Shamoon, also known as Disttrack, is a modular computer virus discovered by Seculert in 2012, targeting recent NT kernel-based versions of Microsoft Windows. The virus has been used for cyber espionage in the energy sector. Its discovery was announced on 16 August 2012 by Symantec, Kaspersky Lab, and Seculert. Similarities have been highlighted by Kaspersky Lab and Seculert between Shamoon and the Flame malware.
The virus has been noted to have behaviour differing from other malware attacks, intended for cyber espionage. Shamoon can spread from an infected machine to other computers on the network. Once a system is infected, the virus continues to compile a list of files from specific locations on the system, upload them to the attacker, and erase them. Finally the virus overwrites the master boot record of the infected computer, making it unbootable.
There has been some speculation why the attacker may have an interest in actually destroying the infected PC. Kaspersky Labs hinted that the 900 KB malware could be related to Wiper, that was used in a cyber attack on Iran in April. After an analysis, the company concluded that this malware is more likely to come from "scriptkiddies" who were inspired by Wiper.
The virus has hit companies within the oil and energy sectors. A group named "Cutting Sword of Justice" claimed responsibility for an attack on 35,000 Saudi Aramco workstations, causing the company to spend a week restoring their services. The group later indicated that the Shamoon virus had been used in the attack. Computer systems at RasGas were also knocked offline by an unidentified computer virus, with some security experts attributing the damage to Shamoon.
Shamoon made a surprise comeback in November 2016 according to Symantec, and it was involved in a new attack on 23 January 2017.
Payload
The malware had a default configuration that triggered the disk-wiping payload at 8:45pm local time on Thursday, November 17. The Saudi Arabian working week runs from Sunday to Thursday. It would appear that the attack was timed to occur after most staff had gone home for the weekend in the hope of reducing the chance of discovery before maximum damage could be caused.
Shamoon uses a number of components to infect computers. The first component is a dropper, which creates a service with the name ‘NtsSrv’ to remain persistent on the infected computer. It spreads across a local network by copying itself on to other computers and will drop additional components to infected computers. The dropper comes in 32-bit and 64-bit versions. If the 32-bit dropper detects a 64-bit architecture, it will drop the 64-bit version.
The second component is the wiper(different from the malware wiper),which drops a third component, known as the Eldos driver. This enables access to the hard disk directly from user-mode without the need of Windows APIs. The wiper uses the Eldos driver to overwrite the hard disk with the photos of a Syrian boy.