Shamoon – too buggy to be state-sponsored?

“The intent of the attackers behind the Shamoon malware isn't too clear at this point, but the tool is collecting data from infected machines and sending off to parts unknown. That puts it in the league of the cyber espionage tools that have become the favored weapons of attackers of late,” concluded Kaspersky at the time. But cyber espionage tends to be covert, while Shamoon blatantly drew attention to itself by wiping data and making the infected computer unusable.

This in itself seemed to associate Shamoon with the Wiper virus that had been used to attack the Iranian oil industry. “Of course, the ‘wiper’ reference immediately reminds us of the Iranian computer-wiping incidents from April 2012 that led to the discovery of Flame,” commented a Kaspersky Lab expert with the handle GReAT in a separate report. But further analysis of the wiping mechanism led him to conclude that the two viruses are not related. “It is more likely that this is a copycat, the work of a script kiddies inspired by the story,” concluded the researcher.

This now seems to be prescient. The latest post from Kaspersky’s Anne Saita points to “some clumsy coding” in Shamoon leading “researchers to conclude that it is probably not related to the Wiper malware that hit some Iranian networks recently and likely isn't the work of serious programmers.”

The main coding error revolves around the hard coding of a date within the main executable – the dropper. “This error,” explains researcher Dmitry Tarakanov, “indirectly confirms our initial conclusion that the Shamoon malware is not the Wiper malware that attacked Iranian systems. Wiper is presumed to be a cyber-weapon and, if so, it should have been developed by a team of professionals. But experienced programmers would hardly be expected to mess up a date comparison routine.”

What’s Hot on Infosecurity Magazine?