Kaspersky: Shamoon malware nothing more than 'quick and dirty'

The malware attacked the hard drives of 30,000 workstations owned by Saudi oil firm Saudi Aramco. After pro-actively disabling network channels, the system was cleaned before major damage could be done -- and Kaspersky Lab consider the attack nothing more than a "quick and dirty" job.

The lab's researcher Dmitry Tarakanov posted an analysis of the malware after pulling apart its code, and the analysis puts sophisticated coding including Stuxnet and Flame into an entirely different league.

A number of "silly" errors were made, including using flawed date comparison and substituting lower case for upper case letters -- something the researcher considers a sign of haste which impacts the effectiveness of the attack:

"But instead of a correct format string, the malware writer used "%S%S%d.%s" with an uppercase "S". This causes a "sprintf" function failure and no full path string is created. Lack of full path means that no file is dropped. No file, no execution. So, the Shamoon malware does not have a functionality to execute other programs."

The inclusion of Wikipedia's burning flag image under its original name US_flag_burning.jpg was considered an "intentional" clue for the image to be found.

This is the image that is used to overwite the master boot record of hard drives, although the latest variant also overwrites 192KB blocks of data with randomly generated information. 

Recognized as W32.Disttrack, the malware also changes the active partitions of an infected machine and wipes "priority" files tagged with download, document, picture, music, video and desktop. Once the wiping 'death' date is read from a .pnf file and checks out, the wiper is activated.

Tarakanov also mentions a confusing aspect of Shamoon -- the fact that it exploits legitimate signed drivers of Eldos’ software RawDisk. At first they thought that it was done for rewriting purposes, but Windows 7 gives standard user access without the need for a signed third-party driver. Yet, Shamoon needs to run with administrator privileges anyway, so the coding seems pointless.

The researcher concluded:

"We've got other clues that people behind creating the Shamoon malware are not high-profile programmers and the nature of their mistakes suggests that they are amateurs albeit skillful amateurs as they did create a quite practicable piece of self-replicating destructive malware.

Unfortunately, we see that the warnings given of malicious software using legitimate kernel-mode applications is not paranoia but reality. Developers of drivers should always keep in mind that cybercriminals and other people who create malware search for covert ways to access a system's Ring0."

The malware first struck Aramco on 15 August. Reports have suggested that a similar attack on Qatar-based natural gas firm RasGas may be down to Shamoon, but this is yet to be confirmed.