Mystery 'Wiper' malware linked to 'Duqu', says security firm

April attacks on Iranian oil firm part of wider campaign

It appeared from nowhere last April, attacked computers in Iran and then destroyed almost all evidence of its existence. But what was the super-destructive malware now dubbed 'Wiper'?

Evidence for the malware emerged in April after the Iranian Oil Ministry announced that some of its installations had been attacked by a 'worm' that was deleting numerous types of data files from hard drives.

At the time, security watchers were left guessing about what might have caused the attack, but the fact that it appeared to be focused on Iran and the Middle East raised suspicions that this was another cyber-attack along the lines of 2010's Stuxnet assault on the state's nuclear plants.

Researchers set about trying to pin down what had, thanks to its data-destroying capabilities, become known as 'Wiper', and today, as Kaspersky's latest analysis makes plain, the evidence remains tantalising but fragmentary.

Because the malware was designed to remove all traces of its existence, the job of hunting it down has proved hard work. The company's best guess is that it was written on what is called the 'Tilded' cyber-malware platform, which means it must be related to the Stuxnet malware and its mysterious companion, Duqu.

The evidence? Mainly, tiny pointers that Wiper had named a registry key using the same naming format as Duqu, as well as forensic evidence that it did the same for its temp files.

Not much then, but in the world of software such shared features are very unlikely to be a coincidence.

And this is what marks out these pieces of malware from the vast number of criminal and commercial malware samples that currently exist: the huge care taken over some aspects of their design.

Wiper didn't just wipe files; it was built around algorithms chosen by an expert because they could annihilate the maximum number of files in the shortest possible time, that is, before admins could react to what was happening. A nuisance or commercial attack would be unlikely to bother with such sophistication.

What was Wiper trying to achieve? Perhaps the destruction of hard drives was an end in itself, or possibly it was attempting to destroy evidence of something that preceded it. Kaspersky doesn't speculate on the latter point because there is, of course, no evidence to support the notion.

"Wiper's destructive behaviour combined with the filenames that were left on wiped systems strongly resembles a program that used the Tilded platform [used by Stuxnet and Duqu]," confirmed Kaspersky researcher Alexander Gostev.

They could find no connection to two other famous malware types, Flame and Gauss, which were in fact discovered as a result of the company's investigation into Wiper at the International Telecommunications Union (ITU), another victim.

"Flame's modular architecture was completely different and was designed to execute a sustained and thorough cyber-espionage campaign. We also did not identify any identical destructive behaviour that was used by Wiper during our analysis of Flame," he said.

Whatever Wiper was, it was active in April 2012 and possibly as early as December 2011.

So far there is no evidence linking Wiper (or any of the other malware examples) to Shamoon, a recent attack that assaulted at least two Saudi Arabian energy companies using similar disk-wiping tactics. That looks more like a copycat attack picking up on Wiper's success, possibly with a pro-Iranian origin.

Stories by John E Dunn

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place