Shamoon malware infects computers, steals data, then wipes them

This piece of malware steals files from infected machines, then makes the computers useless by overwriting their master boot record.

Security researchers are investigating a piece of destructive malware that has the ability to overwrite the master boot record of a computer, and which they suspect is being used in targeted attacks against specific companies.

Shamoon, which is also known as Disttrack, is being used in targeted attacks against at least one organisation in the energy sector, according to Symantec.

“Threats with such destructive payloads are unusual and are not typical of targeted attacks,” Symantec wrote on its security response blog on Friday. “Security response is continuing to analyse this threat and will post more information as it becomes available.”

It affects Windows 95, Windows 98, Windows XP, Windows 2000, Windows Vista, Windows NT, Windows ME, Windows 7, Windows Server 2003 and Windows Server 2008.

Shamoon uses a two-stage attack. First it infects a computer connected to the internet and turns it into a proxy for communicating with the malware’s command-and-control server. After that, it branches out to other computers on the corporate network, steals information, then executes its payload and wipes the machines. Finally, it reports this back to the external command-and-control server.