How Seculert Discovered Shamoon
•Als PPTX, PDF herunterladen•
1 gefällt mir•2,677 views
Seculert discovered a new attack targeting several specific companies in a few industries. The attack is called “Shamoon,” due to a string of a folder name within the malware executable (“C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb”). The interesting part of this malware is that instead of staying under the radar and collecting information, the malware was designed to overwrite and wipe the files and the Master Boot Record (MBR) of the computer. Why would someone wipe files in a targeted attack and make the machine unusable? Blog: http://www.seculert.com/blog/2012/08/shamoon-two-stage-targeted-attack.html
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Empfohlen
Empfohlen (20)
How Seculert Discovered Shamoon
- 1. How Seculert Discovered the Shamoon Malware © 2013 Seculert Company, All Rights Reserved
- 2. • Shamoon is a 2-stage attack targeting Oil & Energy companies • Comprised of 3 modules – Dropper – Reporter – Wiper • Extracting data via an internal infected machine proxy 2 Shamoon TargetedAttack #seculertjuly2013© 2013 Seculert Company, All Rights Reserved
- 3. • Spreading itself on the local network via Scheduled Tasks • Abuse a legitimate & signed RawDisk driver to wipe MBR • Wiper module Time Bomb – Wipe drive and MBR at specified dates and times – Others copycat this capability Shamoon TargetedAttack #seculertjuly2013© 2013 Seculert Company, All Rights Reserved 3
- 4. • Initial attack vector is still unknown – Physical access / Insider – Partner – Spear phishing • Time based attack (time bomb) • Worm spreading in local network • Using local machine as a proxy • Most of the victim companies were using solutions which are focused on prevention Shamoon – Why It Wasn’t Prevented #seculertjuly2013 4© 2013 Seculert Company, All Rights Reserved
- 5. • A customer uploaded a suspicious file to the Seculert Elastic Sandbox • Malware behavioral profile was automatically created • Shamoon was detected on another customer using Big Data analysis of their gateway traffic logs • Customers use Seculert API to enhance their on-premises security devices to protect against Shamoon How Seculert Identified Shamoon #seculertjuly2013 5© 2013 Seculert Company, All Rights Reserved
- 6. From Prevention to Protection Persistent attacks require a new approach Big Data analytics Long-term analysis Advanced malware profiling Automated expertise #seculertjuly2013 6© 2013 Seculert Company, All Rights Reserved
- 7. Let Seculert Detect Unknown Malware on Your Network Sign-up Now Immediate Results – No Credit Card Required – Initial Results are FREE! © 2013 Seculert Company, All Rights Reserved
Hinweis der Redaktion
- Shamoon stagesData extractionWiping machines Internal proxy used for both Dropper and Reporter. Worm capabilities to spread itself, by trying to create a scheduled task on remote LAN machines.
- Creating scheduled tasks on remote machines on the local networkEldos signed Internal proxy used for both Dropper and Reporter. Worm capabilities to spread itself, by trying to create a scheduled task on remote LAN machines.