Shamoon (Troj/Mdrop-ELD) - Targeted destructive malware explained

Filed Under: Malware, SophosLabs

I work in SophosLabs, and one of my jobs is to write detections for new malware. What makes this piece of malware stand apart is that it is targeted.

On the afternoon of 15 August, SophosLabs received a file called str.exe that claimed to be a Microsoft file:

[Screenshot of the properties of str.exe]

At first glance, the file didn't look to be legitimate, so I launched the program. It copied itself to:

c:\windows\system32\trksvr.exe

The file contained some interesting strings:

trksvr.exe
trksrv.exe
testdomain.com
\System32\cmd.exe /c "ping -n 30 127.0.0.1 >nul && sc config TrkSvr binpath= system32\trksrv.exe && ping -n 10 127.0.0.1 >nul && sc start TrkSvr"

Immediately, I became suspicious. There is the apparent misspelling of trksvr (it is also called trksrv in the file - spot the difference?), the use of testdomain.com, and the hackerish way that the code started itself as a service.

The more technical of you might have noticed that the code is interspersed by the command ping -n 30 127.0.0.1, which pauses between actions (about 30 seconds each time on my test machine).

I was confident it was malicious. And, because no other security lab seemed to detect the file, I picked a name, Troj/MDrop-ELD, wrote a quick detection, and went home.

The next day, we saw a flurry of queries about a "new" piece of malware called Disttrack or Shamoon. It turned out that it was the same piece of malware that I had detected the previous night. So one of my colleagues did some more detailed analysis.

Thanks to Darrel for the following information:

Troj/MDrop-ELD is a targeted attack; due to some quirks of the malware, there's currently no chance of data exfiltration (unless you happen to be the company targeted by this attack).

Troj/MDrop-ELD attempts to contact IP address 10.1.252.19 - this is probably the internal IP address of the first owned machine in the target's network - on ports 1103 (xrl) and 1104 (adobeserver).

Troj/MDrop-ELD attempts to gather information about the target's machines:

dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i download 2>nul >f1.inf
dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i document 2>nul >>f1.inf
dir C:\Users\ /s /b /a:-D 2>nul | findstr -i download 2>nul >>f1.inf
dir C:\Users\ /s /b /a:-D 2>nul | findstr -i document 2>nul >>f1.inf
dir C:\Users\ /s /b /a:-D 2>nul | findstr -i picture 2>nul >>f1.inf
dir C:\Users\ /s /b /a:-D 2>nul | findstr -i video 2>nul >>f1.inf
dir C:\Users\ /s /b /a:-D 2>nul | findstr -i music 2>nul >>f1.inf
dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i desktop 2>nul >f2.inf
dir C:\Users\ /s /b /a:-D 2>nul | findstr -i desktop 2>nul >>f2.inf
dir C:\Windows\System32\Drivers /s /b /a:-D 2>nul >>f2.inf
dir C:\Windows\System32\Config /s /b /a:-D 2>nul | findstr -v -i systemprofile 2>nul >>f2.inf
dir f1.inf /s /b 2>nul >>f1.inf
dir f2.inf /s /b 2>nul >>f1.inf
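Both command-line habits described above (the loopback ping used as a sleep chained with sc config/sc start, and the recursive dir | findstr listings funnelled into f1.inf and f2.inf) are easy to match in process-creation telemetry. The following is an added example of such detection logic, written for this page and not SophosLabs' own detection; it assumes the telemetry arrives as plain command-line strings, and the sample lines and rule names are constructed here.

```python
"""Match the Shamoon-style command lines from the post in process-creation logs.
Added example; not Sophos detection code. Sample lines are constructed."""
import re

# Constructed sample command lines (not real telemetry). The first three mirror
# the strings quoted in the post; the rest are benign look-alikes.
SAMPLE_COMMAND_LINES = [
    r'C:\Windows\System32\cmd.exe /c "ping -n 30 127.0.0.1 >nul && sc config TrkSvr binpath= system32\trksrv.exe && ping -n 10 127.0.0.1 >nul && sc start TrkSvr"',
    r'cmd.exe /c dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i download 2>nul >f1.inf',
    r'cmd.exe /c dir C:\Windows\System32\Config /s /b /a:-D 2>nul | findstr -v -i systemprofile 2>nul >>f2.inf',
    r'cmd.exe /c ping -n 4 8.8.8.8',
    r'cmd.exe /c sc query wuauserv',
    r'cmd.exe /c dir C:\Users\alice\Documents /b',
]

# Rule 1: "ping -n <N> 127.0.0.1" as a delay, in the same command line as a
# service binpath change and a service start.
PING_SLEEP = re.compile(r'ping\s+-n\s+\d+\s+127\.0\.0\.1', re.IGNORECASE)
SC_CONFIG_BINPATH = re.compile(r'\bsc\s+config\s+\S+\s+binpath=', re.IGNORECASE)
SC_START = re.compile(r'\bsc\s+start\s+\S+', re.IGNORECASE)

# Rule 2: recursive bare listing (/s /b /a:-D) of profile or system directories
# whose output is written or appended to f1.inf / f2.inf.
RECON_DIR = re.compile(
    r'\bdir\s+"?(C:\\(Documents and Settings|Users|Windows\\System32\\(Drivers|Config)))',
    re.IGNORECASE)
RECON_FLAGS = re.compile(r'/s\s+/b\s+/a:-D', re.IGNORECASE)
RECON_OUTPUT = re.compile(r'>>?\s*f[12]\.inf', re.IGNORECASE)


def classify(cmdline):
    """Return the names of every rule (constructed names) that a command line triggers."""
    hits = []
    if PING_SLEEP.search(cmdline) and SC_CONFIG_BINPATH.search(cmdline) and SC_START.search(cmdline):
        hits.append("ping-sleep-service-install")
    if RECON_DIR.search(cmdline) and RECON_FLAGS.search(cmdline) and RECON_OUTPUT.search(cmdline):
        hits.append("profile-recon-to-inf")
    return hits


def scan(lines):
    """Return (cmdline, rule names) for each line that triggers at least one rule."""
    results = []
    for line in lines:
        hits = classify(line)
        if hits:
            results.append((line, hits))
    return results


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_COMMAND_LINES):
        print(", ".join(hits), "<-", line)
```

Requiring all three sub-patterns of a rule to appear in one command line keeps ordinary ping, sc query and dir usage from alerting; the redirection to f1.inf/f2.inf is the most specific piece and is the one a defender should tune first if the file names change.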

This Trojan then attempts to overwrite a number of files in the user-profile areas of the disk, replacing various .lnk, .bmp, .ini, .cab and similar file types with a broken JPEG (JFIF) image. It also attempts to overwrite the MBR, rendering the machine unbootable. This is most likely intended to obscure the source of the user's infection and to hinder data recovery on the system.
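Because the overwritten files keep their original names and extensions but now start with a JPEG header, an incident responder can triage a recovered profile simply by looking for that mismatch. The script below is an added example written for this page, not a Sophos tool; it assumes the overwrite payload begins with a standard JFIF header (the post only says "broken JPG (JFIF) file") and builds a small constructed profile tree in a temporary directory to run against.

```python
"""Find non-image files whose contents begin with a JFIF header.
Added example for triage; not Sophos code. Sample tree is constructed."""
import os
import tempfile

# JPEG start-of-image marker followed by an APP0 segment that carries "JFIF\0".
JFIF_MAGIC = b"\xff\xd8\xff\xe0"
JFIF_TAG = b"JFIF\x00"

# Extensions the post lists as being clobbered; a genuine JPEG is never expected here.
NON_IMAGE_EXTS = {".lnk", ".bmp", ".ini", ".cab"}


def looks_like_jfif(head):
    """True when the first bytes carry the JFIF signature (assumed overwrite payload)."""
    return head[:4] == JFIF_MAGIC and head[6:11] == JFIF_TAG


def find_clobbered_files(root):
    """Return sorted paths under root with a non-image extension but JFIF content."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in NON_IMAGE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(16)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if looks_like_jfif(head):
                hits.append(path)
    return sorted(hits)


def build_sample_tree():
    """Constructed profile tree: two clobbered files, one intact .ini, one real-looking .jpg."""
    root = tempfile.mkdtemp(prefix="jfif-triage-")
    fake_jfif = JFIF_MAGIC + b"\x00\x10" + JFIF_TAG + b"\x01\x01" + b"\x00" * 64
    samples = {
        os.path.join("Desktop", "report.lnk"): fake_jfif,                      # overwritten
        os.path.join("Desktop", "desktop.ini"): fake_jfif,                     # overwritten
        os.path.join("Desktop", "notes.ini"): b"[Settings]\r\nkey=value\r\n",  # intact
        os.path.join("Pictures", "holiday.jpg"): fake_jfif,                    # legitimately JPEG
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


def demo():
    """Run the sweep over the constructed tree and return the clobbered file names."""
    root = build_sample_tree()
    return [os.path.basename(p) for p in find_clobbered_files(root)]


if __name__ == "__main__":
    print(demo())
```

Run against a mounted image of an affected profile, the same walk gives a list of files to restore from backup; the .jpg in the sample tree is deliberately left alone because the mismatch, not the JFIF header itself, is the indicator.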

While this is going to be quite frustrating and annoying for users, the good news is that this piece of malware doesn't do anything unrecoverable. The various overwritten files are non-critical ones, so infected machines can be fixed with a fixmbr command from some boot media.

Sophos customers have been protected against this attack since Wednesday 15 August. As always, we are reminded that it is important to back up systems regularly. This particular piece of malware didn't destroy important files permanently, but the next one might.

Trojan image from Shutterstock.


9 Responses to Shamoon (Troj/Mdrop-ELD) - Targeted destructive malware explained

  1. Freida Gray · 804 days ago

    Can this file be deleted from your system safely ?

  2. Anonymous · 803 days ago

    Looks to actually be the Shamoon virus the BBC is reporting
    http://www.bbc.com/news/technology-19293797

  3. aname · 801 days ago

    um, is it safe to visit the url you linked?

    • Paul Ducklin · 801 days ago

      Thanks for your question...I removed the link and thus any confusion with it :-)

    • Graham Cluley · 801 days ago

      The Contagio blog? Yeah, that should be fine.

  4. aname · 801 days ago

    well, already went there. does it give you malware by visiting?

    • Graham Cluley · 801 days ago

      No, visiting that blog article doesn't infect your computer.

  5. Guest · 787 days ago

    When I visit this web site, my trend micro AV shoots me a message saying this site (http://nakedsecurity.sophos.com/2012/08/17/targeted-destructive-malware-explained-trojmdrop-eld/) has a "dangerous" link (odb.outbrain.com) and it's being blocked....

    According to TM : "The latest tests indicate that this URL contains malicious software or could defraud visitors."

    heads up...

    • Graham Cluley · 787 days ago

      I suspect Trend Micro has misclassified the Outbrain site. Outbrain is the widget that provides "You might also like" links to other stories on our site.

      Some websites use Outbrain to link to content on *third*-party websites (which may have been infected at some point). We don't do that on Naked Security, so you don't have to worry. However, I suspect if Trend is giving you that message they have been a little too errmm.. enthusiastic in assuming anything involving Outbrain is dangerous.

About the author

Paul O Baccas (aka pob) joined Sophos in 1997 after studying Engineering Science at Oxford University. After nearly 16 years, he has left Sophos to pastures new and will be writing as an independent malware researcher. Paul has: published several papers, presented at several Virus Bulletins and was a technical editor for "AVIEN Malware Defense Guide". He has contributed to Virus Bulletin and is a frequent contributor to the NakedSecurity blog.