'Shamoon' cyberweapon the work of amateurs, Kaspersky says

No 'Flame' masterpiece but damaged 30,000 PCs

The 'Shamoon' malware that nixed the hard drives of 30,000 Saudi oil industry PCs in August was more of a 'quick and dirty' job by talented amateurs than a skilfully crafted professional cyberweapon, an analysis has concluded.

After pulling apart the code, Kaspersky Lab's researcher Dmitry Tarakanov draws a mixed picture of the programming skills of Shamoon's creators.

Where cyberweapons such as Stuxnet and Flame indulged enigmatic complexity and sophistication, Shamoon's makers displayed a gauche carelessness, including a number of "silly" programming errors.

Most obvious was the programmer's use of an upper case 'S' where a lower case 's' was needed in the format string '%s%s%d.%s' in Shamoon's important communication module, an error that stopped the module from operating correctly and a sign of haste.

And Shamoon's makers just couldn't resist the rhetorical anti-US device of including a fragment of a Wikipedia-sourced Jpeg of a burning US flag in the disk-overwriting routine, a deliberate act according to Kaspersky's researchers.

The same Jpeg fragment is used to overwrite the master boot record of targeted hard drives, an almost comic device to use in such a serious attack.

"By all appearances, the clue was intentionally put there for the photo to be found."
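The disk-overwriting behaviour described above (a JPEG fragment written over the master boot record) leaves traces a responder can look for. The following is an added example, not code from the article or from Kaspersky's analysis: a small forensic triage check over a raw 512-byte MBR sector image. It verifies the 0x55AA boot signature, looks for the JPEG start-of-image marker (FF D8 FF), and flags a uniformly filled sector. The sample sectors are constructed for illustration; `inspect_mbr`, `build_sample_mbr` and `build_overwritten_mbr` are names chosen here and are not tied to any real tool.

```python
# Added example (not from the CSO article or Kaspersky's analysis): a forensic
# triage check for a raw 512-byte master boot record (MBR) sector image.
# It flags a sector that has lost the 0x55AA boot signature and looks for the
# JPEG start-of-image marker that a Shamoon-style overwrite would leave behind.
# Both sample sectors below are constructed for illustration, not captured
# from a real disk.

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"      # last two bytes of a valid MBR
JPEG_SOI = b"\xFF\xD8\xFF"        # JPEG start-of-image marker (FF D8 FF)


def inspect_mbr(sector: bytes) -> dict:
    """Return a small report about a raw MBR sector image."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    has_signature = sector[510:512] == BOOT_SIGNATURE
    jpeg_offset = sector.find(JPEG_SOI)      # -1 when the marker is absent
    # A sector made of a single repeated byte (e.g. fully zeroed) is also
    # suspicious: it cannot hold bootstrap code or a partition table.
    uniform = len(set(sector)) == 1
    return {
        "boot_signature": has_signature,
        "jpeg_marker_offset": jpeg_offset,
        "uniform_fill": uniform,
        "suspect": (not has_signature) or jpeg_offset != -1 or uniform,
    }


def build_sample_mbr() -> bytes:
    """Constructed, minimal 'healthy' MBR: a few bootstrap bytes plus 0x55AA."""
    # CLI; XOR AX,AX; then zero padding up to the signature (placeholder code)
    body = bytes([0xFA, 0x33, 0xC0]) + b"\x00" * (510 - 3)
    return body + BOOT_SIGNATURE


def build_overwritten_mbr() -> bytes:
    """Constructed sector whose contents were replaced by the head of a JPEG."""
    # SOI marker followed by an APP0/JFIF header, as found at the start of a
    # typical JPEG file; the rest of the sector is zero padding.
    jpeg_head = JPEG_SOI + b"\xE0\x00\x10JFIF\x00"
    return (jpeg_head + b"\x00" * SECTOR_SIZE)[:SECTOR_SIZE]


if __name__ == "__main__":
    # Usage on a real image would be: inspect_mbr(open(path, "rb").read(512))
    for label, sector in (("healthy", build_sample_mbr()),
                          ("overwritten", build_overwritten_mbr())):
        print(label, inspect_mbr(sector))
```

On a live system the same check can be run against the first 512 bytes of each physical disk image collected during response; a JPEG marker at offset 0 of the MBR is a strong indicator that the wiper has already run on that host.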

Oddly, Shamoon hijacked the signed driver in games maker Eidos's RawDisk software to access the MBR for no obvious reason; Windows 7 gives such access without the need for a signed third-party driver.

"The nature of their mistakes suggests that they are amateurs, albeit skillful amateurs, as they did create a quite practicable piece of self-replicating destructive malware," said Tarakanov.

"The fact that they used a picture of a fragment of a burning US flag possibly shows that the motive of Shamoon's authors is to create and use malware in a politically driven way."

Eccentric it might be but the important point about Shamoon is that it worked.

The malware (also known as DistTrack) struck on 15 August, causing major disruption to the Saudi Arabian national oil company Aramco. Unconfirmed reports say it was also involved in a similar attack on RasGas, a major Qatar-based liquefied natural gas firm.

Whether sanctioned by Iran or not, Shamoon was almost certainly pro-Iran in its sympathies and, reports have suggested, was possibly aided by spies inside the targeted firms.
