Today news broke that at least one organization in the energy sector was hit by malware named Shamoon or DistTrack. We’ve been looking at the related malware samples and can confirm that Websense products that have our Advanced Classification Engine (ACE) have had proactive detection in place since 13 December, 2010, more than 18 months prior to this attack.
Once it is running, the malware is very aggressive and destructive, something that is rarely seen in attacks. Most attacks are designed to persist on a system for a long period of time. Shamoon/DistTrack does the opposite: it overwrites files on the hard drive, then overwrites the master boot record (MBR), rendering the computer unbootable.
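The MBR overwrite described above leaves a recognisable signature on a forensic disk image. The following Python script is an added example, not code from Websense or from the original post: it parses the first 512-byte sector of an image, checks the 0x55AA boot signature, the bootstrap area and the four partition entries, and reports the findings an analyst would use to triage a suspected wiper victim. The sample sectors (a constructed healthy MBR, an all-zero sector and a uniform 0xFF fill with an intact signature) are built inline so the script runs offline; none of them is taken from a Shamoon sample.

```python
import struct
import sys
from typing import Dict, List

MBR_SIZE = 512
BOOTSTRAP_LEN = 446          # bootstrap code occupies bytes 0..445
PARTITION_TABLE_OFF = 446    # four 16-byte entries follow at 446..509
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa" # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> Dict:
    """Split a 512-byte MBR into bootstrap code, partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * PARTITION_ENTRY_LEN
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) count(4)
        status, ptype, lba_start, sector_count = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({
            "status": status,
            "type": ptype,
            "lba_start": lba_start,
            "sector_count": sector_count,
        })
    return {
        "bootstrap": sector[:BOOTSTRAP_LEN],
        "partitions": partitions,
        "signature": sector[510:512],
    }


def assess_mbr(sector: bytes) -> List[str]:
    """Return a list of findings; an empty list means the MBR looks structurally sound."""
    findings: List[str] = []
    mbr = parse_mbr(sector)
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    boot = mbr["bootstrap"]
    if len(set(boot)) == 1:
        # Real bootstrap code is varied machine code; a single repeated byte means it was wiped.
        findings.append("bootstrap code is a uniform fill (0x%02x)" % boot[0])
    usable = [p for p in mbr["partitions"] if p["type"] != 0 and p["sector_count"] > 0]
    if not usable:
        findings.append("no usable partition entries")
    for idx, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):  # only "inactive" and "bootable" are legal
            findings.append(f"partition {idx}: invalid status byte 0x{p['status']:02x}")
    return findings


def assess_disk_image(path: str) -> List[str]:
    """Read sector 0 of a raw image file and assess it."""
    with open(path, "rb") as fh:
        return assess_mbr(fh.read(MBR_SIZE))


def build_partition_entry(status: int, ptype: int, lba_start: int, sector_count: int) -> bytes:
    """Construct one partition-table entry (CHS fields are filled with placeholder values)."""
    return struct.pack("<B3sB3sII", status, b"\x00\x01\x00", ptype, b"\xfe\xff\xff",
                       lba_start, sector_count)


# --- constructed sample sectors (not from any real disk or malware sample) ---
_BOOTSTRAP = bytes((i * 37 + 11) & 0xFF for i in range(BOOTSTRAP_LEN))  # varied filler bytes
HEALTHY_MBR = (_BOOTSTRAP
               + build_partition_entry(0x80, 0x07, 2048, 204800)  # one bootable NTFS-type entry
               + b"\x00" * (3 * PARTITION_ENTRY_LEN)
               + BOOT_SIGNATURE)
WIPED_MBR = b"\x00" * MBR_SIZE                          # fully zeroed sector
TRASHED_MBR = b"\xff" * 510 + BOOT_SIGNATURE           # garbage with the signature left intact

if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            print(path, assess_disk_image(path) or ["ok"])
    else:
        for name, sec in (("healthy", HEALTHY_MBR), ("wiped", WIPED_MBR), ("trashed", TRASHED_MBR)):
            print(name, assess_mbr(sec) or ["ok"])
```

Run it with one or more raw image paths to triage real evidence, or with no arguments to see the three constructed cases. The signature check alone is not enough: the 0xFF case shows a sector that still carries 0x55AA yet has no valid bootstrap code and illegal status bytes, which is why the script also inspects the bootstrap area and each partition entry.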
The malware consists of three components:
- Dropper – This is the most essential component in that it installs the malware. It is also the file that ACE has been detecting.
- Wiper – This is the component that overwrites files and the MBR.
- Reporter – This module reports a list of found files to the C&C.
As mentioned earlier, the Dropper has been detected since 13 December, 2010. Detection for the Wiper and Reporter components was added this morning.
When the Dropper executes, it installs several files on the system, including a signed driver (not itself malicious) that is used to interact with the file system. We are not sure how the malware writers were able to sign the file using a third-party organization’s certificate. Most likely it was stolen in a previous attack.
Here are some MD5s of samples involved in this attack:
We're continuing to monitor the situation.