As Middle Eastern Malware Goes, Shamoon's a Strange Bird
One more piece of malware is making its way through systems in the Middle East. However, the size and scope of Shamoon make security gurus think it may be unrelated to malware like Flame and Gauss. The author "has definite skills," but "doesn't do this malicious stuff all the time," said ICSA Labs' Roger Thompson. "It feels, to me, to be deliberate sabotage from a disgruntled employee."
Aug 17, 2012 3:57 PM PT
Yet another malware attack has emerged in the Middle East. Called "Shamoon," it's hit computers in Saudi Aramco's network, causing a sudden disruption.
The specific malware delivered is being referred to as "W32.Disttrack" by Symantec. The attack as a whole was named "Shamoon" after the title of a folder found within the malware executable.
W32.Disttrack corrupts files on compromised computers and overwrites their master boot records (MBRs) to render the computers unusable, Symantec said.
Saudi Aramco has confirmed that some personal workstations on its network were suspected of having been infected by a virus.
There's speculation that the attack is targeting the energy sector but "just because somebody has found an instance of the malware on Saudi Aramco doesn't mean that," Jayendra Pathak, director of live testing at NSS Labs, told TechNewsWorld. "It's too early to tell."
Simon's Not so Simple
"Shamoon" is apparently the Arabic version of the name "Simon."
The W32.Disttrack malware, which includes the "Shamoon" file, consists of a dropper, a wiper and a reporter, Symantec said.
The dropper is the main component and source of the original infection. It copies itself to the system, and drops a 64-bit version of itself, as well as the reporter and wiper components, into the infected PC, Symantec said. It also copies itself to various network shared files, creates a task to execute itself, and creates the "TrkSvr" service to start itself whenever Windows starts.
The wiper component is the module responsible for the malware's destructive functionality, Symantec stated. It deletes an existing driver from the system and overwrites it with another digitally signed legitimate driver that enables user-mode applications to read and write to disk sectors.
The driver also executes various commands to collect file names, which will be overwritten, Symantec disclosed. It also overwrites the MBR so that the compromised computer can no longer start up.
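As an added illustration (not from the article or from Symantec's analysis), the following defender-side check classifies a disk's first sector against a recorded baseline hash, so that an MBR overwrite of the kind described above shows up as "invalid" (boot signature gone) or "modified" (still bootable but changed). The sample sectors are constructed for the demonstration; the device path and baseline storage are assumptions.

```python
import hashlib

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of every valid MBR sector


def mbr_status(sector: bytes, baseline_sha256: str) -> str:
    """Compare a 512-byte sector-0 image with a recorded baseline.

    Returns:
      "ok"       - sector hash matches the baseline
      "invalid"  - boot signature missing, the disk will not boot (wiped)
      "modified" - still carries a boot signature but differs from baseline
    """
    if len(sector) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if hashlib.sha256(sector).hexdigest() == baseline_sha256:
        return "ok"
    if sector[510:512] != BOOT_SIGNATURE:
        return "invalid"
    return "modified"


def read_sector0(device_path: str) -> bytes:
    """Read sector 0 from a raw device (needs admin/root; path is an assumption,
    e.g. r'\\.\PhysicalDrive0' on Windows or '/dev/sda' on Linux)."""
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


# Constructed sample sectors (not real disk images).
BASELINE_MBR = b"\xfa\x33\xc0" + b"\x90" * 507 + BOOT_SIGNATURE   # "known good"
BASELINE_HASH = hashlib.sha256(BASELINE_MBR).hexdigest()         # stored at install time
WIPED_MBR = b"\x00" * MBR_SIZE                                   # signature destroyed
TAMPERED_MBR = b"\xeb\xfe" + b"\x00" * 508 + BOOT_SIGNATURE       # bootable but replaced

if __name__ == "__main__":
    for name, sector in (("baseline", BASELINE_MBR),
                         ("wiped", WIPED_MBR),
                         ("tampered", TAMPERED_MBR)):
        print(f"{name}: {mbr_status(sector, BASELINE_HASH)}")
```

In practice the baseline hash is recorded when the host is provisioned and the check is scheduled to run periodically, alerting on anything other than "ok".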
The reporter module reports infection information back to the attacker, as an HTTP request, Symantec said. It sends a domain name, a number that specifies how many files were overwritten, the infected computer's IP address, and a random number indicating the computer's state.
Seculert believes Shamoon is a two-stage attack, with the attacker first taking control of an internal PC connected directly to the Internet and using it as a proxy to infect other internal PCs.
Shamoon "targets any machine running Windows," Liam O Murchu, manager of operations at Symantec Security Response, told TechNewsWorld. Both 32- and 64-bit versions of Windows are vulnerable.
No More Than Fifty People ...
There have been only two sightings of W32.Disttrack, both reported by security researchers in China, Kaspersky Lab said. It surmises that the malware is being used in very focused targeted attacks.
"The good news is that, if you use the Internet, you are almost certainly one of about 2 billion people who are never going to encounter Shamoon," Randy Abrams, a director of research at NSS Labs, told TechNewsWorld.
The "wiper" reference in W32.Disttrack's Shamoon file raises memories of the Flame malware that hit Iran and other countries in the Middle East recently, but "we haven't seen any connection between Shamoon and Flame," Symantec's O Murchu remarked.
Flame is believed to have been state-sponsored, while W32.Disttrack "feels too amateurish for state-sponsored malware," Roger Thompson, chief emerging threats researcher at ICSA Labs, told TechNewsWorld.
The author "has definite skills," but "doesn't do this malicious stuff all the time," Thompson continued. "It feels, to me, to be deliberate sabotage from a disgruntled employee."
Little else is known about the W32.Disttrack malware so far.
Coughing Up Blood That Ain't Mine
Saudi Aramco said the electronic network that manages its core business has retained its integrity and that the interruption had no impact on any of its production operations.
The firm operates the world's largest hydrocarbon network. It owns the Ghawar and Shaybah Fields, two of the world's largest oil fields. It also manages more than 100 oil and gas fields in Saudi Arabia.
Saudi Aramco has isolated all its electronic systems from outside access as a precaution following the attack.