New Virus Attacks Energy Sector
August 17, 2012

Shamoon Virus Attacks Energy Sector Computers

Peter Suciu for — Your Universe Online

At one time or another, most computer users have gotten that email that warns of a super virus that has the potential to overwrite the master boot record of a computer and delete the entire hard drive. This threat sounds so outrageous that it is hard to take it seriously.

However, this week, reports of the “Shamoon” malware emerged and this one could be the real deal. Also known as “Disttrack,” it was discovered by researchers at Symantec and McAfee, and it is notable in that it contains the string “wiper” in the Windows file directory that its developers used when compiling it.

The malware has the potential to permanently wipe data from an infected computer hard drive and thus render that machine unusable. But should the average user be worried?

No, at least unless that average user is running a computer in the energy industry, which apparently is the target of this malware. In fact, Shamoon seems to have been designed with specific targets in mind, namely those of the energy sector.

Moreover, this new malware could be some extension or revision of the virus known as “Wiper” that reportedly attacked Iran´s oil ministry in April. This led to the discovery of state-sponsored Flame malware, which is now believed to originated in the United States.

Shamoon, like other malware, has the ability to steal information as well, taking data from various folders on a computer hard drive. It reportedly can pull data from the “Users,” “Documents and Settings,” “System32/Drivers,” and even “System32/Config” folders on Windows based computers. But what makes Shamoon very unique is that it has that aforementioned ability to render a machine useless. It does so by in essence overwriting the master boot record (MBR) on infected machines.

This makes Shamoon highly unusual in that it apparently goes to great lengths to ensure that data on infected computers is destroyed and further unrecoverable. This is not usually seen in targeted attacks. It is able to accomplish its objectives by overwriting the infected disks with a portion of JPEG images found online, thus ensuring that efforts to restore data are virtually impossible.

It also has been designed and programmed with unique self-propagation capabilities that allow it to spread from computer to computer using shared network drives, thus creating the ability to take down an entire network.

This particular malware reportedly consists of a 900KB folder that contains a number of “encrypted resources,” according to researchers at Kaspersky labs. The malware affects Window 95, Windows 98, Windows XP, Windows 2000, Windows Vista, Windows NT, Windows ME, Windows 7, Windows Server 2003 and Windows Server 2008 machines.

On Friday Symantec announced that it has updated its antivirus programs to protect against Shamoon. But at present time most users probably don´t have a reason for concern. And. as noted. this virus has not simply leaked out to the Internet but is apparently being used in a form of cyber-warfare against very specific targets. This is in itself a unique twist on the use of such malware.

On Friday Symantec noted in a blog post, “Threats with such destructive payloads are unusual and are not typical of targeted attacks. Security response is continuing to analyze this threat and will post more information as it becomes available”

As of Friday researchers had not identified any victims of Shamoon, yet in its blog post Symantec did note that the victims included “at least one organization in the energy sector.”

Online reports noted that Saudi Arabian-based Saudi Aramo, which is the world´s largest crude oil exporter, was in fact hit by a computer virus this week, and that malware had entered its network through personal computers. The company has since responded that its network linked to oil production wasn´t affected and that systems will resume full operations soon.

As of its discovering on Thursday it was reported that Shamoon has in fact infected fewer than 50 systems. However, given its potential for wreaking havoc and wrecking systems, it isn´t hard to see that this could be one to actually worry about.