The destructive nature of the Shamoon malware has my team concerned about data-destroying malware that targets enterprises. How does data-destroying malware differ from other strains, and are there any unique detection mechanisms that can be implemented, specifically around how the malware may interact with data?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
One of the last-resort options for recovering from most security incidents is to restore from a known, good backup. Unfortunately, not every enterprise takes the necessary steps to be prepared for restoring from a backup.
The Shamoon malware clearly highlights why a good data backup and recovery plan is necessary for information security. Regardless of how the malware infiltrated the endpoint and what data is stored there, the data should be backed up. The Shamoon malware deletes data and then overwrites it to make it difficult to recover the data. This is an uncommon, but not unique, attack method meant to disrupt an organization's operations.
Shamoon is not reported to send the deleted data to the attacker so they can use the data for profit, or to encrypt the data for ransom, but it uses the same overall methods as most other malware: dropper, payload and remote communication. Detecting Shamoon after its execution does not help remediate the situation, because the data is already deleted; it is necessary to proactively block the malware or prevent it from running. A behavior-based antimalware tool that looks for a large number of delete file-system calls from a nonstandard binary could flag the behavior for review before data is deleted, but the binary could still potentially delete data, depending on how the antimalware tool works. Storing data in a remote location, such as a roaming profile or mapped drive, might make it more difficult for the malware to delete data, but if the malware searches for an environment variable pointing to the home directory or profile storage, it could still potentially delete the files.
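The behavior-based heuristic described above (a burst of delete calls from a nonstandard binary), as an added example that is not part of the original answer: it runs over constructed Sysmon-like audit lines, counts delete operations per process inside a sliding time window, and flags processes not on an assumed allowlist. The image names, paths, allowlist and thresholds are invented for illustration; deletes on a mapped or UNC path are counted like any other, reflecting the point that remote storage is still reachable.

```python
"""Flag processes issuing bursts of file deletes (added example, constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed allowlist of binaries that legitimately delete many files.
ALLOWLIST = {r"c:\windows\explorer.exe", r"c:\windows\system32\cleanmgr.exe"}

# Constructed audit records: timestamp, then key=value fields (paths without spaces).
SAMPLE_LOG = "\n".join([
    r"2013-02-01T10:00:00 pid=412 image=C:\Windows\explorer.exe op=delete path=C:\Users\a\tmp1.txt",
    r"2013-02-01T10:00:01 pid=412 image=C:\Windows\explorer.exe op=delete path=C:\Users\a\tmp2.txt",
    r"2013-02-01T10:00:02 pid=9001 image=C:\Temp\svc_upd.exe op=write path=C:\Temp\svc_upd.log",
] + [
    rf"2013-02-01T10:00:0{i} pid=9001 image=C:\Temp\svc_upd.exe op=delete path=\\fs01\home\a\doc{i}.docx"
    for i in range(3, 9)
] + [
    r"2013-02-01T10:02:00 pid=777 image=C:\Tools\slowclean.exe op=delete path=C:\Users\a\old1.log",
    r"2013-02-01T10:04:00 pid=777 image=C:\Tools\slowclean.exe op=delete path=C:\Users\a\old2.log",
])


def parse_line(line):
    """Split one record into a dict; the first token is the ISO timestamp."""
    ts, *fields = line.split(" ")
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def find_delete_bursts(log_text, threshold=5, window=timedelta(seconds=10)):
    """Return {pid: (image, peak_count)} for non-allowlisted processes whose
    delete calls reach `threshold` within any interval of length `window`."""
    recent = defaultdict(deque)  # pid -> timestamps of deletes still inside the window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["op"] != "delete" or rec["image"].lower() in ALLOWLIST:
            continue
        q = recent[rec["pid"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:  # expire deletes older than the window
            q.popleft()
        if len(q) >= threshold:
            peak = flagged.get(rec["pid"], (None, 0))[1]
            flagged[rec["pid"]] = (rec["image"], max(peak, len(q)))
    return flagged


if __name__ == "__main__":
    for pid, (image, count) in find_delete_bursts(SAMPLE_LOG).items():
        print(f"ALERT pid={pid} image={image} deletes_in_window={count}")
```

The slow, spread-out deletes from pid 777 stay below the threshold, while the six rapid deletes from the unlisted binary are reported; a real deployment would feed this from an EDR or Sysmon stream rather than a static string.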
This was first published in February 2013