Shamoon Malware Steals Data, Overwrites MBR

A new piece of malware known as Shamoon that has the ability to destroy files on infected machines and overwrite the master boot record has researchers scratching their heads, wondering what the tool’s purpose might be and why the attackers behind it would destroy infected PCs. There are some indications that the malware could be related to Wiper, but researchers believe this is a red herring.


The Shamoon malware came to light on Thursday when researchers at Kaspersky Lab said that they had analyzed samples that included some odd and puzzling characteristics. One module in the malware has a string with a name that includes “wiper” as part of it, something that could point to a connection to the Wiper or Skywiper malware discovered earlier this year. Wiper erased files from disks, but it doesn’t appear that the two are connected at this point.

“Our opinion, based on researching several systems attacked by the original Wiper, is that it is not. The original “Wiper” was using certain service names (“RAHD…”) together with specific filenames for its drivers (“%temp%~dxxx.tmp”) which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware,” Kaspersky researchers said.

However, researchers at Seculert who looked at Shamoon found that the malware not only has the ability to destroy data on infected PCs, but it also can overwrite the machine’s MBR, making the PC essentially useless. They discovered that before Shamoon executes its destructive instructions, it collects data from various files on the infected machine and then feeds that data to another infected PC on the same internal network. It’s a confusing routine, but there may be a reason for it.

“The attacker took control of an internal machine connected directly to the internet, and used that machine as a proxy to the external Command-and-Control (C2) server. Through the proxy, the attacker infected the other internal machines, which were probably not connected directly to the internet,” Aviv Raff, Seculert CTO, said in his analysis.

After the attackers got whatever information they wanted off of the Shamoon-infected PCs, they then executed the instructions to delete the data on the hard disk and overwrite the MBR. Shamoon then communicates the results back to the command-and-control server through the internal proxy, Seculert said.

The intent of the attackers behind the Shamoon malware isn’t too clear at this point, but the tool is collecting data from infected machines and sending it off to parts unknown. That puts it in the league of the cyber espionage tools that have become the favored weapons of attackers of late.
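As an added illustration from the defender's side (not code from the article or from Kaspersky or Seculert), the check below baselines a disk's first sector and flags the kind of MBR overwrite described above; the MBR image it works on is constructed for the demonstration, not a real capture.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr():
    """Constructed 512-byte MBR (not a real disk): 440 bytes of boot code,
    a disk signature, one bootable NTFS partition and the 0x55AA trailer."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 435  # cli; xor ax,ax; mov ss,ax; nops
    disk_signature, reserved = b"\x12\x34\x56\x78", b"\x00\x00"
    part1 = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    table = part1 + b"\x00" * 48  # three unused entries
    return boot_code + disk_signature + reserved + table + BOOT_SIGNATURE

def parse_mbr(mbr):
    """Return the boot-signature state, the four partition entries and a SHA-256 of the sector."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        partitions.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return {"signature_ok": mbr[510:512] == BOOT_SIGNATURE,
            "partitions": partitions,
            "sha256": hashlib.sha256(mbr).hexdigest()}

def check_mbr(mbr, baseline_sha256):
    """Compare a freshly read MBR against a known-good hash and basic structural rules.
    Returns a list of findings; an empty list means the sector looks intact."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["sha256"] != baseline_sha256:
        findings.append("MBR content differs from baseline")
    if any(p["status"] not in (0x00, 0x80) for p in info["partitions"]):
        findings.append("invalid partition status byte")  # only 0x00 and 0x80 are legal
    if all(p["type"] == 0 for p in info["partitions"]):
        findings.append("partition table empty")
    return findings

if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["sha256"]  # record this at install or known-good time
    print("intact:", check_mbr(good, baseline))
    wiped = bytes(MBR_SIZE)  # constructed: sector overwritten with zeros
    print("wiped:", check_mbr(wiped, baseline))
```

On a live host the 512 bytes would be read from the raw disk device (which needs administrative rights) and the baseline hash stored off-box, so that a destructive overwrite is noticed even when the machine no longer boots.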


Discussion

  • Anonymous on

    Why don't people just stop being dicks. A boiling point is coming and massive changes (not good ones) will follow. You can't keep playing the freedom and privacy card, then act like undisciplined children setting fires everywhere and not expect the community, not to mention enforcement, to continue to just sit and watch.

  • LFMAN on

    Lolfag !

  • hibeamr on

    Interestingly, the process followed by this malware is a slight twist on old-school malware from the late 80s - 90's. That is, the old disk-infector malware of old, everything from Stoned to Michaelangelo (and thousands of other disk infector examples), infected the MBR with its own code and moved the legit MBR code to another storage location on the disk. That was how A/V products at the time dealt with and repaired infected disks - they learned where the legit code was stored, and then built the recovery/replacement of that legit code into their signature for the specific virus. Even the "advanced" viruses of the day that encrypted their code in the boot sector of a disk were "moving" the legit boot sector code to another disk location, meaning it was relatively easy to find and restore to its proper location.

    From what I read in this post, it seems this malware is following a similar process, but the twist is the malware is storing the system info (the MBR info plus stolen data???) on the other, internal proxy machine that was commandeered. Yeah, I am probably over-simplifying it, and I don't see an indication as to how long the info is kept on the proxy machine . . . just offering up food for thought, as this post conjured up some memories from my early days of battling viruses. (Ah, the good ol' days of just having to worry about disk infectors and file infectors; then multipartite and macro viruses had to come and ruin the party, and now look where we are! <g>)

    For those that care . . .

    Interesting anecdote/history lesson #1: The most efficient/effective disk infector virus at the time was Stoned; proof was in its longevity and in the thousands of variants produced, all based on its core code and processes. One of the earliest, original virus researchers (I don't recall the name, so I apologize in advance for the lack of attribution) determined, however, that there was a simple way to inoculate a disk from ever getting infected with Stoned. See, Stoned employed one of the first self-preservation techniques in malware, by first checking to see if the system it was activated on was already infected with itself: if it was, the virus code terminated; if it was not, the virus would infect the boot sector with its code and proceed. This virus researcher found that if he manually inserted the first four bytes of Stoned code into a disk boot sector, that was enough for the virus to think the disk/system was already infected and it would leave the system alone. Henceforth, anytime the system was inadvertently booted with a Stoned-infected diskette (remember those?!?), the Stoned code would see those first four bytes and terminate. Brilliant!

    Interesting anecdote/history lesson #2: The first encrypting-overwriting disk infector virus we found (Monkey, I think it was; sorry - getting old) proved to be a significant complication for A/V software, as it simply overwrote the boot sector with its (encrypted) virus code. With no legit boot sector code stored elsewhere, the A/V software could not effect a repair. Patricia Hoffman, a well-known virus researcher at that time, published in her licensed VSUM database that the only way to recover from this virus was actually very simple: run Norton Disk Doctor from the Norton Utilities suite (now owned by Symantec). Us old farts that are familiar with NDD know that it assessed a disk in one of two ways, first trying to do so logically (using the MBR, FAT, OS config files, etc.) and, if that didn't work, would go in via the physical disk using interrupt 13H. Since the encrypted virus code was inhabiting the boot sector, NDD was unable to see the disk logically, so it automatically tried to see/assess it via the physical disk interrupt. NDD would then see that the boot sector was "all screwed up" and innocently ask the user, "do you want me to fix that?" Select Yes, and NDD would repair the boot sector and all was well. Brilliantly simple!

    (Sorry - I suspect only those in their 40's and older might appreciate the two anecdotes.)

    -hibeamr-

  • Anonymous on

    I see two possibilities here.  The virus writers might be just testing their product, or they might be disabling the infected computer to prevent further analysis/action by the user(s).  Perhaps they are doing both.

    Regards,

  • Saud AL-Harbi on

    According to my IT experience, no one can trigger this kind of virus to make it work unless he has an administrative privilege.

    I think Aramco gentlemen should start thinking about this point.

    Kind Regards
