Symantec has released a new warning after finding that an updated variant of malware Shamoon is in the wild. The new version -- detected by the company as W32.Disttrack -- wipes and destroys files as well as the master boot record (MBR) and changing the active partitions of an infected machine.
Instead of the previous version's methods of overwriting through 192KB blocks complete with a burning U.S. flag, the new variant uses the same size of block with randomly generated data. The wiping date is read from a .pnf file created on the system. Symantec says that the date is checked periodically, and then executes the wiper.
Scanning through a targeted list of 'priority' files, the malware seeks out a target through attempting to open and close the following files to determine access rights:
\\[TARGET IP]\ADMIN$\system32\csrss.exe \\[TARGET IP]\C$\WINDOWS\system32\csrss.exe \\[TARGET IP]\D$\WINDOWS\system32\csrss.exe \\[TARGET IP]\E$\WINDOWS\system32\csrss.exe
According to Symantec's Security Response Team:
"If successful, it will then copy itself to the remote system32 directory and attempt to execute itself using psexec.exe. If unsuccessful, it will try to load itself as a remote service. Once it has successfully looped through all target machines it will delete itself."
The new Shamoon variant targets filed within subfolders that contain the names download, document, picture, music, video and desktop. Once inside, it tries to spread itself within a local network through sharing. Typically, the malware gains control of the domain credentials itself which gives it access to every machine on a local domain.
Last month, Saudi Aramco said that 30,000 workstations became infected this way through a Shamoon attack, and was able to clean the system after proactively disabling network channels.