Shamoon the Wiper – A new malware?

New research by Kaspersky Lab was published today (16 Aug), possibly revealing a new piece of malware, known for the time being as Shamoon the Wiper.

The research suggests that this is not the malware known as Wiper, which attacked the Iranian oil industry and served as the basis for the discovery of Flame, but rather an activity inspired by Wiper.

This malware is currently linked to the Middle East only by its name, Shamoon, which originates in the path of one of its modules, C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb. That path also contains a reference to “the Arabian Gulf”.

No information has been released so far about the geographical distribution of this malware or about certain sectors that have been affected.

Symantec first published a short message referring to the malware as W32.Disttrack. Later this evening, the company published a more detailed review on its official blog, revealing the malware’s first two features:

* It has been used in targeted attacks against at least one organization of the energy industry.

* It is a destructive malware that corrupts files on the targeted computer in order to put it out of use.

The research further reveals that the malware is made of three parts:

* Dropper – The main component and the original source of infection.

* Wiper – Carries out the corruption of the targeted computer.

* Reporter – A module responsible for reporting the infection back to the attacker.

Symantec’s review ends with the statement that “threats with such destructive payloads are unusual and are not typical of targeted attacks”.

Nevertheless, the profile Symantec created for this malware indicates that its “risk level” is “very low”, and its geographical distribution and damage level are defined as “low”. Containment and removal of this malware are defined as “easy”. The “number of infections” is “0-49” and the number of infected sites is “0-2”.

Further reports cautiously suggested a possible link between Kaspersky’s report about this malware specifically targeting the energy industry and another report that ARAMCO had shut down part of its computer system last Wednesday owing to a virus, which, according to the Saudi company, did not harm oil production.
