Shamoon Virus Contains Amateur Coding Error That Suggests It Isn’t State Sponsored

Peter Suciu for — Your Universe Online

The devil is often in the details, and sometimes those details can provide would-be sleuths with clues. This is certainly the case in the new mystery virus known as “Shamoon,” which was discovered by researchers at Symantec and McAfee last week.

Also known as “Disttrack,” the virus is notable in that it contains the string “wiper” in the Windows file directory that its developers used when compiling it. The malware reportedly has the potential to permanently wipe data from an infected hard drive, rendering the targeted machine almost unusable.

This particular super virus was also notable in that it had specific targets in mind, and wasn’t something that was just making its rounds online. The mystery malware recently wreaked havoc on specific energy sector computers, but this week some new details surfaced, and as noted the devil is in the details.

In this case the “detail” is actually what has been reported to be an amateur programming error, one that is not typically found in state-sponsored attacks. The flaw was discovered by researchers at Russia-based Kaspersky Lab.

In a blog post on Tuesday, researchers called out the flaw, noting:

“At that stage, the author has used an interesting trick to ensure malware persistence across reboots: it changes the configuration of the ‘LanmanWorkstation’ service (visible name: ‘Workstation’). It makes this service dependent on the ‘TrkSvr’. This means that whenever ‘Workstation’ starts, it also runs the ‘TrkSvr’. But, usually the ‘Workstation’ is run automatically when the operating system loads.”

“There is an easier way to force the OS to run a service at startup — just set up the appropriate option of a particular service. Moreover, ‘TrkSvr’ gets created by malware with that option adjusted to start automatically. Why the author followed this method, with dependencies, is difficult to understand.”

Easier or not, online reports suggest that this handling of persistence is just one of the notable questions raised by the code. Kaspersky Lab also questions how the malware handles its timeline and suggests, “…the author has failed. The condition contains a corrupted logic to do this.”

The blog post added:

“For example, if the year is 2013 but the current month is less than the target month (say February), then the condition would return a result as if the current date lies before the August 2012 checkpoint value. In fact, this logic is simply flawed and incorrect. This error indirectly confirms our initial conclusion that the Shamoon malware is not the Wiper malware that attacked Iranian systems. Wiper is presumed to be a cyber-weapon and, if so, it should have been developed by a team of professionals. But experienced programmers would hardly be expected to mess up a date comparison routine.”
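The date-comparison failure described in the quote above, as an added C example. It is not Shamoon's code or Kaspersky's: the exact form of the flawed condition is an assumption chosen to reproduce the quoted behaviour, the function names are hypothetical, and the checkpoint is reduced to the year and month the article gives.

```c
#include <stdio.h>

/* Constructed checkpoint: the article gives only "August 2012". */
#define TARGET_YEAR  2012
#define TARGET_MONTH 8

/* Flawed pattern (assumed shape, hypothetical name): each field is tested on
 * its own, so a small month value makes any later year look "before". */
static int before_checkpoint_flawed(int year, int month)
{
    return year < TARGET_YEAR || month < TARGET_MONTH;
}

/* Correct ordering: the month only matters when the years are equal. */
static int before_checkpoint(int year, int month)
{
    if (year != TARGET_YEAR)
        return year < TARGET_YEAR;
    return month < TARGET_MONTH;
}

/* Count the months in [first_year, last_year] where the two checks disagree. */
static int count_disagreements(int first_year, int last_year)
{
    int n = 0;
    for (int y = first_year; y <= last_year; y++)
        for (int m = 1; m <= 12; m++)
            if (before_checkpoint_flawed(y, m) != before_checkpoint(y, m))
                n++;
    return n;
}

int main(void)
{
    /* The case quoted above: February 2013 is after August 2012. */
    printf("Feb 2013 flawed:  before=%d\n", before_checkpoint_flawed(2013, 2));
    printf("Feb 2013 correct: before=%d\n", before_checkpoint(2013, 2));
    printf("months misjudged, 2010-2014: %d\n", count_disagreements(2010, 2014));
    return 0;
}
```

In this reconstruction the flawed check misjudges January through July of every year after the checkpoint year.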

The conclusion from this is that an experienced programmer didn’t create Shamoon, which indicates that, contrary to earlier reports, it is unlikely to be an example of a state-sponsored cyber-attack aimed at a foreign power.

While it was originally believed that Shamoon could have been an offshoot of the Wiper malware that attacked Iranian systems, it seems that Shamoon could be little more than a badly coded copycat. This isn’t to say that it isn’t a potential threat — and given the damage it can do, it remains very much a concern.

But the questions now are who made it, why they made it and, most ominously, what can we expect next?

Evidence did surface on Wednesday that could answer at least some of the above questions. ThreatPost, the Kaspersky Lab Security News Service, reported on Wednesday morning that “a group calling itself the Cutting Sword of Justice is claiming responsibility for an attack on the massive Saudi oil company Aramco, which some experts believe employed Shamoon to destroy data on thousands of machines.”

This attack occurred on August 15, and took down the company’s main website.

While Aramco hasn’t responded to the claims, and it would be easy for any group to make such claims, it could help answer those burning questions — which suggests that Shamoon was indeed a copycat attempt to create a Wiper-style malware attack.

And although it apparently contained errors, the attack was at least partially successful. In these types of attacks it appears that perfection isn’t necessary to get results.