Shamoon Malware: Cyber Espionage Tool or Cyber Weapon

Monday, August 20, 2012

Plagiarist Paganini


(Translated from the original Italian)

Cyberspace enjoys no peace. Every time a malware or a botnet is detected and decapitated, a new cyber threat emerges.

This time the new agent that concerns security experts is Shamoon, which is able to destroy files on victim’s PC and overwrite the master boot record.

Compared to all the malware isolated in the last few months, this agent hasn’t been developed merely to spy on targeted devices, as its purpose is to destroy them by making the machines unusable.

The malware attacks Windows 95, Windows 98, Windows XP, Windows 200, Windows Vista, Windows NT, Windows ME, Windows 7, Windows Server 2003 and Windows Server 2008.

Some experts are convinced  that there is a relationship between the agent and the malware Wiper, but other researchers deny the hypothesis.

The first team that discovered the malware was Kasperksy Lab that had analyzed some instances of the malware which appeared to be linked to Wiper due to the presence of a module with a string with a name that includes "wiper" as part of it.

Well, someone may have used the string to create a red herring, and the researchers at Kaspersky declared:

"Our opinion, based on researching several systems attacked by the original Wiper, is that it is not. The original 'Wiper' was using certain service names ('RAHD...') together with specific filenames for its drivers (“%temp%\~dxxx.tmp”) which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware,"

Researchers at Seculert who analyzed the malware also discovered that it has the ability to overwrite the machine's MBR, what is interesting in that before Shamoon makes the PC unusable, it gathers data from the unit.

It steals information by taking data from the 'Users', 'Documents and Settings', 'System32/Drivers',and 'System32/Config' folders and sends them to another infected PC on the same internal network, the reason for this strange procedure is still a mystery.

Aviv Raff, Seculert CTO, declared:.

 "The attacker took control of an internal machine connected directly to the internet, and used that machine as a proxy to the external Command-and-Control (C2) server. Through the proxy, the attacker infected the other internal machines, which were probably not connected directly to the internet,"

Experts from Symantec wrote on their security response blog:

"Threats with such destructive payloads are unusual and are not typical of targeted attacks... Security response is continuing to analyse this threat and will post more information as it becomes available."

Many hypotheses have been proposed, and some experts are convinced that Shamoon is a new state sponsored malware designed for cyber espionage that is also able to destroy the victims' device, perhaps to hide its operations by deleting evidence that can link the agents to the Command & Control servers.

Other researchers believe that we are faced with a true cyber weapon that was designed to be spread inside specific networks with the dual intent to gathering information and destroying the enemy PCs.

Cross-posted from Security Affairs

Possibly Related Articles:
Viruses & Malware
Information Security
malware Windows Cyberwar Attacks cyber weapon Exfiltration Cyber Espionage Shamoon Wiper
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.