'Shamoon' Malware May Be Flame 'Copycat'

Security researchers have identified a virus that can steal data from a targeted machine and then overwrite the computer's master boot record, rendering it inoperable.

Called Shamoon, the targeted malware is suspected to be involved in an online attack of Saudi Aramco, a Saudi Arabian oil company, last Wednesday.

The virus has been named Shamoon by researchers after an associated file: C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb.

According to researchers at security firm Symantec, an individual infected with the virus may notice some irregularities before the system is forced to reboot.

"They will start to see strange things happen, since a lot of the files on their computer have been rewritten," said Kevin Haley, director of Symantec Security Response. "You may see error messages, and parts of the files on the computer will be rewritten to the point that the machine will fail to work at all."

According to a company blog post, the malware has three distinct components: a "dropper" agent, which is the main agent that initially infects the system; a "wiper" component, which deletes data necessary for a system to function properly; and a "reporter" module, which sends targeted information from an infected system back to the attacker.

While the dropper and reporter components are typically associated with targeted malware, the wiper component is less common in this type of attack. However, it is not unheard of, as a wiper component was also part of the Flame virus that hit targeted companies in the Middle East this past May.

However, security firm Kaspersky Lab said it doesn't believe that Shamoon is being launched as a weapon by another nation, as rumored to be the case with Flame.  
"It is more likely that [Shamoon] is a copycat, the work of script kiddies inspired by the [Flame] story," said Kaspersky in a blog post.

While the malware may only be the work of a copycat, Symantec said it believes that other energy-related companies in the Middle East may be targeted next. However, information from firms investigating the malware, including Symantec and Kaspersky Lab, has not given any clue as to what kind of information is being relayed back to the attacker.

Due to the highly targeted nature of the virus, the vast majority of users are not in harm's way of Shamoon. However, security firms are reminding enterprises to keep all security software up to date and to apply any OS security updates in a timely manner.  

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
