The Shamoon Attacks
Symantec has identified a new series of targeted attacks, dubbed the Shamoon attacks, affecting at least one organisation in the energy sector. Unlike the current trend in targeted attacks that focus on stealing sensitive information, the Shamoon attacks seek to render infected computers unusable by corrupting critical files.
The attacks leverage the destructive Disttrack malware, which in addition to corrupting files, overwrites infected machines’ master boot records. The malware also has a suicide function that results in the malware removing itself after it has accomplished its purpose.
More information is available in the following blog post: http://www.symantec.com/connect/blogs/shamoon-attacks. Please let me know if you would like to discuss this threat in greater detail with a Symantec researcher.
W32.Disttrack is a new threat that is being used in specific targeted attacks against at least one organisation in the energy sector. It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable.
W32.Disttrack consists of several components:
- Dropper—the main component and source of the original infection. It drops a number of other modules.
- Wiper—this module is responsible for the destructive functionality of the threat.
- Reporter—this module is responsible for reporting infection information back to the attacker.
The Dropper component performs the following actions:
- Copies itself to %System%\trksvr.exe
- Drops the following files embedded into resources:
- A 64-bit version of the dropper component: %System%\trksrv.exe (contained in the “X509” resource)
- Reporter component: %System%\netinit.exe (contained in the "PKCS7" resource)
- Wiper component: %System%\[NAME SELECTED FROM LIST].exe (contained in the
Note: The name of the component is selected from the following list:
- Copies itself to the following network shares:
- Creates a task to execute itself
- Creates the following service to start itself whenever Windows starts:
- Service name: TrkSvr
- Display name: Distributed Link Tracking Server
- Image path: C:\WINDOWS\system32\trksvr.exe
The Wiper component includes the following functionality:
- Deletes an existing driver from the following location and overwrites it with another legitimate driver:
- The device driver is a clean disk driver that enables user-mode applications to read and write to disk sectors. The driver is used to overwrite the computer’s MBR but may be used for legitimate purposes.
- The file is digitally signed
- Executes the following commands, which collect the names of the files to be overwritten and write them to f1.inf and f2.inf:
- Files from the f1.inf and f2.inf will be overwritten with the JPEG image shown below. Overwritten files are thus rendered useless.
- Finally, the component will overwrite the MBR so that the compromised computer can no longer start
Figure 1. Image used to overwrite files
The following string that points to the location of debug symbols was left in the Wiper component of this threat and gives an idea of where the component was located on the developer’s computer: C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb
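The service-based persistence described under the Dropper component and the leftover debug-symbol path above are the kind of indicators a responder can check for directly. The following Python is an added example, not Symantec's code; the service-record field names and all sample data are constructed assumptions:

```python
"""Triage helpers for the W32.Disttrack persistence and debug-string indicators
described in this advisory. Sample data below is constructed, not real telemetry."""

# Indicators quoted from the advisory.
SERVICE_NAME = "trksvr"
DROPPED_BINARIES = {"trksvr.exe", "trksrv.exe", "netinit.exe"}
WIPER_PDB_PATH = b"C:\\Shamoon\\ArabianGulf\\wiper\\release\\wiper.pdb"


def _service_binary(image_path: str) -> str:
    """Executable file name from a service ImagePath (handles quoted paths and arguments)."""
    s = image_path.strip()
    exe = s[1:].split('"', 1)[0] if s.startswith('"') else s.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matching_services(records):
    """Return the records whose service name and binary match the dropper's persistence.

    Each record is a dict with ServiceName, DisplayName and ImagePath (assumed field
    names for a service-installation event). Matching on the binary rather than the
    display name avoids flagging other services that reuse the same friendly name."""
    hits = []
    for rec in records:
        if rec.get("ServiceName", "").lower() != SERVICE_NAME:
            continue
        if _service_binary(rec.get("ImagePath", "")) in DROPPED_BINARIES:
            hits.append(rec)
    return hits


def has_wiper_pdb_path(data: bytes) -> bool:
    """True if the wiper's leftover debug-symbol path appears in a file's bytes."""
    return WIPER_PDB_PATH.lower() in data.lower()


# Constructed sample records: one Disttrack-style install, one same-named service
# backed by a different binary, one unrelated service.
SAMPLE_RECORDS = [
    {"ServiceName": "TrkSvr", "DisplayName": "Distributed Link Tracking Server",
     "ImagePath": "C:\\WINDOWS\\system32\\trksvr.exe"},
    {"ServiceName": "TrkSvr", "DisplayName": "Distributed Link Tracking Server",
     "ImagePath": "C:\\WINDOWS\\system32\\svchost.exe -k netsvcs"},
    {"ServiceName": "Spooler", "DisplayName": "Print Spooler",
     "ImagePath": "C:\\WINDOWS\\system32\\spoolsv.exe"},
]
# Constructed byte blob standing in for a file carved from disk.
SAMPLE_BLOB = b"MZ\x90\x00" + b"\x00" * 8 + WIPER_PDB_PATH + b"\x00"

if __name__ == "__main__":
    for rec in matching_services(SAMPLE_RECORDS):
        print("Disttrack persistence:", rec["ServiceName"], rec["ImagePath"])
    print("wiper PDB path present:", has_wiper_pdb_path(SAMPLE_BLOB))
```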
The Reporter component is responsible for sending infection information back to the attacker. Information is sent as an HTTP GET request and is structured as follows:
The following data is sent to the attacker:
- [MYDATA]—a number that specifies how many files were overwritten
- [UID]—the IP address of the compromised computer
- [STATE]—a random number
Threats with such destructive payloads are unusual and are not typical of targeted attacks. Symantec Security Response is continuing to analyse this threat and will post more information as it becomes available. Symantec customers are protected from this threat, which our security products detect as W32.Disttrack.
For more information
+61 2 9469 5740
+61 2 9086 2140