Malware wars heat up: Shamoon steals, wipes and leaves PCs unbootable

You know it’s not wise to open email attachments, but if you choose to ignore that wisdom then there’s a malware in the wild that could make your digital life miserable. Shamoon is a new malware that can do more than corrupt, destroy or delete files; it can overwrite the master boot record and leave a computer unusable. There is speculation that it spreads via an executable hidden in an email attachment that if opened on a Windows computer, "It can be difficult getting anything working again," warned Symantec researcher Liam O Murchu. “If your computer gets hit and you can't reboot, you have a real problem,” Techworld reported.


“Why would someone invest time to prepare a campaign, send a spear-phishing email with a malicious document attached and waste a 0-day vulnerability in order to silently install a sophisticated malware?” Seculert asked. But Symantec reported this mystery malware was “used in specific targeted attacks against at least one organization in the energy sector.” Help Net Security added that Saudi Aramco, the world’s largest oil company, was hit by a large malware infection and may have caused major disruptions in their network. Although Saudi Aramco said the “interruption has had no impact whatsoever on any of the company’s production operations,” there are “unconfirmed reports via Twitter and Pastebin” alleging “that a large number of systems were completely wiped and that both web and mail servers, as well as the domain controller were also hit in the attack.”

Shamoon doesn’t even try to stay under the radar and covertly collect data. Seculert wrote, “While it's rare to find this type of malware in targeted attacks, our friends at Kaspersky Lab suggest that this is the same behavior of the wipe malware found attacking machines in Iran, that were infected with another unknown malware. This then lead Kaspersky to the discovery of Flame.”

Kaspersky asked, “Is this the malware known as Wiper, that attacked Iran in April 2012?” But after analyzing the malware, Kaspersky determined, “It is more likely that this is a copycat, the work of a script kiddies inspired by the story.”

“Shamoon is collecting the names of the files it has overwritten and sending this information to another internal machine within the compromised company network.” After analysis, Seculert wrote that is a two-stage targeted attack:

  • The attacker took control of an internal machine connected directly to the internet, and used that machine as a proxy to the external Command-and-Control (C2) server. Through the proxy, the attacker infected the other internal machines, which were probably not connected directly to the internet.
  • Once the intended action on the internal infected machines was complete, the attacker executed the Shamoon malware, wiping all evidence of other malicious software or stolen data from those machines. It then reported back to the external C2 through the proxy.

Meanwhile in Syria, activists, journalists and opposition group members are under targeted malware attacks from pro-Syrian government hackers. The EFF reported that AntiHacker, a fake security tool, promises to provide Auto-Protect & Auto-Detect & Security & Quick scan and analyzing, but in reality the software covertly installs surveillance instead of security protection on computers. AntiHacker “installs a remote access tool called DarkComet RAT, which allows an attacker to capture webcam activity, disable the notification setting for certain antivirus programs, record key strokes, steal passwords, and more.” The EFF added, “This version of DarkComet is not detectable by any anti-virus software as of August 1, 2012. However, it is detectable by the DarkComet RAT removal tool, written by the same developer that originally wrote DarkComet RAT.”

Although the new cyber-espionage Gauss malware is related to Flame and Stuxnet, it blended “nation-state cyber-surveillance with an online banking Trojan.” Kaspersky Lab said many mysteries remain unraveled such as why does malware install ‘Palida Narrow’ a previously unknown font? Was one of the Gauss malware writers a typeface design fan? Researchers said they don’t know “what the purpose of the font is, but ... its presence on a PC is a good indicator of a Gauss infection." There are detection tools on CrySyS Lab and Securelist to check if a machine is infected. Another mystery is the encrypted payload. "Despite our best efforts, we were unable to break the encryption." Kaspersky appealed to cryptographers to help break the encryption and extract the hidden payload.

Yet another mystery to the morphing malware saga was previously reported by F-Secure. Supposedly Iranian nuclear facilities were hit with malware that made AC/DC’s Thunderstruck blast at maximum volume in the middle of the night.

While the music fan in me thought that was pretty cool, was the malware writer a heavy metal fan or was it cyberwarfare PSYOPS operations to weaponize AC/DC’s music? Although F-Secure’s Mikko Hypponen was able to “confirm that the researcher was sending and receiving emails from within the AEOI,” Iran denied it and F-Secure never confirmed it really happened.

Without a doubt though, the malware wars are heating up. Krypt3ia reported:

In the end, we have opened Pandora’s box and there is no way to get that which has escaped back into it. We have given the weapon framework away due to the nature of the carrier. Even if Gauss is encrypted, it will be broken and then what? Unlike traditional weapons that destroy themselves, the malware we have sent can be easily reverse engineered. It will give ideas to those wishing to create better versions and they will be turned on us in targeted and wide fashions to wreak as much digital havoc as possible. Unfortunately, you and I my friends are the collateral damage here, as we all depend on the systems that these types of malware insert themselves into and manipulate.

Copyright © 2012 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon