Security researchers at Symantec have been analysing a piece of malware directed at one of their energy industry customers that appears to have been designed purely to wreak havoc on the targeted organisation. Symantec have not named the affected company, and so far the malware has only been seen targeting that one organisation.
The malware is destructive: it corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) to render the machine unbootable. Symantec call it W32.Disttrack, and it consists of several components:
- Dropper - the main component and source of the original infection. It drops a number of other modules.
- Wiper - this module is responsible for the destructive functionality of the threat.
- Reporter - this module is responsible for reporting infection information back to the attacker.
The dropper first drops the Wiper and Reporter components into place on the system, then installs itself as a service so that it runs at system startup, and also creates a scheduled task to keep itself running. The wiper removes an existing device driver and replaces it with its own, gathers a list of candidate files to wipe, overwrites those files with a broken JPEG image, and finally overwrites the Master Boot Record.
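The two destructive effects described above leave artefacts an incident responder can check for directly: a boot sector that no longer carries a valid signature or partition table, and non-image files whose content now begins with a JPEG start-of-image marker. The following triage helpers are an added example, not Symantec's analysis code or anything from the malware itself. They assume a raw disk image whose first 512 bytes are the MBR, and they assume the JPEG fragment written by the wiper starts with the standard `FF D8 FF` marker (the page does not give the fragment's exact bytes). All sample inputs are constructed inline.

```python
"""Post-wiper triage: MBR sanity check and JPEG-overwritten file scan.

Added example; assumptions are marked in comments. The JPEG marker test is
an assumption about the wiper's payload, not a documented signature.
"""
import os
import struct
import tempfile

MBR_SIZE = 512
BOOT_SIG = b"\x55\xAA"          # standard MBR boot signature at offset 510
JPEG_SOI = b"\xFF\xD8\xFF"      # assumed prefix of the wiper's JPEG fragment
IMAGE_EXTS = {".jpg", ".jpeg"}  # files that legitimately start with SOI


def mbr_looks_intact(mbr: bytes) -> bool:
    """True if the sector carries 0x55AA and at least one plausible
    partition entry (status 0x00/0x80, non-zero type and sector count)."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != BOOT_SIG:
        return False
    used = 0
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        _lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0:
            continue  # empty slot
        if status not in (0x00, 0x80) or sectors == 0:
            return False
        used += 1
    return used > 0


def file_overwritten_with_jpeg(path: str) -> bool:
    """Flag a non-image file whose content now starts with a JPEG SOI marker,
    the symptom the page describes for files hit by the wiper."""
    if os.path.splitext(path)[1].lower() in IMAGE_EXTS:
        return False
    with open(path, "rb") as fh:
        return fh.read(3) == JPEG_SOI


def scan_tree(root: str) -> list:
    """Walk a directory tree and return paths that look wiped, sorted."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if file_overwritten_with_jpeg(path):
                hits.append(path)
    return sorted(hits)


def build_good_mbr() -> bytes:
    """Constructed: minimal MBR with one active NTFS-typed partition."""
    mbr = bytearray(MBR_SIZE)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 204800)
    mbr[446:462] = entry
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def build_wiped_mbr() -> bytes:
    """Constructed: the same sector after being overwritten with junk."""
    return bytes([0x41] * MBR_SIZE)


def demo() -> dict:
    """Run both checks over constructed inputs and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample files: one intact, one wiped, one real image.
        with open(os.path.join(d, "report.docx"), "wb") as fh:
            fh.write(b"PK\x03\x04" + b"\x00" * 64)
        with open(os.path.join(d, "budget.xlsx"), "wb") as fh:
            fh.write(JPEG_SOI + b"\xE0" + b"\x00" * 64)
        with open(os.path.join(d, "photo.jpg"), "wb") as fh:
            fh.write(JPEG_SOI + b"\xE0" + b"\x00" * 64)
        return {
            "good_mbr": mbr_looks_intact(build_good_mbr()),
            "wiped_mbr": mbr_looks_intact(build_wiped_mbr()),
            "overwritten_files": [os.path.basename(p) for p in scan_tree(d)],
        }


if __name__ == "__main__":
    print(demo())
```

On a real case, feed `mbr_looks_intact` the first 512 bytes of a forensic image rather than the constructed sector, and treat the JPEG scan as a lead generator: anything it flags should be confirmed by comparing against backups or file-system metadata, since the marker test is an assumption about the payload.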
Interestingly, the samples contain a module with the following string:
This appears to point to the location on the build machine of the source code used to compile the malware with Visual Studio. Additionally, the device driver dropped by the malware is digitally signed by EldoS, a corporate security component provider; the malware uses the driver for raw disk access. Because the signature is a legitimate vendor's, signature validation alone will not flag the driver; what matters for detection is which process loaded it and why.
The reporter component simply reports details of the infected system back to a remote site. More information on this attack is available on the Symantec Security Response blog and on the Kaspersky blog.