Shamoon was discovered by Seculert, Symantec, and Kaspersky Lab on 16 August 2012. It targets 32-bit NT kernel versions of Microsoft Windows. It is a modular virus and is also known as W32.DisTrack. The virus was crafted for cyber-warfare, as it spreads malicious content from an infected machine to other systems connected to the network. Its behaviour and the impact of infection differ from those of other malware. When a system is infected, the virus assembles a set of files from a location on the infected machine, uploads them to the attacker's system, and then deletes them. It then overwrites the master boot record of the infected system, rendering it unusable.
This virus was created by cyber thieves to attack the national oil companies of Saudi Arabia and Qatar. Shamoon targets computers that run Windows NT, Windows 9x, and Windows Me.
The Shamoon virus has been found to share features with the Flame virus, which was also discovered in 2012. It was developed by cyber-criminals to target educational institutions, governmental organizations and private individuals, notably in Middle Eastern countries such as Iran.
Shamoon functions in several stages:
- An attacker installs Shamoon on a network.
- The infection is passed on to the hard disks of other systems connected to the network by a component called the "dropper".
- The virus collates a list of files from a specific location on each infected computer.
- Complete information about the files is sent to the attacker by a function termed the "reporter".
- Another function, the "wiper", erases all the collected files.
- The virus then wipes the master boot record (MBR) of the infected system, which stops the system from rebooting.
An attack on Saudi Aramco workstations was conducted by a group of activists in August 2012, compromising around 30,000 systems. The aftermath was challenging, and it took about two weeks to restore normal operations.
Security experts from the IBM X-Force Incident Response and Intelligence Services (IRIS) team identified a missing link in the Shamoon malware attacks operated against Gulf state organizations.
These attacks, which occurred in November 2016 and January 2017, reportedly affected thousands of computers across multiple government and civil organizations in Saudi Arabia and elsewhere in the Gulf states. Unlike ransomware, Shamoon was developed to infect the hard drives of victim computers and wipe the master boot record (MBR) and data, which cannot then be recovered.
Recent analysis attributes the deployment of Shamoon on the targeted networks to the initial compromise vector and the post-compromise operations that followed. It has also been shown that the Shamoon virus was deployed and activated only weeks after the initial compromise.
The virus was developed to do two things: replace the data on hard drives with a picture of a burning American flag, and pass the IP addresses of the malware-infected computers back to the system connected to the network.
The virus contains three elements:
Dropper – The dropper is the prime component; it carries and passes on the source of infection. As the name suggests, it drops the wiper and the reporter onto the infected system. It copies itself onto the infected system and executes and spreads the infection by itself whenever Windows starts.
Wiper – This is the second component and is considered the destructive one. It collects all the files from the infected computer and deletes them. It then overwrites the master boot record, ensuring that the user cannot recover the deleted files.
Reporter – The last component is the reporter, which sends information about the infection back to the attacker.
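The stage list above and the wiper description both end at the same observable: the master boot record of the victim disk is overwritten. The following is an added example, not code from the original page or from Comodo, showing how a defender or forensic analyst can check whether the first 512-byte sector of a disk image still looks like a valid MBR (boot signature 0x55AA present, at least one plausible partition entry) and compare it against a recorded baseline hash. The sample sectors are constructed in the code; the function names, the JPEG-like filler pattern and the partition values are assumptions for the example, not Shamoon artefacts taken from the page.

```python
"""Integrity check of a 512-byte master boot record (MBR) from a disk image.

Added example (not the page's or Comodo's code). It parses the classic MBR
layout, flags a sector that no longer looks like a valid MBR, and compares the
sector against a baseline hash recorded while the system was known-good.
"""
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries live at 446..509
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510..511 of a valid MBR


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition entry (status, type, LBA start, sector count)."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-signature check, the non-empty partition entries and a SHA-256."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        raw = sector[off:off + PARTITION_ENTRY_SIZE]
        if raw != b"\x00" * PARTITION_ENTRY_SIZE:
            entries.append(parse_partition_entry(raw))
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "partitions": entries,
            "sha256": hashlib.sha256(sector).hexdigest()}


def mbr_looks_wiped(sector: bytes) -> bool:
    """Heuristic: no boot signature, or no partition entry with a non-zero type and size."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return True
    plausible = [p for p in info["partitions"] if p["type"] != 0 and p["sectors"] > 0]
    return not plausible


def matches_baseline(sector: bytes, baseline_sha256: str) -> bool:
    """Compare the current sector against a hash recorded when the disk was known-good."""
    return parse_mbr(sector)["sha256"] == baseline_sha256


def build_sample_mbr() -> bytes:
    """Constructed sample: a minimal MBR with one bootable NTFS-type (0x07) partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x63\x90"                     # constructed stand-in for boot code
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)   # assumed values
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def constructed_wiped_sector() -> bytes:
    """Constructed test fixture: the sector filled with image-like bytes instead of an MBR."""
    pattern = b"\xff\xd8\xff\xe0JFIF"                  # JPEG-like header, constructed filler
    return (pattern * (SECTOR_SIZE // len(pattern) + 1))[:SECTOR_SIZE]


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["sha256"]
    for label, sector in (("known-good", good), ("overwritten", constructed_wiped_sector())):
        print(label, "wiped:", mbr_looks_wiped(sector),
              "baseline match:", matches_baseline(sector, baseline))
```

On a real host the sector would be read from the raw disk device or a forensic image (the first 512 bytes), and the baseline hash stored off the machine at build time, since a wiper that rewrites the MBR will also destroy any baseline kept on the same disk. The signature and partition-table checks only detect gross overwrites; a sector that preserves 0x55AA but corrupts the boot code would still pass them, which is why the baseline comparison is the stronger of the two checks.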
The Shamoon virus can be prevented from infecting your PC with the help of antivirus software. The antivirus offered by Comodo includes distinct features such as Viruscope and Host Intrusion Procedure, which offer the best protection against any threat.