Wednesday, January 2, 2013

Shamoon attack

Overview

New malware surfaced in August 2012, as reported by various security agencies, and has been dubbed "Shamoon". The name comes from a folder name in a string embedded in the malware executable, the debug path "C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb". The malware infects all the computers in an internal network.

Composition

The main executable contains three resources, each holding an encrypted program: PKCS12:112, PKCS7:113 and X509:116, according to Dmitry Tarakanov. Symantec said that the malware, which it calls "W32.Disttrack", had infected fewer than 50 machines worldwide. The main Shamoon module has a resource, PKCS7:113, that holds an executable which is saved to disk as %WINDIR%\System32\NETINIT.EXE, says Dmitry Tarakanov. He adds that the malware waits for C&C communication, as is evident from its communication module, and that the PKCS12:112 resource holds another module that plays an important role. The details of Shamoon's operation are explained by Dmitry here. Shamoon is being used in targeted attacks against at least one organization in the energy sector, according to Symantec.

Impact

Shamoon is deployed with a module named "Wiper", used to erase traces of its own activity. This wiper module was compared with the wiper module present in Flame; however, Kaspersky Lab, one of the organizations that found Flame, says Shamoon's "Wiper" is completely different. Shamoon is unusual as malware because of the unconventional measures it takes to ensure that data is destroyed beyond recovery, something rarely seen in targeted attacks. The worm has self-propagation capabilities that allow it to spread using network shares.

The attack is believed to have been instigated via spear-phishing against one or more Aramco staff, says Infosecurity. The malware attacked the hard drives of 30,000 workstations owned by the Saudi oil firm Saudi Aramco, says Kaspersky. Saudi Aramco announced on Sunday that it had restored full network access to PCs after a malware attack, launched on Aug. 15, infected approximately 30,000 of the organization's workstations. The company said it had proactively disabled network access for all infected PCs, as well as any remote access to the company's networks, until Saturday, when it completed the related clean-up efforts.

--
Dr.B.M
