
Shamoon, A New Threat For Windows PCs


Soon after Microsoft announced a new security patch, there is a new threat on the horizon: Shamoon, a Trojan horse that tries to cover its tracks by damaging the victim's computer after stealing data. In the end, you are left with erased files and, worse than this, you can become the owner of an unbootable computer, meaning that Shamoon is quite serious and you should watch your back.


According to Bloomberg, at least one important Asian organization was hit by this fresh malware. Saudi Aramco, the world's largest crude exporter, faced Shamoon, which entered its network through personal computers. For the moment, the company said parts of its network linked to oil production weren't affected and its systems are perfectly functional.

Shamoon, which McAfee calls Disttrack, was born as a targeted attack on companies in the energy sector. According to Israeli security company Seculert, Shamoon relied on a classical pattern: first it took control of a system connected to the Internet, and then it corrupted the other PCs on the organization's network. If you are lucky, the damage stops there, but Shamoon can do something incredibly evil: it overwrites files with a small portion of a JPEG image found on the Internet and then overwrites the Master Boot Record (MBR) of the machine. No hacker is directly interested in this step, but according to Seculert it is a very smart way to cover the tracks of the attack, so the Israeli company expects to come across this behavior in the weeks to come.
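A defender's triage check for the MBR overwrite described above, as an added example that is not from the original article or from any vendor's tooling: it inspects the first 512-byte sector of a disk image for the standard boot signature and partition-table layout, and flags JPEG markers inside the sector. The function name `triage_mbr`, the constructed sample sectors and the choice of JPEG markers to search for are assumptions of this example.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"       # last two bytes of a valid MBR
PART_TABLE_OFFSET = 446            # four 16-byte partition entries start here
JPEG_MARKERS = (b"\xff\xd8\xff", b"JFIF", b"Exif")  # assumed indicators of image data


def triage_mbr(sector: bytes) -> list[str]:
    """Return a list of findings for sector 0; an empty list means it looks sane."""
    findings = []
    if len(sector) < SECTOR_SIZE:
        return ["short read: sector 0 is incomplete"]
    sector = sector[:SECTOR_SIZE]
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    used = 0
    for i in range(4):
        entry = sector[PART_TABLE_OFFSET + 16 * i:PART_TABLE_OFFSET + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        num_sectors = struct.unpack_from("<I", entry, 12)[0]  # little-endian length
        if status not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{status:02x}")
        if ptype != 0x00:
            used += 1
            if num_sectors == 0:
                findings.append(f"partition {i}: type 0x{ptype:02x} but zero length")
    if used == 0:
        findings.append("no partitions defined")
    if any(marker in sector for marker in JPEG_MARKERS):
        findings.append("JPEG marker found inside boot sector")
    return findings


def sample_good() -> bytes:
    # Constructed sample: dummy boot code plus one active NTFS partition.
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    return b"\x90" * 446 + entry + bytes(48) + BOOT_SIGNATURE


def sample_wiped() -> bytes:
    # Constructed sample: sector filled with a repeating JPEG-like fragment.
    fragment = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"
    return (fragment * 43)[:SECTOR_SIZE]


if __name__ == "__main__":
    for name, data in (("good", sample_good()), ("wiped", sample_wiped())):
        print(name, triage_mbr(data) or "looks sane")
```

On a real investigation the input would be the first sector read from a forensic image rather than from the live disk.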


Besides Seculert, Kaspersky Lab and Symantec are struggling to find out what kind of data Shamoon is after. After all, it looks like a hacker-controlled command-and-control pattern, but the overwriting phase is quite curious: traditionally, malware rarely destroys files or wipes the MBR, as there is no time for such self-protective measures. You could say that Shamoon would love to return to the same computer and gather more information, or that it is simply a teenage affair, to see how tough a hack could be. From this point of view, Kaspersky is positive that Shamoon is a copy made by script kiddies inspired by Flame.

If you are curious about the origin of its name, Kaspersky's report said that Shamoon could be a reference either to the Shamoon College of Engineering in Israel or to the Arabic equivalent of the name Simon.

All researchers agree on one detail: Shamoon contains the string Wiper in the corrupted Windows file directory, which immediately evoked memories of an earlier piece of malware also known as Wiper, reportedly pointed out as the attacker of Iran's oil ministry this April.

 

Source: Securelist


