Shamoon Malware Not Only Infects & Steals, It Wipes Data Too
It seems a new malware is on the loose and it's not to be trifled with. Shamoon, the malware in question, is showing up in reports from various security companies. As is the norm for today's typical malware, it attempts to steal information. It searches and takes data from the "Users", "Documents and Settings", "System32/Drivers" and "System32/Config" folders, but this is where it gets nasty as it overwrites the master boot record (MBR). This means the computer is effectively unable to boot.
The Shamoon malware, also known as Disttrack, was considered unusual as "Threats with such destructive payloads are unusual and are not typical of targeted attacks," according to a blog response from Symantec. The malware itself is just a 900KB folder that stores "encrypted resources" according to Kaspersky Labs, with one of them being a signed driver from EldoS, which is a corporate security component provider and is, according to the ZDnet article, used to access raw disks by the malware so it can wipe the MBR.
Overall the Shamoon malware is certainly destructive to say the least and can infect Windows machines as far back as Windows 95. The malware does this by using a two-stage attack method. First up it infects a computer connected to the internet using it as a proxy for communication to the command server. From there it starts it's dirty work by searching out and infecting other computers on the network where it starts to steal the data from the folders we mentioned earlier. After this it executes the payload that wipes the computer's MBR and sends the data that has been collected back to the command server. While the virus itself appears similar to the Flame malware we reported on earlier, Kaspersky has said it looks to be the work of copycats. Users can rest easy though as it appears the malware is being used for targeted attacks and is not widespread.
In an analysis, malware detection company Seculert concluded that Shamoon uses a two-stage attack. First it infects a computer connected to the internet and turns this into a proxy to communicate back with the malware's command-and-control server. After that, it branches out to other computers on the corporate network, steals information, then executes its payload and wipes the machines. Finally, it communicates this to the external command-and-control server.
Posted by | Fri, Aug 17, 2012 - 05:30 PM