'Shamoon' Spyware Searches, Then Destroys
An original copy of the 'Search and Destroy' 1973 single by Iggy and the Stooges.
CREDIT: Columbia Records
A nasty new piece of malware has been discovered in the Middle East targeting energy companies. Unlike Stuxnet, Duqu or Flame, which stalked the same ground, this one's purely, strangely destructive.
Dubbed "Shamoon" after a filename found in its code, the spyware infects all the computers in an internal network, then effectively erases them — but not before collecting the names of the files it's overwritten and sending them out to an unknown command-and-control server.
It may have already hit Saudi Aramco, Saudi Arabia's state-owned oil-production company, which said Wednesday that it had shut down its main computer systems after an unspecified malware intrusion.
Symantec said that the malware, which it calls "W32:Disttrack," had infected fewer than 50 machines worldwide.
Shamoon ("Simon" in Arabic) even goes so far as to overwrite an infected machine's master boot record, the first thing a computer looks for when it starts up.
"Why would someone wipe files in a targeted attack and make the machine unusable?" wondered a posting yesterday (Aug. 16) on the official blog of the Israeli Internet-security firm Seculert.
It's possible that Shamoon is working as the "cleanup crew" with another piece of malware, and serves only to cover up the other malware's existence. But almost all malware, whether criminal or state-controlled, tries to fly under the radar and remain as unobtrusive as possible.
For example, Flame, the state-sponsored spyware discovered earlier this summer, was out "in the wild" for an estimated 5 years before malware researchers spotted it. That extremely long time is testimony to its sophistication.
Shamoon incorporates a feature called "Wiper," also a hallmark of Flame, which cleaned up after itself by erasing traces of its own activities.
However, Kaspersky Lab, one of the organizations that found Flame, says Shamoon's "Wiper" is completely different, and that Shamoon may be the work of amateurs.
"It is more likely that this is a copycat, the work of a script kiddies inspired by the [Flame] story," said the official Kaspersky blog.
Fly the (false) flag
There are tantalizing tidbits buried in the Shamoon code that might, or might not, provide clues to its author's identities, or at least nationalities.
The malware uses a snippet of a larger image to overwrite all the document, music, image and video files it can find. The image, which can be viewed on the Symantec website, looks like part of the American flag.
The feature that wipes the master boot record has links to a London data-security firm called EldoS.
Kaspersky said in its blog posting that EldoS' digital certificate was either stolen or forged to create Shamoon, which would imply a certain level of skill on the part of its authors.
However, Symantec's drier analysis of Shamoon noted that the boot-record wiper is a "clean disk driver" that "may be used for legitimate purposes."
In a blog posting earlier today, Eugene Mayevski, chief technology officer of EldoS, angrily lashed out at Kaspersky's assertions that the certificate was stolen.
"Some not-identified script kiddies have crafted a malware which wipes victim's disks. To do actual wiping they have used our driver, probably stolen from some of our clients' software," Mayevski wrote.
"Kaspersky Labs and several other wanna-be-specialists from other companies have made conclusion that those script kiddies managed to create the driver and sign it using 'stolen private cryptographic key of EldoS Corporation,'" he added. "That misleads people and takes [the] analysis in [the] wrong direction."