The Shamoon Attacks
Updated: 16 Aug 2012 | Translations available: Japanese
Symantec Security Response
Also read up on recommendations on how to protect against SHAMOON:
http://samuelezerzercyberspacethenewfrontier.blogspot.ca/2013/03/writeup-by-symantec-security-response.html

W32.Disttrack is a new threat that is being used in specific targeted attacks against at least one organization in the energy sector. It is destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render the computer unusable.
W32.Disttrack consists of several components:
Dropper—the main component and source of the original infection. It drops a number of other modules.
Wiper—this module is responsible for the destructive functionality of the threat.
Reporter—this module is responsible for reporting infection information back to the attacker.
Dropper Component
The Dropper component performs the following actions:
Copies itself to %System%\trksvr.exe
Drops the following files embedded in its resources:
A 64-bit version of the dropper component: %System%\trksrv.exe (contained in the "X509" resource)
Reporter component: %System%\netinit.exe (contained in the "PKCS7" resource)
Wiper component: %System%\[NAME SELECTED FROM LIST].exe (contained in the "PKCS12" resource)
Note: The name of the component is selected from the following list:
caclsrv
certutl
clean
ctrl
dfrag
dnslookup
dvdquery
event
extract
findfile
fsutl
gpget
iissrv
ipsecure
msinit
ntx
ntdsutl
ntfrsutil
ntnw
power
rdsadmin
regsys
routeman
rrasrv
sacses
sfmsc
sigver
smbinit
wcscript
Copies itself to the following network shares:
ADMIN$
C$\WINDOWS
D$\WINDOWS
E$\WINDOWS
Creates a task to execute itself
Creates the following service to start itself whenever Windows starts:
Service name: TrkSvr
Display name: Distributed Link Tracking Server
Image path: %System%\trksvr.exe
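The dropper leaves a fixed set of file and service artefacts, so a host can be swept for them offline. The Python below is an added example, not Symantec's code: it checks a host inventory for the fixed file names, for any of the wiper names above dropped as an .exe into a system directory, for the drdisk.sys driver, and for a TrkSvr service whose ImagePath is a stand-alone trksvr.exe. The inventory format (a list of Windows paths plus (name, display name, ImagePath) service tuples) and the sample entries at the bottom are assumptions.

```python
"""Offline indicator sweep for the W32.Disttrack dropper artefacts listed above.

Added example; this is not Symantec's tooling. The inventory format is an
assumption: a list of Windows file paths plus a list of
(service name, display name, ImagePath) tuples, as an EDR or asset export
might provide. The sample inventory at the bottom is constructed.
"""
import ntpath
import re

# Wiper executable names the dropper chooses from (the list in the writeup).
WIPER_NAMES = {
    "caclsrv", "certutl", "clean", "ctrl", "dfrag", "dnslookup", "dvdquery",
    "event", "extract", "findfile", "fsutl", "gpget", "iissrv", "ipsecure",
    "msinit", "ntx", "ntdsutl", "ntfrsutil", "ntnw", "power", "rdsadmin",
    "regsys", "routeman", "rrasrv", "sacses", "sfmsc", "sigver", "smbinit",
    "wcscript",
}
# Fixed names the dropper writes: itself, its 64-bit copy and the reporter.
DROPPER_FILES = {"trksvr.exe", "trksrv.exe", "netinit.exe"}
# Signed raw-disk driver the wiper installs; it also has legitimate uses.
DRIVER_FILE = "drdisk.sys"
# Directories the dropper writes to (System32 locally, WINDOWS/ADMIN$ over SMB).
SYSTEM_DIRS = {"system32", "windows", "admin$"}


def _parent_and_name(path):
    """Lower-cased (parent directory component, file name) of a Windows or UNC path."""
    parts = [p for p in re.split(r"[\\/]+", path.strip().lower()) if p]
    return (parts[-2] if len(parts) > 1 else ""), (parts[-1] if parts else "")


def _image_exe(image_path):
    """File name of the executable in a service ImagePath, ignoring arguments."""
    s = image_path.strip()
    if s.startswith('"'):
        s = s[1:].split('"', 1)[0]
    else:
        s = s.split()[0] if s.split() else s
    return _parent_and_name(s)[1]


def check_files(paths):
    """Return (severity, path, reason) for every path matching a dropper artefact."""
    findings = []
    for path in paths:
        parent, name = _parent_and_name(path)
        stem, ext = ntpath.splitext(name)
        if name in DROPPER_FILES:
            findings.append(("high", path, "Disttrack dropper/reporter file name"))
        elif name == DRIVER_FILE and parent == "drivers":
            findings.append(("medium", path, "raw-disk driver used by the wiper (may be legitimate)"))
        elif ext == ".exe" and stem in WIPER_NAMES and parent in SYSTEM_DIRS:
            findings.append(("medium", path, "wiper candidate name in a system directory"))
    return findings


def check_services(services):
    """Flag a TrkSvr service whose ImagePath is a stand-alone trksvr.exe."""
    findings = []
    for name, display, image in services:
        if name.lower() == "trksvr" and _image_exe(image) == "trksvr.exe":
            findings.append(("high", f"service {name} ({display}) -> {image}",
                             "TrkSvr service hosted by its own trksvr.exe instead of svchost"))
    return findings


def sweep(paths, services):
    """All file and service findings for one host inventory."""
    return check_files(paths) + check_services(services)


# Constructed sample inventory: a compromised host plus a copy pushed over ADMIN$.
SAMPLE_FILES = [
    r"C:\Windows\System32\trksvr.exe",
    r"C:\Windows\System32\netinit.exe",
    r"C:\Windows\System32\drivers\drdisk.sys",
    r"C:\Windows\System32\caclsrv.exe",
    r"\\fileserver\ADMIN$\trksvr.exe",
    r"C:\Users\alice\Downloads\clean.exe",   # wiper name outside a system directory: not flagged
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_SERVICES = [
    ("TrkSvr", "Distributed Link Tracking Server", r"C:\Windows\System32\trksvr.exe"),
    ("TrkWks", "Distributed Link Tracking Client", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for severity, where, why in sweep(SAMPLE_FILES, SAMPLE_SERVICES):
        print(f"[{severity}] {where}: {why}")
```

The service check keys on the image path rather than the name, because a legitimate Distributed Link Tracking Server service with the same short name exists on older Windows Server releases and is hosted by svchost.exe. drdisk.sys and the wiper-name hits are reported at medium severity for the reason the writeup gives: the driver has legitimate uses, and several of the wiper names are plausible file names on their own.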
Wiper Component
The Wiper component includes the following functionality:
Deletes any existing driver at the following location and overwrites it with another, legitimate driver:
%System%\drivers\drdisk.sys
The device driver is a clean, digitally signed disk driver that enables user-mode applications to read and write disk sectors. The wiper uses it to overwrite the computer's MBR, but the driver itself also has legitimate uses.
Executes the following commands, which collect the names of the files to be overwritten and write them to f1.inf and f2.inf:
The files listed in f1.inf and f2.inf are then overwritten with the JPEG image shown below, which renders them useless.
Figure 1. Image used to overwrite files
Finally, the component overwrites the MBR so that the compromised computer can no longer start.
The following string, which points to the location of debug symbols, was left in the Wiper component and gives an idea of where the component was located on the developer's computer:
C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb
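Two things an incident responder has to establish after the wiper runs are which files were overwritten and whether the MBR survived. The Python below is an added example, not Symantec's code. It applies two heuristics taken from the description above (a file that begins with the JPEG start-of-image marker but is not named as an image, and groups of files with byte-identical content, since every target receives the same image) and checks a raw first sector for the MBR boot signature and a usable partition entry. The sample directory tree and the sectors it checks are constructed inside the script.

```python
"""Post-incident triage for the two wiper effects described in the writeup:
files overwritten with one JPEG, and a destroyed MBR.

Added example, not Symantec's code. The heuristics follow the writeup's
description rather than any specific sample; the victim tree and the 512-byte
sectors are constructed here so the script runs offline.
"""
import hashlib
import os
import struct
import tempfile
from collections import defaultdict

JPEG_SOI = b"\xff\xd8\xff"          # JPEG start-of-image marker plus first segment byte
IMAGE_EXTS = {".jpg", ".jpeg"}
MBR_SIGNATURE = b"\x55\xaa"


def triage_tree(root):
    """Return (masquerades, duplicate_groups) for the files under root.

    masquerades: files starting with JPEG bytes whose name says they are not images.
    duplicate_groups: sha256 -> list of files sharing identical content (a wiper
    that writes one image everywhere produces one large group).
    Paths are returned relative to root."""
    by_hash = defaultdict(list)
    masquerades = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            by_hash[hashlib.sha256(data).hexdigest()].append(rel)
            if data.startswith(JPEG_SOI) and os.path.splitext(name)[1].lower() not in IMAGE_EXTS:
                masquerades.append(rel)
    duplicates = {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}
    return sorted(masquerades), duplicates


def mbr_looks_intact(sector):
    """Structural sanity check on a raw first sector: 512 bytes, boot signature
    at offset 510, and at least one partition entry with a valid status byte
    (0x00 or 0x80) and a non-zero partition type. An overwritten sector fails."""
    if len(sector) != 512 or sector[510:512] != MBR_SIGNATURE:
        return False
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        if entry[0] in (0x00, 0x80) and entry[4] != 0:
            return True
    return False


def build_sample_mbr():
    """Constructed minimal MBR: zero boot code, one active NTFS (type 0x07)
    partition at LBA 2048 spanning 1,000,000 sectors, valid boot signature."""
    sector = bytearray(512)
    sector[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                                  b"\x00\x00\x00", 2048, 1_000_000)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def build_sample_tree():
    """Constructed victim tree: three documents overwritten with one fake JPEG
    payload, one genuine photo, one untouched document. Returns the root path."""
    root = tempfile.mkdtemp(prefix="disttrack_triage_")
    payload = JPEG_SOI + b"\xe0" + b"\x00" * 300     # stands in for the image in the writeup
    for name in ("report.docx", "budget.xlsx", "notes.txt"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(payload)
    with open(os.path.join(root, "holiday.jpg"), "wb") as fh:
        fh.write(JPEG_SOI + b"\xe1" + b"\x11" * 40)
    with open(os.path.join(root, "untouched.txt"), "wb") as fh:
        fh.write(b"quarterly figures\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    masquerades, duplicates = triage_tree(root)
    print("JPEG bytes in non-image files:", masquerades)
    for digest, paths in duplicates.items():
        print(f"{len(paths)} files share content {digest[:12]}...: {paths}")
    print("sample MBR intact:", mbr_looks_intact(build_sample_mbr()))
    print("zeroed sector intact:", mbr_looks_intact(bytes(512)))
```

Run the tree triage against a mounted image of the disk, not the live host, and treat the MBR check as a first pass: it confirms the sector is structurally valid, not that the boot code is the original.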
Reporter Component
The Reporter component is responsible for sending infection information back to the attacker. The information is sent as an HTTP GET request structured as follows:
http://[DOMAIN]/ajax_modal/modal/data.asp?mydata=[MYDATA]&uid=[UID]&state=[STATE]
The following data is sent to the attacker:
[DOMAIN]—a domain name
[MYDATA]—a number that specifies how many files were overwritten
[UID]—the IP address of the compromised computer
[STATE]—a random number
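Because the beacon is a plain HTTP GET with a fixed path and fixed parameter names, it is straightforward to hunt for in web proxy logs. The Python below is an added example (not Symantec's detection content) that matches the path, extracts the documented fields and cross-checks the uid value against the address the proxy logged for the client. The log format (timestamp, client IP, method, full URL, status) and every line in it, including the .invalid host names, are constructed.

```python
"""Spot W32.Disttrack reporter beacons in web proxy logs.

Added example, not Symantec's detection content. The log format and the
sample lines are constructed; the beacon shape is the GET request documented
in the writeup (path /ajax_modal/modal/data.asp with mydata, uid, state).
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

REPORTER_PATH = "/ajax_modal/modal/data.asp"
REPORTER_PARAMS = ("mydata", "uid", "state")

# Constructed sample log: two beacons, one benign request, one path-only hit.
# Fields: timestamp, client IP, method, URL, HTTP status.
LOG_LINES = """\
2012-08-15T09:12:03Z 10.1.4.22 GET http://example-c2.invalid/ajax_modal/modal/data.asp?mydata=1342&uid=10.1.4.22&state=98123 200
2012-08-15T09:12:09Z 10.1.4.23 GET http://intranet.example.invalid/news/index.html 200
2012-08-15T09:13:41Z 10.1.4.30 GET http://example-c2.invalid/ajax_modal/modal/data.asp?mydata=0&uid=192.168.7.5&state=4411 200
2012-08-15T09:14:02Z 10.1.4.31 GET http://cdn.example.invalid/ajax_modal/modal/data.asp?foo=1 404
"""


def is_reporter_url(url):
    """True when the request path is the reporter's fixed path."""
    return urlsplit(url).path.lower().endswith(REPORTER_PATH)


def _as_ip(value):
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def parse_beacon(url):
    """Pull the documented fields out of a reporter URL; missing ones are None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    first = {k: query[k][0] for k in REPORTER_PARAMS if k in query}
    mydata = first.get("mydata")
    return {
        "domain": parts.hostname,
        "files_overwritten": int(mydata) if mydata is not None and mydata.isdigit() else None,
        "uid": first.get("uid"),
        "uid_is_ip": _as_ip(first.get("uid", "")) is not None,
        "state": first.get("state"),
        "complete": all(k in first for k in REPORTER_PARAMS),
    }


def find_reporter_beacons(lines):
    """Return one record per log line whose URL matches the reporter path."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, method, url, status = fields[:5]
        if method != "GET" or not is_reporter_url(url):
            continue
        info = parse_beacon(url)
        # The beacon's uid is self-reported; compare it with what the proxy saw.
        info.update(time=ts, client=client, status=status,
                    uid_matches_client=(info["uid"] == client))
        hits.append(info)
    return hits


if __name__ == "__main__":
    for hit in find_reporter_beacons(LOG_LINES.splitlines()):
        print(f"{hit['time']} {hit['client']} -> {hit['domain']}: "
              f"files={hit['files_overwritten']} uid={hit['uid']} "
              f"uid_matches_client={hit['uid_matches_client']} complete={hit['complete']}")
```

Matching on the path alone also catches a beacon from a host that has not overwritten anything yet (mydata=0) and malformed variants. The uid mismatch in the second hit is what a host behind NAT produces, so treat the proxy's client address, not uid, as the authoritative victim identifier when building the list of machines to isolate.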
Threats with such destructive payloads are unusual and are not typical of targeted attacks. Symantec Security Response is continuing to analyze this threat and will post more information as it becomes available. Symantec customers are protected from this threat, which our security products detect as W32.Disttrack.
- Discovered:
- August 16, 2012
- Updated:
- August 22, 2012 2:07:45 AM
- Also Known As:
- WORM_DISTTRACK.A [Trend], TROJ_WIPMBR.A [Trend]
- Type:
- Worm
- Infection Length:
- Varies
- Systems Affected:
- Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
W32.Disttrack is a worm that spreads through network shares. It also drops malicious files and overwrites existing files.
Antivirus Protection Dates
- Initial Rapid Release version August 16, 2012 revision 001
- Latest Rapid Release version February 19, 2013 revision 016
- Initial Daily Certified version August 16, 2012 revision 002
- Latest Daily Certified version September 12, 2012 revision 021
- Initial Weekly Certified release date August 22, 2012
Threat Assessment
Wild
- Wild Level: Low
- Number of Infections: 0 - 49
- Number of Sites: 0 - 2
- Geographical Distribution: Low
- Threat Containment: Easy
- Removal: Easy
Damage
- Damage Level: High
- Payload: Drops malicious files.
- Deletes Files: Overwrites existing files.
Distribution
- Distribution Level: Low
- Shared Drives: Spreads through network shares.
Writeup By: Symantec Security Response