How Seculert Discovered the Shamoon Malware
© 2013 Seculert Company, All Rights Reserved
Shamoon Targeted Attack
• Shamoon is a 2-stage attack targeting Oil & Energy companies
• Comprised of 3 modules
– Dropper
– Reporter
– Wiper
• Extracting data via an internal infected machine acting as a proxy
#seculertjuly2013 © 2013 Seculert Company, All Rights Reserved
Shamoon Targeted Attack
• Spreads itself on the local network via Scheduled Tasks
• Abuses a legitimate, signed RawDisk driver to wipe the MBR
• Wiper module time bomb
– Wipes the drive and MBR at specified dates and times
– Other malware has copied this capability
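Two of the behaviours the slides attribute to Shamoon (worm-like spread via Scheduled Tasks and loading a signed raw-disk driver before the wipe) are detectable from host event logs. The heuristics below are an added example, not Seculert's code or the deck's content; the event format, field names, thresholds and the driver file name are assumptions, and the log lines are constructed.

```python
# Added example (not from the Seculert deck): host-log heuristics for two behaviours
# the slides attribute to Shamoon: fan-out of Scheduled Task creation to many hosts,
# and loading a raw-disk driver used to wipe the MBR. Log format and names are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source host, event type, target/detail).
SAMPLE_EVENTS = [
    ("2013-07-01 09:00:05", "ws-17", "task_created", "srv-01"),
    ("2013-07-01 09:00:09", "ws-17", "task_created", "srv-02"),
    ("2013-07-01 09:00:12", "ws-17", "task_created", "ws-03"),
    ("2013-07-01 09:00:20", "ws-17", "task_created", "ws-04"),
    ("2013-07-01 09:01:00", "admin-pc", "task_created", "srv-01"),  # one-off admin job
    ("2013-07-01 11:08:00", "srv-02", "driver_loaded", "rawdisk_placeholder.sys"),
    ("2013-07-01 11:09:00", "srv-03", "driver_loaded", "ntfs.sys"),
]

# Placeholder: the deck only says "RawDisk driver", so the file name here is assumed.
WIPER_DRIVER_NAMES = {"rawdisk_placeholder.sys"}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def scheduled_task_fanout(events, min_targets=3, window=timedelta(minutes=5)):
    """Return {source host: targets} for hosts that created scheduled tasks on at
    least min_targets distinct remote hosts inside one sliding time window."""
    per_source = defaultdict(list)
    for ts, src, kind, target in events:
        if kind == "task_created" and target != src:
            per_source[src].append((parse(ts), target))
    flagged = {}
    for src, items in per_source.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            targets = {t for when, t in items[i:] if when - start <= window}
            if len(targets) >= min_targets:
                flagged[src] = sorted(targets)
                break
    return flagged


def wiper_driver_loads(events):
    """Return (host, driver) pairs where a watch-listed raw-disk driver was loaded."""
    return [(src, target) for _, src, kind, target in events
            if kind == "driver_loaded" and target.lower() in WIPER_DRIVER_NAMES]


if __name__ == "__main__":
    print(scheduled_task_fanout(SAMPLE_EVENTS))
    print(wiper_driver_loads(SAMPLE_EVENTS))
```

The admin host that creates a single task is not flagged; only the source that fans out to several hosts within the window is, which is the pattern the deck describes as worm spreading.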
Shamoon – Why It Wasn’t Prevented
• Initial attack vector is still unknown
– Physical access / insider
– Partner
– Spear phishing
• Time-based attack (time bomb)
• Worm spreading in the local network
• Uses a local machine as a proxy
• Most of the victim companies were using solutions focused on prevention
How Seculert Identified Shamoon
• A customer uploaded a suspicious file to the Seculert Elastic Sandbox
• A malware behavioral profile was automatically created
• Shamoon was detected at another customer using Big Data analysis of their gateway traffic logs
• Customers use the Seculert API to enhance their on-premises security devices to protect against Shamoon
From Prevention to Protection
Persistent attacks require a new approach
• Big Data analytics
• Long-term analysis
• Advanced malware profiling
• Automated expertise
Let Seculert Detect Unknown Malware on Your Network
Sign-up Now
Immediate Results – No Credit Card Required – Initial Results are FREE!