Security researchers have recently discovered a new type of malware that specifically attacks Windows computers. A security researcher disclosed the finding last Friday, August 17th. Anti-virus companies have dubbed the newly uncovered malware “Shamoon,” a 900KB file that uses a lot of encrypted resources to infiltrate Windows computers.
Shamoon is a Trojan that infiltrates PCs running Windows and then attempts to cover its tracks. After stealing files, it cripples the victim’s computer. As a result, the files are no longer usable.
Shamoon has been used in targeted attacks. It was purportedly aimed at specific firms or individuals, including at least one in the energy sector. The malware relies on a one-two punch. Before it spreads to other PCs on an organization’s network, it takes control of an online system (a system that is connected to the Internet). This is according to an Australian news website.
The second stage kicks off after the malware has done its dirty work. It then overwrites files and the Master Boot Record (MBR) of the machine, which makes the PC unbootable. This causes major headaches for the victims.
In an interview last Friday, the CTO and co-founder of Seculert warned all Windows PC users about this Trojan horse and stressed that the malware is looking for ways to cover its tracks. Seculert, however, has not yet figured out exactly what type of file Shamoon is looking to steal.
Meanwhile, Seculert and other security firms, including Moscow-based Kaspersky Lab and U.S. anti-virus vendor Symantec, assume that Shamoon copies files from compromised PCs and then sends the stolen information to its master. The assumption is based on the way the malware works.
As discovered earlier, Shamoon uses a second infected system to communicate with a hacker-controlled command-and-control (C&C) service. Another speculation based on the nature of the malware is that the makers of Shamoon wanted to “know what and how much got wiped.” Once it has finished stealing the files it wants, it begins to cripple the infected PCs. Targeted attacks end with erased files and unbootable computers.
According to a Thursday post on Symantec’s blog, this is yet another unusual attack.
“Threats with such destructive payloads are unusual and are not typical targeted attacks,” Symantec stated in its Thursday blog post on the latest Shamoon attack. It added, “It is more likely that [Shamoon] is a copycat, the work of a script kiddies inspired by the [earlier] story.”
Shamoon’s destructive trait can be compared to an attack against Iranian PCs earlier this year. That attack likewise aimed at wiping the computers’ hard drives. Kaspersky’s investigation of this malware led to the discovery of a sophisticated cyber-spying tool called Flame. The investigating team later found that the tool must have connections to Stuxnet, a worm discovered in 2010. It was Stuxnet that sabotaged Iran’s nuclear program. The security groups, however, stressed some distinctions and explained that Shamoon and Stuxnet are not actually connected.
Since security groups are still working on a solution for Shamoon, Windows PC users are advised for the time being to be careful about the files they download and use each day.