Shamoon malware cripples Windows PCs to cover tracks
Targeted attacks end with erased files and unbootable computers
Computerworld - A new Trojan horse tries to covers its tracks by crippling the victim's computer after stealing data, a security researcher said today.
Dubbed "Shamoon" by most antivirus companies, the malware has been used in targeted attacks aimed at specific individuals or firms, including at least one in the energy sector.
According to Israeli security company Seculert, Shamoon relies on a one-two punch, first taking control of a system connected to the Internet before spreading to other PCs on an organization's network.
The second stage -- which kicks off after the malware has done its dirty work -- overwrites files and the Master Boot Record (MBR) of the machine. The latter makes the PC unbootable.
"They are looking for ways to cover their tracks," said Aviv Raff, CTO and co-founder of Seculert, in a Friday interview.
Seculert and other security companies, including Moscow-based Kaspersky Lab and U.S. antivirus vendor Symantec, have not yet figured out kind of data Shamoon is looking for, then stealing. They assume that because the malware uses a second infected system to communicate with a hacker-controlled command-and-control (C&C) server, Shamoon is copying files from pillaged PCs and sending that information to its masters.
Malware rarely destroys files or wipes the MBR. Most threats try to work quietly to avoid detection as long as possible. Crippling a computer only brings unwanted attention.
"Threats with such destructive payloads are unusual and are not typical of targeted attacks," said Symantec on a Thursday post to its security response team's blog.
Because a list of overwritten files is transmitted to the C&C server, Raff speculated that Shamoon's makers wanted to "know what and how much got wiped."
The destructiveness of Shamoon -- its distinguishing trait, really -- brought up memories of an attack against Iranian computers earlier this year that also wiped hard drives.
Investigations into that malware by Kaspersky led it to uncover Flame, the sophisticated cyber-spying tool that most have linked to Stuxnet, the worm discovered in 2010 that sabotaged Iran's nuclear program.
Kaspersky was convinced that there was no connection between Shamoon and the data-wiping malware that hit Iran last April, and cited several differences between the two.
"It is more likely that [Shamoon] is a copycat, the work of a script kiddies inspired by the [earlier] story," said a Kaspersky researcher yesterday on the company's blog.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
- Syrian Electronic Army shanghais Microsoft's Twitter account, blog
- Is French outrage against U.S. spying misplaced?
- Lawmakers seek answers on Obamacare Data Hub security
- China-based hacking group behind hundreds of attacks on U.S. companies
- How to Prepare for a Potential Syrian Counterattack on the U.S. Power Grid
- New York Times site outage caused by attack on domain registrar, company says
- Cyber drills like Quantum Dawn 2 vital to security in financial sector
- Quantum Dawn 2 will test Wall Street's cyber readiness
- Pentagon accuses China of cyberattacks on U.S military, business targets
- Spamhaus attacks expose huge open DNS server dangers
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Cybercrime and Hacking White Papers | Webcasts