Researchers at Symantec and Kaspersky Lab have confirmed the existence of malware that does nothing more than wipe the drive of the host where it is installed. Circulating in low numbers, the malware, named Batchwiper by Symantec, has only been seen in Iran thus far, but does not appear to be related to Stuxnet, Duqu, or Flame.
According to Iran’s CERT, which first reported the threat, the malware wipes files on different drives in various predefined times.
“The samples are not sophisticated and will wipe any drives starting with the drive letters D through I, along with files on the currently logged-in user’s Desktop. After deletion, the threat will then run Chkdsk on the drives,” Symantec explained in a blog post.
Kaspersky Lab’s Roel Schouwenberg agrees. “This is an extremely simplistic attack,” Schouwenberg noted in a blog post. “In essence, the attacker wrote some BAT files and then used a BAT2EXE tool to turn them into Windows PE files. The author seems to have used (a variant of) this particular BAT2EXE tool.”
Thanks to Iran’s CERT, Symantec was able to get samples of the malware and confirm what it does. In addition, the samples from Iran’s CERT were made available to other AV operations, and as such, the detection for Batchwiper went from nearly nothing, to a majority of the security products on the market.
Unfortunately, this does nothing for systems in Iran or other areas where there is no such protection available.
In addition to confirming what the malware does, Symantec also rooted out the destructive dates where data is removed. According to the time clock, 2012’s dates have passed. However Batchwiper will activate again for three days in January (21-23), May (06-08), July (22-24), and November (11-13) next year. There are also dates for 2014 and 2015 accounted for.
“Other than the geographic region there doesn’t seem to be any commonality with this file-deleting malware and the previous attacks we’ve seen,” Schouwenberg added. “This is as basic as it gets. But if it was effective that doesn’t matter. If it wasn’t clear already – the era of cyber-sabotage has arrived. Be prepared.”
More from Steve Ragan
- Anonymous Claims Attack on IP Surveillance Firm Brickcom, Leaks Customer Data
- Workers Don’t Trust Employers with Personal Data: Survey
- Root SSH Key Compromised in Emergency Alerting Systems
- Morningstar Data Breach Impacted 184,000 Clients
- Microsoft to Patch Seven Flaws in July’s Patch Tuesday
- OpenX Addresses New Security Flaws with Latest Update
- Ubisoft Breached: Users Urged to Change Passwords
- Anonymous Targets Anti-Anonymity B2B Firm Relead.com
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
