A search for the meaning of the word ‘Shamoon’ yielded no results, just as the malware itself leaves no trace. The war is now fought on a different plane, and cyber defence becomes more difficult and most sought after.
Saudi Aramco, officially the Saudi Arabian Oil Company, is a Saudi Arabian national oil and natural gas company based in Dhahran, Saudi Arabia, worth hundreds of billions as it holds barrels of crude oil reserves. The Company owns the Ghawar Field, the world's largest oil field, and the Shaybah Field, one of the world's largest oil fields. This post is not about the riches of Saudi Arabia or the oil wealth of Saudi Aramco, but about how its electronic gadgets were rendered useless by ‘Shamoon’ on 15th of August 2012. The US Defense Secretary Leon Panetta is quoted as stating that the “Shamoon” virus that attacked Saudi Arabia’s state oil company, ARAMCO, was probably the most destructive attack the business sector has seen to date.
Often the computers and electronic devices that we use malfunction, probably attacked and affected by a computer virus. A virus is nothing physical, but a computer program that can replicate itself and spread from one computer to another. Technically, a worm can exploit security vulnerabilities to spread itself automatically to other computers through networks, while a Trojan horse is a program that appears harmless but hides malicious functions. Whatever be their name, they harm a computer system's data or performance. Potentially, it is the insincere, not so straightforward ‘human mind’ which often causes destruction, harm and backstabbing, doing all possible harm even to the near, known and dear, even when they mean no harm.
There is an antidote in the form of ‘antivirus or anti-virus software’ that can prevent, detect and remove malware. Such software uses a variety of strategies, searching for known patterns of data within executable code. However, it is possible for a computer to be infected with new malware for which no signature is yet known.
Shamoon, also known as Disttrack, is a modular computer virus discovered in 2012 that attacks computers running the Microsoft Windows operating system. The virus is being used for cyber espionage in the energy sector. Its discovery was announced on 16 August 2012 by Symantec, Kaspersky Lab and Seculert. The virus has been noted as unique because its behaviour differs from that of other malware used in cyber espionage attacks. Shamoon is capable of spreading to other computers on the network through exploitation of shared hard drives. Once a system is infected, the virus goes on to compile a list of files from specific locations on the system, erase them, and then send information about these files back to the attacker. Finally, the virus overwrites the master boot record of the system to prevent it from booting.
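
A defender's check for the last step described above, the overwritten master boot record, as an added example that is not part of the original post: it parses a raw 512-byte sector 0 image and reports why it no longer looks like a valid MBR. The sample sectors, function names and baseline hash are constructed for illustration, and the sector image is assumed to have been acquired separately.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR
PART_TABLE_OFFSET = 446           # four 16-byte entries follow the boot code

def parse_partitions(mbr: bytes):
    """Return (status, type, start_lba, sectors) for each non-empty entry."""
    entries = []
    for i in range(4):
        raw = mbr[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)]
        status, ptype = raw[0], raw[4]
        start_lba, sectors = struct.unpack_from("<II", raw, 8)
        if ptype != 0:
            entries.append((status, ptype, start_lba, sectors))
    return entries

def check_mbr(mbr: bytes, baseline_sha256: str):
    """List the reasons this sector 0 image looks damaged (empty = healthy)."""
    if len(mbr) != SECTOR_SIZE:
        return ["sector is not 512 bytes"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    parts = parse_partitions(mbr)
    if not parts:
        findings.append("no partition entries")
    if any(status not in (0x00, 0x80) for status, *_ in parts):
        findings.append("invalid partition status byte")
    if hashlib.sha256(mbr).hexdigest() != baseline_sha256:
        findings.append("hash differs from baseline")
    return findings

def make_sample_mbr() -> bytes:
    """Constructed sample: dummy boot code plus one active NTFS partition."""
    boot_code = bytes([0xFA, 0x33, 0xC0]) + bytes(443)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    return boot_code + entry + bytes(48) + BOOT_SIGNATURE

GOOD = make_sample_mbr()
BASELINE = hashlib.sha256(GOOD).hexdigest()
# Constructed "after" image: the whole sector filled with repeating garbage.
WIPED = b"\xde\xad\xbe\xef" * 128
```

Recording the baseline hash while a machine is known to be healthy is what makes the last check meaningful; the structural checks still flag a garbage-filled sector when no baseline exists.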
Ten days after the ‘Shamoon’ malware attack, which reportedly floored 30,000 workstations at the oil giant, Saudi Aramco spoke of putting its network back online. The workstations have since been cleaned and restored to service. The firm said its core business of oil production and exploration was not affected by the attack, which resulted in a decision to suspend Saudi Aramco's website for a period of a few days, presumably as a precaution. Corporate remote access services were also suspended as a result of the attack. Oil and production systems were run off isolated network systems unaffected by the attack, which the firm has pledged to investigate.
Addressing business leaders in New York, U.S. Defense Secretary Leon Panetta described the virus as sophisticated and noted that a similar attack days later struck Qatar's natural gas firm, Rasgas. He said Shamoon included a routine called a "wiper," coded to self-execute, which replaced crucial system files with an image of a burning U.S. flag. It also overwrote all the real data on the machine with what he called garbage data.
However, Kaspersky Lab considers the attack nothing more than a "quick and dirty" job. The lab’s analysis, after pulling apart its code, puts sophisticated code such as Stuxnet and Flame in an entirely different league. It states that ‘Shamoon’ has a bunch of silly errors, including the use of a flawed date comparison, and clear signs of haste, which impact the effectiveness of the attack. The technical analysis speaks of the malware not having the functionality to execute other programs. So some expert analysts in the market say that the people behind the Shamoon malware are not high-profile programmers, and that the nature of their mistakes suggests they are amateurs, albeit skillful amateurs, as they did create a quite practicable piece of self-replicating destructive malware.
Unfortunately, whether the malware was created by an expert or is the raw work of an amateur, the potential damage is lurking and can be devastating. A knife in the hand of an attacker will cause harm, irrespective of whether the user is an intelligent person or a mad person. A mad person can cause more harm!! A previously unknown group called Cutting Sword of Justice claimed responsibility for creating this ‘Shamoon’ mess.
With regards – S. Sampathkumar.
12th Oct 2012.