Problem solve Get help with specific problems with your technologies, process and projects.

Prepare for Shamoon malware with data backup and recovery plan

Expert Nick Lewis discusses how to detect Shamoon malware and emphasizes the importance of detailed data backup and recovery plans.

The destructive nature of the Shamoon malware has my team concerned about data-destroying malware that targets...

enterprises. How does data-destroying malware differ from other strands, and are there any unique detection mechanisms that can be implemented, specifically around how the malware may interact with data?

Ask the Expert

Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)

One of the last-resort options for recovering from most security incidents is to restore from a known, good backup. Unfortunately, not every enterprise takes the necessary steps to be prepared for restoring from a backup.

The Shamoon malware clearly highlights why a good data backup and recovery plan is necessary for information security. Regardless of how the malware infiltrated the endpoint and what data is stored there, the data should be backed up. The Shamoon malware deletes data and then overwrites it to make it difficult to recover the data. This is an uncommon, but not unique, attack method meant to disrupt an organization's operations.

Shamoon is not reported to send the deleted data to the attacker so they can use the data for profit or encrypt the data for ransom, but it uses the same overall methods as most other malware: dropper, payload and remote communication. Detecting Shamoon after its execution does not help remediate the situation, because data is already deleted. It is necessary to proactively block the malware or prevent it from running. A behavioral-based antimalware tool that looks for a large number of delete file systems calls from a nonstandard binary that could flag the behavior for review before data is deleted, but the binary could still potentially delete data depending on how the antimalware tool works. Storing data in a remote location, such as a roaming profile or mapped drive, might make it more difficult for the malware to delete data, but if the malware searches for an environment variable pointing to the home directory or profile storage, it could still potentially be able to delete the files.

This was last published in February 2013

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.