Shamoon malware virus swipes and wipes PCs
17th Aug 2012 | 17:43
Security analysts are on high alert
A new, swipe-and-wipe malware virus is under investigation by security companies the world over as they try to determine its source and how to keep it from infecting any more PCs.
Called "Shamoon," the virus works by infiltrating a system connected to the internet and then spreading to other PCs within that network, including ones without a web connection.
So far, at least one organization has been attacked - Saudi Arabia's national oil company.
"[Shamoon] is a new threat that is being used in specific targeted attacks against at least one organization in the energy sector," a Symantec security system's blog post stated.
"It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR in an effort to render the computer unusable."
What is Shamoon?
Shamoon, also known as Disttrack, nabs data from PC folders like "Documents and Settings" and "System32/Config," stealing information as any malware virus would do.
However, what's different about Shamoon is that it's able to overwrite the master boot record (MBR) of the machines it infiltrates, crippling them completely.
In the case of the Saudi oil company, stolen data was replaced with JPEG images, preventing any future file recovery.
Analysts think Shamoon is a copycat virus, taking cues from the "Wiper" virus that swept through Iran in April, though they believe there is no connection between the two.
Shamoon is likely "the work of script kiddies inspired by the story."
Symantec broke down the virus' components into three main parts: dropper, wiper and reporter.
Through each step, Shamoon gathers, destroys and retrieves information for the attacker.
One analyst explained the virus' wiping component as an attempt by the attackers to cover their tracks.
Some think the virus' name may be taken from the Shamoon College of Engineering in Israel.
Another theory has it named after one of the virus' authors - Shamoon means "Simon" in Arabic.