The Shamoon or Disttrack malware appears to have been written to steal data and then wipe infected PCs.
Published Tuesday, 21 August 2012
By Mark Sutton
Security researchers have uncovered a new piece of malware, dubbed ‘Shamoon’, which appears in part to have targeted energy sector companies and other organisations in the Middle East.
Shamoon, also known as Disttrack, seems to be designed to steal data from infected PCs, but also has a highly destructive payload which can overwrite files and the Master Boot Record (MBR) of the machine, making it unbootable.
Kaspersky Lab said the malware was not very widespread, and was probably only used in very focused targeted attacks.
The malware operates by infecting a PC connected to the internet, which is then used as a proxy to communicate with the master command-and-control server. The malware then spreads to other PCs on the network, steals information, then executes its payload and wipes the machines, before communicating back to the external command-and-control server.
A security expert with Kaspersky Lab said that it was unusual for a hacker to go to the effort of creating malware to steal data and then not try to cover their tracks. The analyst also noted that although there are similarities with the Wiper malware that attacked systems in Iran in April, Shamoon is most likely copycat malware created by less skilled individuals.
"Our opinion, based on researching several systems attacked by the original Wiper, is that it is not. The original ‘Wiper’ was using certain service names ("RAHD...") together with specific filenames for its drivers ("%temp%\~dxxx.tmp") which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware," the company said on its Securelist blog.
"It is more likely that this is a copycat, the work of script kiddies inspired by the story. Nowadays, destructive malware is rare; the main focus of cybercriminals is financial profit. Cases like the one here do not appear very often."