Difference between revisions of "Shamoon the Wiper in details"

(Publication) Google search: [1]

Shamoon the Wiper in details
Botnet	Shamoon
Malware
Botnet/malware group
Exploit kits
Services
Feature
Distribution vector
Target
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol
Date	2012 / 21 août 2012
Editor/Conference	Kaspersky lab
Link	https://www.securelist.com/en/blog/208193795/Shamoon the Wiper in details (Archive copy)
Author	Dmitry Tarakanov
Type

Abstract

“ We continue to analyse the Shamoon malware. This blog contains information about the internals of the malicious samples involved in this campaign.

Samples nesting The main executable (dropper) includes 3 resources, each maintains a ciphered program. The cipher is pretty simple – xor by dword. This was mentioned in our first blog-post. Resource PKCS12:112 maintains an encoded executable, xor’ed with key value 0xFB5D7F25. It is saved to disk using a name taken from a hardcoded list in the %WINDIR%\System32 folder during the dropper execution. In turn, this module maintains resource READONE :101 (xor key: 0xF052AF15), a driver decoded and saved to disk as %WINDIR%\System32\Drivers\DRDISK.SYS.

Bibtex

 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR1113,
   editor = {Kaspersky lab},
   author = {Dmitry Tarakanov},
   title = {Shamoon the Wiper in details},
   date = {Error: Invalid time.},
   month = Error: Invalid time.,
   year = {2012},
   howpublished = {\url{https://www.securelist.com/en/blog/208193795/Shamoon_the_Wiper_in_details}},
 }