Here’s something to be thankful for: malware authors are only human. The designers of Shamoon, the data-wiping malware that hit Saudi Aramco in August, made a big goof.
Shamoon erases the very file necessary to keep the Windows operating system up and running, which means an infected computer shuts down and reboots before Shamoon can completely wipe out its host's data.
“I would look at that as a design flaw,” said Will Irace, vice president of threat research at General Dynamics Fidelis Cybersecurity Solutions, a business unit formed in August when General Dynamics completed its purchase of Fidelis, a 70-person company based in Waltham, Mass.
After the August attack, General Dynamics obtained a sample of the Shamoon code -- the company won't say how -- and ran it through a series of tests. Its researchers discovered they could “make a complete recovery of Shamoon-infected file systems,” according to a threat advisory released on Fidelis’ Threat Geek blog.
Even so, Shamoon was a big inconvenience for oil producer Saudi Aramco, not to mention a wakeup call for anyone who assumed malware designers were always more interested in stealing than destroying.
Thirty thousand of Aramco’s workstations were affected by the malware, according to the Saudi Arabia-based Al Arabiya news service. On Sept. 12, the news service quoted Aramco as saying its networks were functioning normally again and that oil production was never threatened.
Shamoon's goal could turn out to be more notable than its impact: “The level of malice that you see in Shamoon is a little unusual. It phones home for command and control to find out what its mission is, and its mission generally is to destroy,” Irace said.
Irace doesn’t expect Shamoon to race around the world. Why? “Its propagation technique is through a channel that doesn’t usually penetrate Internet access points,” he explained.
Once Shamoon is injected into an organization, it “looks around for other Windows machines on the network for which it has the necessary privileges to write a copy of itself,” Irace said.
As much as anything, the Shamoon aftermath was a chance for Fidelis to test its marriage with General Dynamics. Fidelis specializes in malware detection; General Dynamics is best known for helping agencies and businesses recover from attacks. Executives want to bring the two skills together, which is why they set out to see if they could recover data from a computer infected with Shamoon.
Shamoon was “the first exercise of what I expect to be a regular series of these sorts of collaborations and advisories that help customers attack problems from both directions: detection and recovery,” Irace said.