Attack of the Clones

Remember that "Pandora's box" that security bloggers and experts were warning about once it was reported that Stuxnet might have come from a government body?

Well, it looks like the occupants of said box are slowly starting to trickle out. News came out this week that a Saudi oil company was hit by an info-stealing, rootkit-deleting virus -- one very similar to Stuxnet and one that looks like Flame's younger brother (if you squint your eyes).

The virus, called Shamoon, is a targeted malware that retrieves and transmit wanted data back to the attackers, while, at the same time, rewrites Windows machines' rootkits, making them inoperable -- a tactic that the average scum hacker doesn't employ.

That's because the majority of malware is created for the sole purpose of stealing personal info (like credit card numbers). It wouldn't do any good to launch a virus that alerts the user that they've been compromised (and a perfectly working machine that just up and quits on you is a good sign of a compromise). How would your neighborhood jerk hacker have time to use that credit card number they've spent so much time acquiring if you've already cancelled the card?

On the other hand, when, say a government body wants to grab info on the inner workings of a plutonium enrichment plant, destroying all evidence of your identity is far more important than alerting your target that you've already infiltrated their system. It's a bit harder to abandon a billion dollar facility if you know another government knows the inner workings.

Now before Mark Russinovich starts penning his next novel based on the exploits of this particular virus, it's worth noting that security experts believe Shamoon isn't part of any global action by a government body -- it was more than likely the work of an individual who decided to play copycat after seeing the news on Stuxnet and Flame.

About the Author

Chris Paoli is the site producer for and

comments powered by Disqus

Reader Comments:

Mon, Aug 27, 2012 Paul from Long Island

It doesn't re-write Windows' machines rootkits - which they shouldn't have as they are another type of malware. It re-writes the boot sector or master boot reord which prevents the machines from starting the OS.

Wed, Aug 22, 2012 ibsteve2u Commonwealth of Pennsylvania

Given that you say the target was Saudi oil, you next have to ask the questions "An individual working on their own? Or an individual working for someone or some group that is interested in in the price oil and how it can e manipulated? Or an individual or group interested in the political ramifications of changes in the price of oil given the fact that the cost of energy immediately impacts an economy? Or both of the latter two?" Just the oil speculation aspect could be monetized in the billions of dollars range...the political ramifications of timely changes in the cost of energy, however, jump up into the trillions of dollar range when you include what changes in the control of certain governments means in terms of regulatory costs, taxes, holidays. And there are third parties - third party countries, that is - who have shown an interest in ensuring that specific political parties control certain other countries. I doubt that they'd be above making a little money while they were at it, either. Darn shame our Republicans have had so much success at enforcing America's addiction to oil...I'd much rather be bored with this story as just another example of lax security than...curious.

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.