A new piece of malware has been uncovered in the wild. This malware, dubbed Shamoon by Symantec (also referred to as Disttrack by McAfee), has the capability to overwrite the Master Boot Record, which will ensure the computer operates as a very expensive paperweight until repaired. Symantec uncovered the malware while it was wiping data from a hard drive at an unnamed energy company.
This malware consists of three (3) components:
Once the malware is installed on the system, it will attempt to copy itself to the following shares:
The malware will also create a service (TrkSvr) to start itself whenever Windows boots. SecureState recommends updating antivirus signatures and adding an IDS signature for the following HTTP GET request:
Symantec has reported that the Reporter component uses the following format to send infection information back to the attacker:
[MYDATA]—a number that specifies how many files were overwritten
[UID]—the IP address of the compromised computer
[STATE]—a random number
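As an added detection example (not code from the original post, Symantec or SecureState), the following Python scans web-server access-log lines for GET requests whose query string carries the three Reporter fields described above: an integer file count, the compromised host's IP address, and a random number. The query parameter names mydata, uid and state, the URL path, and the log lines themselves are assumptions constructed for this example; the post only gives the placeholders [MYDATA], [UID] and [STATE].

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Access-log lines constructed for this example; they are not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Aug/2012:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [15/Aug/2012:10:02:30 +0000] "GET /report.asp?mydata=1432&uid=10.0.0.7&state=58213 HTTP/1.1" 200 0
10.0.0.9 - - [15/Aug/2012:10:03:01 +0000] "GET /search?uid=bob&state=1 HTTP/1.1" 200 77
10.0.0.11 - - [15/Aug/2012:10:04:44 +0000] "GET /report.asp?mydata=abc&uid=10.0.0.11&state=9 HTTP/1.1" 200 0
"""

# Query parameter names are an ASSUMPTION for this example; the post only
# gives the placeholders [MYDATA], [UID] and [STATE].
FIELD_PARAMS = {"mydata": "MYDATA", "uid": "UID", "state": "STATE"}

# Pull the request target out of a common-log-format request field.
REQUEST_RE = re.compile(r'"GET (?P<target>\S+) HTTP/1\.[01]"')


def is_reporter_beacon(request_target):
    """True if the request target matches the Reporter format from the post:
    an integer file count, an IP address for the victim, and a random number."""
    qs = parse_qs(urlsplit(request_target).query)
    if not all(param in qs for param in FIELD_PARAMS):
        return False
    mydata, uid, state = (qs[param][0] for param in ("mydata", "uid", "state"))
    # [MYDATA] and [STATE] are numbers; anything else is not this beacon.
    if not mydata.isdigit() or not state.isdigit():
        return False
    # [UID] is the IP address of the compromised computer.
    try:
        ip_address(uid)
    except ValueError:
        return False
    return True


def find_beacons(log_text):
    """Return (line_number, client_ip, fields) for every log line whose GET
    request looks like a Reporter check-in."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        if is_reporter_beacon(target):
            qs = parse_qs(urlsplit(target).query)
            fields = {label: qs[param][0] for param, label in FIELD_PARAMS.items()}
            hits.append((lineno, line.split()[0], fields))
    return hits


if __name__ == "__main__":
    for lineno, client, fields in find_beacons(SAMPLE_LOG):
        print(f"line {lineno}: possible Reporter beacon from {client}: {fields}")
```

The value check matters more than the parameter names: a request that carries all three names but a non-numeric file count (line 4 of the sample) or a non-IP uid (line 3) is not flagged, which keeps false positives down when the same parameter names appear in ordinary application traffic.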