Shamoon - what was it?
Computer systems of the oil company Saudi Aramco were attacked on August 15, 2012, its details were not disclosed. It was reported that the company returned to normal operation after 10 days. US Defense Secretary Leon Panetta October 11, 2012, speaking at a cyber security conference in New York saidthat the computers of Saudi Aramco and the Qatari gas production company RasGas were attacked by the Shamoon malware. Some senior US officials claim that Shamoon is of Iranian origin, but they have no direct evidence of this. The Iranian government, in turn, insists on conducting a formal international investigation into the Shamoon attack. Akhavan Bahabadi (Mahdi Akhavan Bahabadi) - Secretary of the National Center, which is engaged in cyberspace of Iran, confirmed that, in their opinion, such statements by Americans are related to political motives, more precisely with the upcoming presidential elections in the United States.
Responsibility for the attack on Saudi Aramco took on the hacking group The Cutting Sword of Justice, motivated by political reasons, accusing Saudi Arabia of organizing unrest in Syria and Bahrain. According to unverified information posted allegedly by the initiators of the attack on pastedbin.com , more than 30,000 computers were infected in Saudi Aramco.
Shamoon samples were analyzed in detail by Kaspersky Lab employees; the first article was published on August 21. Experts came to the conclusion that the attack was of a point-like nature, the samples were not fixed in KSN (Kaspersky Security Network). VPO contains several modules. Inside one of them there is a line:
'C: \ Shamoon \ ArabianGulf \ wiper \ release \ wiper.pdb'. The main functionality of the program is destructive. Many online media outlets publish incorrect information that Shamoon collects information and sends it to a remote server.
Shamoon can receive 2 commands from the command center:
1. run the file downloaded from the server;
2. set the time for 'destruction' of files.
As the address of the command center, either the symbolic name 'home' or the IP address 10.1.252.19 is used. It is noteworthy that this is the so-called internal address, belonging to the special range 10.0.0.0/8, not used on the Internet. The full URL for contacting the command center looks like this: < management server > /ajax_modal/modal/data.asp?mydata = <_ iteration> & uid = <local IP> &. This may indicate that the server should be deployed based on the Internet Information Service.
Due to the author’s error, the function of launching the downloaded file does not work, since the name of the local file is not formed correctly when saving.
The malware automatically checks to see if a certain date has arrived. The date can be specified through the command center, otherwise the date specified inside the code is used, August 15, 2012 08:08 UTC. It should be noted that the author also made a mistake in implementing the function of checking time, which, nevertheless, does not interfere with the intended actions - the destruction of information at a given time. The list of files for destruction is pre-formed on the basis of the specified templates, for example, files in user profiles or files with extensions ini or sys are searched. As a result, two files 'f1.inf' and 'f2.inf' are created in the% WINDIR% \ System32 directory. They contain full paths to files that are filled with garbage to prevent recovery. The garbage is a fragment (192 Kbytes) of a JPEG image of a burning U.S. flag of stars and stripes that can be easily found through Google. Apparently, this was intended by the author and may indicate a certain “political background” of the attack. Lastly, the MBR is erased. This requires direct access to the drive, locked in Windows Vista and above. To provide it, Shamoon uses a legal signed driver from Eldos RawDisk software, the approach described inarticle on insidepro.com. The driver requires an authorization key to work. The key used in Shamoon is trial, so every time you call the driver functions, the current system time is transferred to a random date from August 1 to August 20, 2012. These errors and implementation features allow us to conclude that the author of Shamoon is not a highly qualified programmer.
For self-distribution, Shamoon tries to copy itself to the administrative resources created by Windows by default - ADMIN $, C $, D $, E $. If successful, a task is created using the NetScheduleJobAdd function, which subsequently allows autorun on a remote computer. Naturally, these actions require domain administrator rights. The list of IP addresses is taken either from the command line parameters, or is formed from the current IP address, setting the values of the last octet in the range 1-254 (enumeration).
In September 2012, Symantec published informationabout the discovery of a new version of Shamoon, the modifications are cosmetic in nature. So, some lines are replaced, for example, file lists are called 'data.dat' and 's_data.dat' instead of 'f1.inf' and 'f2.inf'. The remote start method via NetScheduleJobAdd has been replaced with psexec.exe, garbage for writing is generated randomly instead of using part of the image, according to McAfee.
We can assume the following version: attackers gained control of one of the domain controllers inside the perimeter of the organization’s network, studied the network topology and received a list of IP addresses (Shamoon provides for the transfer of a list of IP addresses through command line parameters). The script to control the destruction time was placed on one of the internal servers and its address (10.1.252.19) was encoded inside the malware. The presence of domain administrator rights allowed to solve the problem of mass distribution of malware through administrative resources. There is no reliable data that Saudi Aramco infected Shamoon and infected more than 30,000 computers (for example, the address 10.1.252.19 is not in the lists posted on pastedbin.com), but this explains how Shamoon could infect so many computers, not having in its composition any means of exploiting vulnerabilities of network services. In addition, there was no need to program the function of collecting information, since this could be done using regular OS tools, having the appropriate rights. So, on the one hand, this is an APT attack, on the other hand, its level of training is not high enough.
Responsibility for the attack on Saudi Aramco took on the hacking group The Cutting Sword of Justice, motivated by political reasons, accusing Saudi Arabia of organizing unrest in Syria and Bahrain. According to unverified information posted allegedly by the initiators of the attack on pastedbin.com , more than 30,000 computers were infected in Saudi Aramco.
Shamoon samples were analyzed in detail by Kaspersky Lab employees; the first article was published on August 21. Experts came to the conclusion that the attack was of a point-like nature, the samples were not fixed in KSN (Kaspersky Security Network). VPO contains several modules. Inside one of them there is a line:
'C: \ Shamoon \ ArabianGulf \ wiper \ release \ wiper.pdb'. The main functionality of the program is destructive. Many online media outlets publish incorrect information that Shamoon collects information and sends it to a remote server.
Shamoon can receive 2 commands from the command center:
1. run the file downloaded from the server;
2. set the time for 'destruction' of files.
As the address of the command center, either the symbolic name 'home' or the IP address 10.1.252.19 is used. It is noteworthy that this is the so-called internal address, belonging to the special range 10.0.0.0/8, not used on the Internet. The full URL for contacting the command center looks like this: < management server > /ajax_modal/modal/data.asp?mydata = <_ iteration> & uid = <local IP> &. This may indicate that the server should be deployed based on the Internet Information Service.
Due to the author’s error, the function of launching the downloaded file does not work, since the name of the local file is not formed correctly when saving.
The malware automatically checks to see if a certain date has arrived. The date can be specified through the command center, otherwise the date specified inside the code is used, August 15, 2012 08:08 UTC. It should be noted that the author also made a mistake in implementing the function of checking time, which, nevertheless, does not interfere with the intended actions - the destruction of information at a given time. The list of files for destruction is pre-formed on the basis of the specified templates, for example, files in user profiles or files with extensions ini or sys are searched. As a result, two files 'f1.inf' and 'f2.inf' are created in the% WINDIR% \ System32 directory. They contain full paths to files that are filled with garbage to prevent recovery. The garbage is a fragment (192 Kbytes) of a JPEG image of a burning U.S. flag of stars and stripes that can be easily found through Google. Apparently, this was intended by the author and may indicate a certain “political background” of the attack. Lastly, the MBR is erased. This requires direct access to the drive, locked in Windows Vista and above. To provide it, Shamoon uses a legal signed driver from Eldos RawDisk software, the approach described inarticle on insidepro.com. The driver requires an authorization key to work. The key used in Shamoon is trial, so every time you call the driver functions, the current system time is transferred to a random date from August 1 to August 20, 2012. These errors and implementation features allow us to conclude that the author of Shamoon is not a highly qualified programmer.
For self-distribution, Shamoon tries to copy itself to the administrative resources created by Windows by default - ADMIN $, C $, D $, E $. If successful, a task is created using the NetScheduleJobAdd function, which subsequently allows autorun on a remote computer. Naturally, these actions require domain administrator rights. The list of IP addresses is taken either from the command line parameters, or is formed from the current IP address, setting the values of the last octet in the range 1-254 (enumeration).
In September 2012, Symantec published informationabout the discovery of a new version of Shamoon, the modifications are cosmetic in nature. So, some lines are replaced, for example, file lists are called 'data.dat' and 's_data.dat' instead of 'f1.inf' and 'f2.inf'. The remote start method via NetScheduleJobAdd has been replaced with psexec.exe, garbage for writing is generated randomly instead of using part of the image, according to McAfee.
We can assume the following version: attackers gained control of one of the domain controllers inside the perimeter of the organization’s network, studied the network topology and received a list of IP addresses (Shamoon provides for the transfer of a list of IP addresses through command line parameters). The script to control the destruction time was placed on one of the internal servers and its address (10.1.252.19) was encoded inside the malware. The presence of domain administrator rights allowed to solve the problem of mass distribution of malware through administrative resources. There is no reliable data that Saudi Aramco infected Shamoon and infected more than 30,000 computers (for example, the address 10.1.252.19 is not in the lists posted on pastedbin.com), but this explains how Shamoon could infect so many computers, not having in its composition any means of exploiting vulnerabilities of network services. In addition, there was no need to program the function of collecting information, since this could be done using regular OS tools, having the appropriate rights. So, on the one hand, this is an APT attack, on the other hand, its level of training is not high enough.