A new Trojan horse has been discovered that attempts to cover its tracks by crippling the infected PC after stealing the data. Known as “Shamoon” by most antivirus companies, the malware has been used in targeted attacks aimed at specific individuals or firms, including at least one in the energy sector.
According to recent reports, Shamoon relies on a one-two punch. The first part of the attack takes control of an internet-connected system and then spreads the malware to other PCs on the organization’s network. The second part starts after the malware has done its job: it overwrites files and the Master Boot Record (MBR) of the machine, which leaves the PC unbootable.
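The MBR overwrite described above is what leaves the machine unbootable, and it is also something a defender can check for. The following Python is added here as an illustration; it is not code from the article or from any of the vendors it cites. It parses a 512-byte MBR, checks the 0x55AA boot signature, the partition table and the boot code, and compares the boot code against a previously recorded SHA-256 baseline. The sample sector, the wiped sector and the finding strings are constructed for the example; reading a live disk (for instance `\\.\PhysicalDrive0` on Windows) is left to the caller.

```python
import hashlib
import struct
from typing import List, Optional

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # 446 bytes of boot code, then 4 x 16-byte entries
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510-511 of a bootable MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, four partition entries and the signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # entry layout: status(1) CHS(3) type(1) CHS(3) lba_start(4) sector_count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code": sector[:PARTITION_TABLE_OFFSET],
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def assess_mbr(sector: bytes, baseline_boot_code_sha256: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the MBR looks intact."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing: firmware will not boot this disk")
    if all(p["type"] == 0 for p in mbr["partitions"]):
        findings.append("partition table is empty")
    if not any(mbr["boot_code"]):
        findings.append("boot code is all zeros")
    digest = hashlib.sha256(mbr["boot_code"]).hexdigest()
    if baseline_boot_code_sha256 is not None and digest != baseline_boot_code_sha256:
        findings.append("boot code differs from recorded baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR for the example: short boot stub, one NTFS partition, signature."""
    boot_code = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C])
    boot_code += b"\x90" * (PARTITION_TABLE_OFFSET - len(boot_code))
    # status 0x80 = bootable, type 0x07 = NTFS, starting at LBA 2048, 204800 sectors
    first_entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    table = first_entry + bytes(16 * 3)
    return boot_code + table + BOOT_SIGNATURE


# A baseline would normally be recorded from a known-good machine and stored off-host.
SAMPLE_BASELINE = hashlib.sha256(parse_mbr(build_sample_mbr())["boot_code"]).hexdigest()

# Constructed "after wipe" sector: every byte overwritten with zeros.
WIPED_MBR = bytes(MBR_SIZE)


if __name__ == "__main__":
    print("healthy:", assess_mbr(build_sample_mbr(), SAMPLE_BASELINE))
    print("wiped:  ", assess_mbr(WIPED_MBR, SAMPLE_BASELINE))
```

Running the script prints an empty finding list for the constructed healthy sector and four findings for the zeroed one. The signature and partition-table checks catch a crude wipe on their own; the baseline hash is what catches an overwrite that still leaves a plausible-looking sector behind.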
According to Aviv Raff, CTO and co-founder of Seculert (the firm that discovered the malware), “They are looking for ways to cover their tracks.” Seculert, along with other security firms, has yet to figure out what kind of data Shamoon is looking for and stealing. One theory is that, since the malware uses a second infected system to communicate with a hacker-controlled command-and-control server, Shamoon is copying files from pillaged PCs and sending that information to its operators.
Malware doesn’t typically destroy files or wipe the MBR. Most threats attempt to work quietly to avoid detection for as long as possible, and crippling a computer only brings unwanted attention. “Threats with such destructive payloads are unusual and are not typical of targeted attacks,” Symantec said.
Because a list of the overwritten files is transmitted to the C&C server, Raff speculates that Shamoon’s makers wanted to “know what and how much got wiped.” The destructiveness of Shamoon has also revived memories of an attack against Iranian computers earlier this year that also wiped hard drives.
There doesn’t appear to be any connection between Shamoon and the data-wiping malware that attacked Iran back in April, as there are many differences between the two. According to Kaspersky, “It is more likely that Shamoon is a copycat, the work of script kiddies inspired by the earlier story.”
Source: Shamoon malware cripples Windows PCs to cover tracks