Shamoon Malware Wreaks Havoc; Deletes Data for Good

Security researchers from Symantec as well as Kaspersky both security companies have reported one fresh malicious program viz. Shamoon that recently attacked an organization within the energy sector of the Middle East, while being capable of erasing files from the computers it infected as also changing the MBR (Master Boot Record) content on the same. Although evidences show that the program maybe associated with Wiper, the security experts are convinced it's one kind of red herring.

Actually, it was when the experts reported of a few unusual and bewildering features in samples they'd examined that the Shamoon's picture emerged. The malware reportedly, contained one module that had a string the moniker of which included the word "wiper." That probably suggested an association with the 'Skywiper' or 'Wiper' malicious programs found previously during the current year (2012). And even as files were getting deleted from hard disks due to Wiper, there's little surety about any connection between the two malware as of now.

Shamoon is peculiar since there's every effort by it towards making sure that the system owner doesn't ever get to retrieve his lost files one which's a rare occurrence with targeted online assaults. The malware has the ability to propagate of its own i.e. without user interaction, and thereby infect PCs within a shared network. There's also superimposition on disks by Shamoon of certain Joint Photographic Experts Group (JPEG) picture, though partially, after finding it on the Net.

It (meaning Shamoon) as well contacts its remote controllers to inform the total files it erased; the infected PC's Internet Protocol address; as well as one random number. Evidently, based on the details Shamoon's creators utilized while developing the malware, the program stayed within the C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb Windows directory.

Interestingly, Manager of North American Operations Liam O Murchu for Symantec Security Technology and Response states that the Shamoon attack is unprecedented other than the latest assault against the oil industry computers of the Iranian government. Devoid of espionage, ex-filtration, monetary theft, information theft or ransom demand, the Shamoon purely works maliciously, Murchu adds. Darkreading.com published this in news on August 16, 2012.

Related article: SANS Highlights Twenty Top Hacker Targets

» SPAMfighter News - 8/22/2012