
Shamoon Malware, cyber espionage tool, cyber weapon or …

by paganinip on August 19th, 2012

Cyberspace knows no peace: every time a malware or a botnet is detected and decapitated, a new cyber threat appears. This time a new agent is scaring security experts. Its name is Shamoon, and it is able to destroy files on a victim’s PC and overwrite the master boot record of its disks.

Unlike the other malware isolated in recent months, this agent was not developed only to spy on victims: its purpose is to destroy them by making the machine unusable. The malware attacks Windows 95, Windows 98, Windows XP, Windows 2000, Windows Vista, Windows NT, Windows ME, Windows 7, Windows Server 2003 and Windows Server 2008.

Some experts are convinced that there is a relationship between the agent and the malware Wiper, but other researchers deny the hypothesis.

The first team to analyze the malware was Kaspersky Lab, which examined some instances of it that presented links to Wiper, due to the presence in one module of a string whose name includes “wiper”.

This is just a hypothesis; someone may even have used the string to create a red herring. The Kaspersky experts declared:

“Our opinion, based on researching several systems attacked by the original Wiper, is that it is not. The original “Wiper” was using certain service names (“RAHD…”) together with specific filenames for its drivers (“%temp%\~dxxx.tmp”) which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware.”

The researchers at Seculert who analyzed the malware also discovered that it has the ability to overwrite the machine’s MBR. What is interesting is that before Shamoon makes the PC unusable it gathers data from the victim: it steals information from the ‘Users’, ‘Documents and Settings’, ‘System32/Drivers’ and ‘System32/Config’ folders on Windows computers and sends it to another infected PC on the same internal network. The reason for this strange procedure is still a mystery.

Aviv Raff, Seculert CTO, declared:

“The attacker took control of an internal machine connected directly to the internet, and used that machine as a proxy to the external Command-and-Control (C2) server. Through the proxy, the attacker infected the other internal machines, which were probably not connected directly to the internet.”
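As an added defender's-side example (not from the original post or from any of the vendors cited), the relay shape Seculert describes above, together with the internal hand-off of stolen data described earlier, can be surfaced from network flow records: look for a host that receives large volumes from several internal peers and also talks to an external address. The sample flows, the 10.0.0.0/8 internal range and the thresholds are assumptions constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space for this example (an assumption, not from the article).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample flow records (src, dst, bytes); not real telemetry.
SAMPLE_FLOWS = [
    ("10.0.1.11", "10.0.1.50", 48_000_000),   # workstation -> suspected relay
    ("10.0.1.12", "10.0.1.50", 51_000_000),
    ("10.0.1.13", "10.0.1.50", 47_500_000),
    ("10.0.1.50", "203.0.113.7", 2_000_000),  # relay -> external address (TEST-NET-3)
    ("10.0.1.11", "10.0.1.5", 12_000),        # ordinary file-server traffic
    ("10.0.1.12", "10.0.1.5", 9_000),
    ("10.0.1.5", "10.0.1.12", 30_000),
]


def is_internal(addr):
    """True if the address falls inside the assumed internal range."""
    return ipaddress.ip_address(addr) in INTERNAL_NET


def find_relay_candidates(flows, min_peers=3, min_inbound_bytes=100_000_000):
    """Return internal hosts that (a) receive at least min_inbound_bytes from
    at least min_peers distinct internal peers and (b) themselves connect to
    an external address: the proxy/relay pattern described in the article."""
    inbound_peers = defaultdict(set)   # dst -> set of internal sources
    inbound_bytes = defaultdict(int)   # dst -> total bytes received internally
    talks_external = set()             # internal hosts with outbound external flows
    for src, dst, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            inbound_peers[dst].add(src)
            inbound_bytes[dst] += nbytes
        elif is_internal(src) and not is_internal(dst):
            talks_external.add(src)
    return sorted(
        host for host in talks_external
        if len(inbound_peers[host]) >= min_peers
        and inbound_bytes[host] >= min_inbound_bytes
    )


if __name__ == "__main__":
    print(find_relay_candidates(SAMPLE_FLOWS))  # ['10.0.1.50']
```

The thresholds need tuning per environment; legitimate file servers and backup hosts receive large internal volumes too, so the external-connection condition is what narrows the match.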

Experts from Symantec wrote on their Security Response blog:

“Threats with such destructive payloads are unusual and are not typical of targeted attacks,” and “Security Response is continuing to analyse this threat and will post more information as it becomes available.”

Many hypotheses have been proposed. Some experts are sure that Shamoon is a new state-sponsored malware for cyber espionage that is also able to destroy its victims, perhaps to hide its operations by deleting every piece of evidence that could link the clients to the Command & Control servers. Other researchers believe that we are facing a true cyber weapon, to be spread inside specific networks with the dual intent of gathering information and destroying the enemy’s PCs.

Pierluigi Paganini
