The Shamoon Attacks Continue

Symantec Security Response has been investigating further reports of infections of W32.Disttrack, the threat used in the Shamoon attacks. W32.Disttrack is a highly destructive threat that destroys files and the master boot record (MBR) of the infected computer, causing maximum disruption.

W32.Disttrack uses a hardcoded wiping date, which is read from a variably named .pnf file it creates on the filesystem. It periodically checks this date and, once the date has passed, drops and executes the wiper component. The wiper component wipes the following, in order:

  1. A prioritized list of files
  2. Master boot record
  3. Active partition

The list of prioritized files contains the wiper components themselves and files contained in the following folders:

  • %SystemDrive%\Documents and Settings
  • %SystemDrive%\Users
  • %SystemDrive%\Windows\System32\Config

It is specifically targeting files within subfolders containing the following names:

  • download
  • document
  • picture
  • music
  • video
  • desktop

A new variant wipes files by overwriting them using 192 KB blocks of randomly generated data, compared to the previous version that used 192 KB blocks filled with a partial JPEG image of a burning United States flag.

The initial infection vector remains unconfirmed and may vary in different organizations, but once W32.Disttrack is inside a network, it will attempt to spread to every computer within the local area network through network shares. While Shamoon may piggyback on existing machine-to-machine credentials, typically Shamoon attackers have gained access to domain credentials and the domain controller itself, allowing them access to all computers on the local domain.

Once a target is found, it will attempt to open and close the following files to determine that it has access:

  • \\[TARGET IP]\ADMIN$\system32\csrss.exe
  • \\[TARGET IP]\C$\WINDOWS\system32\csrss.exe
  • \\[TARGET IP]\D$\WINDOWS\system32\csrss.exe
  • \\[TARGET IP]\E$\WINDOWS\system32\csrss.exe

If successful, it will then copy itself to the remote system32 directory and attempt to execute itself using psexec.exe. If unsuccessful, it will try to load itself as a remote service. Once it has successfully looped through all target computers, it will delete itself.
 

DETECTION AND RECOVERY

For customers concerned that they may be impacted by this threat, Symantec Security Response provides the following recommendations:

Prevent infections

  • Ensure network shares are secured and open shares are not allowed
  • Prevent write access to executable files in the system32 directory
  • Detect the presence of psexec.exe
  • Detect network based access to csrss.exe
  • Audit the use of domain credentials and monitor access to the domain controller
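One way to implement the "network based access to csrss.exe" check, as an added example that is not Symantec's code: it scans Windows Security event 5145 records (detailed file share auditing) for the four csrss.exe paths listed above and reports sources that touch them on more than one host. It assumes the events were exported to dictionaries with the standard 5145 field names; the `min_hosts` threshold and the sample records are constructed for illustration.

```python
from collections import defaultdict

# Share / relative-path pairs the page says W32.Disttrack opens to test access.
PROBE_PATHS = {
    ("admin$", r"system32\csrss.exe"),
    ("c$", r"windows\system32\csrss.exe"),
    ("d$", r"windows\system32\csrss.exe"),
    ("e$", r"windows\system32\csrss.exe"),
}

def is_probe(event):
    """True if a 5145 record matches one of the csrss.exe access checks."""
    if event.get("EventID") != 5145:
        return False
    # ShareName is logged as \\*\ADMIN$; keep only the final component.
    share = event.get("ShareName", "").rsplit("\\", 1)[-1].lower()
    path = event.get("RelativeTargetName", "").strip("\\").lower()
    return (share, path) in PROBE_PATHS

def find_probing_sources(events, min_hosts=2):
    """Map source IP -> sorted target hosts, for sources probing >= min_hosts.

    min_hosts is an assumed threshold: one hit can be an admin tool, while the
    same source repeating the check across hosts matches the spreading loop.
    """
    targets = defaultdict(set)
    for ev in events:
        if is_probe(ev):
            targets[ev.get("IpAddress", "unknown")].add(ev.get("Computer", "unknown"))
    return {src: sorted(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_hosts}

def _ev(computer, ip, share, path, event_id=5145):
    """Build one constructed sample record (hypothetical helper)."""
    return {"EventID": event_id, "Computer": computer, "IpAddress": ip,
            "ShareName": share, "RelativeTargetName": path}

# Constructed sample events, not taken from a real incident.
SAMPLE_EVENTS = [
    _ev("WS-014", "10.0.5.23", r"\\*\ADMIN$", r"system32\csrss.exe"),
    _ev("WS-015", "10.0.5.23", r"\\*\C$", r"WINDOWS\system32\csrss.exe"),
    _ev("WS-016", "10.0.5.23", r"\\*\D$", r"WINDOWS\system32\csrss.exe"),
    _ev("FS-01", "10.0.7.40", r"\\*\C$", r"Users\alice\report.docx"),
    _ev("WS-014", "10.0.9.9", r"\\*\ADMIN$", r"system32\csrss.exe"),
    _ev("WS-015", "10.0.5.23", r"\\*\C$", "", event_id=5140),
]

if __name__ == "__main__":
    for src, hosts in find_probing_sources(SAMPLE_EVENTS).items():
        print(f"{src} checked csrss.exe over admin shares on: {', '.join(hosts)}")
```

Event 5145 is only logged when the "Audit Detailed File Share" policy is enabled on the target computers.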

Identifying infections

Run a full scan of all machines. W32.Disttrack components will be detected as:

  • W32.Disttrack
  • W32.Disttrack!gen1
  • W32.Disttrack!gen4
  • W32.Disttrack!gen6

The following IPS signature will detect the presence of W32.Disttrack infections:

  • System Infected: DistTrack Trojan Activity 2

For machines that do not have a Symantec security product installed, the presence of the following may indicate infection:

  • %System%\Drivers\ddr.sys (Note: this is a clean file)
  • %System%\Drives\ddrisk.sys (Note: this is a clean file)
  • A service called ddr

Recovering from infections

Computers that were infected, but shut down prior to the wiper trigger date, may be recoverable using the Norton Boot Removal Tool.

Note: The computer must not be started before the removal tool is run.

This threat has so far only been seen in very limited targeted attacks and the initial infection vector is currently unknown. Symantec Security Response continues to investigate this threat and will provide more information when it becomes available.