
Attack vector differs slightly from "Wiper", the malware used to attack the Iranian oil industry

U.S. and Israeli intelligence teams are suspected of using a malware package named "Flame", with tools bearing names like "Wiper", in a concerted campaign designed to cripple Iran's oil industry, a key supplier of Chinese demand and the lifeblood of the Middle Eastern giant's economy.

But now the U.S. energy sector finds itself under attack by a somewhat similar piece of malware dubbed Shamoon or Disttrack by researchers at Symantec Corp. (SYMC) and Intel Corp. (INTC) subsidiary McAfee.

The malware is named for its resident directory -- C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb  -- which, of course, is likely to change as new variants pop up.  Shamoon means "Simon" in Arabic.  There's also Shamoon College of Engineering in Israel -- another possible local name connection.

The malware's compilation directory contains the string "wiper", making it clear that the authors intended it as at least a homage to the Iran-targeting Wiper.  But Kaspersky Lab says that unlike Stuxnet -- where the U.S.'s anti-Iranian code was decompiled and used by malicious hackers -- the new malware is likely only an imitation, not a repackaging.
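The path quoted above is the kind of string a defender can pull out of a suspect binary's debug record during triage. The sketch below is an added example, not code from this article or from the researchers it cites; it assumes the standard CodeView "RSDS" record layout (4-byte signature, 16-byte GUID, 4-byte age, NUL-terminated path), and its sample blobs are constructed test data, not real executables.

```python
import struct

# Path components taken from the PDB path quoted in the article.
SUSPICIOUS_COMPONENTS = {"shamoon", "arabiangulf", "wiper"}

def extract_pdb_paths(data: bytes) -> list:
    """Return PDB paths found in CodeView 'RSDS' debug records in a byte blob."""
    paths, pos = [], data.find(b"RSDS")
    while pos != -1:
        start = pos + 4 + 16 + 4          # skip signature + GUID + age
        end = data.find(b"\x00", start)   # the path is NUL-terminated
        raw = data[start:end] if end != -1 else b""   # truncated record -> skipped
        # Reject chance hits: require a short printable-ASCII path ending in .pdb
        if 4 < len(raw) <= 260 and raw.lower().endswith(b".pdb") \
                and all(0x20 <= c < 0x7F for c in raw):
            paths.append(raw.decode("ascii"))
        pos = data.find(b"RSDS", pos + 1)
    return paths

def flag_pdb_path(path: str) -> set:
    """Return the suspicious directory or file-stem names present in a PDB path."""
    parts = {p.lower() for p in path.replace("/", "\\").split("\\")}
    stems = {p.rsplit(".", 1)[0] for p in parts}
    return (parts | stems) & SUSPICIOUS_COMPONENTS

def make_sample(pdb_path: str) -> bytes:
    """Constructed test blob: padding + one RSDS record + padding (not a real PE)."""
    record = (b"RSDS" + bytes(16) + struct.pack("<I", 1)
              + pdb_path.encode("ascii") + b"\x00")
    return b"MZ" + bytes(64) + record + bytes(32)

def scan(data: bytes) -> dict:
    """Map each flagged PDB path to the sorted list of components that matched."""
    hits = {}
    for path in extract_pdb_paths(data):
        matched = flag_pdb_path(path)
        if matched:
            hits[path] = sorted(matched)
    return hits

if __name__ == "__main__":
    print(scan(make_sample(r"C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb")))
    print(scan(make_sample(r"C:\build\app\release\app.pdb")))
```

A match is a triage lead rather than a verdict: build paths change between variants, and an unrelated project can legitimately contain a directory named "wiper".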

The code uses different file and service names than the original Wiper.  It also attacks with a different pattern, though the net goal is the same -- to destroy hard drive data on infected energy sector computers.

Kaspersky Lab's analysis team writes, "It is more likely that this is a copycat, the work of script kiddies inspired by the story."

But if script kiddies wrote the malware, they must be some pretty good ones.  The malware has advanced networked propagation code, and overwrites the hard drive with a JPEG image found on the internet, preventing data recovery.  While not exactly rocket science, those little touches are the kinds of sophistication oft overlooked by novice hackers.

[Image: Saudi Arabia. Caption: Shamoon may have struck Saudi Arabia's oil industry, though infections are limited. Image source: CNBC]

The state-owned Saudi Arabian Oil Comp., the world's largest oil producer and privately held company, announced this week that it was struck by a malware attack.  It was unclear, however, whether Shamoon or a similar variant was responsible for the attack on one of America's largest foreign oil suppliers.

What is clear, based on expert reports, is that the extent of infections is small, with Symantec reporting fewer than 50 systems infected.

Sources: Symantec, McAfee
