Shamoon – a week later
August 21, 2012
By Roger Thompson

Late last week, word surfaced about a new piece of malware that had apparently attacked an oil company by overwriting all or most files on each victim's PC and then overwriting the Master Boot Record, which leaves the machine unable to boot.

My initial reaction, upon looking at the code, was that it was:

1. A programmer with some skills, but one who didn't normally write malcode, and

2. Probably an inside job by a disgruntled employee.

This might still be so, and we can't really tell one way or another. But it might equally be a significant attack by a hacking group, because a couple of posts have been made on Pastebin claiming that some 30,000 PCs at this company were nuked.

Again, that might be correct, and it might not, and we can't tell from here. But if 30,000 PCs (and servers) were nuked over the space of a few hours, that would have to really hurt, no matter how you slice it.

There are two morals to the story. 

First, everyone should find a way to organize an automatic backup of their data. If it's not automatic, it ain't gonna happen, and if push ever comes to shove, you'll never regret the effort you made to back things up. Two caveats that matter for exactly this kind of attack: the backup copy has to be somewhere the infected machine cannot write to (a wiper that can overwrite your documents can just as easily overwrite a permanently mounted backup share), and a backup you have never test-restored is a hope, not a backup.

Second, everyone needs to find antivirus programs that do not rely on signature scanners as the main line of defense. A signature only exists once somebody has already been hit and the sample has been analyzed; a brand-new wiper, by definition, has no signature on the day it runs. A wiper, on the other hand, cannot hide what it does: one process opening and overwriting thousands of existing user files across the whole disk in a matter of minutes, and then writing directly to the raw disk device where the MBR lives, is behavior no legitimate application exhibits. A decent behavior detector would have noticed this very early, and might well have prevented, or at least minimized, the whole affair.
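To make the "behavior, not signature" point concrete, here is a small detector of my own, added for this post and not part of Shamoon or of any vendor's product. It watches a stream of file-activity events for the two things a wiper cannot avoid doing: mass overwriting of existing files across many directories in a short window, and writing to the raw disk device. The event stream, the process names, the PIDs, and the thresholds (50 files, 5 directories, 60 seconds) are all constructed assumptions for illustration; a real product would get these events from a filesystem filter driver or ETW rather than a Python list, and would tune the thresholds against its own baseline.

```python
"""Toy behavioural wiper detector over a constructed file-activity event stream.

Added example (not Shamoon's code, not a vendor's detection logic). It flags:
  1. one process overwriting many existing files across many directories
     within a short sliding window, and
  2. any process writing to a raw disk device (where the MBR lives).
All thresholds, paths, process names and PIDs below are assumptions.
"""
import ntpath
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 60   # sliding window for counting overwrites (assumed)
MAX_FILES = 50        # distinct files overwritten in the window (assumed)
MIN_DIRS = 5          # ...spread across at least this many directories (assumed)
# Raw device name prefixes, compared case-insensitively (Windows and Linux forms).
RAW_DEVICE_PREFIXES = ("\\\\.\\physicaldrive", "/dev/sd", "/dev/nvme")


@dataclass(frozen=True)
class Event:
    ts: float     # seconds since some epoch
    pid: int
    image: str    # process image name
    op: str       # "overwrite" (existing file truncated/rewritten) or "write"
    path: str


class WiperDetector:
    def __init__(self):
        self._recent = defaultdict(deque)  # pid -> deque of (ts, path)
        self._flagged = set()              # pids already reported for mass overwrite

    def feed(self, ev):
        """Consume one event; return an alert string, or None if nothing to say."""
        # Signal 2: raw disk write. Always worth an alert, flagged pid or not.
        if ev.path.lower().startswith(RAW_DEVICE_PREFIXES):
            return f"{ev.image}[{ev.pid}] wrote raw disk device {ev.path}"
        if ev.op != "overwrite" or ev.pid in self._flagged:
            return None
        # Signal 1: count distinct files/directories this pid overwrote in the window.
        q = self._recent[ev.pid]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        files = {p for _, p in q}
        dirs = {ntpath.dirname(p) for p in files}  # ntpath handles C:\ paths anywhere
        if len(files) >= MAX_FILES and len(dirs) >= MIN_DIRS:
            self._flagged.add(ev.pid)
            return (f"{ev.image}[{ev.pid}] overwrote {len(files)} files in "
                    f"{len(dirs)} directories within {WINDOW_SECONDS}s")
        return None


def run(events):
    """Feed every event through one detector and collect the alerts in order."""
    det = WiperDetector()
    return [a for a in (det.feed(ev) for ev in events) if a]


def sample_events():
    """Constructed event stream: a noisy-but-benign build, then a wiper."""
    events = []
    # Benign: a compiler rewriting 80 object files, all in ONE directory.
    for i in range(80):
        events.append(Event(i * 0.5, 1001, "cl.exe", "overwrite",
                            f"C:\\build\\obj\\unit{i}.obj"))
    # Wiper (constructed): 60 user files across six directories in 30 seconds...
    victim_dirs = ["C:\\Users\\alice\\Documents", "C:\\Users\\alice\\Pictures",
                   "C:\\Users\\alice\\Desktop", "C:\\Users\\bob\\Documents",
                   "C:\\ProgramData\\app", "C:\\inetpub\\wwwroot"]
    for i in range(60):
        events.append(Event(100 + i * 0.5, 4242, "wiper.exe", "overwrite",
                            f"{victim_dirs[i % len(victim_dirs)]}\\file{i}.docx"))
    # ...then the MBR.
    events.append(Event(135.0, 4242, "wiper.exe", "write", "\\\\.\\PhysicalDrive0"))
    return events


if __name__ == "__main__":
    for alert in run(sample_events()):
        print("ALERT:", alert)
```

The compiler never trips the rule even though it overwrites more files than the threshold, because everything it touches lives in one directory; the wiper trips it on the fiftieth file, long before it has finished, and trips it again the moment it goes for the raw disk. Neither alert depends on knowing anything about the binary itself.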

By the way, I made a video of Shamoon nuking a system, for those that are interested.
