Kill timer found in Shamoon malware suggests possible connection to Saudi Aramco attack
Shamoon's disk-wiping functionality was set to activate at the exact time when hackers claim to have attacked Saudi Aramco
IDG News Service - A timer found in the Shamoon cyber-sabotage malware discovered last week matches the exact time and date when a hacktivist group claims to have disabled thousands of computers from the network of Saudi Aramco, the national oil company of Saudi Arabia.
"We penetrated a system of Aramco company by using the hacked systems in several countries and then sent a malicious virus to destroy thirty thousand computers networked in this company," a group called the "Cutting Sword of Justice" said in a Pastebin post on Aug. 15. "The destruction operations began on Wednesday, Aug 15, 2012 at 11:08 AM (Local time in Saudi Arabia) and will be completed within a few hours."
That same day, Saudi Aramco confirmed that some sectors of its computer network were affected by a computer virus that infected workstations used by its employees. However, the incident did not affect the oil production operations in any way, Aramco said at the time.
The news was followed by announcements from several antivirus vendors, including Symantec, McAfee and Kaspersky Lab, about the discovery of a new destructive piece of malware called Shamoon or Disttrack.
Shamoon contains a so-called wiper module designed to overwrite files from certain directories and the hard disk drive's Master Boot Record (MBR) -- a special region of the disk that contains information about its partitions.
Given the similarities between Shamoon's functionality and the hacktivist group's description of the Aramco attack, there is speculation that the malware might be responsible for the Saudi Arabian company's recent computer problems.
Some other bits of information also pointed in this direction, like Symantec's statement that the malware was used in a targeted attack against an unnamed organization from the energy sector or that a path string found inside the malware included a directory called "ArabianGulf."
However, the most convincing piece of evidence found so far consists of a timer that activates the malware's file and MBR wiping functionality.
"The dropper determines whether a specified date has come or not," Kaspersky Lab researcher Dmitry Tarakanov said Tuesday in a blog post. "The hardcoded date is 15th August 2012 08:08 UTC."
This coincides with the exact time and date when the "Cutting Sword of Justice" hackers claimed the so-called destruction of Aramco computers began -- Wednesday, Aug 15, 2012, at 11:08 a.m. local time in Saudi Arabia (UTC+3:00).
"This is only one indication that the events could possibly be related, and that's only if the Pastebin posting is legitimate," Kaspersky Lab chief security expert Alexander Gostev said Thursday via email. "At this time there is not enough concrete evidence to connect the two events."
- Cyberattacks could paralyze U.S., former defense chief warns
- Syrian Electronic Army shanghais Microsoft's Twitter account, blog
- Is French outrage against U.S. spying misplaced?
- Lawmakers seek answers on Obamacare Data Hub security
- China-based hacking group behind hundreds of attacks on U.S. companies
- How to Prepare for a Potential Syrian Counterattack on the U.S. Power Grid
- New York Times site outage caused by attack on domain registrar, company says
- Cyber drills like Quantum Dawn 2 vital to security in financial sector
- Quantum Dawn 2 will test Wall Street's cyber readiness
- Pentagon accuses China of cyberattacks on U.S military, business targets
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Gartner 2013 Magic Quadrant for Enterprise Backup/Recovery Software See why CommVault was positioned as the #1 leader in Gartner's 2013 Magic Quadrant for Enterprise Backup/Recovery software for the 3rd year in...
- Forrester Report: CommVault is a Leader in Enterprise Backup and Recovery In this report, Forrester takes a deep dive into the evaluation criteria, how CommVault is positioned and the features and functionality that make...
- Four Myths of High-Productivity App Dev Debunked Debunk the main myths surrounding high-productivity application development and how both platforms have overcome them.
On-Demand Webcast: 7 Reasons to Choose VoIP
Thinking about a new phone system for your business?
Be sure to watch this informative webcast. Steve Strauss, small business columnist for USA...
All Malware and Vulnerabilities White Papers |