Only article I have seen saying they are pinpointing this to a specific USB insert in a specific machine by a specific insider!
Very detailed information about Shamoon. One of the better articles.
At first glance, the file didn't look to be legitimate, so I launched the program. It copied itself to:
c:\windows\system32\trksvr.exe
The file contained some interesting strings:
trksvr.exe
trksrv.exe
testdomain.com
\System32\cmd.exe /c "ping -n 30 127.0.0.1 >;nul && sc config TrkSvr binpath= system32\trksrv.exe && ping -n 10 127.0.0.1 >;nul && sc start TrkSvr"
Only article I have seen saying they are pinpointing this to a specific USB insert in a specific machine by a specific insider!
The reason why is relatively simple ...
The number of people involved in ICS is a much smaller and more confined group. (if outsourced, then to direct stakeholders - the vendors)
ICS is not has no direct connection to the Internet. No email, no web browsing.
Shamoon propagates using file shares, best firewall practices do not allow file shares between systems on either side of the firewall.
Speculates that they reverse engineered parts of Flame
82 items | 18 visits
Information related to the Wiper Attack in August 2013
Updated on Jun 25, 14
Created on Aug 23, 13
Category: Computers & Internet
URL: