daveinpoway
Premium
join:2006-07-03
Poway, CA
kudos:2

2 recommendations

Malicious Windows malware 'Shamoon' deletes computer content

"If your Windows-based computer suddenly won't boot up, it could be the evil doing of malicious malware that deletes the contents of your computer -- farewell, documents, pictures and videos -- and then prevents reboot.":

»www.networkworld.com/news/2012/0···12-08-17



jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24

Well, at least it sounds as if this one is real. Given that the last one of a similar result was merely a scam/hoax, this is quite interesting.


daveinpoway
Premium
join:2006-07-03
Poway, CA
kudos:2

1 recommendation

Even though this malware presently "seems to be aimed at very specific targets", will it (or something based on it) eventually be sent out to pretty much every Windows PC? Time will tell.

The article didn't indicate whether data on external hard drives is subject to deletion, but it is probably best to assume that any drive listed in "My Computer" is vulnerable.



aussiedog

join:2007-01-10
Colorado Springs, CO
reply to daveinpoway

Regularly back up to a removable drive. Anything can happen at any time in today's digital world. Cripes!
--
If I can only find my keys...



norwegian
Premium
join:2005-02-15
Outback
reply to daveinpoway

More here:

»www.securelist.com/en/blog/20819···_at_Work

»arstechnica.com/security/2012/08···-attack/
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to daveinpoway

Also Spotted:
Disttrack Sabotage Malware Wipes Data At Unnamed Middle East Energy Organization

More on Shamoon

Shamoon energy sector malware

--
siljaline

Here at Mountain View Chocolate, we’re committed to transparency and choice



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to daveinpoway

Shamoon, a two-stage targeted attack
The interesting part of this malware is that instead of staying under the radar and collecting information, the malware was designed to overwrite and wipe the files and the Master Boot Record of the computer. Why would someone wipe files in a targeted attack and make the machine unusable?

While it's rare to find this type of malware in targeted attacks, our friends at Kaspersky Lab suggest that this is the same behavior as the wiper malware found attacking machines in Iran that were infected with another unknown malware. This then led Kaspersky to the discovery of Flame.

Furthermore, Shamoon is collecting the names of the files it has overwritten and sending this information to another internal machine within the compromised company network. The samples we analyzed communicated with a local IP address 10.1.252.19 (see Figure 1).

The evidence above suggests that this is a two-stage attack:

1. The attacker took control of an internal machine connected directly to the internet, and used that machine as a proxy to the external Command-and-Control (C2) server. Through the proxy, the attacker infected the other internal machines, which were probably not connected directly to the internet.

2. Once the intended action on the internal infected machines was complete, the attacker executed the Shamoon malware, wiping all evidence of other malicious software or stolen data from those machines. It then reported back to the external C2 through the proxy.

»blog.seculert.com/2012/08/shamoo···ack.html

The samples are especially interesting because they contain a module with the following string:

C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb

Of course, the "wiper" reference immediately reminds us of the Iranian computer-wiping incidents from April 2012 that led to the discovery of Flame.

The malware is a 900KB PE file that contains a number of encrypted resources:

»www.securelist.com/en/blog/20819···_at_Work
--
Gladiator Security Forum
»www.gladiator-antivirus.com/
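The two-stage layout described in the quoted analysis above (workstations without direct internet access report to one internal machine, and only that machine talks to the external C2) leaves a traffic shape a defender can look for in flow logs: an internal host that receives connections from several internal peers on a non-standard port and also initiates connections to external addresses. The following is an added example written for this thread, not code from Seculert, Kaspersky or any of the linked articles. The flow records are constructed sample data; the internal address ranges, the port 8080 used by the constructed records and the peer threshold are assumptions; the proxy address mirrors the 10.1.252.19 mentioned above.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space; adjust to the organisation's own ranges.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Ports where many-to-one internal traffic is normal (file sharing, DNS,
# Kerberos, LDAP); excluded so ordinary servers are not flagged.
NOISY_PORTS = frozenset({53, 88, 135, 139, 389, 445})

# Constructed sample flow records (src, dst, dst_port); not real telemetry.
SAMPLE_FLOWS = [
    ("10.1.20.5", "10.1.252.19", 8080),     # workstations reporting to one host
    ("10.1.20.6", "10.1.252.19", 8080),
    ("10.1.20.7", "10.1.252.19", 8080),
    ("10.1.252.19", "93.184.216.34", 443),  # that host alone has external egress
    ("10.1.20.5", "10.1.0.10", 445),        # ordinary file-server traffic
    ("10.1.20.6", "10.1.0.10", 445),
    ("10.1.20.7", "10.1.0.10", 445),
    ("10.1.0.10", "10.1.0.11", 445),
    ("10.1.20.8", "198.51.100.9", 443),     # a workstation with its own egress
]


def is_internal(ip):
    """True if the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_pivot_candidates(flows, min_internal_peers=3, ignore_ports=NOISY_PORTS):
    """Return internal hosts that look like a proxy between the LAN and the outside.

    A host is a candidate when at least `min_internal_peers` distinct internal
    sources connect to it on a port outside `ignore_ports` AND the host itself
    initiates connections to external addresses.
    """
    inbound_peers = defaultdict(set)   # dst -> set of internal sources
    egress = defaultdict(set)          # src -> set of external destinations

    for src, dst, port in flows:
        src_int, dst_int = is_internal(src), is_internal(dst)
        if src_int and dst_int and port not in ignore_ports:
            inbound_peers[dst].add(src)
        elif src_int and not dst_int:
            egress[src].add(dst)

    findings = {}
    for host, peers in inbound_peers.items():
        if len(peers) >= min_internal_peers and egress.get(host):
            findings[host] = {
                "internal_peers": sorted(peers),
                "external_destinations": sorted(egress[host]),
            }
    return findings


if __name__ == "__main__":
    for host, detail in find_pivot_candidates(SAMPLE_FLOWS).items():
        print(f"possible internal pivot {host}: "
              f"{len(detail['internal_peers'])} internal peers, "
              f"egress to {', '.join(detail['external_destinations'])}")
```

In the constructed data only 10.1.252.19 is flagged: the file server 10.1.0.10 receives many-to-one traffic but only on port 445, and 10.1.20.8 has external egress but no internal peers. On real flow data the threshold and the ignored-port list need tuning per environment, and a hit is a lead for investigation rather than proof of compromise.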



norwegian
Premium
join:2005-02-15
Outback

1 recommendation

reply to daveinpoway

Re: Malicious Windows malware 'Shamoon' deletes computer content

Details if anyone is interested:

»www.securelist.com/en/blog/20819···_details



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
reply to daveinpoway

While we don't often see truly destructive viruses, given government-funded efforts like Stuxnet, we are now, and this trend will only go up from here (one of the dangers of Stuxnet).

Given how much hardware has improved, backups for most people seem unnecessary, which only magnifies the effects of this type of attack. "You might get my system, but not my data" is an important mindset in security.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to daveinpoway

Some recent findings:

Siemens 'flaw' claim sparks US power plant security probe

Kill timer found in Shamoon malware suggests possible connection to Saudi Aramco attack