
Shamoon the Wiper - Copycats at Work

GReAT
Kaspersky Lab Expert
Posted August 16, 16:05  GMT
Tags: Targeted Attacks, Microsoft, Wiper

Earlier today, we received an interesting collection of samples from colleagues at another anti-malware company.

The samples are especially interesting because they contain a module with the following string:

C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb

Of course, the “wiper” reference immediately reminds us of the Iranian computer-wiping incidents from April 2012 that led to the discovery of Flame.

The malware is a 900KB PE file that contains a number of encrypted resources:

(Image: Shamoon resources)

The resources 112, 113 and 116 are encrypted using a 4-byte XOR operation. The keys for decryption, including the key for another resource from one of the binaries, are:

{0x25, 0x7f, 0x5d, 0xfb}
{0x17, 0xd4, 0xba, 0x00}
{0x5c, 0xc2, 0x1a, 0xbb}
{0x15, 0xaf, 0x52, 0xf0}
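The XOR scheme above is a repeating 4-byte key, so decryption is the same operation as encryption, and four bytes of known plaintext are enough to recover the key without any brute force. The script below is an added example, not code from the original post or from the malware; it carries the four keys listed above and assumes, as an illustration, that a decrypted resource is a PE image whose DOS header begins with the usual "MZ" bytes. The sample resource it decrypts is constructed inline.

```python
"""Repeating 4-byte XOR, as used on the Shamoon resources (added example)."""

# Keys quoted in the post, one per encrypted resource.
SHAMOON_XOR_KEYS = [
    bytes([0x25, 0x7F, 0x5D, 0xFB]),
    bytes([0x17, 0xD4, 0xBA, 0x00]),  # note the 0x00: every 4th byte of that resource is stored in the clear
    bytes([0x5C, 0xC2, 0x1A, 0xBB]),
    bytes([0x15, 0xAF, 0x52, 0xF0]),
]

# Assumed known plaintext: the first four bytes of a PE image built with the
# standard MS-DOS stub ("MZ", then e_cblp = 0x0090). Only "MZ" is guaranteed.
PE_HEADER_PREFIX = b"MZ\x90\x00"


def xor4(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a 4-byte key repeated over its length.
    The operation is symmetric, so it both encrypts and decrypts."""
    if len(key) != 4:
        raise ValueError("expected a 4-byte key")
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Recover the 4-byte key from at least four bytes of known plaintext:
    key[i] = ciphertext[i] ^ plaintext[i] for i in 0..3."""
    if len(known_prefix) < 4 or len(ciphertext) < 4:
        raise ValueError("need at least 4 bytes of ciphertext and known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:4], known_prefix[:4]))


def try_keys(ciphertext: bytes, keys, expected_prefix: bytes = b"MZ"):
    """Decrypt with each candidate key and return (key, plaintext) for the first
    one whose output starts with `expected_prefix`, or None if none does."""
    for key in keys:
        plain = xor4(ciphertext, key)
        if plain.startswith(expected_prefix):
            return key, plain
    return None


# Constructed sample: a fake resource whose plaintext starts like a PE image.
SAMPLE_PLAINTEXT = PE_HEADER_PREFIX + b"\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
SAMPLE_CIPHERTEXT = xor4(SAMPLE_PLAINTEXT, SHAMOON_XOR_KEYS[0])

if __name__ == "__main__":
    print("recovered key:", recover_key(SAMPLE_CIPHERTEXT, PE_HEADER_PREFIX).hex())
    hit = try_keys(SAMPLE_CIPHERTEXT, SHAMOON_XOR_KEYS)
    print("matching key:", hit[0].hex(), "plaintext starts with", hit[1][:2])
```

In practice the resources come out of the sample with a PE resource parser (for example pefile) and the decrypted blob is itself inspected for further resources, as the post notes for resource 112 and 101. The second key contains a 0x00 byte, which means one byte in every four of that resource is unchanged by the "encryption", a weakness that makes spotting the plaintext by eye, and recovering the key, even easier.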

The malware appears to build a list of “interesting” files on the infected system, writing the paths into f1.inf and f2.inf with the following commands:

dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i download 2>nul >f1.inf
dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i document 2>nul >>f1.inf
dir C:\Users\ /s /b /a:-D 2>nul  | findstr -i download 2>nul >>f1.inf
dir C:\Users\ /s /b /a:-D 2>nul  | findstr -i document 2>nul >>f1.inf
dir C:\Users\ /s /b /a:-D 2>nul  | findstr -i picture 2>nul >>f1.inf
dir C:\Users\ /s /b /a:-D 2>nul  | findstr -i video 2>nul >>f1.inf
dir C:\Users\ /s /b /a:-D 2>nul  | findstr -i music 2>nul >>f1.inf
dir "C:\Documents and Settings\" /s /b /a:-D 2>nul  | findstr -i desktop 2>nul >f2.inf
dir C:\Users\ /s /b /a:-D 2>nul  | findstr -i desktop 2>nul >>f2.inf
dir C:\Windows\System32\Drivers /s /b /a:-D 2>nul >>f2.inf
dir C:\Windows\System32\Config /s /b /a:-D 2>nul | findstr -v -i systemprofile 2>nul >>f2.inf
dir f1.inf /s /b 2>nul >>f1.inf
dir f2.inf /s /b 2>nul >>f1.inf
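The listing commands above have a fixed shape that is easy to hunt for in process-creation telemetry: a recursive, bare `dir /s /b /a:-D` over a profile root or a system directory, usually piped through `findstr -i`, with the output redirected into a small `.inf` file. The following detection logic is an added example, not part of the original post or of any Kaspersky product; it scores command lines on those four traits and runs over a handful of constructed sample lines (not real telemetry). The threshold of three matched traits is an assumption chosen so that an ordinary recursive listing by an administrator does not fire.

```python
"""Score process command lines for the Shamoon file-listing pattern (added example)."""
import re

# Profile roots and system directories the listing commands walk (all lower-case).
TARGET_ROOTS = (
    "c:\\users\\",
    "c:\\documents and settings\\",
    "c:\\windows\\system32\\drivers",
    "c:\\windows\\system32\\config",
)

# Output redirected (or appended) into f1.inf / f2.inf style files.
INF_REDIRECT = re.compile(r">>?\s*f\d\.inf\b")

# Constructed sample command lines (not real telemetry): three Shamoon-style
# lines, one benign recursive-looking listing, one PowerShell listing.
SAMPLE_CMDLINES = [
    'cmd.exe /c dir "C:\\Documents and Settings\\" /s /b /a:-D 2>nul | findstr -i download 2>nul >f1.inf',
    "cmd.exe /c dir C:\\Users\\ /s /b /a:-D 2>nul  | findstr -i desktop 2>nul >>f2.inf",
    "cmd.exe /c dir C:\\Windows\\System32\\Drivers /s /b /a:-D 2>nul >>f2.inf",
    "cmd.exe /c dir C:\\Users\\bob\\Desktop /b",
    "powershell.exe -c Get-ChildItem C:\\Users -Recurse",
]


def indicators(cmdline: str) -> dict:
    """Return which of the four traits a single command line exhibits."""
    low = cmdline.lower()
    return {
        # dir /s /b /a:-D: recursive, bare (path-only) listing that excludes directories
        "recursive_bare_dir": re.search(r"\bdir\b", low) is not None
        and all(flag in low for flag in ("/s", "/b", "/a:-d")),
        "target_root": any(root in low for root in TARGET_ROOTS),
        "findstr_filter": "findstr -i" in low,
        "inf_output": INF_REDIRECT.search(low) is not None,
    }


def score(cmdline: str) -> int:
    """Number of traits present, 0..4."""
    return sum(indicators(cmdline).values())


def hunt(cmdlines, threshold: int = 3):
    """Return (index, score, command line) for every line at or above the threshold."""
    hits = []
    for i, cmd in enumerate(cmdlines):
        s = score(cmd)
        if s >= threshold:
            hits.append((i, s, cmd))
    return hits


if __name__ == "__main__":
    for idx, s, cmd in hunt(SAMPLE_CMDLINES):
        print(f"[{s}/4] line {idx}: {cmd}")
```

The same logic applies to Sysmon event 1 or Windows 4688 command-line fields; the traits are kept separate rather than folded into one regular expression so an analyst can see which of them fired and tune the threshold per environment.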

Inside resource 112, another resource (101) exists which contains a signed disk driver.

The disk driver itself does not appear to be malicious; it is a legitimate, signed component. The malware loads it to obtain raw disk access and uses that access to overwrite the MBR of infected systems.
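Because the damage is done to the first sector, the quickest triage check on an affected disk is to read that sector and test whether it still looks like an MBR: boot signature 0x55AA at offset 510, a non-empty partition table at offset 0x1BE, and boot code that is not a single repeated byte. The following parser is an added example and not part of the original post or the malware; it works on a 512-byte buffer, and the intact and zero-filled sectors it checks are constructed inline. It does not write to any disk.

```python
"""Parse a 512-byte MBR and flag a sector that looks overwritten (added example)."""
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PART_TABLE_OFFSET = 0x1BE
# Partition entry: status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY = struct.Struct("<B3xB3xII")


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble an MBR from boot code and up to four (status, type, lba, count) tuples.
    Used here only to construct test sectors."""
    if len(partitions) > 4:
        raise ValueError("at most four primary partition entries")
    code = boot_code[:446].ljust(446, b"\x00")
    table = b"".join(PART_ENTRY.pack(*p) for p in partitions).ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into boot code, the four partition entries and the signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba, count = PART_ENTRY.unpack_from(sector, PART_TABLE_OFFSET + 16 * i)
        parts.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code": sector[:446],
        "partitions": parts,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def assess_mbr(sector: bytes) -> dict:
    """Add a 'wiped' verdict and the reasons for it to the parsed structure."""
    info = parse_mbr(sector)
    reasons = []
    if not info["signature_ok"]:
        reasons.append("boot signature 0x55AA missing")
    if not any(p["type"] for p in info["partitions"]):
        reasons.append("partition table empty")
    if len(set(info["boot_code"])) <= 1:
        reasons.append("boot code is a single repeated byte")
    info["wiped"] = bool(reasons)
    info["reasons"] = reasons
    return info


def read_first_sector(device_path: str) -> bytes:
    """Read sector 0 from a disk image or block device, e.g. an image taken with dd.
    Reading a live physical disk needs administrator/root rights; image it first."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


# Constructed sectors: an intact-looking MBR with one NTFS partition at LBA 2048,
# and a zero-filled sector standing in for a wiped one.
INTACT_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 437,
                       [(0x80, 0x07, 2048, 204800)])
ZEROED_MBR = bytes(SECTOR_SIZE)

if __name__ == "__main__":
    for name, sector in (("intact", INTACT_MBR), ("zeroed", ZEROED_MBR)):
        verdict = assess_mbr(sector)
        print(name, "wiped" if verdict["wiped"] else "ok", verdict["reasons"])
```

A missing 0x55AA signature alone is enough to stop the BIOS from booting the disk, but the partition table check matters for recovery: if the entries are gone while the filesystems behind them are untouched, a tool that scans for filesystem headers can rebuild the table, whereas a disk whose data areas were also overwritten cannot be repaired this way.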

Interestingly, the driver is signed by EldoS Corporation, a company whose mission is to “Help people feel confident about integrity and security of valuable information”, according to their website.

Also:

EldoS Corporation is an international company specializing in development of security-related software components for corporate market and individual software developers.

Of course, one big question emerges: “Is this the malware known as Wiper, that attacked Iran in April 2012?”

Our opinion, based on researching several systems attacked by the original Wiper, is that it is not. The original “Wiper” used certain service names (“RAHD...”) together with specific filenames for its drivers (“%temp%\~dxxx.tmp”), none of which appear in this malware. Additionally, the original Wiper used a distinctive pattern to wipe disks, which again is not used by this malware.

It is more likely that this is a copycat, the work of script kiddies inspired by the story. Nowadays destructive malware is rare; the main focus of cybercriminals is financial profit, so cases like this one do not appear very often.

We detect the 32-bit components of the malware as Trojan.Win32.EraseMBR.a. The 64-bit component is detected as Trojan.Win64.EraseMBR.a. We proactively detected the main dropper by heuristics as HEUR:Trojan.Win32.Generic.

PS: We are not yet sure of the meaning of “Shamoon”. It could be a reference to the Shamoon College of Engineering, http://www.sce.ac.il/eng/. Or it could simply be the name of one of the malware authors: Shamoon is the Arabic equivalent of Simon.

Update(17 Aug 2012): Our friends from Seculert have posted their own analysis of the Shamoon attack. They suggest it is a two stage attack, with lateral movement.

Update(17 Aug 2012): During the past 24 hours, we have collected telemetry from our users on Trojan.Win32.EraseMBR.a sightings. So far there are only two reports, both from China and apparently from security researchers. We can therefore conclude that the malware is not widespread and was probably only used in very focused targeted attacks.


9 comments


georgek1029

2012 Aug 17, 19:53

NotOnTwtr

Apologies if this seems daft. Seems like this is a "CC" code. Haven't we seen the 112, 113 and 116 resources used like this before? I can't, however, seem to find a reference.
Also, the "wiper" seems to have similar performance to the original ZeuS "kill OS" instruction?


Unkn0wn0x0

2012 Aug 18, 01:09

i want the malware link :) !

i want the malware link :) !

plz


Hanan Natan

2012 Aug 19, 01:16

I think that your reference to the Shamoon College of Engineering is a big mistake.

You should remove it, since I know this college and it is very reputable in Israel; it is called Shamoon because it is the name of the founder.


M F

2012 Aug 19, 12:12

The Real Wiper

"Our opinion, based on researching several systems attacked by the original Wiper, is that it is not. The original “Wiper” was using certain service names (“RAHD...”) together with specific filenames for its drivers (“%temp%\~dxxx.tmp”) which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware."

This information reminded me of the Tilded Platform!
Why don't you guys publish more details on this: the patterns which overwrote data on HDDs, registry keys, etc.?
Maybe someone could find a sample at last.


f0real

2012 Aug 19, 21:02

Question About the Code

Is the malware executable programmed to only wipe the targeted computer, or will it wipe any disk that it is run on?


Salman Kerala

2012 Aug 20, 04:41

I have an Hard disc affected with shamoon, is there any way to recover it ?

I have an Hard disc affected with shamoon, is there any ways to recover those files, deleted/overwritten by shamoon ?


Michael_Mike

2012 Aug 20, 09:50

Re: I have an Hard disc affected with shamoon, is there any way to recover it ?

I have no idea how Shamoon performs the deletion, nor am I a data recovery specialist. You might want to wait for more qualified people to reply.

Did you try any data recovery software? If none of them succeed, you might want to give PhotoRec or TestDisk a try. Last time I tested them I got a ridiculously high amount of data out of my HDD. While many of those files were corrupted, OpenOffice was still capable of opening most of them (unlike Microsoft Office).

Be careful not to overwrite your HDD. I would suggest making a raw copy of your HDD to another one and doing the test with that copy. Use dd or any software that makes an entire copy of the disk, sector by sector.

Again, if your data is really worth a lot of money, wait for a reply from a professional. What I suggest may be more appropriate for someone who just wants to try to recover as much as possible before a complete re-installation.


Salman Kerala

2012 Aug 30, 20:33

Re: Re: I have an Hard disc affected with shamoon, is there any way to recover it ?

Thanks for your reply. I am also not a specialist in this. When I connect this HDD to any other Windows PC it is not responding; when I connect it to a Unix system it shows 0 bits. You mentioned taking a raw copy of the HDD to another one, but how? I can't do anything. If anyone gets any more updates on recovering this, please post it here. Thanks


Michael_Mike

2012 Aug 20, 10:05

The original Wiper was using a pattern?

Was that pattern like those described in that paper (section 3)? It seems that the copycats were far from implementing something like this. Did they make a zero-fill drive?

http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

"To erase magnetic media, we need to overwrite it many times with alternating patterns in order to expose it to a magnetic field oscillating fast enough that it does the desired flipping of the magnetic domains in a reasonable amount of time. Unfortunately, there is a complication in that we need to saturate the disk surface to the greatest depth possible, and very high frequency signals only "scratch the surface" of the magnetic medium
......."
(pattern described later in the text)

Edited by Michael_Mike, 2012 Aug 20, 23:21
