Summary: Kaspersky's analysis of Shamoon malware has concluded it was a job pulled off by talented amateurs.
The malware attacked the hard drives of 30,000 workstations owned by Saudi oil firm Saudi Aramco. After pro-actively disabling network channels, the system was cleaned before major damage could be done -- and Kaspersky Lab consider the attack nothing more than a "quick and dirty" job.
The lab's specialist Dmitry Tarakanov published an research of the viruses after taking apart its value, and the research places innovative programming such as Stuxnet and Fire into an entirely different group.
A number of "silly" errors were made, such as using defective time frame evaluation and replacing lower situation for higher situation characters -- something the specialist views a indication of hurry which effects the potency of the attack:
"But instead of a correct structure sequence, the viruses author used "%S%S%d.%s" with an uppercase "S". This causes a "sprintf" operate failing and no complete direction sequence is designed. Deficiency of complete direction means that no information file is decreased. No information file, no performance. So, the Shamoon viruses does not have a performance to perform other applications."
The addition of Wikipedia's losing banner image under its unique name US_flag_burning.jpg was regarded an "intentional" idea for the image to be found.
This is the image that is used to overwite the expert start history of hard disks, although the newest version also overwrites 192KB prevents of information with at random produced information.
Recognized as W32.Disttrack, the viruses also changes the effective categories of an contaminated device and baby wipes "priority" information files marked with obtain, papers, image, music, video and pc. Once the clearing off 'death' time frame is read from a .pnf information file and assessments out, the windsheild wiper is triggered.
Tarakanov also refers to a complicated element of Shamoon -- the fact that it uses genuine finalized individuals of Eldos’ application RawDisk. At first they thought that it was done for spinning requirements, but Windows seven gives conventional individual accessibility without the need for a finalized third-party car owner. Yet, Shamoon needs to run with manager rights anyway, so the programming seems useless.
The specialist concluded:
"We've got other signs that individuals behind developing the Shamoon viruses are not high-profile developers and the characteristics of their errors indicates that they are beginners at the same time competent beginners as they did make a quite possible piece of self-replicating dangerous viruses.
Unfortunately, we see that the alerts given of harmful application using genuine kernel-mode applications is not fear but truth. Designers of individuals should always keep in mind that cybercriminals and other individuals who make viruses search for concealed ways to accessibility a body Ring0."
The viruses first hit Aramco on 15 Aug. Reviews have recommended that a similar strike on Qatar-based natural gas company RasGas may be down to Shamoon, but this is yet to be verified.
A number of "silly" errors were made, such as using defective time frame evaluation and replacing lower situation for higher situation characters -- something the specialist views a indication of hurry which effects the potency of the attack:
"But instead of a correct structure sequence, the viruses author used "%S%S%d.%s" with an uppercase "S". This causes a "sprintf" operate failing and no complete direction sequence is designed. Deficiency of complete direction means that no information file is decreased. No information file, no performance. So, the Shamoon viruses does not have a performance to perform other applications."
The addition of Wikipedia's losing banner image under its unique name US_flag_burning.jpg was regarded an "intentional" idea for the image to be found.
This is the image that is used to overwite the expert start history of hard disks, although the newest version also overwrites 192KB prevents of information with at random produced information.
Recognized as W32.Disttrack, the viruses also changes the effective categories of an contaminated device and baby wipes "priority" information files marked with obtain, papers, image, music, video and pc. Once the clearing off 'death' time frame is read from a .pnf information file and assessments out, the windsheild wiper is triggered.
Tarakanov also refers to a complicated element of Shamoon -- the fact that it uses genuine finalized individuals of Eldos’ application RawDisk. At first they thought that it was done for spinning requirements, but Windows seven gives conventional individual accessibility without the need for a finalized third-party car owner. Yet, Shamoon needs to run with manager rights anyway, so the programming seems useless.
The specialist concluded:
"We've got other signs that individuals behind developing the Shamoon viruses are not high-profile developers and the characteristics of their errors indicates that they are beginners at the same time competent beginners as they did make a quite possible piece of self-replicating dangerous viruses.
Unfortunately, we see that the alerts given of harmful application using genuine kernel-mode applications is not fear but truth. Designers of individuals should always keep in mind that cybercriminals and other individuals who make viruses search for concealed ways to accessibility a body Ring0."
The viruses first hit Aramco on 15 Aug. Reviews have recommended that a similar strike on Qatar-based natural gas company RasGas may be down to Shamoon, but this is yet to be verified.
