Mysterious Wiper malware possibly connected to Stuxnet and Duqu, researchers say

Kaspersky researchers present their findings about the Wiper malware that affected servers at Iran's oil ministry in April

Security researchers from Kaspersky Lab have uncovered information suggesting a possible link between the mysterious malware that attacked Iranian oil ministry computers in April and the Stuxnet and Duqu cyberespionage threats.

Following April reports that data was destroyed on multiple servers in Iran, possibly by a new piece of malware, the International Telecommunication Union (ITU) asked security vendor Kaspersky Lab to investigate the incidents.

Kaspersky's researchers were not able to find the mysterious malware, which was given the name Wiper, because very little data from the affected hard disk drives was recoverable.

However, their investigation led to the discovery of Flame and later Gauss, two highly sophisticated cyberespionage threats believed to have been developed by a nation state.

After reviewing the bits of information extracted from the affected hard drives, the Kaspersky researchers concluded that the Wiper malware did in fact exist, that it used a sophisticated and effective data wiping algorithm and that it was most likely not a Flame component.

"We can now say with certainty that the incidents took place and that the malware responsible for these attacks existed in April 2012," researchers from Kaspersky's global research and analysis team said Wednesday in a blog post. "Also, we are aware of some very similar incidents that have taken place since December of 2011."

Even though a connection to Flame is unlikely, there is some evidence suggesting that Wiper might be related to Stuxnet or Duqu.

For example, on a few of the hard drives analyzed, the researchers found traces of a service called RAHDAUD64 that loaded files named ~DFXX.tmp -- where XX are two random digits -- from the C:\WINDOWS\TEMP folder.

"The moment we saw this, we immediately recalled Duqu, which used filenames of this format," the researchers said. "In fact, the name Duqu was coined by the Hungarian researcher Boldizsar Bencsath from the CrySyS lab because it created files named ~dqXX.tmp."

Kaspersky's researchers had already established that both Stuxnet and Duqu were created by the same team of developers using the same platform -- dubbed the Tilded Platform because the malware used files with names starting with the "~" (tilde) symbol.

The researchers were not able to recover the ~DFXX.tmp files because they had been overwritten with garbage data during Wiper's data destruction routine.

Another possible link to Stuxnet and Duqu is the fact that Wiper apparently prioritized .PNF files during its data wiping process. Both Duqu and Stuxnet kept their main components in encrypted .PNF files, the Kaspersky researchers said.
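As an added defender's triage example that is not part of the article or of Kaspersky's research, the Python helper below flags file paths showing the two traits the article describes: Tilded-style "~" plus two letters plus two digits ".tmp" names in C:\WINDOWS\TEMP, and .PNF files outside the Windows inf directory (the normal home of legitimate precompiled INF files). The inf-location heuristic and all sample paths are assumptions constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Tilded-platform style temp names: "~", two letters, two digits, ".tmp".
# Covers both ~DFXX.tmp (Wiper traces) and ~dqXX.tmp (Duqu) from the article.
TILDED_TMP = re.compile(r"^~[A-Za-z]{2}\d{2}\.tmp$")
WINDOWS_TEMP = PureWindowsPath(r"C:\WINDOWS\TEMP")


def classify(path_str: str):
    """Return an indicator label for one path, or None if nothing stands out."""
    p = PureWindowsPath(path_str)
    # PureWindowsPath compares case-insensitively, matching NTFS behaviour.
    if TILDED_TMP.match(p.name) and p.parent == WINDOWS_TEMP:
        return "tilded-temp-file"
    # Legitimate precompiled INF files (.PNF) live under %SystemRoot%\inf;
    # Duqu/Stuxnet kept encrypted components in .PNF files, so a .PNF
    # elsewhere deserves a closer look (assumed heuristic, not a verdict).
    if p.suffix.lower() == ".pnf" and p.parent.name.lower() != "inf":
        return "pnf-outside-inf"
    return None


def triage(paths):
    """Map each flagged path to its label; unflagged paths are dropped."""
    hits = {}
    for path_str in paths:
        label = classify(path_str)
        if label:
            hits[path_str] = label
    return hits


# Constructed sample listing (not real forensic data).
SAMPLE_PATHS = [
    r"C:\WINDOWS\TEMP\~DF17.tmp",                    # Wiper-style name in TEMP
    r"C:\WINDOWS\TEMP\~dq42.tmp",                    # Duqu-style name in TEMP
    r"C:\WINDOWS\TEMP\~DF1.tmp",                     # only one digit: no match
    r"C:\Users\alice\AppData\Local\Temp\~DF99.tmp",  # wrong folder: no match
    r"C:\WINDOWS\inf\ntprint.PNF",                   # expected .PNF location
    r"C:\WINDOWS\system32\drivers\cfg01.PNF",        # .PNF outside inf: flag
]

if __name__ == "__main__":
    for path, label in triage(SAMPLE_PATHS).items():
        print(f"{label:18} {path}")
```

Feed it a real directory listing (for example the output of `dir /s /b`) to get a shortlist for manual review; a hit is a lead, not proof of compromise.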

The evidence found so far is not sufficiently solid to conclude with certainty that Wiper is related to Stuxnet or Duqu and the truth may never come to light unless a system is discovered where Wiper's data destruction routine somehow failed, the researchers said.

However, if it is related, then it's another piece of a larger puzzle that points to a major nation-state-sponsored cyberespionage and cybersabotage operation in the Middle East. Kaspersky's researchers have already established, based on technical evidence, that Stuxnet, Duqu, Flame and Gauss are related to each other.

According to a New York Times report from June that cited unnamed sources from within the Obama administration, Stuxnet was jointly developed by the U.S. and Israel and was part of a secret operation code-named Olympic Games.

Stories by Lucian Constantin