Researchers Warn of Destructive Shamoon Malware

Researchers at several security firms are warning of new malware called Shamoon, which corrupts files on infected PCs and overwrites the master boot record.

"According to Israeli security company Seculert, Shamoon relies on a one-two punch, first taking control of a system connected to the Internet before spreading to other PCs on an organization's network," writes Computerworld's Gregg Keizer. "The second stage -- which kicks off after the malware has done its dirty work -- overwrites files and the Master Boot Record (MBR) of the machine. The latter makes the PC unbootable. 'They are looking for ways to cover their tracks,' said Aviv Raff, CTO and co-founder of Seculert, in a Friday interview."

"According to McAfee, the data is lost permanently and the machine is not recoverable," writes Computer Business Review's Steve Evans.

"The Shamoon malware came to light on Thursday when researchers at Kaspersky Lab said that they had analyzed samples that included some odd and puzzling characteristics," writes Threatpost's Dennis Fisher. "One module in the malware has a string with a name that includes 'wiper' as part of it, something that could point to a connection to the Wiper or Skywiper malware discovered earlier this year. Wiper was erasing files from disks, but it doesn't appear that the two are connected at this point."

"[Shamoon] so far has been aimed at a single energy-sector organization in the Middle East, according to Symantec ... Symantec would not name the victimized firm, and so far has seen the attack only in this one organization," writes Dark Reading's Kelly Jackson Higgins. "What stands out most about the attack is that its aim is destroying files, data, and crippling the infected machines."

"Shamoon is unusual because it goes to great lengths to ensure destroyed data can never be recovered, something that is rarely seen in targeted attacks," writes Ars Technica's Dan Goodin. "It has self-propagation capabilities that allow it to spread from computer to computer using shared network disks. It overwrites disks with a small portion of a JPEG image found on the Internet. ... The malware also reports back to the attackers with information about the number of files that were destroyed, the IP address of the infected computer, and a random number."