Shamoon

Shamoon Description

While there are plenty of spy Trojans designed to steal sensitive data from an infected computer, Shamoon goes one step further. This dangerous malware infection infiltrates a computer, steals its files, and then overwrites the master boot record, effectively rendering the infected machine useless. Recovering from a Shamoon infection requires reinstalling the operating system and losing all data on the infected computer. ESG security analysts suspect that Shamoon is part of an organized malware attack against various large companies and that this malware infection is being used in industrial espionage. Fortunately, malware analysts have released updates for reliable anti-malware programs that protect computers from Shamoon's attack. ESG malware analysts recommend updating your software and anti-malware protection to ensure that your computer is safe.

On August 15th of 2012, PC security analysts started to warn computer users about Shamoon. This malware threat steals files located in the Users, System32/Driver, System32/Config, and Documents and Settings folders of computers with the Windows operating system. Although this is not an uncommon characteristic of dangerous spy Trojans, Shamoon also overwrites the infected computer's master boot record. This results in the infected computer becoming useless, since it can no longer load its operating system or access its data. Shamoon may also be detected as Disttrack and seems to be part of an attack against large companies, particularly in the energy industry. Malware infections as destructive as Shamoon are actually quite rare and, although not everything about Shamoon is completely understood, Shamoon has been successfully blocked by various anti-malware applications.

Understanding a Shamoon Attack

Shamoon is contained in a folder that doesn't take up a lot of space, just under 1 MB. It contains various encrypted files, including a signed disk driver from EldoS, a manufacturer of security components for corporations. Using this signed disk driver, Shamoon can access the infected computer's hard drives. Shamoon has been observed to affect computers running all kinds of Windows versions since Windows 95. Apparently, Shamoon attacks computers in two separate steps. First, Shamoon will access a computer connected to the Internet, installing a backdoor and using the infected computer as a proxy that can be used to download configuration commands from a remote server. Having infiltrated the targeted company, Shamoon can then infect other computers on that company's network in order to steal sensitive data and then wipe those computers' drives. Shamoon then sends that information back to a third party.