Kaspersky unpacks 'Wiper' malware
In April 2012, several reports about a mysterious malware attack shutting down computer systems at businesses throughout Iran surfaced. It was widely speculated that a virus named Wiper was responsible. However, no samples were available from these attacks, causing many to doubt the accuracy of these reports.
Following these incidents, the International Telecommunication Union (ITU) asked Kaspersky Lab to investigate the incidents and determine the potentially destructive impact of this new malware.
After several weeks of research, Kaspersky failed to reveal any malware that shared any known properties with Wiper; however, its analysis of the hard disk images taken by the machines destroyed by Wiper indicated that the malicious program wiped the hard disks of the targeted systems and destroyed all of the data that could be used to identify the malware.
According to Vitaly Kamluk, chief malware expert, Global Research & Analysis Team at Kaspersky Lab, the attackers wanted to ensure Wiper malware would remain undiscovered. “It makes sense to first wipe the malware components, and only then to wipe other files in the system that could make it crash. The Wiper also corrupted various file formats, including archives, office documents, images and even source codes.”
He says the malware was so well written that, once it was activated, no data survived. So, although Kaspersky has seen traces of the infection, the malware is still unknown because Kaspersky has not seen any additional wiping incidents that followed the same pattern as Wiper, and no detections of the malware have appeared in the proactive detection components of Kaspersky's security solutions.
“At the time, there was insufficient information to back these findings; however, through this research, we then discovered the nation-state cyber-espionage campaign now known as Flame and later Gauss. It is our firm opinion that Wiper was a separate strain of malware that was not associated with Flame given the complexity of Flame - one would expect it to be used for long-term surveillance of targets instead of direct sabotage attacks on computer systems.”
Kamluk says the creators of Wiper were extremely careful to destroy absolutely every single piece of data that could be used to trace the incidents. “So, in every single case we've analysed, almost nothing was left after the activation of Wiper. It's important to stress 'almost nothing' here, because certain traces did remain that enabled us to get a better understanding of the attacks.”
He says Wiper attacks the hard disks of the targeted systems and wipes and destroys all of the data that could be used to identify the malware. Most of the files that were wiped contain a specific pattern that repeats over and over. “Interestingly, it did not overwrite the entire file. In some cases, some portions of the file remained intact, where every header of the files was destroyed the first time round. This was probably caused by the size of the file. The wiping algorithm was designed to quickly destroy as many files as possible.”
Based on the pattern that Kaspersky knew had been used when wiping files, the company collected Kaspersky Security Network (KSN) statistics on which files had been destroyed. In an attempt to reconstruct the Wiper algorithm, it came up with the following sequence:
1. Searching for and wiping files based on their extensions.
2. Searching for and wiping all files in certain folders (eg in Documents and Settings, Windows, Program Files) and on all available USB drives connected to the computer.
3. Wiping disk sectors (possibly using a bootkit module)
In terms of the malware monetising itself, it is possible that Kaspersky will never find out what Wiper was exactly. “However, based on our experience, we are reasonably sure that it existed and that it was not related to Flame. The Wiper attack didn't look like a typical cyber criminal attack, because its purpose seemed to be financial damage and not financial profit.”
Similarly, he said it is also impossible to be sure as to whether this was a nation-state-sponsored attack. “To draw such conclusions, we have to analyse at least the code of executable files.”
The number of infections is not precisely known, but during the investigation of the mysterious malware attack in April, Kaspersky was able to obtain and analyse several hard drive images that were attacked by Wiper. “We can now say with certainty that the incidents took place and that the malware responsible for these attacks existed in April 2012. Also, we are aware of some very similar incidents that took place since December of 2011. We don't have exact estimation of victims, however, it already hit the news in April 2012 that hundreds of systems were affected in Iran.”
He advises that, as with any security threat, the best way to prevent a malware infection is to have a comprehensive security solution installed. “Kaspersky Lab has a range of different solutions to combat these and other malware infections. Also, we recommend to refrain from using removable drives completely, where applicable. Never open attachments from unknown e-mail senders on a computer attached to your corporate networks. And, of course, always keep your OS and its components up to date.”