Typhoon-like data wiper is latest computer virus headache

Aug 19, 2012 by Nancy Owano weblog
Source: Kaspersky Lab

(Phys.org) -- A new computer virus is leaving security experts asking what could be the motive and where is the source—but one suspicion is that it is targeting infrastructure in the energy industry. The culprit, called Shamoon, wipes out files and then makes the affected computer unusable.

Guesses that it is going after the energy sector are based on a recent incident where the network for the national oil company in Saudi Arabia was taken offline following a malware intrusion. In a Saudi Aramco statement acknowledging the attack, but not naming any specific virus, the explanation was disruptions were "suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network." It affirmed the continued integrity of its networks.

set about trying to explore details of the virus and issued their statements. According to Symantec, “W32.Disttrack is a new threat that is being used in specific targeted attacks against at least one organization in the energy sector. It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable.”

Kaspersky Lab noted that this new virus has a file named Wiper. “The “wiper” reference immediately reminds us of the Iranian computer-wiping incidents from April 2012 that led to the discovery of Flame,” said a Kaspersky source.

That led them to ask if this was another Wiper incident similar to the attack in Iran. They answered their own question, No.

“Based on researching several systems attacked by the original Wiper, is that it is not. The original “Wiper” was using certain service names (“RAHD...”) together with specific filenames for its drivers (“%temp%~dxxx.tmp”) which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware.” Kaspersky Lab called Shamoon “the work of script kiddies.”

Nonetheless, the attack is considered a grown-up headache in that it makes computers unusable. The person’s PC is unbootable. The machine’s data is wiped. A list of the wiped files is passed to the attacker’s center, in turn replacing the files with JPEG images. This move successfully thwarts rescue attempts to get the deleted files back.

What puzzled security sleuths examining Shamoon is that its motive, unlike other worms, was not to steal information, but just to wipe it off. Seculert, security specialists, said the code had unusual characteristics compared with that seen in other attacks."The interesting part of this malware is that instead of staying under the radar and collect information, the malware was designed to overwrite and wipe the files," the company said.

While the malware does not try to steal sensitive information, it does appear to be concerned with names of the files that it deleted and how many files and the IP address of the infected computers.

One Symantec researcher said that, since the malware was an executable, it might arrive at the victim’s workstation as an e-mail attachment.

Generally, security firms examining Shamoon agreed that the malware was not widespread and was launched in very focused attacks.

By Friday, reports coming in from the UK said that, in a post on the website Pastebin.com, the Arab Youth Group claimed responsibility for the attack. The group called the attack a message to Saudi officials.

Explore further: Digital dilemma: How will US respond to Sony hack?

More information: www.securelist.com/en/blog?pri… 1&weblogid=208193786

Related Stories

Global wave of Flame cyber attacks called staggering

May 28, 2012

(Phys.org) -- Kaspersky Lab has discovered complex malware that has been in operation for at least five years, collecting data from countries including both Israel and Iran. Kaspersky experts think the masterminds ...

'Sabpab' Trojan seeks out Mac OS X

Apr 17, 2012

(Phys.org) -- Three compelling reasons that Mac loyalists say justify their love for Macs have been that Macs are 1) the prettiest computers around (2) ideal for any new-age brain that prefers visually rich ...

Flame spy virus gets order to vanish: experts

Jun 10, 2012

US computer security researchers said Sunday that the Flame computer virus that smoldered undetected for years in Middle Eastern energy facilities has gotten orders to vanish, leaving no trace.

Ramnit's heist bags 45,000 Facebook passwords

Jan 06, 2012

(PhysOrg.com) -- Ramnit, the bank-thieving worm, is at it again, this time scoffing up Facebook accounts. The latest oh-look-another-threat is one that security watchers say could get ugly. Ramnit has grown ...

Recommended for you

Britain's UKIP issues online rules after gaffes

14 hours ago

UK Independence Party (UKIP), the British anti-European Union party, has ordered a crackdown on the use of social media by supporters and members following a series of controversies.

Sony saga blends foreign intrigue, star wattage

14 hours ago

The hackers who hit Sony Pictures Entertainment days before Thanksgiving crippled the network, stole gigabytes of data and spilled into public view unreleased films and reams of private and sometimes embarrassing ...

Digital dilemma: How will US respond to Sony hack?

Dec 18, 2014

The detective work blaming North Korea for the Sony hacker break-in appears so far to be largely circumstantial, The Associated Press has learned. The dramatic conclusion of a Korean role is based on subtle ...

User comments : 3

Adjust slider to filter visible comments by rank

Display comments: newest first

Arcbird
1 / 5 (10) Aug 19, 2012
It's just the latest scheme of the Rothschilds.
racemethorphan
not rated yet Aug 20, 2012
What leads you to that conclusion? Hardly the sophistication of Flame and StuxNet at work here is it?
GSwift7
1 / 5 (1) Aug 20, 2012
Hardly the sophistication of Flame and StuxNet at work here is it?


Yeah, this is barely news-worthy. This thing sounds like it only affects the computer it is on, so not much danger. I can't imagine a network admin guy running an unknown exe on a server.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.