Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Kaspersky Extracts More Clues From Mysterious Wiper Malware

Malware Kaspersky Lab Shares Latest Findings from “Wiper” Investigation

Malware Kaspersky Lab Shares Latest Findings from “Wiper” Investigation

In April, a new type of malware started systematically wiping the contents of hard drives in Iran and other parts of Western Asia. Interestingly, Kaspersky’s investigation into this malware led to the discovery of Flame. However, Kaspersky never stopped looking into what they called “Wiper” (due to its actions), and they’ve recently published some of their findings.

Wiper MalwareThe details released by the Russian anti-virus Lab offer some insight into Wiper’s seriously effective method of systematically destroying a computer one bit of data at a time. As mentioned, it was the investigation into Wiper (prompted by the ITU, or the International Telecommunications Union), which led to the discovery of Flame. Wiper and Flame share some common traits, but actual samples of Wiper itself remain unavailable, the only thing Kaspersky (and other research labs) can discover are traces of the destructive code.

Kaspersky started in May, when they were given hard disk images of the computers that were destroyed by Wiper. The images revealed a specific data wiping pattern and distinctive component name, which started with ~D. This led Kaspersky to remember Duqu and Stuxnet, which used filenames beginning with ~D as well, and were both built on the same attack platform – known as Tilded.

The Kaspersky team kept digging. While searching the Kaspersky Security Network, where customers share anonymous data after an attack, and potentially malicious samples for further study, they identified several files named ~DEB93D.tmp. However, these files were part of something entirely different, and that is where Flame comes in. Despite Flame being discovered during the search for Wiper, Kaspersky’s research team believes Wiper and Flame are two separate and distinct malicious programs.

“Even though we discovered Flame during the search for Wiper, we believe that Wiper was not Flame but a separate and different type of malware,” commented Kaspersky’s Alexander Gostev.

“Wiper’s destructive behavior combined with the filenames that were left on wiped systems strongly resembles a program that used the Tilded platform. Flame’s modular architecture was completely different and was designed to execute a sustained and thorough cyber-espionage campaign. We also did not identify any identical destructive behavior that was used by Wiper during our analysis of Flame.”

However, everything that the security community knows about Wiper is due to trace samples. The malware itself is remains a mystery because no additional incidents involving the same data destruction pattern have occurred since the initial incident. Yet, Kaspersky remains concerned that copycats will emerge, assuming they’re not in the wild already.

Additional details are available here

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...