W32.DistTrack, also known as “Shamoon,” is an information-stealing malware that also includes a destructive module. Shamoon renders infected systems useless by overwriting the Master Boot Record (MBR), the partition tables, and most of the files with random data. Once overwritten, the data are not recoverable.
Based on initial reporting and analysis of the malware, no evidence exists that Shamoon specifically targets industrial control systems (ICSs) components or U.S. government agencies.
According to Symantec, Shamoon has three primary functional components:
1. Dropper—the main component and source of the original infection. It installs a number of other modules.
2. Wiper—this module is responsible for the destructive functionality of the malware.
3. Reporter—this module is responsible for reporting infection information back to the attacker.
After the initial infection, Shamoon spreads via network shares to infect additional machines on the network. Symantec first detected Shamoon on August 16, 2012, and estimates only few infections exist worldwide (less than 50).
Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT and US-CERT for tracking and correlation against other incidents.
Because of the highly destructive functionality of the Shamoon “Wiper” module, an organization infected with the malware could experience operational impacts including loss of intellectual property (IP) and disruption of critical systems. Actual impact to organizations vary, depending on the type and number of systems impacted.
ICS-CERT and US-CERT encourage organizations to:
• Update antivirus definitions for detection of the Shamoon (DistTrack) malware.
• Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
• Exercise caution when using removable media, including USB drives.
• Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
• Place control system networks and remote devices behind firewalls, and isolate them from the business network.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
ICS-CERT and US-CERT remind organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
ICS-CERT recommends that organizations review the ICS-CERT Technical Information Paper ICS-TIP-12-146-01 Cyber Intrusion Mitigation Strategies or high-level strategies that can improve overall visibility of a cyber intrusion and aid in recovery efforts should an incident occur.
The Control Systems Security Program (CSSP) also provides a recommended practices section for control systems on the US-CERT Web site. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
The full ICS-CERT advisory can be found here: