It appeared from nowhere last April, attacked computers in Iran and then destroyed almost all evidence of its existence. But what was the super-destructive malware now dubbed ‘Wiper’?
Evidence for the malware emerged in April after the Iranian Oil Ministry announced that some of its installations had been attacked by a ‘worm’ that was deleting numerous types of data files from hard drives.
At the time, security watchers were left guessing about what might have caused the attack but the fact that it appeared to be focused on Iran and the Middle East raised suspicions that this was another cyber-attack along the lines of 2010’s Stuxnet assault on the state's nuclear plants.
Researchers set about trying to pin down what had become known, thanks to its data-destroying capabilities, as ‘Wiper’, and today, as Kaspersky’s latest analysis makes plain, the evidence remains tantalising but fragmentary.
Because the malware was designed to remove all traces of its existence, the job of hunting it down has proved hard work. The company’s best guess is that it was written on what is called the ‘Tilded’ cyber-malware platform, which means it must be related to the Stuxnet malware and its mysterious companion, Duqu.
The evidence? Mainly, tiny pointers that Wiper had named a registry key using the same file-naming format as Duqu as well as forensic evidence that it did the same for temp files.
Not much then, but in the world of software such common features are very unlikely to be a coincidence.
And this is what marks out these pieces of malware from the vast amount of criminal and commercial malware that currently exists – the huge care taken over some aspects of their design.
Wiper didn’t just wipe files; it was set up using algorithms that had been chosen by an expert because they could annihilate the maximum number of files in the shortest possible time, that is, before admins could react to what was happening. A nuisance or commercial attack would be unlikely to bother with such sophistication.
What was Wiper trying to achieve? Perhaps its destruction of hard drives was an end in itself or possibly it was attempting to destroy evidence of something that preceded it. Kaspersky doesn’t speculate on the latter point because there is, of course, no evidence to support the notion.
“Wiper’s destructive behaviour combined with the filenames that were left on wiped systems strongly resembles a program that used the Tilded platform [used by Stuxnet and Duqu],” confirmed Kaspersky researcher, Alexander Gostev.
They could find no connection to the other famous malware types, Flame and Gauss, which were in fact discovered as a result of the company’s investigation into Wiper at the International Telecommunication Union (ITU), another victim.
“Flame’s modular architecture was completely different and was designed to execute a sustained and thorough cyber-espionage campaign. We also did not identify any identical destructive behaviour that was used by Wiper during our analysis of Flame,” he said.
Whatever Wiper was, it was active in April 2012 and possibly as early as December 2011.
So far there is no evidence linking Wiper (or any of the other malware examples) to a recent attack, dubbed Shamoon, which assaulted at least two Saudi Arabian energy firms using similar disk-wiping tactics. That looks more like a copycat attack picking up on Wiper’s success, possibly with a pro-Iranian origin.