Shamoon Malware Infects Computers, Steals Data, Then Wipes Them

Summary: Security companies have detected a piece of malware that steals files from infected machines, then renders the computers useless by overwriting their master boot record.
Protection scientists are analyzing a piece of dangerous viruses that has the ability to overwrite the expert start history of a pc, and which they suppose is being used in focused strikes against specific organizations.

Reports of the 'Shamoon' viruses began growing from security organizations on Saturday. Like other viruses, it takes details, taking data from the 'Users', 'Documents and Settings', and 'System32/Drivers' and 'System32/Config' files on Windows pc systems. One uncommon attribute, however, is that it can overwrite the expert start history (MBR) on contaminated devices, effectively making them ineffective.

Shamoon, which is also known as Disttrack, is being used in focused strikes against at least one company in the energy industry, according to Symantec.

"Threats with such dangerous payloads are uncommon and are not typical of focused strikes," Symantec had written on its security reaction weblog on Saturday. "Security reaction is continuing to analyze this risk and will publish more details as it becomes available."

The viruses includes a 900KB directory that contains a number of "encrypted resources", according to Kaspersky Laboratories. One of these has a finalized hard drive driver from EldoS, a organization security component provider, which is used for raw hard drive access by the malware's components.

It impacts Windows 95, Windows 98, Windows XP, Windows 200, Windows Windows vista, Windows NT, Windows ME, Windows seven, Windows Hosting server 2003 and Windows Hosting server 2008. Symantec said it has modified its anti-virus to protect against the viruses.

In an research, viruses recognition organization Seculert determined that Shamoon uses a two-stage strike. First it infects a pc connected to the internet and turns this into a proxies to connect back with the malware's command-and-control server. After that, it offices out to other pc systems on the business network, takes details, then completes its payload and baby wipes the devices. Finally, it conveys this to the external command-and-control server.

"It is still ambiguous who is behind this strike," Seculert had written in a writing. "We will upgrade this weblog with more details when it becomes available."

As a side note, though samples of the viruses gathered by Kaspersky contain a component with a sequence ending in 'Wiper', the organization does not suppose the virus is related to the innovative Fire viruses, as the name might suggest. Instead, Kaspersky says it considers the viruses is the work of copycats.

Share this article :
Support :. Copyright © 2015. The Technology Zone - All Rights Reserved
Template Created By Gourav Kashyap Proudly Powered By Blogger