Shamoon malware infects computers, steals data, then wipes them


Summary: Security companies have detected a piece of malware that steals files from infected machines, then renders the computers useless by overwriting their master boot record.

TOPICS: Security, Malware

Security researchers are investigating a piece of destructive malware that has the ability to overwrite the master boot record of a computer, and which they suspect is being used in targeted attacks against specific companies.

Reports of the 'Shamoon' malware began emerging from security companies on Thursday. Like much other malware, it collects data, in this case from the 'Users', 'Documents and Settings', 'System32/Drivers' and 'System32/Config' folders on Windows computers. Its unusual characteristic is that it then overwrites the master boot record (MBR) of infected machines, leaving them unable to boot and, for practical purposes, useless.

Image: The Shamoon malware has the ability to overwrite the master boot record of a computer. Image credit: Securelist
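The comment thread below argues about whether an overwritten MBR means a lost disk or a quick repair. The first thing a responder does with a suspect machine is image the disk and look at sector 0. The script below is an added example for this page, not code from the article or from any vendor's analysis of Shamoon: it parses a 512-byte MBR, decodes the partition table, and classifies the sector as intact, zeroed, overwritten (boot signature gone) or signature-present-but-table-cleared. All sample sectors are constructed inline; nothing here reproduces what Shamoon actually writes.

```python
"""Triage helper: parse the first sector of a disk image and report whether the
MBR still looks bootable or has been overwritten.

Added example for this page, not code from the article or from any vendor's
analysis of Shamoon. The sample sectors are constructed inline.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

MBR_SIZE = 512
BOOT_SIGNATURE = 0xAA55            # stored at offset 510 as the bytes 55 AA
PARTITION_TABLE_OFFSET = 446       # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


@dataclass
class MbrReport:
    signature_ok: bool
    bootcode_nonzero: bool
    partitions: List[PartitionEntry]
    verdict: str


def parse_partition_entry(raw: bytes) -> Optional[PartitionEntry]:
    """Decode one 16-byte entry; return None for an empty slot (type 0)."""
    status, _chs_start, type_id, _chs_end, lba_start, sector_count = struct.unpack(
        "<B3sB3sII", raw)
    if type_id == 0:
        return None
    return PartitionEntry(status == 0x80, type_id, lba_start, sector_count)


def analyse_mbr(sector: bytes) -> MbrReport:
    """Classify a 512-byte sector as intact, zeroed, overwritten, or with its
    partition table cleared. The 55 AA check is the same test firmware applies
    before handing control to the boot code."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    signature_ok = struct.unpack_from("<H", sector, 510)[0] == BOOT_SIGNATURE
    bootcode_nonzero = any(sector[:PARTITION_TABLE_OFFSET])
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = parse_partition_entry(sector[off:off + PARTITION_ENTRY_SIZE])
        if entry is not None:
            partitions.append(entry)
    # A usable entry has a nonzero length and does not start at LBA 0, which is the MBR itself.
    plausible = [p for p in partitions if p.sector_count > 0 and p.lba_start > 0]
    if not any(sector):
        verdict = "zeroed"
    elif not signature_ok:
        verdict = "overwritten"
    elif not plausible:
        verdict = "partition table cleared"
    else:
        verdict = "intact"
    return MbrReport(signature_ok, bootcode_nonzero, partitions, verdict)


def analyse_image(path: str) -> MbrReport:
    """Read sector 0 of a raw disk image (e.g. a dd copy) and analyse it."""
    with open(path, "rb") as fh:
        return analyse_mbr(fh.read(MBR_SIZE))


def build_sample_mbr() -> bytes:
    """Constructed intact MBR: a few bytes of x86 boot code, one bootable NTFS
    partition starting at LBA 2048, and the 55 AA signature."""
    bootcode = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(PARTITION_TABLE_OFFSET, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + bytes(3 * PARTITION_ENTRY_SIZE)
    return bootcode + table + struct.pack("<H", BOOT_SIGNATURE)


def clear_partition_table(sector: bytes) -> bytes:
    """Constructed damage: keep boot code and signature, zero all four entries."""
    return sector[:PARTITION_TABLE_OFFSET] + bytes(4 * PARTITION_ENTRY_SIZE) + sector[510:]


if __name__ == "__main__":
    samples = {
        "intact": build_sample_mbr(),
        "zeroed": bytes(MBR_SIZE),
        "garbage": bytes(range(256)) * 2,          # constructed junk overwrite
        "table cleared": clear_partition_table(build_sample_mbr()),
    }
    for name, sector in samples.items():
        report = analyse_mbr(sector)
        print(f"{name:14s} -> {report.verdict} "
              f"(signature_ok={report.signature_ok}, partitions={len(report.partitions)})")
```

A verdict of "overwritten" or "zeroed" explains why the machine will not boot, but sector 0 alone cannot tell you whether the data behind it survived: a wiper that also overwrites the partitions' own boot sectors or file system metadata leaves the MBR verdict unchanged. Run the same kind of check against the start sector of each recovered partition entry before deciding between a boot-sector repair and full data recovery.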

Shamoon, which is also known as Disttrack, is being used in targeted attacks against at least one organisation in the energy sector, according to Symantec.

"Threats with such destructive payloads are unusual and are not typical of targeted attacks," Symantec wrote on its security response blog on Friday. "Security response is continuing to analyse this threat and will post more information as it becomes available."

The malware consists of a 900KB file that contains a number of "encrypted resources", according to Kaspersky Lab. One of these is a signed disk driver from EldoS, a provider of security components for corporate software, which the malware's components use for raw disk access.

It affects Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows Vista, Windows 7, Windows Server 2003 and Windows Server 2008. Symantec said it has updated its antivirus definitions to detect the malware.

In its analysis, security company Seculert concluded that Shamoon works in two stages. First it infects a computer with internet access and uses it as a proxy for communication with the attackers' command-and-control server. It then spreads to other computers on the corporate network, collects information, runs its wiping payload, and finally reports back to the external command-and-control server through that proxy.

"It is still unclear who is behind this attack," Seculert wrote in a blog post. "We will update this blog with more information when it becomes available."

As a side note, although the samples collected by Kaspersky contain a module with a string ending in 'Wiper', the company does not believe the malware is related to the sophisticated Flame malware, as the name might suggest. Instead, Kaspersky says it believes Shamoon is the work of copycats.


Jack Clark

About Jack Clark

Currently a reporter for ZDNet UK, I previously worked as a technology researcher and reporter for a London-based news agency.


Talkback

44 comments
  • Hmm

    Not really a brick, mbr can easily be fixed.
    slickjim
    • But....

      If your hard drive partition is wiped, then it doesn't matter that the MBR works.
      f0real
      • You can still get the data back.

        It will just cost $$$,

        Unless they did a 7 pass wipe as well, but I reckon that would get noticed. Just a bit.
        Bozzer
        • Corporate network, remember?

          Any organization, including corporations, where I have worked encouraged end users to save their work on network drives where periodic backups were taken. And, likewise, discouraged users from saving work on their C:\ drives which were not backed up.

          Thus, compliant end users might lose a day or two of work, but not much more.
          Rabid Howler Monkey
    • hmmm II

      if it's so easy to fix why bother with buying antimalware software at all?
      (sure it can theoretically be fixed but at what cost? the point isn't being technically fixable or not)
      mescwb
  • useless?

    Not sure if you should really use the term bricked as it implies you cannot recover from this. You should probably say that the computer cannot be booted, until such time as the master boot record is fixed (usually through an OS reinstall). There is always some debate in the Mobile Phone as to what is bricked and general consensus is that if it can be reloaded, it is not "bricked". Someone feel free to correct me if I am wrong.
    It seems that there is enough FUD surrounding Viruses/Malware without implying that the device is "permanently disabled".
    jkohut
    • Amended

      Thanks for commenting. We've taken another look at the headline and agree, so we've amended the story.
      Jack Clark
      • still needs work

        "then wipes them" sounds like it should say "wipes (deletes?) the MBR"
        gtvr
      • You are welcome.

        I understand there is sometimes a rush to get the information out, I just wanted people to realize that there MIGHT be a way to salvage the installation depending upon how much was deleted. Thanks for fixing the title. Shows that you care about getting the information right.
        jkohut
    • If

the author is correct, trying to re-install the OS won't work - let alone fix this problem. If the boot-sector & MBR are DOA, a victim of this will need to use a dedicated disk utility to fix (i.e. nuke & repair) the existing MBR. After getting the disk back to square one: having cleaned and rebuilt the boot-sector, then - and only then - will they be good to go with re-installing the OS. This is my line of work, so believe me - having done so enough times to be able to diagnose & fix this type of problem blindfolded.

      As for lost data? Good luck recovering the important, lost files & folders from the previously wiped disk (thanks to Shamoon) ... victims in that situation really are gonna need it.

      "...It seems that there is enough FUD surrounding Viruses/Malware without implying that the device is "permanently disabled". "

      Until we know for sure exactly what / how it wipes the drive, we can't say one way or the other if it: (a) simply screws with the install via wiping the drive or (b) bricks a drive (as the blog author basically states Shamoon does). I'm more inclined to think the blog author hasn't thought thru his choice of words - in which case, the drives are *most likely* wiped - but not bricked. Which consequently would mean the drive can be recovered - given the right diagnostics & repair utilities. That is primary problemo #1 right there: average Jane & Joe, generally & typically speaking, don't have the first clue about such things.

      "... I have foreseen rivers of blood in the streets."
      thx-1138_
      • Heck, MonkeyB destroyed the boot record back in the late 90's.

        Just did an fdisk/mbr. Nowadays you just use mbrfix.exe on a bootable floppy, cd/dvd or flash drive. If you use your Windows 7 OS disk, just boot, pick repair computer,command prompt, go to the boot folder, and run "bootsect /nt60 ALL" (without quotes) to fix up all the partitions and reboot. You folks make this stuff all too doom and gloom.
        mrleo1957
        • LOL!

          mrleo1957 wrote:
          "just use mbrfix.exe on a bootable floppy, cd/dvd or flash drive. If you use your Windows 7 OS disk, just boot, pick repair computer,command prompt, go to the boot folder, and run "bootsect /nt60 ALL" (without quotes)

          Ma and Pa Kettle and Joe and Jane 6-pack are gonna love that. (*Almost* as much as they will love the keyboard shortcuts in Windows 8.)
          Rabid Howler Monkey
          • I didn't realise Jane and Joe six pack

Had so much information worth stealing from their My Documents for the criminals to go to this much trouble. Let alone own a corporate network.
            Bozzer
          • Bozzer .. another presumptuous twat

            "... I didn't realise Jane and Joe six pack had so much information worth stealing from their my documents for the criminals to go to this much trouble. Let alone own a corporate network."

...Oh, and I suppose you're privy to what every computer user on the planet keeps stored on their PCs, huh? I'd venture that there are a lot of average Jane & Joe users that do store valuable data / docs on their home computers. Dumb? Sure, but that's the nature of the beast that is ... average Jane & Joe.

            It's a huge problem, sure ... but until you can come up with constructive solutions & answers, your arrogant and flippant replies just make you part of the problem - not part of the solution.

            ... This guy!
            thx-1138_
        • mrleo1957 .. well done!

          Another self satisfied techie that spouts on about 'how simple' these things are to do.

As RHM has already put it, you expect average Jane & Joe to know how to do that when so many won't / can't run anti-virus / anti-malware apps?!?

          Average Jane & Joe are a problem - if they don't have the first clue about where to start or what you're talking about. You're as bad a problem, by assuming most lay-people know wtf fdisk/mbr .. bootsect /nt60 all means ... i mean really? Are you so pompous an @ss that you think non-techies are gonna know that type of stuff???

          And we wonder why average Jane & Joe tend to hate techies ... you're a prime exhibit.

          ...pfffft.
          thx-1138_
          • Most know somebody who can help

            There are many clueless computer users out there, but most have a friend or family member who's computer knowledge is more advanced. I've been that guy a few times - I just wish they'd call before they screw things up quite so completely...
            Greenknight_z
          • I meant "whose"

            Didn't you used to be able to edit your posts here?
            Greenknight_z
  • Shamoon malware infects computers, steals data, then bricks them

    Symantec already has it blocked so kudos to them for the fast response and as a targeted attack against only one sector this has minor impact. More information is needed about how one would get this like if they need to be directed to a site and deliberately click on the link and download the file despite the big warning saying not to. As others have said, the MBR can be fixed using a recovery disk.
    Loverock Davidson-
    • You already know, Loverock . . .

. . . first, you have to install Windows 95, Windows 98, Windows XP, Windows 2000, Windows Vista, Windows NT, Windows ME, Windows 7, Windows Server 2003 or Windows Server 2008.
      sporkfighter
      • That was a dumb comment

Since there are only two real OSes out there that people want or use, Windows and OS X, what else are they going to install? OS X won't run on a PC.
        William Farrel