Shamoon Malware Steals Data, Makes Computers Unusable

Chloe Albanesius, Executive Editor, News

Several security firms this week highlighted new malware that appears to be targeting specific companies in the energy industry.

Though Shamoon includes components that reminded security analysts of the Flame malware, the threat does not appear to be widespread.

According to Symantec, Shamoon "is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable."

Seculert said this approach is puzzling. "Why would someone wipe files in a targeted attack and make the machine unusable?" the firm wrote in a blog post.

Seculert said "it's rare to find this type of malware in targeted attacks." The firm suggested Shamoon is a two-stage attack: the attackers take control of an internal machine connected to the Web and use it as a proxy to the external Command-and-Control (C2) server, which infects other internal machines; once the other machines are infected, Shamoon is released, wiping the malware and stolen data.

"It is still unclear who is behind the attack," Seculert said.

Shamoon, which is Arabic for Simon, got its name thanks to the associated file: C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb.

"The 'wiper' reference immediately reminds us of the Iranian computer-wiping incidents from April 2012 that led to the discovery of Flame," according to Kaspersky Lab.

Kaspersky does not believe, however, that Shamoon is the original Wiper. "Our opinion, based on researching several systems attacked by the original Wiper, is that it is not," Kaspersky said in a separate blog post. "The original 'Wiper' was using certain service names ('RAHD...') together with specific filenames for its drivers ('%temp%\~dxxx.tmp') which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware."

Kaspersky speculated that Shamoon is "the work of script kiddies inspired by the [wiper] story. Nowadays, destructive malware is rare; the main focus of cybercriminals is financial profit. Cases like the one here do not appear very often."

In collecting data about Shamoon in recent days, Kaspersky identified only two instances of Shamoon in the wild, both of which appear to be from Chinese security researchers. "So we can conclude that the malware is not widespread and it was probably only used in very focused targeted attacks," the firm said.
