Disttrack/Shamoon Malware Overwrites Files
Last week reports of Disttrack/Shamoon malware, which overwrites files and infects the Master Boot Record (MBR) of infected systems, surfaced. Trend Micro detects the said malware as WORM_DISTTRACK.A via pattern file 9.328.04.
Its arrival method is currently undetermined. It has been found to spread to other computers by dropping copies of itself in administrative shares; the dropped copy may use file names such as clean.exe or dvdquery.exe.
How it works:
Shamoon is unusual because it goes to great lengths to ensure that destroyed data can never be recovered, something rarely seen in targeted attacks. It has self-propagation capabilities that allow it to spread from computer to computer using shared network disks. It drops two primary components: TROJ_WIPMBR.A and TROJ_DISTTRACK.A.

TROJ_WIPMBR.A gathers the files to be infected on the computer. It then overwrites them with a small portion of a JPEG image found on the Internet. Once overwritten, these files can no longer be restored or opened.

TROJ_DISTTRACK.A, on the other hand, serves as the communicator. TROJ_WIPMBR.A passes the list of files it infects to TROJ_DISTTRACK.A, which then opens a connection to an IP address and sends the list of files along with the IP address of the infected computer. It also uses what appears to be a legitimate system driver to gain low-level access to the hard drive so it can wipe the Master Boot Record that Windows machines rely on to boot. The malware also reports back to the attackers with the number of files that were destroyed, the IP address of the infected computer, and a random number.
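As an added example (not Trend Micro's code and not part of the original advisory), a small triage script that walks a directory tree for two artifacts this write-up describes: the file names used by dropped copies on shares, and non-image files whose content now begins with a JPEG header, consistent with the wiper's overwrite. The sample tree it scans is constructed inline; the directory and file names are illustrative.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the advisory text: names used by dropped copies,
# and the JPEG fragment the wiper writes over files.
DROPPED_COPY_NAMES = {"clean.exe", "dvdquery.exe"}
JPEG_SOI = b"\xff\xd8\xff"          # JPEG start-of-image marker
JPEG_EXTENSIONS = {".jpg", ".jpeg"}


def looks_overwritten(path: Path) -> bool:
    """A non-image file whose first bytes are a JPEG header is consistent
    with the wiper's overwrite and is flagged for manual triage."""
    if path.suffix.lower() in JPEG_EXTENSIONS:
        return False                 # a real picture is expected to start this way
    try:
        with path.open("rb") as fh:
            head = fh.read(len(JPEG_SOI))
    except OSError:
        return False                 # unreadable file: leave for manual review
    return head == JPEG_SOI


def triage_tree(root) -> dict:
    """Walk a tree; return paths of suspicious file names and overwritten files."""
    findings = {"dropped_copies": [], "overwritten": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.lower() in DROPPED_COPY_NAMES:
                findings["dropped_copies"].append(str(p))
            if looks_overwritten(p):
                findings["overwritten"].append(str(p))
    return findings


def build_sample_tree() -> str:
    """Constructed sample (no real malware): benign files, one dropped-copy
    name on a share-like folder, and two documents 'wiped' with a JPEG header."""
    root = Path(tempfile.mkdtemp(prefix="shamoon_triage_"))
    (root / "report.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 32)          # intact
    (root / "photo.jpg").write_bytes(JPEG_SOI + b"\xe0" + b"\x00" * 32)        # real JPEG, ignored
    (root / "budget.xlsx").write_bytes(JPEG_SOI + b"\xe0" + b"\x00" * 32)      # overwritten
    share = root / "ADMIN$"
    share.mkdir()
    (share / "dvdquery.exe").write_bytes(b"MZ" + b"\x00" * 32)                 # dropped-copy name
    (share / "notes.txt").write_bytes(JPEG_SOI + b"\x00" * 32)                 # overwritten
    return str(root)


if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
```

Run against a mounted image or a share you are investigating, the output is a starting list for triage, not proof of infection on its own.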
How to identify an infection:
Unlike most malware, which rarely destroys files or wipes the Master Boot Record, Shamoon cripples the victim's computer once it has stolen the data, leaving the machine unusable. However, PC antivirus logs will still be able to indicate whether an infection has occurred.
How can Trend Micro protect you:
Trend Micro's solutions supported by the Trend Micro™ Smart Protection Network™ can detect and prevent the execution of the malicious files via file reputation technology.
Deep Security 8 provides a comprehensive, adaptive, and highly efficient server security platform that protects enterprise applications and data from breaches and business disruptions without expensive emergency patching. Its modules provide agentless and agent-based protection, including anti-malware, intrusion detection and prevention, firewall, web application protection, integrity monitoring, and log inspection.
OfficeScan 10.6 detects and blocks more threats, as proven in real-world tests, while the IDF plug-in improves visibility of security status, enabling more rapid identification of threats and faster incident response.
Mobile Security 8 reduces security risks by ensuring proper device configurations and adds protections to prevent malware and reduce the risk of compromised devices.
Threat and virus news on Disna
Disna - Iran's information security news portal.