Shamoon malware infects computers, steals data, then wipes them

Security companies have detected a piece of malware that steals files from infected machines, then renders the computers useless by overwriting their master boot record.
Written by Jack Clark, Contributor

Security researchers are investigating a piece of destructive malware that has the ability to overwrite the master boot record of a computer, and which they suspect is being used in targeted attacks against specific companies.

Reports of the 'Shamoon' malware began emerging from security companies on Thursday. Like other malware, it steals information, taking data from the 'Users', 'Documents and Settings', and 'System32/Drivers' and 'System32/Config' folders on Windows computers. One unusual characteristic, however, is that it can overwrite the master boot record (MBR) on infected machines, effectively rendering them useless.

Shamoon malware
The Shamoon malware has the ability to overwrite the master boot record of a computer. Image credit: Securelist

Shamoon, which is also known as Disttrack, is being used in targeted attacks against at least one organisation in the energy sector, according to Symantec.

"Threats with such destructive payloads are unusual and are not typical of targeted attacks," Symantec wrote on its security response blog on Friday. "Security response is continuing to analyse this threat and will post more information as it becomes available."

The malware consists of a 900KB folder that contains a number of "encrypted resources", according to Kaspersky Labs. One of these has a signed disk driver from EldoS, a corporate security component provider, which is used for raw disk access by the malware's components.

It affects Windows 95, Windows 98, Windows XP, Windows 200, Windows Vista, Windows NT, Windows ME, Windows 7, Windows Server 2003 and Windows Server 2008. Symantec said it has updated its antivirus to protect against the malware.

In an analysis, malware detection company Seculert concluded that Shamoon uses a two-stage attack. First it infects a computer connected to the internet and turns this into a proxy to communicate back with the malware's command-and-control server. After that, it branches out to other computers on the corporate network, steals information, then executes its payload and wipes the machines. Finally, it communicates this to the external command-and-control server.

"It is still unclear who is behind this attack," Seculert wrote in a blog post. "We will update this blog with more information when it becomes available."

As a side note, though samples of the malware collected by Kaspersky contain a module with a string ending in 'Wiper', the company does not suspect the virus is related to the sophisticated Flame malware, as the name might suggest. Instead, Kaspersky says it believes the malware is the work of copycats.

Editorial standards