Thursday08 December 2022

New Shamoon Malware May Be An Effort to Copy Flame

Reading time is around minutes.
News light-virus-1

Another day another bit of malware hits the internet. This time the malware is a very nasty bit of code and one that you should be very concerned about. The new malware named Shamoon was first reported on Thursday and has the nasty capability to grab user information before attempting to render the system unusable. Both Symantec and Kaspersky have independently reported on the malware and from their reports on the new bug seem to feel it is definitely worth keeping an eye on.

Symantec (who calls it W32.Disttrack) have a pretty good analysis on the malware and say that it has three main components, the dropper, the wiper and the reporter. As you might imagine each one of these has its own part to play in the infection of the system. Following a trend that started more than 10 years ago, the

Dropper is the main part of the virus and is responsible for bringing in the rest of the gang to help with the damage to your computer. The Wiper is the part of the virus that… well wipes some very important parts of your OS and HDD. The Reporter is what lets the command and control assets know that a system has been infected.

The whole piece of malware is digitally signed and even uses valid components to perform its destructive purposes. The wiper actually uses a valid driver from Eldos that overwrites the drdisk.sys driver. This new, digitally signed, and valid driver allows for raw disk access. With this in place Shamoon can overwrite protected and in use files directly on the disk and also overwrite the Master Boot Record of your system. With this removed your computer will not boot. Although it is possible to rebuild the MBR sector when damaged it can be problematic when it has been completely overwritten.

Both Symantec and Kaspersky agree that Shamoon is not related to the Flame malware, but appears to have been cobbled together from independent pieces to mimic it. Kaspersky says it best:

Our opinion, based on researching several systems attacked by the original Wiper, is that it is not. The original “Wiper” was using certain service names (“RAHD...”) together with specific filenames for its drivers (“%temp%\~dxxx.tmp”) which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware.
It is more likely that this is a copycat, the work of a script kiddies inspired by the story.”

Right now it appears that the virus is used in targeted attacks so there is little chance (as of this writing) that you will get this from browsing the internet. However, things can change if this leaks out into the wild or someone decides to grab this and use portions of it for other purposes. Still the destructive payload is unusual in this type of targeted attack and is certainly a step up from the efforts that were put into Flame which allowed for complete removal of the malware using a similar program called wiper. As usual we concur with Kaspersky and Symantec in their recommendation to make sure you have malware protection and that you keep it up to date.

Discuss this in our Forum

Last modified on Friday, 17 August 2012 10:45

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.