US-CERT Issues Updated Advisory on Destructive Shamoon Malware

Anthony Freed
By | October 17, 2012

Posted in: Network Security Trends

What could be worse than than a pesky malware infection on your organization's networks? How about malware that can annihilate systems and the precious data that resides on them. That's the case with the uber-destructive strain of malicious code dubbed Shamoon.

The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) has issued an updated advisory on the cyber espionage tool, also known as W32.DistTrack, which delivers a destructive payload and is thought to have damaged more than 30,000 computers belonging to oil and gas giant Saudi Aramco last August.

"Shamoon is a chilling scenario for any organization- pretty much the worst case scenario for a malware infection," Richard Stiennon, Chief Research Analyst at IT Harvest, said in an email interview with Security Bistro. "That said, many organizations completely wipe infected machines after a successful penetration anyway. It's the unscheduled disruption that could cause devastation".

According to analysis of the malicious code, Shamoon is comprised of three primary components. The first is the "Dropper" module, which constitutes the original infection and allows for the import of the malware's other functionalities. The second module identified is the "Reporter," a process that communicates exfiltrated data back to the command and control (C&C) servers administered by the attackers.

The third and most dangerous component that makes up the Shamoon trifecta is the "Wiper" module which "renders infected systems useless by overwriting the Master Boot Record (MBR), the partition tables, and most of the files with random data. Once overwritten, the data are not recoverable," the advisory from US-CERT explains.

"Because of the highly destructive functionality of the Shamoon 'Wiper' module, an organization infected with the malware could experience operational impacts including loss of intellectual property (IP) and disruption of critical systems. Actual impact to organizations vary, depending on the type and number of systems impacted," the advisory warns.

In a speech delivered to the Business Executives for National Security last week, Secretary of Defense Leon Panetta described the Shamoon malware's impact on Saudi Aramco's systems as being "the most destructive attack that the private sector has seen to date."

Yet Kevin McAleavey, architect of the KNOS Project secure operating system, says that the Shamoon code may have some problems of its own. "I find claims of Shamoon being highly sophisticated laughable," McAleavey told Security Bistro. "But programs intended to write garbage to a hard drive that execute can do some pretty serious damage anyway."

McAleavey, who has been involved with antimalware research since 1996, questions the level of coding skill displayed by the malware's authors and whether the data exfiltration module ever functioned correctly.

"Shamoon apparently had been designed as an intelligence-gathering bot, but the amateur hour coding in the malware failed to work as intended given that it was supposed to install additional executables from its C&C network with the purpose of exfiltrating information from the victim machines. Because of the poorly written code within it, this failed to work and the only portion which actually did function as designed was the disk-wipe portion of the code," McAleavey claims.

Though the spread of the malware has thus far been limited, US-CERT is nonetheless taking the potential threat to critical systems located in the U.S. very seriously, providing a long list of recommendations to mitigate the threat of system infection and aid in the detection of the Shamoon malware on networks, including:


  • Looking for the presence of the ElRawDisk driver on systems

  • The execution of daily backups for all critical systems and periodic “offline” backups of critical files to removable media

  • The isolation of critical networks from from business systems

  • Disabling credential caching for all desktop devices

  • Disabling AutoRun and Autoplay for any removable media device

  • Consider restricting account privileges and configuring standard user accounts to prevent execution of unauthorized software

The full US-CERT advisory which contains additional information and recommendations for protecting systems from Shamoon can be found here.

You May Also Be Interested In: