
Shamoon - what was it?

On August 15, 2012 the computer systems of the oil company Saudi Aramco were attacked; no details were disclosed. It was reported that the company returned to normal operation after 10 days. On October 11, 2012, US Defense Secretary Leon Panetta, speaking at a cyber security conference in New York, stated that the computers of Saudi Aramco and of the Qatari gas producer RasGas had been attacked by the Shamoon malware. Some senior US officials claim that Shamoon is of Iranian origin, but they have no direct evidence of this. The Iranian government, in turn, insists on an official international investigation into the Shamoon attack. Mahdi Akhavan Bahabadi, secretary of Iran's National Center for Cyberspace, stated that in their view such statements by the Americans are politically motivated, specifically by the upcoming US presidential election.

Responsibility for the attack on Saudi Aramco was claimed by the hacker group The Cutting Sword of Justice, which cited political motives, accusing Saudi Arabia of organizing unrest in Syria and Bahrain. According to unverified information, allegedly posted by the initiators of the attack on pastedbin.com, more than 30,000 computers were infected at Saudi Aramco.

Shamoon samples were analyzed in detail by Kaspersky Lab employees; the first article was published on August 21. The experts concluded that the attack was targeted: the samples were not recorded in the KSN (Kaspersky Security Network). The malware consists of several modules. Inside one of them there is the string:

'C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb'

The main functionality of the program is destructive. Many online media outlets publish incorrect information claiming that Shamoon collects data and sends it to a remote server.

Shamoon can receive two commands from the command-and-control (C2) server:
1. run a file downloaded from the server;
2. set the time at which files are to be 'destroyed'.

The address of the C2 server is either the symbolic name 'home' or the IP address 10.1.252.19. It is noteworthy that this is a so-called internal address, belonging to the private range 10.0.0.0/8, which is not routed on the Internet. The full URL used to communicate with the C2 server looks like this: <management server>/ajax_modal/modal/data.asp?mydata=<iteration>&uid=<local IP>&state=<random number>. The .asp page suggests that the server is deployed on Microsoft Internet Information Services (IIS).
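As an added example (not from the article or from Kaspersky's analysis), the beacon pattern above can be turned into a simple detector that runs over web server logs. The log lines below are constructed, and the code assumes the seven-field IIS W3C layout shown in the comment.

```python
"""Flag Shamoon-style C2 beacons in IIS W3C (or proxy) log lines.

Added example, not part of the original article. The pattern comes from
the URL described there: /ajax_modal/modal/data.asp?mydata=...&uid=...&state=...
Sample log lines are constructed for illustration only.
"""
from urllib.parse import parse_qs

C2_PATH = "/ajax_modal/modal/data.asp"
C2_PARAMS = {"mydata", "uid", "state"}          # all three must be present
C2_HOSTS = {"home", "10.1.252.19"}              # hard-coded C2 names from the article

# Constructed lines; assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query c-ip
SAMPLE_LOG = """\
2012-08-15 08:01:02 10.1.252.19 GET /ajax_modal/modal/data.asp mydata=0&uid=10.1.3.44&state=8731 10.1.3.44
2012-08-15 08:01:05 10.1.252.19 GET /index.asp - 10.1.3.44
2012-08-15 08:01:07 10.1.252.19 GET /ajax_modal/modal/data.asp mydata=1&uid=10.1.3.45&state=2210 10.1.3.45
2012-08-15 08:02:00 10.1.252.19 GET /ajax_modal/modal/data.asp foo=bar 10.1.3.46
"""


def parse_w3c_line(line):
    """Split one W3C line into named fields; None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, s_ip, method, stem, query, c_ip = parts
    return {"ts": f"{date} {time}", "s_ip": s_ip, "method": method,
            "stem": stem, "query": "" if query == "-" else query, "c_ip": c_ip}


def is_shamoon_beacon(rec):
    """True when the path and all three query parameters match the C2 scheme."""
    if rec["stem"].lower() != C2_PATH:
        return False
    return C2_PARAMS.issubset(parse_qs(rec["query"]))


def scan_log(text):
    """Return (timestamp, client IP, uid, state) for every beacon found."""
    hits = []
    for line in text.splitlines():
        rec = parse_w3c_line(line)
        if rec and is_shamoon_beacon(rec):
            q = parse_qs(rec["query"])
            hits.append((rec["ts"], rec["c_ip"], q["uid"][0], q["state"][0]))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("beacon:", hit)
```

Because the server is internal (10.1.252.19), the relevant logs are those of internal IIS hosts and internal proxies, not the Internet gateway.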

Due to a bug by the author, the function that launches the downloaded file does not work: the name of the local file is generated incorrectly when it is saved.

The malware periodically checks whether a specific date has arrived. The date can be set via the C2 server; otherwise the date hard-coded inside the program, August 15th, 2012 at 08:08 UTC, is used. It should be noted that the author also made an error in the implementation of the time check, which, however, does not prevent the planned action: the destruction of information at the specified time. The list of files to destroy is built in advance from specified templates; for example, files in user profiles and files with the ini or sys extensions are searched for. As a result, two files, 'f1.inf' and 'f2.inf', are created in the %WINDIR%\System32 directory. They contain the full paths of the files that will be overwritten with garbage to make recovery impossible. The garbage is a 192 KB fragment of a JPEG image of a burning US flag, which can easily be found via Google. Apparently this was intended by the author and may point to a "political background" for the attack. Finally, the MBR is wiped. This requires direct disk access, which is blocked in Windows Vista and later. To obtain it, Shamoon uses the legitimately signed driver from EldoS's RawDisk software, an approach described in an article on insidepro.com. The driver requires an authorization key to work. The key used in Shamoon is a trial key, so every time the driver's functions are called, the current system time is temporarily set to a random date between August 1st and August 20th, 2012. These errors and implementation details allow us to conclude that Shamoon's author is not a highly qualified programmer.

For self-replication, Shamoon tries to copy itself to the administrative shares that Windows creates by default: ADMIN$, C$, D$, E$. On success, a scheduled task is created with the NetScheduleJobAdd function, which provides subsequent autorun on the remote computer. Naturally, these actions require domain administrator rights. The list of target IP addresses is either taken from the command line parameters or formed from the current IP address by iterating the last octet over the range 1-254 (brute force).

In September 2012, Symantec published information about the discovery of a new version of Shamoon; the modifications are cosmetic. Some strings are replaced, for example the file lists are named 'data.dat' and 's_data.dat' instead of 'f1.inf' and 'f2.inf'. The remote launch method via NetScheduleJobAdd has been replaced by the use of psexec.exe, and, according to information from McAfee, the garbage written to files is generated randomly instead of being taken from part of the image.

We can assume the following scenario: the attackers gained control over one of the domain controllers inside the organization's network perimeter, studied the network topology and obtained a list of IP addresses (Shamoon allows a list of IP addresses to be passed via command line parameters). The script that controls the destruction time was placed on one of the internal servers and its address (10.1.252.19) was hard-coded inside the malware. Domain administrator rights solved the problem of mass distribution of the malware through administrative shares. There is no reliable evidence that Shamoon hit Saudi Aramco and that more than 30,000 computers were infected (for example, the address 10.1.252.19 does not appear in the lists posted on pastedbin.com); however, this explains how Shamoon could infect such a large number of computers without any means of exploiting network service vulnerabilities. In addition, there was no need to implement an information-gathering function, since with the appropriate rights this can be done with standard OS tools. So, on the one hand, this is an APT attack; on the other hand, the level of its preparation is not particularly high.

Source: https://habr.com/ru/post/159049/

