Shamoon malware stealing data and deleting MBRs

Posted on Monday, August 20 2012 @ 21:32 CEST by Thomas De Maesschalck
Security researchers are monitoring the spread of "Shamoon", a new piece of destructive malware first discovered last Thursday. This new worm, which is also known as Disttrack, affects Windows 95, Windows 98, Windows XP, Windows 2000, Windows Vista, Windows NT, Windows ME, Windows 7, Windows Server 2003 and Windows Server 2008.

It's unclear who is behind the attack but researchers suspect it's being used in targeted attacks against specific companies. The virus steals information and can overwrite the master boot record (MBR) to render PCs useless.
The malware consists of a 900KB folder that contains a number of "encrypted resources", according to Kaspersky Labs. One of these has a signed disk driver from EldoS, a corporate security component provider, which is used for raw disk access by the malware's components.

In an analysis, malware detection company Seculert concluded that Shamoon uses a two-stage attack. First it infects a computer connected to the internet and turns this into a proxy to communicate back with the malware's command-and-control server. After that, it branches out to other computers on the corporate network, steals information, then executes its payload and wipes the machines. Finally, it communicates this to the external command-and-control server.
Source: ZD Net
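Because the payload described above renders a machine unbootable by overwriting the MBR, a defender's first check is whether the first 512 bytes of a disk still look like a valid MBR and still match a hash recorded while the host was known clean. The following is an added example, not code from the article or from any of the vendors quoted in it; the sample sectors are constructed inline, and the `build_sample_mbr` and `check_mbr` names are this example's own.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIG = b"\x55\xaa"          # little-endian 0xAA55 boot signature at offset 510


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR: boot signature, non-empty partition entries, SHA-256."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i                      # partition table starts at offset 446
        ptype = sector[off + 4]                 # byte 4 of an entry is the partition type
        start_lba, num_sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:                          # type 0 means an unused entry
            partitions.append({"status": sector[off], "type": ptype,
                               "start_lba": start_lba, "sectors": num_sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIG,
            "partitions": partitions,
            "sha256": hashlib.sha256(sector).hexdigest()}


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings for a sector that no longer matches a known-good baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if not info["partitions"]:
        findings.append("partition table empty")
    if info["sha256"] != baseline_sha256:
        findings.append("MBR hash differs from baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample of a healthy MBR (placeholder boot code, one NTFS partition)."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * 443                 # 446 bytes of filler
    entry = (bytes([0x80]) + b"\x20\x21\x00" + bytes([0x07]) + b"\xfe\xff\xff"
             + struct.pack("<II", 2048, 1_000_000))             # bootable, type 0x07
    return boot_code + entry + b"\x00" * 48 + BOOT_SIG


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["sha256"]         # recorded while the host is known clean
    wiped = b"\x00" * MBR_SIZE                   # constructed stand-in for an overwritten MBR
    print("clean :", check_mbr(good, baseline))
    print("wiped :", check_mbr(wiped, baseline))
```

On a real host the 512 bytes would be read from the physical disk's first sector (which needs administrative rights), and the baseline hash should be stored off the machine so the wiper cannot destroy it along with the MBR.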


About the Author

Thomas De Maesschalck

Thomas has been messing with computers since early childhood and firmly believes the Internet is the best thing since sliced bread. He enjoys playing with new tech, is fascinated by science, and is passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.
