Money Matters - Simplified

Shamoon malware steals and wipes data after corrupting computers

Security specialists have detected a malware that steals files from infected machines, then renders several computers on a network unusable by overwriting their master boot record. They suspect it is being used to target attacks against specific companies.

According to experts, the threat was known to have had hit "at least one organisation" in the energy sector. "It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable," wrote security firm Symantec.

The malware
The malware consists of a 900KB folder that contains a number of "encrypted resources", according to Kaspersky Labs. One of these has a signed disk driver from EldoS, a corporate security component provider, which is used for raw disk access by the malware's components.

'Shamoon' malware steals information, taking data from the 'Users', 'Documents and Settings', and 'System32/Drivers' and 'System32/Config' folders on Windows computers like Windows 95, Windows 98, Windows XP, Windows 200, Windows Vista, Windows NT, Windows ME, Windows 7, Windows Server 2003 and Windows Server 2008.

How it effects
In an analysis, malware detection company Seculert concluded that Shamoon uses a two-stage attack. First it infects a computer connected to the internet and turns this into a proxy to communicate back with the malware's command-and-control server.

After that, it branches out to other computers on the corporate network, steals information, then executes its payload and wipes the machines. Finally, it communicates this to the external command-and-control server. During this process, the attack replaces the deleted files with JPEG images, obstructing any potential file recovery by the victim.

"It is still unclear who is behind this attack," Seculert wrote in a blog post. "We will update this blog with more information when it becomes available."

Seculert, an Israel-based security specialist, also analysed the malicious code and concluded that it had unusual characteristics compared with other recent attacks.
"The interesting part of this malware is that instead of staying under the radar and collect information, the malware was designed to overwrite and wipe the files," the company said.

Shamoon is the latest in a line of attacks that have targeted infrastructure. One of the most high-profile attacks in recent times was Stuxnet, which was designed to hit nuclear infrastructure in Iran.
Others, like Duqu, have sought to infiltrate networks in order to steal data.