Cyber Attack: Shamoon Malware Infects, Steals, Wipes MBR

Shamoon, also known as Disttrack, is unusual as it infects a PC, steals certain data, sends the data to another infected PC and then overwrites the PC's master boot record, which makes the system virtually useless.

There has been some speculation about why the attacker would have an interest in actually destroying the infected PC. Kaspersky Labs hinted that the 900 KB malware could be related to Wiper, which was used in a cyber attack on Iran in April. After further analysis, the company concluded that this malware more likely comes from "scriptkiddies" who were inspired by Wiper.

"Our opinion, based on researching several systems attacked by the original Wiper, is that it is not," Kaspersky wrote in a blog post. "The original “Wiper” was using certain service names (“RAHD...”) together with specific filenames for its drivers (“%temp%\~dxxx.tmp”) which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware."

However, Kaspersky also said that there have been only two reports of Shamoon in the wild, both cases in China, which led them to believe that the malware was used in "very focused targeted attacks."

Symantec followed up with a detailed description of a three-phase attack structure consisting of dropper, wiper and reporter components that were used "against at least one organization in the energy sector."
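Because the destructive step is an overwrite of the first sector of the disk, a defender can detect it (and confirm a restore) by fingerprinting the MBR while the machine is healthy and re-checking the sector's structure later. The script below is an added example, not code from the article or from the Kaspersky or Symantec analyses: it parses the 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), stores a SHA-256 baseline, and reports what changed. The sample MBR and the all-0x41 "overwritten" sector are constructed test data and do not reproduce any real malware's wipe pattern.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
ENTRY_FORMAT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count


def read_mbr(path):
    """Read the first 512 bytes of a disk device or of a saved MBR image file."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(sector):
    """Decode the boot signature and the four primary partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, count = struct.unpack(ENTRY_FORMAT, sector[off:off + 16])
        partitions.append({"active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
        "bootcode_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
    }


def looks_wiped(sector):
    """True when the sector has lost its boot signature or every partition entry."""
    info = parse_mbr(sector)
    return not info["signature_ok"] or all(p["type"] == 0 for p in info["partitions"])


def baseline(sector):
    """Fingerprint to keep off the box (a copy of the sector itself is better still)."""
    return hashlib.sha256(sector).hexdigest()


def compare(sector, known_good_hash):
    """Return a list of findings; an empty list means the MBR is unchanged."""
    findings = []
    if hashlib.sha256(sector).hexdigest() != known_good_hash:
        findings.append("MBR hash differs from baseline")
        info = parse_mbr(sector)
        if not info["signature_ok"]:
            findings.append("boot signature 0x55AA missing")
        if all(p["type"] == 0 for p in info["partitions"]):
            findings.append("partition table empty")
    return findings


def sample_mbr():
    """Constructed sample: dummy boot code plus one active NTFS-type (0x07) partition at LBA 2048."""
    bootcode = bytes(range(256)) + b"\x00" * (PARTITION_TABLE_OFFSET - 256)
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    return bootcode + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    good = sample_mbr()
    ref = baseline(good)
    print("healthy:", compare(good, ref))
    overwritten = b"\x41" * SECTOR_SIZE   # constructed stand-in for an overwritten sector
    print("overwritten:", compare(overwritten, ref))
```

To run it against a real machine, pass `read_mbr()` the raw disk device (`\\.\PhysicalDrive0` on Windows, which needs administrator rights, or `/dev/sda` on Linux) or a sector dump taken with a backup tool. The structural checks also hold for GPT disks, which keep a protective MBR with a single type 0xEE entry, so an empty table or missing signature is still a red flag there.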

  • pharoahhalfdead
    "Scriptkiddies?..." Is this another article about Anonymous? lol
  • freggo
    I'd like to spend 10 minutes alone with the idiot who created this, in a sound proof room; I will bring my favorite baseball bat.
  • wiinippongamer
    ^wow dude you're a badass.
  • jhansonxi
    Shamoon, also known as Disttrack, is unusual as it infects a PC, steals certain data, sends the data to another infected PC and then overwrites the PC's master boot record, which makes the system virtually useless.
    Scary, but it's not PC-specific. It's just more Windows malware. Obviously not the usual suspects since most malware is used to gain control of a system for spying or botnets.
  • thorkle
    freggo: "I'd like to spend 10 minutes alone with the idiot who created this, in a sound proof room; I will bring my favorite baseball bat."
    Why do you have so many baseball bats that you would have a favorite bat? :-P
  • face-plants
    According to the BBC's reporting on the Shamoon bug 2 days ago, it was a Saudi Arabian company, Aramco (their national oil provider and one of the largest in the world) not a Chinese one who first announced they were infected.
  • kristoffe
    Good article, and if you're worried about it, just make a record of your MBR to a USB drive or dropbox it to yourself.

    http://www.ghacks.net/2010/09/01/how-to-backup-and-restore-the-mbr-in-windows/

    you can also start your pc up with HIREN'S BOOT CD and restore your MBR from the backup you have made as well :)

    http://www.hiren.info/pages/bootcd
  • cRACKmONKEY421
    "makes the system virtually useless"

    I guess fixmbr doesn't work?
  • djcolley
    Must be a real problem for people that still own PCs
  • olaf
    yawwwnnn lame, nothing more than a hindrance rly ... your data is still on the drive, makes for good business i guess if you fix computers :D