Typhoon-like data wiper is latest computer virus headache

Aug 19, 2012 by Nancy Owano weblog
Source: Kaspersky Lab

(Phys.org) -- A new computer virus is leaving security experts asking what could be the motive and where is the source—but one suspicion is that it is targeting infrastructure in the energy industry. The culprit, called Shamoon, wipes out files and then makes the affected computer unusable.

Guesses that it is going after the energy sector are based on a recent incident where the network for the national oil company in Saudi Arabia was taken offline following a malware intrusion. In a Saudi Aramco statement acknowledging the attack, but not naming any specific virus, the explanation was disruptions were "suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network." It affirmed the continued integrity of its networks.

set about trying to explore details of the virus and issued their statements. According to Symantec, “W32.Disttrack is a new threat that is being used in specific targeted attacks against at least one organization in the energy sector. It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable.”

Kaspersky Lab noted that this new virus has a file named Wiper. “The “wiper” reference immediately reminds us of the Iranian computer-wiping incidents from April 2012 that led to the discovery of Flame,” said a Kaspersky source.

That led them to ask if this was another Wiper incident similar to the attack in Iran. They answered their own question, No.

“Based on researching several systems attacked by the original Wiper, is that it is not. The original “Wiper” was using certain service names (“RAHD...”) together with specific filenames for its drivers (“%temp%~dxxx.tmp”) which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware.” Kaspersky Lab called Shamoon “the work of script kiddies.”

Nonetheless, the attack is considered a grown-up headache in that it makes computers unusable. The person’s PC is unbootable. The machine’s data is wiped. A list of the wiped files is passed to the attacker’s center, in turn replacing the files with JPEG images. This move successfully thwarts rescue attempts to get the deleted files back.

What puzzled security sleuths examining Shamoon is that its motive, unlike other worms, was not to steal information, but just to wipe it off. Seculert, security specialists, said the code had unusual characteristics compared with that seen in other attacks."The interesting part of this malware is that instead of staying under the radar and collect information, the malware was designed to overwrite and wipe the files," the company said.

While the malware does not try to steal sensitive information, it does appear to be concerned with names of the files that it deleted and how many files and the IP address of the infected computers.

One Symantec researcher said that, since the malware was an executable, it might arrive at the victim’s workstation as an e-mail attachment.

Generally, security firms examining Shamoon agreed that the malware was not widespread and was launched in very focused attacks.

By Friday, reports coming in from the UK said that, in a post on the website Pastebin.com, the Arab Youth Group claimed responsibility for the attack. The group called the attack a message to Saudi officials.

Explore further: Twitter rules out Turkey office amid tax row

More information: www.securelist.com/en/blog?print_mode=1&weblogid=208193786

Related Stories

Global wave of Flame cyber attacks called staggering

May 28, 2012

(Phys.org) -- Kaspersky Lab has discovered complex malware that has been in operation for at least five years, collecting data from countries including both Israel and Iran. Kaspersky experts think the masterminds ...

'Sabpab' Trojan seeks out Mac OS X

Apr 17, 2012

(Phys.org) -- Three compelling reasons that Mac loyalists say justify their love for Macs have been that Macs are 1) the prettiest computers around (2) ideal for any new-age brain that prefers visually rich ...

Flame spy virus gets order to vanish: experts

Jun 10, 2012

US computer security researchers said Sunday that the Flame computer virus that smoldered undetected for years in Middle Eastern energy facilities has gotten orders to vanish, leaving no trace.

Ramnit's heist bags 45,000 Facebook passwords

Jan 06, 2012

(PhysOrg.com) -- Ramnit, the bank-thieving worm, is at it again, this time scoffing up Facebook accounts. The latest oh-look-another-threat is one that security watchers say could get ugly. Ramnit has grown ...

Recommended for you

Twitter rules out Turkey office amid tax row

2 hours ago

Social networking company Twitter on Wednesday rejected demands from the Turkish government to open an office there, following accusations of tax evasion and a two-week ban on the service.

How does false information spread online?

5 hours ago

Last summer the World Economic Forum (WEF) invited its 1,500 council members to identify top trends facing the world, including what should be done about them. The WEF consists of 80 councils covering a wide range of issues including social media. Members come ...

User comments : 3

Adjust slider to filter visible comments by rank

Display comments: newest first

1 / 5 (10) Aug 19, 2012
It's just the latest scheme of the Rothschilds.
not rated yet Aug 20, 2012
What leads you to that conclusion? Hardly the sophistication of Flame and StuxNet at work here is it?
1 / 5 (1) Aug 20, 2012
Hardly the sophistication of Flame and StuxNet at work here is it?

Yeah, this is barely news-worthy. This thing sounds like it only affects the computer it is on, so not much danger. I can't imagine a network admin guy running an unknown exe on a server.

More news stories

Quantenna promises 10-gigabit Wi-Fi by next year

(Phys.org) —Quantenna Communications has announced that it has plans for releasing a chipset that will be capable of delivering 10Gbps WiFi to/from routers, bridges and computers by sometime next year. ...

Unlocking secrets of new solar material

(Phys.org) —A new solar material that has the same crystal structure as a mineral first found in the Ural Mountains in 1839 is shooting up the efficiency charts faster than almost anything researchers have ...

Floating nuclear plants could ride out tsunamis

When an earthquake and tsunami struck the Fukushima Daiichi nuclear plant complex in 2011, neither the quake nor the inundation caused the ensuing contamination. Rather, it was the aftereffects—specifically, ...

New US-Spanish firm says targets rich mobile ad market

Spanish telecoms firm Telefonica and US investment giant Blackstone launched a mobile telephone advertising venture on Wednesday, challenging internet giants such as Google and Facebook in a multi-billion-dollar ...

Progress in the fight against quantum dissipation

(Phys.org) —Scientists at Yale have confirmed a 50-year-old, previously untested theoretical prediction in physics and improved the energy storage time of a quantum switch by several orders of magnitude. ...