The destructive nature of the Shamoon malware has my team concerned about data-destroying malware that targets enterprises. How does data-destroying malware differ from other strands, and are there any unique detection mechanisms that can be implemented, specifically around how the malware may interact with data?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
One of the last-resort options for recovering from most security incidents is to restore from a known, good backup. Unfortunately, not every enterprise takes the necessary steps to be prepared for restoring from a backup.
The Shamoon malware clearly highlights why a good data backup and recovery plan is necessary for information security. Regardless of how the malware infiltrated the endpoint and what data is stored there, the data should be backed up. The Shamoon malware deletes data and then overwrites it to make it difficult to recover the data. This is an uncommon, but not unique, attack method meant to disrupt an organization's operations.
Shamoon is not reported to send the deleted data to the attacker so they can use the data for profit or encrypt the data for ransom, but it uses the same overall methods as most other malware: dropper, payload and remote communication. Detecting Shamoon after its execution does not help remediate the situation, because data is already deleted. It is necessary to proactively block the malware or prevent it from running. A behavioral-based antimalware tool that looks for a large number of delete file systems calls from a nonstandard binary that could flag the behavior for review before data is deleted, but the binary could still potentially delete data depending on how the antimalware tool works. Storing data in a remote location, such as a roaming profile or mapped drive, might make it more difficult for the malware to delete data, but if the malware searches for an environment variable pointing to the home directory or profile storage, it could still potentially be able to delete the files.
Related Q&A from Nick Lewis, Enterprise Threats
Chameleon malware targets insecure wireless access points. Enterprise threats expert Nick Lewis explains how to defend against the malware.continue reading
The Zeus malware is threatening RTF security by embedding itself in the file, which is commonly seen as safer than other file formats such as PDFs. ...continue reading
Enterprise threats expert Nick Lewis explains how to detect and avoid one of the most advanced malware threats: The Mask.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.