Cyber security experts are warning of a particularly destructive new malware that steals data then attempts to cover its tracks by crippling the host computer.
The malware, which has been separately dubbed “Shamoon” and “Disstrack”, has reportedly been used in targeted attacks against a number of firms and specific individuals, and once again these targets appear to be centered in the Middle East.
Shamoon, so-called because of a file name identified within its code, has the potential to cause enormous damage because once it gets inside an internal network, it’s able to affect all computers within that sphere, collecting their files and transferring them to an unknown server before erasing them all from the hosts.
It’s rumoured that Shamoon is responsible for last week’s attack on the Saudi oil company Aramco, which had to shut down its main system following an attack by unspecified malware.
Symantec reported that Shamoon has so far attacked 50 computers worldwide.
One of the unusual things about Shamoon is that not only does it erase everything it steals, but it goes further, overwriting the host computer’s master boot record and preventing it from starting up.
This unusual ‘feature’ of the malware has led to much speculation within the industry about who or what could be behind Shamoon. It might be that the malware acts as some kind of “cleanup” tool to disguise the presence of a previous infection, or alternatively it could be that Shamoon is simply the work of amateurs.
According to Kaspersky Lab, Shamoon shares many similarities with the recently discovered Gauss and with the Flame virus, which successfully evaded security experts for five years before it was identified. Flame and Shamoon both incorporate something called a “wiper” feature that allows them to clean up all traces of their activity on an infected computer; however, Kaspersky says that the “wipers” found in Shamoon and Flame are totally different.
“It is more likely that this is a copycat, the work of script kiddies inspired by the [Flame] story,” said the company in its blog.
One clue to the origins of Shamoon could come from an image snippet it uses to overwrite all of the documents and files it finds in infected machines – pictured on Symantec’s website, the image snippet appears to contain an American flag.