'Shamoon' Malware May Be Flame 'Copycat' -- Redmondmag.com

'Shamoon' Malware May Be Flame 'Copycat'

By Chris Paoli
08/20/2012

Security researchers have identified a virus that can steal data from a targeted machine and then rewrite over the master boot record of a computer to make it inoperable.

Called Shamoon, the targeted malware is suspected to be involved in an online attack of Saudi Aramco, a Saudi Arabian oil company, last Wednesday.

The virus has been named Shammon by researchers after an associated file: C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb.

According to researchers at security firm Symantec, an individual infected with the virus may notice some irregularities before the system is forced to reboot.

"They will start to see strange things happen, since a lot of the files on their computer have been rewritten," said Kevin Haley, director of Symantec Security Response, to SCMagazine.com. "You may see error messages, and parts of the files on the computer will be rewritten to the point that the machine will fail to work at all."

According to a company blog post, the malware has three distinct components: a "dropper" agent, which is the main agent that initially infects the system; a "wiper" component, which is involved with deleting data necessary for a system to properly function; and a "reporter" module, which sends back targeted information from an infected system back to the attacker.

While the dropper and reporter components are typically associated with targeted malware, the wiper component is somewhat unique to this type of attack. However, it is not unheard of, as a wiper component was also a part of the Flame virus that hit targeted companies in the Middle East this past May.

However, security firm Kaspersky Labs said it doesn't believe that Shamoon is being launched as a weapon by another nation, as rumored to be the case with Flame.
"It is more likely that [Shamoon] is a copycat, the work of a script kiddies inspired by the [Flame] story," said Kaspersky in a blog post.

While the malware may only be the work of a copycat, Symantec said it believes that other energy-related companies in the Middle East may be targeted next. However, information from firms investigating the malware, including Symantec and Kaspersky Lab, have not given any clue as to what kind of information is being relayed back to the attacker.

Due to the highly targeted nature of the virus, the vast majority of users are not in harm's way of Shamoon. However, security firms are reminding enterprises to keep all security software up to date and to apply any OS security updates in a timely manner.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.