Topic: Security

Shamoon malware infects computers, steals data, then wipes them

Summary: Security companies have detected a piece of malware that steals files from infected machines, then renders the computers useless by overwriting their master boot record.

By Jack Clark | August 17, 2012 -- 12:09 GMT (05:09 PDT)

Follow @mappingbabel

Security researchers are investigating a piece of destructive malware that has the ability to overwrite the master boot record of a computer, and which they suspect is being used in targeted attacks against specific companies.

Reports of the 'Shamoon' malware began emerging from security companies on Thursday. Like other malware, it steals information, taking data from the 'Users', 'Documents and Settings', and 'System32/Drivers' and 'System32/Config' folders on Windows computers. One unusual characteristic, however, is that it can overwrite the master boot record (MBR) on infected machines, effectively rendering them useless.

Shamoon, which is also known as Disttrack, is being used in targeted attacks against at least one organisation in the energy sector, according to Symantec.

"Threats with such destructive payloads are unusual and are not typical of targeted attacks," Symantec wrote on its security response blog on Friday. "Security response is continuing to analyse this threat and will post more information as it becomes available."

The malware consists of a 900KB folder that contains a number of "encrypted resources", according to Kaspersky Labs. One of these has a signed disk driver from EldoS, a corporate security component provider, which is used for raw disk access by the malware's components.

It affects Windows 95, Windows 98, Windows XP, Windows 200, Windows Vista, Windows NT, Windows ME, Windows 7, Windows Server 2003 and Windows Server 2008. Symantec said it has updated its antivirus to protect against the malware.

In an analysis, malware detection company Seculert concluded that Shamoon uses a two-stage attack. First it infects a computer connected to the internet and turns this into a proxy to communicate back with the malware's command-and-control server. After that, it branches out to other computers on the corporate network, steals information, then executes its payload and wipes the machines. Finally, it communicates this to the external command-and-control server.

"It is still unclear who is behind this attack," Seculert wrote in a blog post. "We will update this blog with more information when it becomes available."

As a side note, though samples of the malware collected by Kaspersky contain a module with a string ending in 'Wiper', the company does not suspect the virus is related to the sophisticated Flame malware, as the name might suggest. Instead, Kaspersky says it believes the malware is the work of copycats.

Topics: Security, Malware

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

44 comments

Log in or register to join the discussion

Hmm

Not really a brick, mbr can easily be fixed.

slickjim
17 August, 2012 12:21

Reply 7 Votes
- But....
  
  If your hard drive partition is wiped, then it doesn't matter that the MBR works.
  
  f0real
  17 August, 2012 23:15
  
  Reply Vote
  - You can still get the data back.
    
    It will just cost $$$,
    
    Unless they did a 7 pass wipe as well, but I reckon that would get noticed. Just a bit.
    
    Bozzer
    18 August, 2012 00:22
    
    Reply 1 Vote
    - Corporate network, remember?
      
      Any organization, including corporations, where I have worked encouraged end users to save their work on network drives where periodic backups were taken. And, likewise, discouraged users from saving work on their C:\ drives which were not backed up.
      
      Thus, compliant end users might lose a day or two of work, but not much more.
      
      Rabid Howler Monkey
      18 August, 2012 01:06
      
      Reply 4 Votes
- hmmm II
  
  if it's so easy to fix why bother with buying antimalware software at all?
  (sure it can theoretically be fixed but at what cost? the point isn't being technically fixable or not)
  
  mescwb
  20 August, 2012 11:50
  
  Reply Vote
useless?

Not sure if you should really use the term bricked as it implies you cannot recover from this. You should probably say that the computer cannot be booted, until such time as the master boot record is fixed (usually through an OS reinstall). There is always some debate in the Mobile Phone as to what is bricked and general consensus is that if it can be reloaded, it is not "bricked". Someone feel free to correct me if I am wrong.
It seems that there is enough FUD surrounding Viruses/Malware without implying that the device is "permanently disabled".

jkohut
17 August, 2012 13:07

Reply 8 Votes
- Amended
  
  Thanks for commenting. We've taken another look at the headline and agree, so we've amended the story.
  
  Jack Clark
  17 August, 2012 13:22
  
  Reply 3 Votes
  - still needs work
    
    "then wipes them" sounds like it should say "wipes (deletes?) the MBR"
    
    gtvr
    17 August, 2012 13:52
    
    Reply 2 Votes
  - You are welcome.
    
    I understand there is sometimes a rush to get the information out, I just wanted people to realize that there MIGHT be a way to salvage the installation depending upon how much was deleted. Thanks for fixing the title. Shows that you care about getting the information right.
    
    jkohut
    17 August, 2012 18:54
    
    Reply 3 Votes
- If
  
  the author is correct, trying to re-install the OS wont work - let alone fix this problem. If the boot-sector & MBR are DOA, a victim of this will need to use a dedicated disk utility to fix (i.e. nuke & repair) the existing MBR. After getting the disk back to square-one: having cleaned and rebuilt boot-sector, then - and only then will they be good to go with re-installing the OS. This is my line of work, so believe me - having done so enough times to be able to diagnose & fix this type of problem blindfolded.
  
  As for lost data? Good luck recovering the important, lost files & folders from the previously wiped disk (thanks to Shamoon) ... victims in that situation really are gonna need it.
  
  "...It seems that there is enough FUD surrounding Viruses/Malware without implying that the device is "permanently disabled". "
  
  Until we know for sure exactly what / how it wipes the drive, we can't say one way or the other if it: (a) simply screws with the install via wiping the drive or (b) bricks a drive (as the blog author basically states Shamoon does). I'm more inclined to think the blog author hasn't thought thru his choice of words - in which case, the drives are *most likely* wiped - but not bricked. Which consequently would mean the drive can be recovered - given the right diagnostics & repair utilities. That is primary problemo #1 right there: average Jane & Joe, generally & typically speaking, don't have the first clue about such things.
  
  "... I have foreseen rivers of blood in the streets."
  
  thx-1138_
  17 August, 2012 15:12
  
  Reply 6 Votes
  - Heck, MonkeyB destroyed the boot record back in the late 90's.
    
    Just did an fdisk/mbr. Nowadays you just use mbrfix.exe on a bootable floppy, cd/dvd or flash drive. If you use your Windows 7 OS disk, just boot, pick repair computer,command prompt, go to the boot folder, and run "bootsect /nt60 ALL" (without quotes) to fix up all the partitions and reboot. You folks make this stuff all too doom and gloom.
    
    mrleo1957
    17 August, 2012 16:14
    
    Reply 7 Votes
    - LOL!
      
      mrleo1957 wrote:
      "just use mbrfix.exe on a bootable floppy, cd/dvd or flash drive. If you use your Windows 7 OS disk, just boot, pick repair computer,command prompt, go to the boot folder, and run "bootsect /nt60 ALL" (without quotes)
      
      Ma and Pa Kettle and Joe and Jane 6-pack are gonna love that. (*Almost* as much as they will love the keyboard shortcuts in Windows 8.)
      
      Rabid Howler Monkey
      17 August, 2012 16:25
      
      Reply 4 Votes
      - I didn't realise Jane and Joe six pack
        
        Had so much information worth stealing from their my documents for the criminals to go to this much trouble. Let alone own a corporate network.
        
        Bozzer
        18 August, 2012 00:26
        
        Reply Vote
      - Bozzer .. another presumptuous twat
        
        "... I didn't realise Jane and Joe six pack had so much information worth stealing from their my documents for the criminals to go to this much trouble. Let alone own a corporate network."
        
        ...Oh, and i suppose you're privy to what every computer user on the planet keeps stored on their PC's, huh? I'd venture that there are alot of average Jane & Joe users that do store valuable data / doc's on their home computers. Dumb? Sure, but that's the nature of the beast that is ... average Jane & Joe.
        
        It's a huge problem, sure ... but until you can come up with constructive solutions & answers, your arrogant and flippant replies just make you part of the problem - not part of the solution.
        
        ... This guy!
        
        thx-1138_
        18 August, 2012 02:39
        
        Reply 2 Votes
    - mrleo1957 .. well done!
      
      Another self satisfied techie that spouts on about 'how simple' these things are to do.
      
      As RHM has already put it, you expect average Jane & Joe to know how to do that when so many won't / can't run anti-virus / anti-malware app's?!?
      
      Average Jane & Joe are a problem - if they don't have the first clue about where to start or what you're talking about. You're as bad a problem, by assuming most lay-people know wtf fdisk/mbr .. bootsect /nt60 all means ... i mean really? Are you so pompous an @ss that you think non-techies are gonna know that type of stuff???
      
      And we wonder why average Jane & Joe tend to hate techies ... you're a prime exhibit.
      
      ...pfffft.
      
      thx-1138_
      18 August, 2012 02:33
      
      Reply 3 Votes
      - Most know somebody who can help
        
        There are many clueless computer users out there, but most have a friend or family member who's computer knowledge is more advanced. I've been that guy a few times - I just wish they'd call before they screw things up quite so completely...
        
        Greenknight_z
        19 August, 2012 11:01
        
        Reply 2 Votes
      - I meant "whose"
        
        Didn't you used to be able to edit your posts here?
        
        Greenknight_z
        19 August, 2012 11:06
        
        Reply 1 Vote
Shamoon malware infects computers, steals data, then bricks them

Symantec already has it blocked so kudos to them for the fast response and as a targeted attack against only one sector this has minor impact. More information is needed about how one would get this like if they need to be directed to a site and deliberately click on the link and download the file despite the big warning saying not to. As others have said, the MBR can be fixed using a recovery disk.

Loverock Davidson-
17 August, 2012 13:22

Reply 4 Votes
- You already know, Loverock . . .
  
  . . . first, you have to install Windows 95, Windows 98, Windows XP, Windows 200, Windows Vista, Windows NT, Windows ME, Windows 7, Windows Server 2003 or Windows Server 2008.
  
  sporkfighter
  17 August, 2012 14:28
  
  Reply 3 Votes
  - That was a dumb comment
    
    Since there are only two real OS's out there that people want or use, Windows and OS X, what else are they going to install? OS X won't runion a PC
    
    William Farrel
    17 August, 2012 14:39
    
    Reply 1 Vote