Shamoon the Wiper: further details (Part II)
Jump to navigation
Jump to search
(Publication) Google search: [1]
| Shamoon the Wiper: further details (Part II) | |
|---|---|
| Botnet | Shamoon |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 / 11 septembre 2012 |
| Editor/Conference | Kaspersky lab |
| Link | http://www.securelist.com/en/blog/208193834/Shamoon The Wiper further details Part II (Archive copy) |
| Author | Dmitry Tarakanov |
| Type | |
Abstract
“ We leave the speculation up to others and concentrate strictly on sharing technical details. This is the continuation of our investigation into Shamoon:
NETINIT.EXE
The main Shamoon module has a resource PKCS7:113 that maintains an executable which is saved to disk as %WINDIR%\System32\NETINIT.EXE and this program poses a module to communicate with CNC. This program waits for parameters to be run with. The author was not too creative and coded a handling of just two argument values which can be “0” or “1”.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR1154,
editor = {Kaspersky lab},
author = {Dmitry Tarakanov},
title = {Shamoon the Wiper: further details (Part II)},
date = {Error: Invalid time.},
month = Error: Invalid time.,
year = {2012},
howpublished = {\url{http://www.securelist.com/en/blog/208193834/Shamoon_The_Wiper_further_details_Part_II}},
}