Research Paints Shamoon Creators as ‘Skillful Amateurs’

Despite seemingly endless pontification, it’s still too early to definitively say whether there’s a connection between the Shamoon malware and recent attacks on Middle Eastern oil firms, yet some of the attackers’ intentions may be getting clearer.

Research suggests the creators of the recent Shamoon malware were not high-profile programmers but “skillful amateurs,” and that their motivation may have been political.

A new post by Kaspersky Lab researcher Dmitry Tarakanov on the firm’s Securelist blog helps break down the malware’s technical details and shortcomings further.

In one part of the analysis, Tarakanov notes that the malware’s author used a capital “S” where a lowercase “s” was needed. This “silly error” led to a failed string-formatting (“sprintf”) call and left the malware unable to drop a file, let alone execute one.
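The capital-S slip Tarakanov describes matches a classic Windows C runtime pitfall: in a printf-style format string, “%s” takes a narrow char* but “%S” takes a wide wchar_t*, so a capital S fed a narrow string consumes the bytes as UTF-16 code units and yields a nonsense path. The C below is an added illustration of that pitfall, not code from Shamoon or from Kaspersky’s write-up. The sample path, the buffer sizes and the little-endian model of the misread are assumptions; the model also stops at the end of its buffer, whereas the real CRT would keep scanning past the single NUL until it happened to hit two aligned zero bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the narrow (ANSI) path a dropper might intend to
 * build.  Declared in a 32-byte buffer so the zero padding lets the
 * modelled read below terminate; the real CRT would read past the lone
 * NUL until it found two aligned zero bytes. */
static const char kSample[32] = "C:\\Windows\\tmp.exe";
static uint16_t g_units[32];   /* scratch for the reinterpreted string */
static char g_path[64];        /* scratch for the correctly built path */

/* Model of what a Windows CRT "%S" conversion does when handed a char*
 * instead of the wchar_t* it expects: bytes are consumed as little-endian
 * UTF-16 code units until a 16-bit zero is found.  Bounded by buf_len so
 * the model itself never reads out of bounds.  Returns the number of
 * code units produced. */
size_t misread_as_wide(const char *buf, size_t buf_len,
                       uint16_t *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < buf_len && n < cap; i += 2) {
        uint16_t unit = (uint16_t)((unsigned char)buf[i] |
                                   ((unsigned char)buf[i + 1] << 8));
        if (unit == 0)
            break;
        out[n++] = unit;
    }
    return n;
}

/* Does the reinterpreted string spell the intended ASCII path? */
int wide_matches_ascii(const uint16_t *w, size_t n, const char *ascii)
{
    if (n != strlen(ascii))
        return 0;
    for (size_t i = 0; i < n; i++)
        if (w[i] != (unsigned char)ascii[i])
            return 0;
    return 1;
}

/* The correct narrow version: "%s" with char* arguments, length-checked.
 * Returns 1 on success, 0 if the result would have been truncated. */
int build_path_correct(char *out, size_t cap, const char *dir, const char *name)
{
    int r = snprintf(out, cap, "%s\\%s", dir, name);
    return r >= 0 && (size_t)r < cap;
}

int main(void)
{
    size_t n = misread_as_wide(kSample, sizeof kSample, g_units, 32);
    printf("\"%%S\" given a char* yields %zu code units:", n);
    for (size_t i = 0; i < n; i++)
        printf(" U+%04X", g_units[i]);
    printf("\nmatches intended path: %d\n",
           wide_matches_ascii(g_units, n, kSample));

    if (build_path_correct(g_path, sizeof g_path, "C:\\Windows", "tmp.exe"))
        printf("\"%%s\" builds: %s\n", g_path);
    return 0;
}
```

The eighteen-character path collapses into nine CJK-range code units (the first is U+3A43, the bytes of “C:” read as one unit), which no file API will resolve. The practical check is to compile with format-string warnings enabled (-Wformat in GCC and Clang, or the equivalent warning level in MSVC), which flag a char* passed to a wide conversion at build time.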

Elsewhere, the malware produces two files, “f1.inf” and “f2.inf,” that hold a fragment of a JPEG of a burning U.S. flag. The image is easy to spot and, according to Tarakanov, was meant to be found: the malware writes that fragment over and over, overwriting the hard drive with copies of the JPEG and crudely filling the entire disk.

“The fact that they used a picture of a fragment of a burning US flag possibly shows that the motive of Shamoon’s authors is to create and use malware in a politically driven way. Moreover, they wished that their protest which was embedded into the malware would not go unnoticed,” Tarakanov wrote.

Saudi Aramco, the world’s largest oil company, was hit by a cyber attack in mid-August that wiped information from 30,000 of the company’s machines. It has since been theorized that Shamoon, which overwrites the master boot record of infected machines after stealing data, was responsible, though Aramco officials say their investigation of the incident is ongoing.

For more on the Shamoon research, head to Securelist.