Shamoon Malware : Permanently wiping data from Energy Industry Computers
Malware researchers have uncovered an attack targeting an organization in the energy industry that attempts to wreak havoc by permanently wiping data from an infected computer's hard drive and rendering the machine unusable. Symantec would not name the victimized firm, and so far has seen the attack only in this one organization.
W32.Disttrack is a new threat that is being used in specific targeted attacks against at least one organization in the energy sector. It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable.
W32.Disttrack consists of several components:
1. Dropper—the main component and source of the original infection. It drops a number of other modules.
2. Wiper—this module is responsible for the destructive functionality of the threat.
3. Reporter—this module is responsible for reporting infection information back to the attacker.
"Ten years ago we used to see purely malicious threats like this," muses Symantec researcher Liam O Murchu. The likely scenario for the victim would be an experience in which the computer is booting up, but all the files get erased, and the computer collapses into a non-bootable state.
Saudi Arabia-based Saudi Aramco, the world’s largest crude exporter, was reportedly hit by a computer virus this week that entered its network through personal computers. Shamoon is unusual because it goes to great lengths to ensure destroyed data can never be recovered, something that is rarely seen in targeted attacks. It has self-propagation capabilities that allow it to spread from computer to computer using shared network disks. It overwrites disks with a small portion of a JPEG image found on the Internet.