Typhoon-like data wiper is latest computer virus headache

Aug 19, 2012 by Nancy Owano weblog
Source: Kaspersky Lab

(Phys.org) -- A new computer virus is leaving security experts asking what could be the motive and where is the source—but one suspicion is that it is targeting infrastructure in the energy industry. The culprit, called Shamoon, wipes out files and then makes the affected computer unusable.

Guesses that it is going after the energy sector are based on a recent incident where the network for the national oil company in Saudi Arabia was taken offline following a malware intrusion. In a Saudi Aramco statement acknowledging the attack, but not naming any specific virus, the explanation was disruptions were "suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network." It affirmed the continued integrity of its networks.

set about trying to explore details of the virus and issued their statements. According to Symantec, “W32.Disttrack is a new threat that is being used in specific targeted attacks against at least one organization in the energy sector. It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable.”

Kaspersky Lab noted that this new virus has a file named Wiper. “The “wiper” reference immediately reminds us of the Iranian computer-wiping incidents from April 2012 that led to the discovery of Flame,” said a Kaspersky source.

That led them to ask if this was another Wiper incident similar to the attack in Iran. They answered their own question, No.

“Based on researching several systems attacked by the original Wiper, is that it is not. The original “Wiper” was using certain service names (“RAHD...”) together with specific filenames for its drivers (“%temp%~dxxx.tmp”) which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware.” Kaspersky Lab called Shamoon “the work of script kiddies.”

Nonetheless, the attack is considered a grown-up headache in that it makes computers unusable. The person’s PC is unbootable. The machine’s data is wiped. A list of the wiped files is passed to the attacker’s center, in turn replacing the files with JPEG images. This move successfully thwarts rescue attempts to get the deleted files back.

What puzzled security sleuths examining Shamoon is that its motive, unlike other worms, was not to steal information, but just to wipe it off. Seculert, security specialists, said the code had unusual characteristics compared with that seen in other attacks."The interesting part of this malware is that instead of staying under the radar and collect information, the malware was designed to overwrite and wipe the files," the company said.

While the malware does not try to steal sensitive information, it does appear to be concerned with names of the files that it deleted and how many files and the IP address of the infected computers.

One Symantec researcher said that, since the malware was an executable, it might arrive at the victim’s workstation as an e-mail attachment.

Generally, security firms examining Shamoon agreed that the malware was not widespread and was launched in very focused attacks.

By Friday, reports coming in from the UK said that, in a post on the website Pastebin.com, the Arab Youth Group claimed responsibility for the attack. The group called the attack a message to Saudi officials.

Explore further: Google searches hold key to future market crashes

More information: www.securelist.com/en/blog?pri… 1&weblogid=208193786

Related Stories

Global wave of Flame cyber attacks called staggering

May 28, 2012

(Phys.org) -- Kaspersky Lab has discovered complex malware that has been in operation for at least five years, collecting data from countries including both Israel and Iran. Kaspersky experts think the masterminds ...

'Sabpab' Trojan seeks out Mac OS X

Apr 17, 2012

(Phys.org) -- Three compelling reasons that Mac loyalists say justify their love for Macs have been that Macs are 1) the prettiest computers around (2) ideal for any new-age brain that prefers visually rich ...

Flame spy virus gets order to vanish: experts

Jun 10, 2012

US computer security researchers said Sunday that the Flame computer virus that smoldered undetected for years in Middle Eastern energy facilities has gotten orders to vanish, leaving no trace.

Ramnit's heist bags 45,000 Facebook passwords

Jan 06, 2012

(PhysOrg.com) -- Ramnit, the bank-thieving worm, is at it again, this time scoffing up Facebook accounts. The latest oh-look-another-threat is one that security watchers say could get ugly. Ramnit has grown ...

Recommended for you

T-Mobile deal helps Rhapsody hit 2M paying subs

8 minutes ago

(AP)—Rhapsody International Inc. said Tuesday its partnership with T-Mobile US Inc. has helped boost its number of paying subscribers to more than 2 million, up from 1.7 million in April.

Airbnb woos business travelers

21 minutes ago

Airbnb on Monday set out to woo business travelers to its service that lets people turn unused rooms in homes into de facto hotel space.

Google searches hold key to future market crashes

11 hours ago

A team of researchers from Warwick Business School and Boston University have developed a method to automatically identify topics that people search for on Google before subsequent stock market falls.

User comments : 3

Adjust slider to filter visible comments by rank

Display comments: newest first

Arcbird
1 / 5 (10) Aug 19, 2012
It's just the latest scheme of the Rothschilds.
racemethorphan
not rated yet Aug 20, 2012
What leads you to that conclusion? Hardly the sophistication of Flame and StuxNet at work here is it?
GSwift7
1 / 5 (1) Aug 20, 2012
Hardly the sophistication of Flame and StuxNet at work here is it?


Yeah, this is barely news-worthy. This thing sounds like it only affects the computer it is on, so not much danger. I can't imagine a network admin guy running an unknown exe on a server.