Shamoon the Wiper: further details (Part II)
Shamoon the Wiper: further details (Part II) | |
---|---|
Botnet | Shamoon |
Malware | |
Botnet/malware group | |
Exploit kits | |
Services | |
Feature | |
Distribution vector | |
Target | |
Origin | |
Campaign | |
Operation/Working group | |
Vulnerability | |
CCProtocol | |
Date | 2012 / 11 September 2012 |
Editor/Conference | Kaspersky lab |
Link | http://www.securelist.com/en/blog/208193834/Shamoon_The_Wiper_further_details_Part_II (Archive copy) |
Author | Dmitry Tarakanov |
Type |
Abstract
“ We leave the speculation up to others and concentrate strictly on sharing technical details. This is the continuation of our investigation into Shamoon:
NETINIT.EXE
The main Shamoon module has a resource PKCS7:113 that maintains an executable which is saved to disk as %WINDIR%\System32\NETINIT.EXE and this program poses a module to communicate with CNC. This program waits for parameters to be run with. The author was not too creative and coded a handling of just two argument values which can be “0” or “1”. ”
Bibtex
@misc{2012BFR1154,
  editor = {Kaspersky lab},
  author = {Dmitry Tarakanov},
  title = {Shamoon the Wiper: further details (Part II)},
  date = {2012-09-11},
  month = sep,
  year = {2012},
  howpublished = {\url{http://www.securelist.com/en/blog/208193834/Shamoon_The_Wiper_further_details_Part_II}},
}