Dark Side of Shamoon

By Christopher Elisan, Principal Malware Scientist, RSA FirstWatch team

Recently, there has been some media noise generated by a new malware reportedly attacking targets in the Middle East such as Saudi Aramco. But what exactly does this attack look like once the malware compromised the system?

Most malware nowadays, especially those used in targeted attacks, exhaust all possible stealth techniques to hide their presence and eliminate any chances that might raise any suspicion of their presence. But in the case of Shamoon, it does not fit into this paradigm because its main directive is destruction of the compromised system. Shamoon was designed to express a message and destroy the victim’s file system. The component, SFMSC.EXE, is the one responsible for this mission. Basically, what it does is replace files with an image of a US burning flag, see Figure 1, and ultimately destroys the machine’s file system.

Figure 1: The image used by Shamoon
both as a lure and as part of its malicious

Since its main directive is destruction, this malware does not even attempt to encrypt its body. A simple hex view, as seen in Figure 2, reveals the following string in the malware’s code:


Figure 2: Strings found in the malware body

When active, the malware overwrites files with a copy of the US_flag_burning.JPG. So technically, it behaves as an overwriting virus. Among the files overwritten are shortcut files in the Start Menu and in the QuickLaunch bar. The intent of this is for the user to see the image every time a file is opened or a program is executed using the Start Menu or the QuickLaunch bar. I see this as the digital version of a demonstration or rally of anti-US sentiment which usually includes burning of a US flag and other effigies. But because of bugs in the code, the overwriting process fails. The result is not a copy of the US_flag_burning.JPG but a gray box, as seen in Figure 3, with a piece of the picture seen on the upper left.

Figure 3: The resulting gray box with part
of the picture on the upper left

The reason for this is that the overwriting of the host file seems to happen in 400H byte chunks. The piece of the picture seen on the upper left of the gray box represents the first 400H chunk, which includes the file header. But instead of copying the next 400H chunk, the malware copies the same 400H chunk starting at offset 0 of the file instead of the second chunk starting at offset 401H, hence the corruption.  It does this 192 times resulting in a file size of 196,608 bytes (30,000H bytes).

Aside from overwriting files, the malware also drops two files: f1.INF and f2.INF.  From my experiments, f1.INF was also overwritten while f2.INF on the other hand, was not. It contains the full path and filename of the overwritten files.

Once all the overwriting is done, it destroys the machine’s file system resulting in the complete destruction of the operating system and loss of data contained in the compromised machine.

To have a better understanding of Shamoon, watch the video showing the malware in action:


Christopher C. Elisan, CEH, CSM, MCSE is a Principal Malware Scientist with the RSA FirstWatch team, an advanced threat intelligence research group. Christopher is a seasoned reverse engineer and malware researcher. He has a long history of digital threat research and building anti-malware infrastructure. Christopher is also a frequent speaker and a subject matter expert on  malware, botnets and advanced persistent threats.



No Comments