Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Mystery 'Wiper' malware linked to 'Duqu', says security firm

April attacks on Iranian oil firm part of wider campaign

Article comments

It appeared from nowhere last April, attacked computers in Iran and then destroyed almost all evidence of its existence. But what was the super-destructive malware now dubbed ‘Wiper’?

Evidence for the malware emerged in April after the Iranian Oil Ministry announced that some of its installations had been attacked by a ‘worm’ that was deleting numerous types of data files from hard drives.

At the time, security watchers were left guessing about what might have caused the attack but the fact that it appeared to be focused on Iran and the Middle East raised suspicions that this was another cyber-attack along the lines of 2010’s Stuxnet assault on the state's nuclear plants.

Researchers set about trying to pin down what had become known thanks to its data-destroying capabilities as ‘Wiper’ and today, as Kaspersky’s latest analysis makes plain, the evidence remains tantalising but fragmentary.

Because the malware was designed to remove all traces of its existence, the job of hunting it down has proved hard work. The company’s best guess is that it was written on what is called the ‘Tilded’ cyber-malware platform which means it must be related to Stuxnet malware and its mysterious companion, Duqu.

The evidence? Mainly, tiny pointers that Wiper had named a registry key using the same file-naming format as Duqu as well as forensic evidence that it did the same for temp files.

Not much then, but in the world of software such common features are likely very unlikely to be a coincidence.

And this is what marks out these pieces of malware form the vast number of criminal and commercial malware that currently exist – the huge care taken over some aspects of their design.

Wiper didn’t just wipe files, it was set up using algorithms that had been chosen by an expert because they could cause annihilate the maximum number of files in the shortest possible time, that is before admins could react to what was happening. A nuisance or commercial attack would be unlikely to bother with such sophistication.

What was Wiper trying to achieve? Perhaps its destruction of hard drives was an end in itself or possibly it was attempting to destroy evidence of something that preceded it. Kaspersky doesn’t speculate on the latter point because there is, of course, no evidence to support the notion.

“Wiper’s destructive behaviour combined with the filenames that were left on wiped systems strongly resembles a program that used the Tilded platform [used by Stuxnet and Duqu],” confirmed Kaspersky researcher, Alexander Gostev.

They could find no connection to other famous malware types, Flame and Gauss, discovered in fact as a result of the company’s investigation into Wiper at the International Telecommunications Union (ITU), another victim.

“Flame’s modular architecture was completely different and was designed to execute a sustained and thorough cyber-espionage campaign. We also did not identify any identical destructive behaviour that was used by Wiper during our analysis of Flame,” he said.

Whatever Wiper was, it was active in April 2012 and possibly as early as December 2011,

So far there is no evidence linking Wiper (or any of the other malware examples) to a recent attack, dubbed Shamoon, which recently assaulted at least two Saudi Arabian energy back using similar disk-wiping tactics. That looks more like a copycat attack picking up on Wiper’s success, possibly with a pro-Iranian origin.


More from Techworld

More relevant IT news


Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *