Trojans are becoming more sophisticated and are able to covertly get around defenses, accomplish their mission, and then cover their tracks in some fashion.
One new Trojan accomplishes this by crippling the victim’s computer after stealing data, a security researcher said.
Dubbed “Shamoon” by most antivirus companies, the malware is perfect for targeted attacks aimed at specific individuals or firms, including at least one in the energy sector.
Shamoon relies on a two-pronged approach. First it takes control of a system connected to the Internet before it spreads to other PCs on an organization’s network, said Israeli security company Seculert.
The second phase, which starts after the malware kicks in, overwrites files and the Master Boot Record (MBR) of the machine. The latter makes the PC unbootable.
“They are looking for ways to cover their tracks,” said Aviv Raff, CTO and co-founder of Seculert.
Seculert and other security companies, including Moscow-based Kaspersky Lab and U.S. antivirus vendor Symantec, have not yet figured out what kind of data Shamoon is looking for and stealing. They assume that, because the malware uses a second infected system to communicate with a hacker-controlled command-and-control (C&C) server, Shamoon is copying files from PCs and sending that information to its masters.
Malware rarely destroys files or wipes the MBR. Most threats try to work quietly to avoid detection as long as possible. Crippling a computer only brings unwanted attention.
“Threats with such destructive payloads are unusual and are not typical of targeted attacks,” Symantec researchers said in a blog post.