Virus wist computers in Midden-Oosten

donderdag 16 augustus 2012, 17:29 door Redactie, 6 reacties

Het Noorse anti-virusbedrijf Norman meldt dat het een virus heeft ontdekt dat computers in het Midden-Oosten zou wissen. DistTrack, zoals de malware wordt genoemd, installeert zichzelf als een service op besmette computers genaamd TRKSVR.EXE. Na een korte periode overschrijft DistTrack alle uitvoerbare bestanden alsmede verschillende delen van de harde schijf, waardoor gegevens niet meer te herstellen zouden zijn.

In de ontsleutelde gedeelten van het virus troffen onderzoekers de projectnaam C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb aan. Verdere details ontbreken nog, maar Norman wijst naar geruchten dat DistTrack achter "vernietigende acties" in het Midden-Oosten zou zitten. Vandaag werd bekend dat het grootste oliebedrijf ter wereld, het Saoedische Saudi Aramco, door malware was besmet. Of het om hetzelfde virus gaat is onbekend.

Reacties (6)
16-08-2012, 18:14 door Anoniem
Omslachtig zeg, maak dan een nep directory entry
16-08-2012, 20:11 door Anoniem
Dat is inderdaad hetzelfde virus.....
17-08-2012, 07:28 door Anoniem
Meer info:
17-08-2012, 07:31 door grrr
Meer info:

Sourcefire is aware of at least one ongoing incident in the energy vertical involving a threat named "DistTrack". This is a new, destructive threat that has not perviously been seen in the wild. At this time, the earliest known sightings were on 8/14. Preliminary indications are that this malware is currently targetted in nature as no wide-spread activity has been detected.

This threat involves several files that perform different functions. The core of the malware set is a 32-bit executable named trksvr.exe and is internally identified as "Distributed Link Tracking Server". This file purports to be from Microsoft Corporation with a version number of 5.2.3790.0. This file is responsible for dropping additional files involved in the malware set. In some cases this file has been reported as str.exe.

The trkssvr.exe file drops three files: a reporter executable, a data destruction executable and 64-bit executable, also named tsksvr.exe that runs as a service. The reporter executable is responsible for communicating with a C&C server. An interesting part of this executable is that its hard-coded with the C&C address in the .rdata block, as well as a URL for communicating. The URL in .rdata is /ajax_modal/modal/data.asp and the construct for reporting is http://%s%s?%s=%s&%s=%s&state=%d (you'll see the parameter names mydata and uid as separate unicode strings in .rdata as well). While communicating with the C&C server, it uses "you" as the user-agent string. The request appears on the wire as:

GET /ajax_modal/modal/data.asp?mydata=AA==&uid=aaa.bbb.ccc.ddd&state=3067203 HTTP/1.0
User-Agent: you

The danger from this malware comes from the data destruction component. In short, this application does not pull any punches. Four hours after infection, it overwrites data files with a portion of a jpeg file, targetting files in "Documents and Settings", "Users", "Windows\System32\Drivers and "Windows\System32\Config". Once this is done the file overwrites the MBR of the machine, rendering it unable to boot. Any analysis of this malware should occur only on virtual machines or on computers you are ready to completely rebuild.

Analysis of this threat and its behavior in the wild are ongoing. Detection for these threats is already in place for FireAMP, Snort and ClamAV. In IPS mode, Snort will prevent contact with the command and control server and identify infected hosts. Protection is provided by ClamAV and FireAMP. Additionally, FireAMP's Threat Root Cause and quarantining capability will provide additional incident response and mitigation capability. Here is a list of currently available detection:

FireAMP : W32.Distrack.AP
ClamAV : Win.Trojan.DistTrack
ClamAV : Win.Trojan.DistTrack-1
Snort: BOTNET-CNC Win.Trojan.DistTrack command and control traffic (23893)
Snort: BLACKLIST User-Agent known malicious user agent - you", (23903)

Additional detection will be released as analysis and research generate further actionable data.

You know, it isn't often that we can say something is targeted and also talk about a widely distributed, devastating payload like this one. While all the facts aren't yet available, someone somewhere made a very interesting decision.
17-08-2012, 08:54 door [Account Verwijderd]
17-08-2012, 13:29 door NepZeb
En hoeveel milliseconden is dat dan van jou vandaan?

Deze posting is gelocked. Reageren is niet meer mogelijk.