We’re getting news today of a particularly nasty Trojan targeting Windows-based PCs, which anti-virus companies have dubbed “Shamoon.” Like most malware, Shamoon exists to steal data from computers connected to the Internet, but what it does afterward is quite evil. In an effort to cover its tracks, it begins deleting files, including the Master Boot Record. This, naturally, leaves the PC unbootable, and can cause some major headaches. The malware itself is a 900KB file that uses many encrypted resources.
Shamoon doesn’t seem to be widespread, as Seculert reports that it uses a two-stage attack, apparently targeting “several specific companies in a few industries.” Shamoon works its way into a computer that is directly connected to the Internet, and then from there begins to spread to other computers connected to the same network. As stated above, once it’s done stealing what it wants, it begins to cripple the PCs it infected, reminding Kaspersky of the Wiper malware, which attacked PCs in Iran earlier this year and in turn led to the discovery of Flame.
Kaspersky says that it isn’t Wiper, however, pointing out a few key differences. With those differences apparent, Kaspersky says that Shamoon is likely “a copycat, the work of a script kiddies inspired by the story” of Wiper. It’s good to know that Wiper isn’t becoming more widespread, but at the same time it’s scary that there are those inspired by Wiper’s level of destruction.
Indeed, it’s rare to see malware that actually does damage, as creators typically aren’t interested in anything but stealing information that could lead to some quick cash. With anti-virus companies like Seculert and Kaspersky still looking into Shamoon, this is still a developing story, so keep it tuned to SlashGear for more information – we’ll have additional details if any new ones surface!