'Shamoon' Malware May Be Flame 'Copycat'

Security researchers have identified a virus that can steal data from a targeted machine and then rewrite over the master boot record of a computer to make it inoperable.

Called Shamoon, the targeted malware is suspected to be involved in an online attack of Saudi Aramco, a Saudi Arabian oil company, last Wednesday.

The virus has been named Shammon by researchers after an associated file: C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb.

According to researchers at security firm Symantec, an individual infected with the virus may notice some irregularities before the system is forced to reboot.

"They will start to see strange things happen, since a lot of the files on their computer have been rewritten," said Kevin Haley, director of Symantec Security Response, to "You may see error messages, and parts of the files on the computer will be rewritten to the point that the machine will fail to work at all."

According to a company blog post, the malware has three distinct components: a "dropper" agent, which is the main agent that initially infects the system; a "wiper" component, which is involved with deleting data necessary for a system to properly function; and a "reporter" module, which sends back targeted information from an infected system back to the attacker.

While the dropper and reporter components are typically associated with targeted malware, the wiper component is somewhat unique to this type of attack. However, it is not unheard of, as a wiper component was also a part of the Flame virus that hit targeted companies in the Middle East this past May.

However, security firm Kaspersky Labs said it doesn't believe that Shamoon is being launched as a weapon by another nation, as rumored to be the case with Flame.  
"It is more likely that [Shamoon] is a copycat, the work of a script kiddies inspired by the [Flame] story," said Kaspersky in a blog post.

While the malware may only be the work of a copycat, Symantec said it believes that other energy-related companies in the Middle East may be targeted next. However, information from firms investigating the malware, including Symantec and Kaspersky Lab, have not given any clue as to what kind of information is being relayed back to the attacker.

Due to the highly targeted nature of the virus, the vast majority of users are not in harm's way of Shamoon. However, security firms are reminding enterprises to keep all security software up to date and to apply any OS security updates in a timely manner.  

About the Author

Chris Paoli is the site producer for and


  • Azure Active Directory ID Protection 'Refresh' Now Available

    Microsoft's enhancements to the Azure Active Directory Identity Protection service are now said to be "generally available" (GA), or ready for commercial use, per a Wednesday announcement.

  • Microsoft Releases Windows 10 Version 1909

    Microsoft on Tuesday announced the release of Windows 10 version 1909, a new operating system product that's also known as the "Windows 10 November 2019 Update."

  • November Microsoft Security Bundle Addresses 75 Vulnerabilities

    Of that number, 13 vulnerabilities are rated "Critical" to patch, while 62 vulnerabilities are deemed "Important."

  • The Future of Office 365 Pricing

    With a raft of new Office 365 features in the pipeline, Microsoft also seems ready to change the way it bills its subscribers. Will it replicate Azure's pay-per-use model, or will it look like something else entirely?

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.