2 Replies. Latest reply on Aug 20, 2012 12:15 AM by derluc10.

    W32/DistTrack Trojan

    Hayton

      From McAfee Security Advisory MTIS 12-132, recently issued:

      ===============================================================================
      [MTIS12-132-E]
      W32/DistTrack Trojan
      ===============================================================================

      Threat Identifier(s):        W32/DistTrack
      Threat Type:                 Malware
      Risk Assessment:             Low
      Main Threat Vectors:         WAN; LAN; Peer-to-Peer Networks
      User Interaction Required:   Yes

      Description:
      W32/DistTrack is a highly destructive Trojan capable of overwriting data on targeted machines. Machines infected by it are rendered useless, as most of the files, the MBR and the partition tables are overwritten with garbage data. The overwritten data is lost and is not recoverable. The initial infection vector is as yet unknown, but the malware has the capability of spreading via Admin$ shares. When the initial executable is run it creates a copy of itself in the %SystemRoot%\System32 folder using the name tsksvr.exe. This dropped executable is the wiper module and is responsible for overwriting various files on the hard disk and also the MBR and Boot Sector. The wiper module also drops a file called drdisk.sys, which is a standard component from a commercial application that is used to allow programs low-level access to hard disk drives. The wiper module then uses this to overwrite the MBR and partition tables of the hard disk. The data used to overwrite these sectors is again the JPEG data as shown above. This renders the hard disk unusable, and it will not be recognized by the system after rebooting.

      Importance:                  Low. This threat has gained media attention.

      McAfee Product Coverage *

      DAT files:
      Coverage is provided as "W32/DistTrack" in the 6805 DATs, released August 15. A stand-alone Stinger tool is also available for download.

      For more information see
      https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23936/en_US/McAfee%20Labs%20Threat%20Advisory-%20W32-DistTrack.pdf

      Edit - Alternatively, try the following link (which I was unable to verify because the server was down):
      https://kc.mcafee.com/corporate/index?page=content&id=PD23936

      The information in kc.mcafee.com is intended for Business users. The Extra.DAT and Stinger downloads, though, should be effective on Home User systems.
      https://kc.mcafee.com/corporate/index?page=content&id=KB75963

      Message was edited by: Hayton on 21/08/12 13:20:42 IST
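The advisory above says the wiper overwrites the MBR and partition table with garbage (JPEG data). As an added example, not taken from McAfee's advisory or from the thread, here is a small Python check a responder could run against a saved copy of sector 0 to flag the signs such an overwrite leaves: the 0x55AA boot signature gone and partition entries that no longer parse sensibly. The sample sectors are constructed, and the JPEG-like fill pattern is an assumption about what the garbage could look like.

```python
"""Sanity-check a 512-byte MBR image for signs of a garbage overwrite.
Added example; sample sectors below are constructed, not real disk data."""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"          # standard MBR boot signature at offset 510
PART_TABLE = 0x1BE              # four 16-byte partition entries start here
JPEG_SOI = b"\xff\xd8\xff"      # JPEG start-of-image marker (assumed fill pattern)

def parse_partitions(sector: bytes):
    """Return the four partition entries as dicts (status, type, LBA start, sector count)."""
    entries = []
    for i in range(4):
        raw = sector[PART_TABLE + 16 * i: PART_TABLE + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def check_mbr(sector: bytes):
    """Return a list of findings; an empty list means the MBR looks intact."""
    if len(sector) != SECTOR:
        return ["sector is not 512 bytes"]
    findings = []
    if sector[510:512] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing")
    if sector[:3] == JPEG_SOI:
        findings.append("sector begins with a JPEG SOI marker")
    for n, e in enumerate(parse_partitions(sector)):
        if e["status"] not in (0x00, 0x80):          # only inactive/active are valid
            findings.append(f"partition {n}: bad status byte {e['status']:#x}")
        elif e["type"] != 0 and e["sectors"] == 0:    # used entry with zero length
            findings.append(f"partition {n}: type {e['type']:#x} but zero length")
    return findings

def sample_good_mbr() -> bytes:
    """Constructed: one active NTFS-type partition starting at LBA 2048."""
    s = bytearray(SECTOR)
    s[PART_TABLE:PART_TABLE + 16] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    s[510:512] = BOOT_SIG
    return bytes(s)

def sample_wiped_mbr() -> bytes:
    """Constructed: the whole sector replaced by a repeating JPEG-like byte pattern."""
    pattern = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    return (pattern * (SECTOR // len(pattern) + 1))[:SECTOR]

if __name__ == "__main__":
    for name, img in (("good", sample_good_mbr()), ("wiped", sample_wiped_mbr())):
        print(name, check_mbr(img) or "OK")
```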
        • 1. Re: W32/DistTrack Trojan
          Hayton

          I was wondering why McAfee made such a fuss over this one. Perhaps this is the answer: it's the same infection that the BBC website noted here -

          "Shamoon virus targets energy sector infrastructure"

          "It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable," wrote security firm Symantec.

          McAfee's being a bit sniffy because Symantec got to it first.

          The Symantec article identifies this as "W32/DistTrack". For now, you probably shouldn't worry too much unless you're a big player in the Saudi oil business. Of course, in the malware-generation subculture any innovation will soon be copied by others, so the techniques used in this one will appear elsewhere eventually.

          • 2. Re: W32/DistTrack Trojan
            derluc10

            Actually, it was a McAfee customer who experienced the initial infection(s). Someone searching for information on the malware can see this in that McAfee issued detection/protection for W32/Disttrack with DAT 6805 a day before Symantec, in their own malware report, claims it was discovered.

            Symantec and others received their information on DistTrack from the published McAfee Threat Advisory, just like everyone else.

            And, notice that all of the news about Shamoon broke days after McAfee posted a detailed analysis of the Disttrack threat. As often happens, another vendor gave this malware a more newsworthy name and the media ran with it. Until it had a 'cool' name nobody cared.