The Data-Annihilation Attack Is Back

Published: 22/11/2024   Category: security




Old-school but painful data-destroying malware attacks in the Middle East are a red flag to revisit incident response and recovery



The data-destroying Shamoon malware and recent wave of aggressive targeted attacks against utilities in the Middle East should serve as a wake-up call for all types of organizations to be prepared for a whole other aspect of a breach -- losing data and systems to destructive hacks.
Data-destruction attacks are not new, but have been rare in the past decade or so as financially motivated cybercrime and cyberespionage have been at the forefront of threats mainly focused on monetizing stolen information. Hacktivists, meanwhile, have employed data-wiping from time to time, but not in the volume or mass approach that Shamoon can accomplish.
Richard Bejtlich, chief security officer at Mandiant, says these recent attacks should serve as a cautionary tale for all types of organizations. "This is something everybody should worry about ... This ability to destroy people's computers and wipe them clean has been around a couple of decades, but it has taken mass events, probably caused by the Iranian government and its proxies, to wake people up," he says. Utilities are just one victim, chosen for economic and political reasons: "It could be anybody."
And Shamoon already is being repurposed for attacking additional victims: Seculert has discovered Shamoon variants already. "We've seen variants with different internal-machine IP addresses used for proxy to send information," says Aviv Raff, co-founder and CTO at Seculert. "It's likely the Shamoon attackers because the malware is the same, but with new internal IP addresses," he says. Raff was unable to comment on who the next targets may be, however.
Shamoon, which has been unofficially linked to a recent breach at oil giant Saudi Aramco that took down 30,000 of its workstations, doesn't spy or steal information -- it deletes it, wiping files and data and crippling the infected machines themselves by overwriting the victim machine's master boot record, which disables it altogether. It also includes a reporting feature that logs the progress of the attack for the attacker.
Despite its nasty effects, Shamoon is actually a fairly rudimentary piece of malware. Researchers from AlienVault Labs and Kaspersky Lab separately have analyzed the code and concluded that it's likely the work of amateur coders. There are errors in the code that aren't characteristic of seasoned programmers.
Dmitry Tarakanov, a Kaspersky Lab expert, says the way Shamoon is constructed makes it relatively simple to tweak and reuse against another target. "We can single out three objects in Shamoon malware that could be taken as some sort of configuration. They are killer time, address of CNC [command and control], and network range from where Shamoon tries infecting computers," he says. "The first two parameters can be easily reconfigured, whilst the last one requires rewriting [the Shamoon code] a little bit. So [an] attacker can adjust those settings, recompile [the] program, and reuse it against [a] new target."
The wiper component could easily be packaged with other malware since it doesn't rely on the Shamoon code, says Jaime Blasco, manager of AlienVault Labs. But attackers may instead want to roll their own data-annihilation malware since Shamoon is now on the radar of most antivirus products: "On the other hand, it will be better to write your own code using the main idea of Shamoon rather than using the actual components due to the high antivirus detection ratio for Shamoon," Blasco says.
Most organizations probably aren't thinking they could be the next victim of a Shamoon or Shamoon-type attack. Neither Saudi Aramco nor Qatar's RasGas -- which was hit by a similar attack late last month -- has said its data was wiped in the attacks, nor has either pointed to Shamoon as the culprit.
Mandiant's Bejtlich says he doubts many organizations have considered the possibility of the widespread destruction of computers in their incident response plan. "In my last job, we didn't have that. What if tens of thousands of machines were bleeding? That would have swamped our help desk and IT department. I'm not sure how IT would have supported getting people back online while having to do their regular business of handling the enterprise servers and network," he says.
The scorched-earth-type attack would pose a big challenge for most IT departments, he says. IT departments would have to deal with getting the company's critical servers cleaned and back online, for example, potentially leaving end users to fend for themselves. Trying to restore tens of thousands of user machines to a gold image would be problematic, he says, especially if users tried to do it themselves.
[ Containing the attacker in today's persistent threat environment. See "Damage Mitigation As The New Defense." ]
"They might not get patched, or need to have their own data restored," Bejtlich says. "I get scared just thinking about it."
It takes a comprehensive IR plan that goes hand-in-hand with a disaster recovery plan, he says. And you need a program out there for finding these guys before they execute their mission: "If their mission is to destroy [data], you've got to get ahead of that mission. I'm still an advocate for fast detection and response," Bejtlich says.
Even once a machine is cleaned up and restored, the attacker could still be inside and just start all over again, deleting and destroying. So an organization needs to determine whether the attackers are still inside, and what they used to gain access in the first place, he says.
AlienVault's Blasco recommends that enterprises use the same security technologies they use for detecting other malware, but also ensure they have a proper backup system in place in case they are hit with a data-deleting attack. "You also have to have backup systems so you can recover the data in case malware is able to remove the data from your systems," he says.
