Malware targeting energy sector raises specter of Flame virus

According to Symantec, the Shamoon malware has targeted "at least one organization in the energy sector," erasing data and rendering hard disks unbootable.

Shamoon malware data

Security researchers have identified a new variety of malware that appears to be targeting the energy sector, permanently erasing data from affected Windows machines. Flagged as either "W32.Disttrack" or "W32.EraseMBR" and nicknamed Shamoon, the executable contains the word "wiper" in a debugging directory path left in the binary, as well as the phrase "ArabianGulf." The words have provoked memories of the Wiper malware that prompted the discovery of Flame, a virus co-developed by the US and Israeli governments to attack Iran's nuclear program.

The malware uses data from a publicly available JPEG to overwrite files

While noting the links, researchers at Kaspersky Lab have downplayed the possibility of a formal connection, speculating that it "is more likely that this is a copycat, the work of script kiddies inspired by the story." A blog post from Symantec notes that Shamoon has been used in "targeted attacks against at least one organization in the energy sector," but does not provide any more information on its real-world deployment. Ars Technica points out that Saudi Arabia's national oil company, Saudi Aramco, was recently hit by a virus, but it is not clear whether the incident is linked.

According to a report from security firm McAfee, the malware uses data from a publicly available JPEG image to overwrite various specific files on its host machines, rendering them useless. It then overwrites the hard disk's master boot record (MBR) and partition tables, making it impossible to boot the machine. The sheer destructiveness of Shamoon has caused some researchers to dismiss it as simple vandalism, though a blog post from Seculert points out that it could be part of a two-stage attack, erasing evidence of previous activities.
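The two effects described above, files overwritten with bytes taken from a JPEG and a boot sector whose MBR and partition table have been destroyed, are both things a responder can check for after the fact. The Python below is an added illustration of those checks; it is not code from the article or from any of the firms quoted. It flags non-image files whose first bytes are a JPEG header, and it inspects a 512-byte boot sector for a missing boot signature, a zeroed partition table or JPEG data at the start of the sector. The sample files and boot sectors are constructed inline, and the filename heuristics and the specific findings it reports are assumptions for the example, not published Shamoon indicators.

```python
import os
import struct
import tempfile

# JPEG Start-of-Image marker. The article says the wiper overwrote files with
# data from a JPEG, so a document whose bytes begin with this marker is suspect.
JPEG_SOI = b"\xff\xd8\xff"
IMAGE_EXTENSIONS = {".jpg", ".jpeg"}   # assumption: only these are expected to start with SOI

MBR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"            # boot signature at offset 510 of a classic MBR
PARTITION_TABLE_OFFSET = 446           # four 16-byte partition entries follow this offset


def looks_overwritten_with_jpeg(path):
    """True if a file that is not an image nevertheless starts with a JPEG SOI marker."""
    ext = os.path.splitext(path)[1].lower()
    if ext in IMAGE_EXTENSIONS:
        return False
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(JPEG_SOI))
    except OSError:
        return False
    return head == JPEG_SOI


def scan_tree(root):
    """Walk a directory tree and return the sorted paths of suspect files."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if looks_overwritten_with_jpeg(path):
                hits.append(path)
    return sorted(hits)


def check_mbr(sector):
    """Inspect a 512-byte boot sector; return a list of findings (empty means it looks intact)."""
    if len(sector) != MBR_SIZE:
        return ["sector is not 512 bytes"]
    findings = []
    if sector[510:512] != MBR_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    table = sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 64]
    if table == b"\x00" * 64:
        findings.append("partition table is all zeros")
    for i in range(4):
        status = table[i * 16]          # 0x80 = bootable, 0x00 = inactive; anything else is corrupt
        if status not in (0x00, 0x80):
            findings.append(f"partition entry {i} has invalid status byte 0x{status:02x}")
    if sector[:len(JPEG_SOI)] == JPEG_SOI:
        findings.append("boot sector begins with JPEG data")
    return findings


def make_sample_mbr(wiped=False):
    """Constructed sample boot sector for the demo; not data from a real disk."""
    if wiped:
        # The whole sector replaced by bytes that start like a JPEG file.
        prefix = JPEG_SOI + b"\xe0\x00\x10JFIF"
        return prefix + b"\x00" * (MBR_SIZE - len(prefix))
    sector = bytearray(MBR_SIZE)
    # One bootable entry: status 0x80, CHS start, type 0x07, CHS end, LBA start, sector count.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def build_sample_tree(root):
    """Write a constructed directory: one wiped document, one genuine image, one untouched file."""
    os.makedirs(root, exist_ok=True)
    samples = {
        "quarterly_report.docx": JPEG_SOI + b"\xe0" + b"\x00" * 64,  # wiped: JPEG bytes under a document name
        "vacation.jpg": JPEG_SOI + b"\xe0" + b"\x00" * 64,           # genuine image, legitimately starts with SOI
        "notes.txt": b"meeting notes\n",                             # untouched
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


def run_demo():
    """Run both checks on the constructed samples and return the results by name."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="shamoon_demo_"))
    return {
        "suspect_files": [os.path.basename(p) for p in scan_tree(root)],
        "intact_mbr": check_mbr(make_sample_mbr()),
        "wiped_mbr": check_mbr(make_sample_mbr(wiped=True)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real system the boot sector would be read from the raw device or from a disk image (the first 512 bytes of the image in the simplest case) and passed to `check_mbr`, while `scan_tree` would be pointed at the user and application data directories. Both checks are heuristics: a legitimately unpartitioned disk has a zeroed table, and a file renamed from .jpg to .docx would also be flagged, so the output is a triage list for a responder, not a verdict.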