Kaspersky Extracts More Clues From Mysterious Wiper Malware

Malware Kaspersky Lab Shares Latest Findings from “Wiper” Investigation

In April, a new type of malware started systematically wiping the contents of hard drives in Iran and other parts of Western Asia. Interestingly, Kaspersky’s investigation into this malware led to the discovery of Flame. However, Kaspersky never stopped looking into what they called “Wiper” (due to its actions), and they’ve recently published some of their findings.

The details released by the Russian anti-virus Lab offer some insight into Wiper’s seriously effective method of systematically destroying a computer one bit of data at a time. As mentioned, it was the investigation into Wiper (prompted by the ITU, or the International Telecommunications Union), which led to the discovery of Flame. Wiper and Flame share some common traits, but actual samples of Wiper itself remain unavailable, the only thing Kaspersky (and other research labs) can discover are traces of the destructive code.

Kaspersky started in May, when they were given hard disk images of the computers that were destroyed by Wiper. The images revealed a specific data wiping pattern and distinctive component name, which started with ~D. This led Kaspersky to remember Duqu and Stuxnet, which used filenames beginning with ~D as well, and were both built on the same attack platform – known as Tilded.

The Kaspersky team kept digging. While searching the Kaspersky Security Network, where customers share anonymous data after an attack, and potentially malicious samples for further study, they identified several files named ~DEB93D.tmp. However, these files were part of something entirely different, and that is where Flame comes in. Despite Flame being discovered during the search for Wiper, Kaspersky’s research team believes Wiper and Flame are two separate and distinct malicious programs.

“Even though we discovered Flame during the search for Wiper, we believe that Wiper was not Flame but a separate and different type of malware,” commented Kaspersky’s Alexander Gostev.

“Wiper’s destructive behavior combined with the filenames that were left on wiped systems strongly resembles a program that used the Tilded platform. Flame’s modular architecture was completely different and was designed to execute a sustained and thorough cyber-espionage campaign. We also did not identify any identical destructive behavior that was used by Wiper during our analysis of Flame.”

However, everything that the security community knows about Wiper is due to trace samples. The malware itself is remains a mystery because no additional incidents involving the same data destruction pattern have occurred since the initial incident. Yet, Kaspersky remains concerned that copycats will emerge, assuming they’re not in the wild already.

Additional details are available here.