A New "CYBERWEAPON" targeting the Energy Sector?
Posted on Aug 23, 2012 04:54PM
We may not make much money, but we sure have a lot of fun!
Dear Fellow Technophiles,
In these pages, we try to stick to those subjects that are tied directly or indirectly to your investment success. However, when a story is interesting enough to command attention outside of that space, at times we cannot resist veering off course just momentarily to explore it. This time around, it is a piece of so-called "malware" - the catchall term for viruses, as well as other bad software that doesn't quite fit the definition of a virus - designed to seek and, uncharacteristic of today's usual malware, destroy. It appears, as with an increasing amount of today's miscreant programming, that the author might have a specific target in mind.
Now, on to our tale of wanton destruction...
Sincerely,
Chief Technology Investment Strategist
Casey Research
A New "Cyberweapon" Targeting the Energy Sector?
"Shamoon." It sounds like a new act at Sea World. But it's actually the name that's been given to the latest computer virus making waves. In the past few months we've seen not one but two viruses affecting millions of Macs, once incorrectly thought invulnerable to viruses by many of their devoted users.
These come on the heels of another new virus making the rounds for Android phones. Hidden inside seemingly legitimate applications, it makes unauthorized payments via SMS to pay for online gaming time for Chinese hackers.
While that might sound like a complex way to earn some game time, it is not that unusual in the land of security researchers, who are more than accustomed to viruses perpetrating financial scams. These days, the overwhelming majority of malware is intended for exactly that. It's rare to find those old-fashioned, "guy with a grudge wipes his company's network"-style destructive viruses. After all, if you can collect bank-account data and passwords from a machine, why kill the goose that laid the golden egg?
But this is exactly what has caught the attention of the security sector with Shamoon - it's a killer. This new virus was discovered just days ago; it appears to infect hosts remotely, then "wipe" their hard drives. That's computer parlance for destroying all the data and rendering the target computer unusable. Part of how it does this is by overwriting a small but critical piece of data called the "Master Boot Record," the first sector of the disk, which holds the code that starts the operating system and the partition table that tells the computer where each volume begins and ends. Without it, the machine will not boot, and nothing on the disk can tell a copy of Microsoft Windows and a stack of family photos from a bunch of random noise. (Overwriting the Master Boot Record alone would leave the underlying data recoverable by forensic tools, which is why a wiper like this one also overwrites the files themselves before it finishes with the boot sector.)
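The mechanism just described can be checked directly on a disk image. The following is an added example, not code from the newsletter or from any vendor's analysis of Shamoon: it parses a 512-byte Master Boot Record, lists its partition table, and classifies sector 0 as intact, zeroed, or overwritten; it also measures how much of an image consists of sectors that begin with one fixed filler fragment, which is what a wiper that paints a single image fragment across the disk leaves behind. The sample MBR, the JPEG-like filler bytes, and the function names are all constructed for this example; the real fragment used by Shamoon is not reproduced here.

```python
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446        # four 16-byte partition entries live here
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR

# Constructed filler for the example: the first bytes of a JPEG/JFIF header.
# A wiper that paints one image fragment over data would leave something like
# this repeated across sectors. This is NOT the fragment used by any real wiper.
JPEG_FRAGMENT = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition entry (the legacy CHS fields are ignored)."""
    status, ptype = entry[0], entry[4]
    lba_start, sector_count = struct.unpack_from("<II", entry, 8)
    return {
        "bootable": status == 0x80,
        "type": ptype,            # e.g. 0x07 = NTFS/exFAT, 0x83 = Linux
        "lba_start": lba_start,
        "sectors": sector_count,
    }


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-signature state and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    signature_ok = sector[SECTOR - 2:] == BOOT_SIGNATURE
    partitions = []
    for i in range(4):
        start = PART_TABLE_OFFSET + i * 16
        entry = parse_partition_entry(sector[start:start + 16])
        if entry["type"] != 0 and entry["sectors"] != 0:
            partitions.append(entry)
    return {"signature_ok": signature_ok, "partitions": partitions}


def classify_mbr(sector: bytes) -> str:
    """Triage verdict for sector 0 of a disk image."""
    info = parse_mbr(sector)
    if info["signature_ok"] and info["partitions"]:
        return "intact"
    if not any(sector):
        return "zeroed"
    if not info["signature_ok"]:
        return "overwritten"
    return "signature present but partition table empty"


def fragment_coverage(image: bytes, fragment: bytes, block: int = SECTOR) -> float:
    """Fraction of sectors that begin with `fragment`.

    A handful of hits is normal (real image files start that way); a large
    fraction of the disk beginning with the same bytes is a wiper signature.
    """
    sectors = len(image) // block
    if sectors == 0:
        return 0.0
    hits = sum(1 for i in range(sectors)
               if image[i * block:i * block + len(fragment)] == fragment)
    return hits / sectors


def build_sample_mbr() -> bytes:
    """Constructed sample: one bootable NTFS-type partition, 2048 sectors in, 100 MiB long."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    return b"\x00" * PART_TABLE_OFFSET + entry + b"\x00" * 48 + BOOT_SIGNATURE


def build_wiped_mbr() -> bytes:
    """Constructed sample: sector 0 after a wiper painted the filler across it."""
    repeats = SECTOR // len(JPEG_FRAGMENT) + 1
    return (JPEG_FRAGMENT * repeats)[:SECTOR]


if __name__ == "__main__":
    for label, sector in (("intact", build_sample_mbr()),
                          ("zeroed", bytes(SECTOR)),
                          ("wiped", build_wiped_mbr())):
        print(f"{label:7} -> {classify_mbr(sector)}; partitions: {parse_mbr(sector)['partitions']}")
    # A small constructed "disk": four painted sectors followed by one untouched MBR.
    disk = build_wiped_mbr() * 4 + build_sample_mbr()
    print(f"filler coverage: {fragment_coverage(disk, JPEG_FRAGMENT):.0%}")
```

On a real image you would read sector 0 with `open(path, "rb").read(512)` and feed the whole image to `fragment_coverage` in chunks; the point of the coverage figure is that an intact disk scores near zero, while a disk whose files were painted over with one fragment scores high even when the partition table still happens to parse.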
Family photos do not appear to be the target of this destructive virus, however. It seems to be more laser-guided missile than atomic bomb. First observed on a handful of computers in China, it next popped up - according to security firm Kaspersky Lab - at an undisclosed "energy-sector" client.
When security researchers first began unraveling Shamoon's multiple encrypted layers, they began to spot similarities to the famed "Flame" virus that arose this spring, and which stole sensitive information from the computers of Iran, Israel, Syria, Sudan, Egypt, and other Middle Eastern countries. [Ed. Note: For more on Flame, check out the piece we published on it in these pages back in June.] While Flame was designed solely for spying (it could read email, record audio, take screenshots, monitor keystrokes, and more), Shamoon instead took the seemingly odd step of destroying the hosts it infected... but not until after it did a little snooping of its own, in search of "interesting" files, according to Kaspersky.
Shamoon, however, appears to be the work of different creators. While it shares a few tricks with Flame, it also dispenses with some of its most complex and unique parts, and shows telltale signs of the simpler construction often deployed in more run-of-the-mill malware. Thus, at first security researchers were quick to blame the lookalike virus on "script kiddies" - the derogatory industry term used to describe independent hackers who often make a hobby of virus design and distribution (and more commonly these days, make a living at it as well, working with organized crime).
Unfortunately, increasing evidence is pointing toward more professional writers than Kaspersky first fingered. Reports from the BBC indicate that, instead of attacking systems at random, the virus is specifically aimed at the energy industry, and thus is reminiscent of two earlier worms - Stuxnet and Duqu - that targeted the same.
Duqu first emerged in early September 2011. The virus worked its way through the files of energy-industry computers, looking for information to help compromise industrial control systems responsible for safely running the energy infrastructure we all depend upon. It was not destructive. Instead, it tried to remain undetected as long as possible in order to gather as much sensitive data as possible.
Stuxnet, its predecessor - widely believed to be the work of the same authors and almost certainly state-sponsored - had a more insidious goal: sabotaging Iran's nuclear program by physically damaging the centrifuges it uses to enrich uranium, according to most analyses. Stuxnet reached its targets' Windows machines through several "zero-day" security vulnerabilities (flaws unknown to the vendor and therefore unpatched, which let a virus writer reach even well-protected systems by coming in through a door no one knew was open), and Duqu used one as well. Shamoon, by contrast, is not known to exploit any vulnerability at all: it is planted with stolen administrator credentials and copies itself to other machines over ordinary Windows network shares, which is one reason it looks less sophisticated than its predecessors. Once inside, Stuxnet quietly altered the spin speeds of the centrifuges while feeding their operators normal-looking readings, and is widely reported to have destroyed a significant number of them before it was discovered. The point was to set the Iranian nuclear program back many years, if not deal it a fatal blow. And that might well have been the result, had Stuxnet reached its full potential.
Shamoon, on the other hand, seems to be content with a more wanton but simplistic form of destruction. The virus spreads throughout the network of affected systems, reporting the data it finds back to the attackers, then wiping the target machine clean, having found what it was looking for and moved on to another system. It leaves nothing behind but a sliver of an image file, repeated over and over, bearing what might possibly be a portion of a white star on a blue background, not unlike that which appears on an American flag.
The housecleaning-like function has led security researchers to speculate about what's going on here. Some think that it might be part of a more complex, two-part attack in which Shamoon simply aids the introduction of another attack into the network, and deletes its own infection in order to cover its tracks. Others have proposed that the data destruction is to ensure that only the attacker has access to the stolen data, possibly in preparation for some sort of extortion to come (it would by no means be the first virus with built-in blackmailing capabilities).
Regardless, it appears that the infection was enough to cause Saudi Arabian oil company Saudi Aramco to shut down its network on Tuesday. It insists, in statements given to the BBC, that no "primary components of the network" have yet been affected. The company is so far not being 100% transparent about whether it is in fact Shamoon to blame for its "sudden disruption," but the timing has led many in the industry to make the link already.
That Shamoon builds on the work of Flame and other viruses that came before it should be of no surprise. Computer software, once written - and widely covered, analyzed, and picked apart by security firms - has a tendency to spread like wild pollen. There is little if anything that can be done to prevent bits of each successful generation of viruses from migrating to those that follow it, incorporating new innovations and one-upping the (necessarily) reactive security industry time and again. And now that nation-states have clearly stepped into the game of cyberwarfare (once again adapting the tools of organized crime to their own benefit), the platform on which the next generation of viruses is built will include pieces of whatever cyberweapons have already been developed and dissected - whether by script kiddies, gangsters, friends, or foes.
What is to come from Shamoon, which is Arabic for "Simon," remains to be seen. Now that it has been discovered, security firms should be able to effectively fight this variant. But it will not be long before something else comes to take its place.
This time it is a hard-drive wiper of unknown origin, directed at the energy industry. Next time the source might be an Iran armed with a copy of the Stuxnet code once pointed its way, along with a fresh zero-day vulnerability bought from a hacker chat room for a few thousand dollars (or rubles or yuan)... and aimed right back at our own nuclear power plants, oil refineries, or natural-gas pipelines.
It may just be that World War III is already getting under way, and that the first shots fired were bits and bytes.