Answer

Prepare for Shamoon malware with data backup and recovery plan

The destructive nature of the Shamoon malware has my team concerned about data-destroying malware that targets enterprises. How does data-destroying malware differ from other strands, and are there any unique detection mechanisms that can be implemented, specifically around how the malware may interact with data?

    Requires Free Membership to View

Ask the Expert

Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)

One of the last-resort options for recovering from most security incidents is to restore from a known, good backup. Unfortunately, not every enterprise takes the necessary steps to be prepared for restoring from a backup.

The Shamoon malware clearly highlights why a good data backup and recovery plan is necessary for information security. Regardless of how the malware infiltrated the endpoint and what data is stored there, the data should be backed up. The Shamoon malware deletes data and then overwrites it to make it difficult to recover the data. This is an uncommon, but not unique, attack method meant to disrupt an organization's operations.

Shamoon is not reported to send the deleted data to the attacker so they can use the data for profit or encrypt the data for ransom, but it uses the same overall methods as most other malware: dropper, payload and remote communication. Detecting Shamoon after its execution does not help remediate the situation, because data is already deleted. It is necessary to proactively block the malware or prevent it from running. A behavioral-based antimalware tool that looks for a large number of delete file systems calls from a nonstandard binary that could flag the behavior for review before data is deleted, but the binary could still potentially delete data depending on how the antimalware tool works. Storing data in a remote location, such as a roaming profile or mapped drive, might make it more difficult for the malware to delete data, but if the malware searches for an environment variable pointing to the home directory or profile storage, it could still potentially be able to delete the files.

This was first published in February 2013

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: