The ‘Shamoon’ malware that nixed the hard drives of 30,000 Saudi oil industry PCs in August was more of a ‘quick and dirty’ job by talented amateurs than a skilfully crafted professional cyberweapon, an analysis has concluded.
After pulling apart the code, Kaspersky Lab’s researcher Dmitry Tarakanov draws a mixed picture of the programming skills of Shamoon’s creators.
Where cyberweapons such as Stuxnet and Flame indulged enigmatic complexity and sophistication, Shamoon’s makers displayed a gauche carelessness, including a number of “silly” programming errors.
Most obvious was the programmer’s substitution of an upper case ‘S’ in place of a lower case necessary to allow the format string ‘%s%s%d.%s’ in the important Shamoon communication module operate correctly, a sign of haste.
And Shamoon’s makers just couldn’t resist the rhetorical anti-US device of including a fragment of a Wikipedia-sourced Jpeg of a burning US flag in the disk-overwriting routine, a deliberate act according to Kaspersky’s researchers.
The same Jpeg fragment is used to overwrite the master boot record of targeted hard drives, an almost comic device to use in such a serious attack.
“By all appearances, the clue was intentionally put there for the photo to be found.”
Oddly, Shamoon hijacked the signed driver in games maker Eidos’s RawDisk software to access the MBR for no obvious reason; Windows 7 gives such access without the need for a signed third-party driver.
“The nature of their mistakes suggests that they are amateurs albeit skillful amateurs as they did create a quite practicable piece of self-replicating destructive malware,” said Tarakanov.
“The fact that they used a picture of a fragment of a burning US flag possibly shows that the motive of Shamoon’s authors is to create and use malware in a politically driven way.”
Eccentric it might be but the important point about Shamoon is that it worked.
The malware (also known as DistTrack) struck on 15 August, causing major disruption to the Saudi Arabian national oil company Aramco. Unconfirmed reports say it was also involved on a similar attack on RasGas, a major Qatar-based liquefied natural gas firm.
Whether sanctioned by Iran or not, Shamoon almost was almost certainly pro-Iran in sympathies and was possibly aided by spies inside the targeted firms reports has suggested.