The Shamoon malware that hit the hard drives of 30,000 Saudi oil industry PCs last month was more of a "quick and dirty" job by talented amateurs than a skilfully crafted professional cyber-weapon, a new analysis has concluded.
The analysis was done at Kaspersky Lab in Moscow, one of the world's leading analysts of malicious software. Kaspersky researcher Dmitry Tarakanov drew a mixed picture of the programming skills of Shamoon's creators and pointed to anti-American content suggesting that Shamoon was Iranian in origin.
Where cyber-weapons such as Stuxnet and Flame indulged in enigmatic complexity and sophistication, Shamoon's makers displayed a "gauche" carelessness, including a number of "silly" programming errors.
Most obvious was the programmer's use of an upper-case S where a lower-case s was required in the format string "%s%s%d.%s" of Shamoon's communication module, which stopped the module working correctly: in the printf family of functions the upper-case conversion expects a wide-character string, so the module's ordinary narrow strings were misread.
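To make the format-string slip concrete, the following C example is added here; it is not Shamoon code and not taken from Kaspersky's report. It builds a file name with the correct narrow-string format, builds the same name with a consistently wide format, and then simulates what a wide-string conversion sees when it is handed a narrow string. The function names, the directory "C:\temp\" and the base name "report" are constructed for illustration only; wchar_t is 2 bytes on Windows and 4 on Linux, so the exact unit count from the simulation differs by platform, but it is always shorter than the real string.

```c
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Correct construction: every %s argument is a narrow (char *) string,
 * so the conversion specifiers and the argument types agree. */
int build_name_narrow(char *out, size_t outlen,
                      const char *dir, const char *base, int n, const char *ext)
{
    return snprintf(out, outlen, "%s%s%d.%s", dir, base, n, ext);
}

/* The same name built consistently from wide strings. %ls is the portable
 * spelling of the wide-string conversion that the Microsoft C runtime also
 * accepts as %S; here the arguments really are wchar_t *, so it is right. */
int build_name_wide(wchar_t *out, size_t outlen,
                    const wchar_t *dir, const wchar_t *base, int n, const wchar_t *ext)
{
    return swprintf(out, outlen, L"%ls%ls%d.%ls", dir, base, n, ext);
}

/* Simulate the mismatch safely: a wide conversion given a char * reads the
 * bytes sizeof(wchar_t) at a time. Copying the bytes of the narrow string
 * into a zero-filled wchar_t array reproduces that view without invoking the
 * undefined behaviour of an actual mismatched printf call. The result is a
 * handful of garbage code units, not the intended name. */
size_t wide_view_length(const char *narrow)
{
    wchar_t view[32] = {0};
    size_t nbytes = strlen(narrow) + 1;
    size_t maxbytes = sizeof view - sizeof(wchar_t); /* keep a terminator */
    if (nbytes > maxbytes)
        nbytes = maxbytes;
    memcpy(view, narrow, nbytes);
    return wcslen(view);
}

int main(void)
{
    char name[64];
    wchar_t wname[64];

    build_name_narrow(name, sizeof name, "C:\\temp\\", "report", 7, "txt");
    printf("narrow format, narrow strings: %s\n", name);

    build_name_wide(wname, 64, L"C:\\temp\\", L"report", 7, L"txt");
    printf("wide format, wide strings:     %ls\n", wname);

    printf("\"report\" (%zu chars) seen as a wide string: %zu units\n",
           strlen("report"), wide_view_length("report"));
    return 0;
}
```

The cheap check a practitioner would want is the compiler's format checking: gcc and clang with -Wformat (part of -Wall) warn when a %ls or %S conversion is given a char * argument, and -Werror=format turns that into a build failure, so a mismatch like the one described above does not survive to a release build.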
And Shamoon's makers could not resist the rhetorical anti-US device of embedding a fragment of a JPEG image of a burning US flag in the disk-overwriting routine.
“The nature of their mistakes suggests that they are amateurs, albeit skillful amateurs, as they did create a quite practicable piece of self-replicating destructive malware,” said Tarakanov.
“The fact that they used a picture of a fragment of a burning US flag possibly shows that the motive of Shamoon’s authors is to create and use malware in a politically driven way.”
Eccentric though it might be, the important point about Shamoon is that it worked.
The malware (also known as DistTrack) struck on August 15, causing major disruption to the Saudi Arabian national oil company, Saudi Aramco. Unconfirmed reports say it was also involved in a similar attack on RasGas, a major Qatar-based liquefied natural gas firm.
Whether sanctioned by Iran or not, Shamoon was almost certainly pro-Iranian in its sympathies, Tarakanov suggested.