Dark Side of Shamoon

By Christopher Elisan, Principal Malware Scientist, RSA FirstWatch team

Recently, there has been some media noise generated by a new malware reportedly attacking targets in the Middle East such as Saudi Aramco. But what exactly does this attack look like once the malware has compromised the system?

Most malware today, especially malware used in targeted attacks, goes to great lengths to hide its presence and avoid anything that might raise suspicion. Shamoon does not fit this paradigm, because its main directive is the destruction of the compromised system. Shamoon was designed to deliver a message and then destroy the victim’s file system. The component SFMSC.EXE is responsible for this mission. It replaces files with an image of a burning US flag (Figure 1) and ultimately destroys the machine’s file system.

Figure 1: The image used by Shamoon both as a lure and as part of its malicious

Since its main directive is destruction, this malware does not even attempt to encrypt or obfuscate its body. A simple hex view reveals plaintext strings in the malware’s code, as seen in Figure 2.


Figure 2: Strings found in the malware body

When active, the malware overwrites files with a copy of US_flag_burning.JPG, so technically it behaves as an overwriting virus. Among the files overwritten are shortcut files in the Start Menu and in the Quick Launch bar. The intent is for the user to see the image every time a file is opened or a program is launched from the Start Menu or the Quick Launch bar. I see this as the digital version of an anti-US demonstration or rally, which usually includes the burning of a US flag and other effigies. But because of bugs in the code, the overwriting process fails. The result is not a copy of US_flag_burning.JPG but a gray box with a piece of the picture visible in the upper left, as seen in Figure 3.

Figure 3: The resulting gray box with part of the picture in the upper left

The reason for this is that the host file is overwritten in 400H-byte (1,024-byte) chunks. The piece of the picture visible in the upper left of the gray box is the first 400H-byte chunk of the image, which includes the file header. But instead of copying the next chunk, the malware copies the same chunk starting at offset 0 of the image again, rather than the second chunk starting at offset 400H, hence the corruption. It does this 192 times, resulting in a file of 196,608 bytes (30000H bytes) that consists of the header chunk followed by 191 more copies of itself. Only the first 400H bytes of the original image survive in the overwritten file, which is why an image viewer can still render the header and the top-left strip but nothing else.
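The following Python script is an added illustration written for this post; it is not code from the malware or from the RSA analysis. It simulates only the observable effect described above (192 copies of the 400H-byte chunk at offset 0, instead of 192 consecutive chunks) on a constructed stand-in for US_flag_burning.JPG, compares it with what the loop was presumably meant to do, and derives a simple triage check from the pattern: a file of exactly 196,608 bytes made of one repeated 1,024-byte block. The sample image, the function names and the triage heuristic are assumptions made for the example, not published indicators.

```python
"""Simulation of the chunk-copy bug described in the text.

Added illustration, not malware code. It reproduces only the observable
effect described above: the overwriter writes 400H-byte chunks of the
image 192 times but re-reads the chunk at offset 0 on every iteration
instead of advancing to 400H, 800H, ..., so the target ends up as
192 x 400H = 30000H (196,608) bytes of the header chunk repeated.
"""

CHUNK = 0x400                        # copy unit stated in the text (1,024 bytes)
ITERATIONS = 192                     # number of copies stated in the text
CORRUPTED_SIZE = CHUNK * ITERATIONS  # 0x30000 = 196,608 bytes

# Constructed stand-in for US_flag_burning.JPG (an assumption, not the real
# image): a JPEG SOI/APP0 marker followed by a byte stream that encodes its
# own position, so no two 1,024-byte chunks are identical.
SAMPLE_IMAGE = b"\xff\xd8\xff\xe0" + b"".join(
    i.to_bytes(3, "big") for i in range(84_000)
)


def buggy_overwrite(image: bytes) -> bytes:
    """Overwrite as the bug does: the read offset never advances."""
    out = bytearray()
    for _ in range(ITERATIONS):
        out += image[0:CHUNK]        # bug: always chunk 0, never chunk i
    return bytes(out)


def intended_overwrite(image: bytes) -> bytes:
    """What the loop was presumably meant to do: read chunk i on iteration i.

    Stops early if the source is shorter than 192 chunks, since a correct
    copy would not invent bytes past the end of the source.
    """
    out = bytearray()
    for i in range(ITERATIONS):
        chunk = image[i * CHUNK:(i + 1) * CHUNK]
        if not chunk:
            break
        out += chunk
    return bytes(out)


def looks_like_repeated_header(data: bytes) -> bool:
    """Triage heuristic derived from the text (assumption, not a published IOC).

    True when a file is exactly 196,608 bytes and every 1,024-byte chunk
    equals the first one, which is the corruption pattern described above.
    """
    if len(data) != CORRUPTED_SIZE:
        return False
    first = data[:CHUNK]
    return all(data[off:off + CHUNK] == first
               for off in range(CHUNK, CORRUPTED_SIZE, CHUNK))


def surviving_prefix_length(corrupted: bytes, original: bytes) -> int:
    """How many leading bytes of the original survive in the corrupted copy."""
    n = 0
    for a, b in zip(corrupted, original):
        if a != b:
            break
        n += 1
    return n


if __name__ == "__main__":
    bad = buggy_overwrite(SAMPLE_IMAGE)
    good = intended_overwrite(SAMPLE_IMAGE)
    print(f"buggy output:    {len(bad):,} bytes (0x{len(bad):X}), "
          f"repeated-header pattern: {looks_like_repeated_header(bad)}")
    print(f"intended output: {len(good):,} bytes, "
          f"repeated-header pattern: {looks_like_repeated_header(good)}")
    print(f"original bytes surviving the buggy overwrite: "
          f"{surviving_prefix_length(bad, SAMPLE_IMAGE)}")
```

Running the script shows the buggy copy is 196,608 bytes with only the first 1,024 bytes of the source intact, while the intended copy of the same size carries the real second chunk at offset 400H. The `looks_like_repeated_header` check is the part an incident responder could reuse when sweeping a disk image for files overwritten in this way, keeping in mind it is a heuristic derived from this description rather than a confirmed indicator.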

Aside from overwriting files, the malware also drops two files, f1.INF and f2.INF. In my experiments, f1.INF was itself overwritten while f2.INF was not; f2.INF contains the full path and filename of each overwritten file.

Once all the overwriting is done, it destroys the machine’s file system, resulting in the complete destruction of the operating system and the loss of the data on the compromised machine.

To have a better understanding of Shamoon, watch the video showing the malware in action:


Christopher C. Elisan, CEH, CSM, MCSE is a Principal Malware Scientist with the RSA FirstWatch team, an advanced threat intelligence research group. Christopher is a seasoned reverse engineer and malware researcher. He has a long history of digital threat research and building anti-malware infrastructure. Christopher is also a frequent speaker and a subject matter expert on malware, botnets and advanced persistent threats.



2 thoughts on “Dark Side of Shamoon”

  1. Harlan Carvey says:

    “The intent of this is for the user to see the image every time a file is opened or a program is executed…”

    If Shamoon is a wiper virus and it overwrites the MBR, can you provide some insight or thoughts as to how the user would see the image when a file is opened?

    In our testing with a sample of Shamoon, the VM in which it was run was completely corrupted to the point of a BSoD and being unbootable in about 6 minutes. As such I would think that an infected system would be similarly usable.


  2. Christopher Elisan says:

    Hi Harlan,

    Thank you for the comment. The result of your testing is similar to mine. The system becomes unusable in less than 10 minutes. The machine will result in a BSoD and once the user reboots, he soon realizes that his OS has been completely corrupted and that the only remedy is to reinstall everything. Obviously, this is a small window of time for the user to do anything else with the machine before it is completely wiped out.

    As for my statement, “The intent of this is for the user to see the image every time a file is opened or a program is executed…,” this is the intent, but they poorly executed this. Intent and execution are two different things. It’s like an intention of marrying a supermodel but then the guy ended up with somebody else. I based this statement of mine on the nature of the files being overwritten and an educated guess on the profile of the attackers. The files being overwritten are those that the user will eventually use in a span of less than 10 minutes. The user might open a file he is editing, a browser (using its shortcut) and then instead of the file he wants to see or the program he wants to execute, he is faced with a US burning flag. Confused, the user will start to execute other programs that he thinks might help him like a scanner or whatever tools he has in his system. But since these files or their shortcuts have already been overwritten by the malware, the user sees another US burning flag picture. Then in the next couple of minutes, he is faced with a BSoD and a corrupted system. It’s analogous to having a killer wanting a victim to see his face last before pulling the trigger. But in this instance, the last thing the user sees before his system is destroyed is the image of a US burning flag. The user is not given enough time to collect evidence in the system because that small window of time is just enough for the user to see their anti-US sentiment message and for the machine to be destroyed. This is the human element of this threat. The attackers are banking on the behavior of the user for them to get their message across.

    Since different users behave differently, plus the timing of when the user gets infected varies significantly, there will be those that will fit in the example I described above while there will be those that will not even realize what hit them because probably they got infected, went out to lunch and then when they came back their system is not working anymore. And they are left wondering what happened.

    But then, there are bugs in the code that prevented the copying of the US burning flag. Instead the result is a gray box with part of the picture on the upper left. So even if the user fits into the example I mentioned above, they will not see a US burning flag. Therefore, their intent of showing that picture is not successful, but the destructive nature of the malware is. They have the intent but they executed poorly.

    Hope this helps.

    Christopher Elisan
    Principal Malware Scientist
    RSA FirstWatch
