Sandworm Storm Mac OS
The Sandworm Team hacking group is part of Unit 74455 of the Russian Main Intelligence Directorate (GRU), the US Department of Justice (DoJ) claimed as it unsealed an indictment against six hackers and alleged members on Monday.
Sandworm Team attacks
“These GRU hackers and their co-conspirators engaged in computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize: Ukraine; Georgia; elections in France; efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian government-sponsored doping effort,” the DoJ alleges.
“Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics.”
At the same time, the UK National Cyber Security Centre says that it assesses “with high confidence” that the group had been actively targeting organizations involved in the 2020 Olympic and Paralympic Games before they were postponed.
“In the attacks on the 2018 Games, the GRU’s cyber unit attempted to disguise itself as North Korean and Chinese hackers when it targeted the opening ceremony. It went on to target broadcasters, a ski resort, Olympic officials and sponsors of the games. The GRU deployed of hacking operations. Chairman of the State Parliament committee on international affairs Dmitry Novikov says this is part of 'information war against Russia'. https://t.co/ifSuCM23VN
— Lukasz Olejnik (@lukOlejnik) October 20, 2020
It’s unusual to see the US mount criminal charges against intelligence officers that were engaged in cyber-espionage operations outside the US, but the rationale here is that many of the attacks resulted in real-world consequences that were aimed at undermining the target countries’ governments and destabilizing the countries themselves, and that they affected individuals, civilian critical infrastructure (including organizations in the US), and private sector companies.

“The crimes committed by Russian government officials were against real victims who suffered real harm. We have an obligation to hold accountable those who commit crimes – no matter where they reside and no matter for whom they work – in order to seek justice on behalf of these victims,” commented US Attorney Scott W. Brady for the Western District of Pennsylvania.
There are currently no laws and norms regulating cyber attacks and cyber espionage in peacetime, but earlier this year Russian Federation president Vladimir Putin called for an agreement between Russia and the US that would guarantee the two nations would not try to meddle with each other’s elections and internal affairs via “cyber” means.
This latest round of indictments by the US is unlikely to act as a deterrent but, as Dr. Panayotis Yannakogeorgos recently told Help Net Security, indictments and public attribution of attacks serve several other purposes.
Another interesting result of this indictment may be felt by insurance companies and their customers that have suffered disruption due to cyber attacks mounted by nation-states. Some of their insurance policies may not cover cyber incidents that could be considered an “act of war” (e.g., the NotPetya attacks).
Thanks to Gabor Szappanos of SophosLabs for his work on this article.
You may have heard or seen mention of the latest catchily-named malware attack: “Sandworm.”
The name is rather dramatically borrowed from the famous 1960s science fiction epic Dune, where it refers to a sort of worm-like creature, hundreds or even thousands of metres long and as good as indestructible except with nuclear weapons.
In the current context, the name applies to a strain of malware, announced with fanfare by a security company that claims to have seen it used recently in the wild in targeted attacks.
These attacks are said to have been “used in [a] Russian cyber-espionage campaign targeting NATO, European Union, Telecommunications and Energy sectors.”
The attack relies on a vulnerability in Windows known as CVE-2014-4114, patched in Bulletin MS14-060 of Microsoft’s October 2014 Patch Tuesday.
That makes the attack used by Sandworm a so-called zero-day exploit, because the vulnerability was first exploited before a patch was available.
→ The terminology “zero day” refers to the fact that there were zero days during which you could have patched in advance.
Combine a zero-day exploit and claims of Russian espionage with a catchy name and an all-devouring logo and you have a magnetic-sounding story.
Fortunately, the Sandworm malware is a lot easier to deal with than its interplanetary annelid namesake.
In fact, in malware terms, it’s not a worm at all.
Here’s what you need to know.
How Sandworm arrives
The malware travels in a Powerpoint file that refers to an .INF file, where INF is the Windows extension given to a special sort of information file used during software setup.
INF files were once a fruitful vehicle for malware authors, thanks to a special file named AUTORUN.INF that could be used on removable drives such as USB memory sticks to specify a program that would run automatically when the drive was plugged in.
AUTORUN.INF files are no longer allowed to run programs automatically, however, so that risk has as good as vanished.
But INF files can still be used for installation-oriented tasks such as putting files into place (and optionally renaming them), and setting entries in the registry.
That’s enough to install malware that will run later on, even if it’s not sufficient to infect your computer right away.
How Sandworm works
In the Sandworm attack, the malicious Powerpoint file that kicks things off actually refers to an INF file with a remote filename, using a UNC path.
→ UNC paths are those special Windows filenames that include a server name, not just a drive letter and a directory name, such as \\SERVER\SHARE\FILE.TXT for servers on your own network, or \\198.51.100.5\REMOTE.DAT for a file located by IP number.
Windows is supposed to block applications like Powerpoint from sucking in and launching external files in this way, for obvious security reasons, but the Sandworm attackers found, or at least acquired, a vulnerability that made it possible anyway.
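A defender-side check for the pattern just described, written for this article as an added example (it is not code from the original post or from Sophos): it opens a .pptx/.ppsx package, walks every relationships part, and flags any relationship marked External whose target is a UNC path or an .inf file. The helper that builds a sample package expresses the reference as an oleObject relationship, which is an assumption about layout, not a detail taken from the article.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")   # \\server\share\... (or //server/share/...)

def find_external_refs(pptx_bytes):
    """Return (rels part, target) for every External relationship whose target is a
    UNC path or an .inf file: the combination this attack relies on, and something
    an ordinary presentation has no reason to contain."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if UNC_RE.match(target) or target.lower().endswith(".inf"):
                    hits.append((name, target))
    return hits

def build_sample(target):
    """Constructed minimal OOXML zip with one slide rels part that references `target`
    as an external OLE object. The oleObject relationship type is an assumption about
    how such a reference is expressed; it is not taken from the article."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS[1:-1]}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>'
        f'<Relationship Id="rId2" Type="{OLE_TYPE}" Target="{target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()
```

The 198.51.100.5 address in the sample is the documentation address the article itself uses; an internal relationship or an ordinary https target produces no finding.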
In the attack, the malicious Powerpoint file pulls in two files from a remote server that combine to deliver the malware payload.
The files have the innocent-looking names slides.inf and slide1.gif, as though they were part of the presentation itself.
But slide1.gif is actually an executable (program) file, and slides.inf is an installer file that renames slide1.gif to slide1.gif.exe before adding a registry entry that will run the offending program when you next log on.
In other words, even without the ability to run a program directly, the Powerpoint-INF-and-GIF cocktail is enough to install a program that will run later on.
Even though the malware itself is not embedded inside the malicious Powerpoint file, it is fetched in what is often called a drive-by install – one that happens without any pop-up dialog or warning that would let you stop it by choice.
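The two INF capabilities the article singles out, renaming a file and adding a registry entry, are also what an analyst looks for when triaging a suspicious INF. This added example (not code from the original post or from Sophos) parses an INF's sections and flags RenFiles entries that produce an executable and AddReg entries under a Run or RunOnce key. The sample INF is constructed to match the behaviour described for slides.inf; its section names and registry path are assumptions, not the real file's contents.

```python
import re

# Constructed sample, modelled on the article's account of slides.inf: rename the
# disguised slide1.gif to an .exe, then register it to run at the next logon.
SAMPLE_INF = r"""
[DefaultInstall]
RenFiles=RxRename
AddReg=RxStart
[RxRename]
slide1.gif.exe,slide1.gif
[RxStart]
HKLM,Software\Microsoft\Windows\CurrentVersion\RunOnce,Install,,%1%\slide1.gif.exe
"""

def parse_inf(text):
    """Split an INF into {section: [lines]}, dropping comments and blank lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def directives(lines, key):
    """Comma-separated values of every 'key=...' line in a section."""
    out = []
    for line in lines:
        k, _, v = line.partition("=")
        if k.strip().lower() == key.lower():
            out += [s.strip() for s in v.split(",") if s.strip()]
    return out

def triage_inf(text):
    """Flag renames that produce executables and AddReg entries under a Run/RunOnce key."""
    secs = parse_inf(text)
    install = secs.get("DefaultInstall", [])
    findings = []
    for sec in directives(install, "RenFiles"):
        for entry in secs.get(sec, []):            # RenFiles lines are new-name,old-name
            new, _, old = entry.partition(",")
            if new.lower().endswith((".exe", ".dll", ".scr", ".com")):
                findings.append(f"rename {old.strip()} -> {new.strip()}")
    for sec in directives(install, "AddReg"):
        for entry in secs.get(sec, []):            # AddReg lines are root,subkey,name,flags,value
            if re.search(r"\\CurrentVersion\\Run(Once)?(,|$)", entry, re.I):
                findings.append(f"autorun registry entry: {entry}")
    return findings
```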
What to do?
Unlike the sandworms of the desert planet Arrakis in the Dune saga, you don’t need high explosives, or disk-wiping tools, to counteract this threat.
Applying Microsoft’s MS14-060 patch will close the hole on which this vulnerability relies.
Additionally, security products can:
- Identify booby-trapped files that exploit the vulnerability, thus preventing them from opening in the first place.
- Block the “call home” traffic used in known attacks in order to prevent payload code or data from being retrieved, even on unpatched computers.
Sophos products detect and block “Sandwormed” Powerpoint files as Troj/20144114-A. The slide1.gif malware file referred to above is blocked as Mal/Generic-S. The servers used in the “call home” of the attack are also blocked to prevent the download of any other malware that might be published there.