Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

New Drive Wiping Malware Surfaces in Iran

Researchers at Symantec and Kaspersky Lab have confirmed the existence of malware that does nothing more than wipe the drive of the host where it is installed. Circulating in low numbers, the malware, named Batchwiper by Symantec, has only been seen in Iran thus far, but does not appear to be related to Stuxnet, Duqu, or Flame.

According to Iran’s CERT, which first reported the threat, the malware wipes files on different drives in various predefined times.

Researchers at Symantec and Kaspersky Lab have confirmed the existence of malware that does nothing more than wipe the drive of the host where it is installed. Circulating in low numbers, the malware, named Batchwiper by Symantec, has only been seen in Iran thus far, but does not appear to be related to Stuxnet, Duqu, or Flame.

According to Iran’s CERT, which first reported the threat, the malware wipes files on different drives in various predefined times.

“The samples are not sophisticated and will wipe any drives starting with the drive letters D through I, along with files on the currently logged-in user’s Desktop. After deletion, the threat will then run Chkdsk on the drives,” Symantec explained in a blog post.

Kaspersky Lab’s Roel Schouwenberg agrees. “This is an extremely simplistic attack,” Schouwenberg noted in a blog post. “In essence, the attacker wrote some BAT files and then used a BAT2EXE tool to turn them into Windows PE files. The author seems to have used (a variant of) this particular BAT2EXE tool.”

Thanks to Iran’s CERT, Symantec was able to get samples of the malware and confirm what it does. In addition, the samples from Iran’s CERT were made available to other AV operations, and as such, the detection for Batchwiper went from nearly nothing, to a majority of the security products on the market.

Unfortunately, this does nothing for systems in Iran or other areas where there is no such protection available.

In addition to confirming what the malware does, Symantec also rooted out the destructive dates where data is removed. According to the time clock, 2012’s dates have passed. However Batchwiper will activate again for three days in January (21-23), May (06-08), July (22-24), and November (11-13) next year. There are also dates for 2014 and 2015 accounted for.

“Other than the geographic region there doesn’t seem to be any commonality with this file-deleting malware and the previous attacks we’ve seen,” Schouwenberg added. “This is as basic as it gets. But if it was effective that doesn’t matter. If it wasn’t clear already – the era of cyber-sabotage has arrived. Be prepared.”

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.