Alarm about the Disttrack/Shamoon Malware
I got this handy email from Trend Micro and would like to share it with you:
Disttrack/Shamoon Malware Overwrites Files
Last week, reports of Disttrack/Shamoon malware, which overwrites files and infects the Master Boot Record (MBR) of infected systems, surfaced. Trend Micro detects the said malware as WORM_DISTTRACK.A via pattern file 9.328.04.
Currently, its arrival method is still undetermined. It is found to spread to other computers by dropping copies of itself in administrative shares. Its dropped copy may use file names such as clean.exe or dvdquery.exe.
How it works:
Shamoon is unusual because it goes to great lengths to ensure destroyed data can never be recovered, something that is rarely seen in targeted attacks. It has self-propagation capabilities that allow it to spread from computer to computer using shared network disks. It drops two primary components: TROJ_WIPMBR.A and TROJ_DISTTRACK.A.
TROJ_WIPMBR.A gathers the files to be infected in the computer. It then overwrites disks with a small portion of a JPEG image found on the Internet. Once overwritten, these files can no longer be restored or opened.
On the other hand, TROJ_DISTTRACK.A serves as the communicator. TROJ_WIPMBR.A passes the list of files it infects to TROJ_DISTTRACK.A. TROJ_DISTTRACK.A then creates a connection to an IP and sends the list of files, along with the IP address of the infected computer. It also uses what appears to be a legitimate system driver to gain low-level access to a hard drive so it can wipe the master boot record Windows machines rely on to boot up. The malware also reports back to the attackers with information about the number of files that were destroyed, the IP address of the infected computer, and a random number.
How to identify an infection:
Unlike most malware, which rarely destroys files or wipes the Master Boot Record, Shamoon cripples the victim's computer once it has stolen the data, and the machine is rendered unusable. However, PC virus logs will still be able to indicate whether an infection has occurred.
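Two of the indicators in the note above can be checked offline: copies named clean.exe or dvdquery.exe sitting in administrative shares, and a sector 0 that no longer looks like a bootable MBR (no 0x55AA signature, no usable partition entry). The script below is an added example written for this post, not Trend Micro's or my own tooling. The share listing and the disk sectors it examines are constructed sample data; the bytes used for the overwritten sector are an arbitrary stand-in, since the note does not say which part of the JPEG is written to disk.

```python
import struct
from pathlib import PureWindowsPath

# Copy names the Trend Micro note reports for the worm's dropped copies.
DROPPER_NAMES = {"clean.exe", "dvdquery.exe"}

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR
PART_TABLE_OFFSET = 446           # four 16-byte partition entries start here


def build_mbr(partitions):
    """Construct a 512-byte MBR from (status, type, lba_start, sector_count) tuples.
    Test-data helper only; the bootstrap code area is left zeroed."""
    mbr = bytearray(SECTOR)
    for i, (status, ptype, lba, count) in enumerate(partitions[:4]):
        off = PART_TABLE_OFFSET + 16 * i
        mbr[off] = status
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, lba, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def partition_entries(mbr):
    """Yield (status, type, lba_start, sector_count) for the four primary slots."""
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba, count = struct.unpack_from("<II", mbr, off + 8)
        yield status, ptype, lba, count


def mbr_is_intact(mbr):
    """True when sector 0 still looks like a usable MBR: correct length, 0x55AA
    boot signature, and at least one partition entry with a non-zero type,
    a non-zero length and a valid status byte (0x00 inactive or 0x80 bootable).
    A sector overwritten with image data fails the signature check; a sector
    whose partition table was zeroed fails the entry check."""
    if len(mbr) != SECTOR or mbr[510:512] != BOOT_SIGNATURE:
        return False
    return any(
        ptype != 0 and count > 0 and status in (0x00, 0x80)
        for status, ptype, _lba, count in partition_entries(mbr)
    )


def read_sector0(path):
    """Read the first 512 bytes of a raw disk image (or a raw device such as
    \\\\.\\PhysicalDrive0 on Windows, which needs administrator rights)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


def suspicious_share_files(paths):
    """Return the UNC paths whose file name matches a known dropper name,
    case-insensitively, so a sweep of \\\\host\\ADMIN$ and \\\\host\\C$ can be triaged."""
    return [p for p in paths if PureWindowsPath(p).name.lower() in DROPPER_NAMES]


# Constructed sample data (not real captures).
HEALTHY_MBR = build_mbr([(0x80, 0x07, 2048, 204800)])   # one bootable NTFS partition
# Arbitrary image-like bytes repeated across the whole sector; stands in for the
# JPEG fragment the note describes, whose exact content is not given.
WIPED_MBR = (b"\xff\xd8\xff\xe0\x00\x10JFIF" * (SECTOR // 10 + 1))[:SECTOR]
SAMPLE_SHARE_LISTING = [
    r"\\WS01\ADMIN$\clean.exe",
    r"\\WS01\C$\Windows\System32\DvdQuery.exe",
    r"\\WS01\C$\Program Files\Vendor\setup.exe",
]

if __name__ == "__main__":
    cases = (("healthy", HEALTHY_MBR), ("overwritten", WIPED_MBR),
             ("table zeroed", build_mbr([])))
    for label, sector in cases:
        print(f"{label:13s} intact={mbr_is_intact(sector)}")
    for hit in suspicious_share_files(SAMPLE_SHARE_LISTING):
        print("dropper name found:", hit)
```

Run it against a dd image of a suspect disk with read_sector0() and against a directory listing of each host's ADMIN$ and C$ shares; a file-name hit on its own is only a lead (legitimate software can use the same names), while a failed MBR check on a machine that will no longer boot is a much stronger signal.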