Tag Archive | Shamoon

The Damage Swell of Saudi Aramco Attack

The New York Times reported about the damages of the attacks on Saudi Aramco, a Saudi Arabian oil firm. The article stated the following, blaming Iran for the attacks on Saudi Aramco along with supporting evidence:

That morning, at 11:08, a person with privileged access to the Saudi state-owned oil company’s computers, unleashed a computer virus to initiate what is regarded as among the most destructive acts of computer sabotage on a company to date. The virus erased data on three-quarters of Aramco’s corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag.

United States intelligence officials say the attack’s real perpetrator was Iran, although they offered no specific evidence to support that claim. But the secretary of defense, Leon E. Panetta, in a recent speech warning of the dangers of computer attacks, cited the Aramco sabotage as “a significant escalation of the cyber threat.” In the Aramco case, hackers who called themselves the “Cutting Sword of Justice” and claimed to be activists upset about Saudi policies in the Middle East took responsibility.

Intelligence officials are still investigating the nature of the RasGas hack also, because it is related to this attack, which involved a malware called Shamoon.

The investigations of Saudi Aramco and RasGas, Qatar’s top natural gas firm, are coming together. Most of the cyberattacks this year have been aimed at erasing data on energy companies’ computers. More updates to come.

Flame malware command-and-control servers reveal earlier origins, among other links

Government malware, Flame, Stuxnet, etc. is expanding and becoming more of a problem. Computer systems are getting even more inventive, but not at the alarming rate that dangerous malware is expanding. There may be more links other than Stuxnet for Flame.

First, computer systems are created for specific purposes, and have been for about forty years now. However, some of the newer computer systems are created to become like robots, which means that the computer system works on its own without user intervention. But, what happens when malware targets the core computer systems of oil industries, energy companies, military plants, etc.? It can cause dangerous and severe consequences if the system were to become compromised.

Second, the Flame malware became uprising just this past May, where it infected over 1000 computers, according to Kaspersky Lab. The victims of the first attack included governmental organizations, educational institutes, and personal users. Most of the attacks were central over West Asia, including Iran, Israel, Syria, Saudi Arabia, Egypt, among others. Supporting a kill command, which would eliminate all traces of the malware from the computer attacked, this command was sent soon after the malware’s exposure. Right now, there are no reported active infections of Flame, or other variants being created.

However, there are derivatives of the Flame malware being created. We reported a few weeks ago about Shamoon being actively distributed using its skiddie approach. There are other links that were recently found (like Gauss) that can relate Flame to command-and-control usage back to 2006. Which means this Flame project could be as much as 6 years old, or is related to malware from then.

Instead of looking like a botnet interface, the Flame command centers look more like content-management systems (CMS), and have many other new approaches. One of its approaches included the three fraudulent certificates, which Microsoft patched to block them back in June.

More news about the findings and C&C servers were fully unveiled to the recent Flame investigation by Kaspersky Lab and the news from Symantec (PDF). Researchers at Kaspersky Lab state they were suspicious about the findings of a development link to Stuxnet back in June, when communication was eavesdropped between the team.

Some of the key developers behind all of this situation include speculation of the US & Israel combined. However, there is no known evidence backing these claims, except for what researchers can reveal about coding types and other methods used.

Much of the articles by Kaspersky Lab and Symantec include the following speculations as well:

  • Four programmers at least tag-teamed on the job of development as their nicknames were left in the code.
  • One-server called home 5000 victim machines during just a one-week period in May, suggesting at least 10,000 victims.
  • The infections weren’t just focused on one-group of organizations or people, but in separate groups of targets in many countries.
  • Many of the targets focused a lot on Iran and Sudan.
  • Different custom protocols were used to communicate with the servers, not just one protocol. Meaning that there were at least four different protocols used to communicate to the servers.
  • Tons of data was stolen, which 5.5 GBs was reported in just one week of data-mining from the malware.
  • The attackers are either mining for government information, or attempting to gain military intelligence.

The developers behind the Flame malware have a lot more secrets, which are being unveiled. More ties are being linked to Stuxnet and Flame, and when the information becomes available, it’ll be here on seCURE Connexion’s blog. The Flame developers obviously have a lot of nerve developing these cyber-weapons. But, many politicians and security experts have warned of this information warfare for years. Here we are at the peak!

To protect your computer from hackers, use Kaspersky’s PURE Total Security:
Kaspersky PURE Total Security

RasGas energy company hacked

One of Qatar’s natual gas companies, RasGas, is the next victim of a cyberattack against an energy company so far in the past month. After following the attack against Saudi Aramco, this attack comes in a similar form: infecting each machine with a virus (of course) causing the company to disable internet access to block the hacker. This disables the ability to fully communicate business across servers of the company.

According to Security Affairs, (As occurred in the case of Saudi Aramco) the malware was not affecting gas extraction and critical processing.

In Saudi Aramco, the Shamoon malware was blamed, and it may be a benefactor in this case, as well. Reporters say there is no damage to any other thing in the company, and it will not take long to clear this problem.

Trojan Shamoon Flawed and Not Up-to-Speed

As we reported a few days ago, Shamoon is a new trojan malware that has the ability to take control of a computer and then infect the MBR. However, from a full study, it does not appear to be as “up-to-speed” as researchers thought.

ThreatPost reports on the issues: “Some clumsy coding discovered during an analysis of the Shamoon malware has led researchers to conclude that it is probably not related to the Wiper malware that hit some Iranian networks recently and likely isn’t the work of serious programmers.”

“This error indirectly confirms our initial conclusion that the Shamoon malware is not the Wiper malware that attacked Iranian systems,” wrote Kaspersky Lab researcher Dmitry Tarakanov in a Securelist post.

Instead, researchers are seeing that the Shamoon malware only steals data from the machine, before infecting the MBR. Some consider the work of Shamoon malware, like we also do, the work of a skiddie.

Also, it seems the malware is misbehaved, because it relies on a Windows Service, set to Start and Run Automatic. If the Service is stopped, half the malware doesn’t work. This kind of peculiar sense shows that this Shamoon malware may just be a test of the abilities of the hacker, and could possibly lead to other complicative malware.

As usual, stay tuned here for more updates in the future on the Shamoon malware.


New Trojan Malware “Shamoon” Overwrites Files, Infects MBR

Get some Popchips and have seat and read the newest info about a new MBR-infecting malware. Now, let’s keep in mind these won’t be new techniques, just a new name for an old technique.

According to Israeli security company Seculert, Shamoon relies on a one-two punch, first taking control of a system connected to the Internet before spreading to other PCs on an organization’s network.

The second stage — which kicks off after the malware has done its dirty work — overwrites files and the Master Boot Record (MBR) of the machine. The latter makes the PC unbootable. via ComputerWorld

For the attacking process, it also allows the command-and-control server to be in effect from a second computer (huh?), in which the first computer originally communicated that data to. Which means, there is an alternative trojan being used on the second computer that accepts the data and communicates to the servers for the hackers privately.

We call this second computer a “master”. Which means it is the core computer used to send data to the server. This second computer can accepts data from multiple computers, not just one first computer (hope that makes sense). This is a similar method to the botmasters we see on the IRC networks. Very similar work done, except only automatic.

Shock is found that malware is crippling the computer, after the data is stolen. Normally, malware writers or hackers tend to just withdraw from a computer and no damage is done, except maybe one or two infected files. It is unknown at this point what the algorithm is to overwrite the files, but it is known that the MBR shall be infected in this process.

What does this malware like to overwrite though? Documents, pictures, videos, etc. It likes to kill personal, salvageable data. Sadly, even after removing the malware, your data cannot be recovered. It doesn’t hold it for ransom. It just overwrites it. Right now, it is also unknown whether or not it overwrites the files with malicious code that – when executed – will distribute more malware to the computer. That is… if the computer can be disinfected of the MBR infection first… and hopefully the operating system is accessed.

In the end, it’s just another malware to be removed!

Now, time for technical details:

Main files:

Reporting agent (keeps in touch with hacker) %systemroot%\system32\netinit.exe

Dropper (distributed malware on system) %systemroot%\system32\trksrv.exe

Kernel Mode Driver (clean driver used to gain root access, so MBR can be infected) %systemroot%\system32\drivers\drdisk.sys

File wiping module (literally wipes files on the system) %systemroot%\system32\[RANDOM_NAME].exe

Service information for trksrv.exe:

Display Name: Distributed Link Tracking Server

Service name: TrkSrv

File name: trksrv.exe

After done with its MBR deletion or modification methods, you may get one of few messages on system startup:

  • Operating System not found (75% of the time probably)
  • (Windows Advanced Options Menu Appears) Windows has failed to start… (10% of the time probably)
  • Blue Screen of Death (other 15% of the time probably)

The statistics in parentheses are only speculation. It is imagined that no matter what, system failure or unlikely to boot is caused by this malware. Beware!


Purchase Malwarebytes’ Anti-Malware to protect against the download and install of computer-controlling malware.

In addition, it is best to have a good data backup plan, in order to prevent damage due to malware like this. Please consider the following as a purchase of your next protection method:

%d bloggers like this: