
Vulnerabilities / Threats

8/29/2012
02:24 PM
Dark Reading
Products and Releases

Kaspersky Lab Publishes New Research about Wiper, the Destructive Malware Targeting Computer Systems In April 2012

Analysis provides insights into Wiper’s highly effective method of destroying computer systems

August 29, 2012 – Woburn, MA - In April 2012, a series of incidents was publicly reported involving a destructive malware program, codenamed Wiper, which was attacking computer systems related to a number of oil facilities in Western Asia. In May 2012, Kaspersky Lab’s research team conducted a search, prompted by the International Telecommunications Union, to investigate the incidents and determine the potential threat from this new malware as it related to global sustainability and security.

Today Kaspersky Lab’s experts published the research that resulted from the digital forensic analysis of the hard disk images obtained from the machines attacked by Wiper.

The analysis provides insights into Wiper’s highly effective method of destroying computer systems, including its unique data wiping pattern and destructive behavior. Even though the search for Wiper resulted in the inadvertent discovery of Flame, Wiper itself was not discovered during the search and is still unidentified. In the meantime, Wiper’s effective way of destroying machines may have encouraged copycats to create destructive malware such as Shamoon, which appeared in August 2012.

Summary Findings:

Kaspersky Lab confirms that Wiper was responsible for the attacks launched on computer systems in Western Asia between April 21 and 30, 2012. The analysis of the hard disk images of the computers that were destroyed by Wiper revealed a specific data wiping pattern together with a certain malware component name, which started with ~D. These findings are reminiscent of Duqu and Stuxnet, which also used filenames beginning with ~D, and were both built on the same attack platform, known as Tilded. Kaspersky Lab began searching for other files starting with ~D via the Kaspersky Security Network (KSN) to try to find additional Wiper files based on the connection with the Tilded platform. During this process Kaspersky Lab identified a significant number of files in Western Asia named ~DEB93D.tmp. Further analysis showed this file was actually part of a different type of malware: Flame. This is how Kaspersky Lab discovered Flame. Despite Flame being discovered during the search for Wiper, Kaspersky Lab’s research team believes Wiper and Flame are two separate and distinct malicious programs. Although Kaspersky Lab analyzed traces of the Wiper infection, the malware itself is still unknown, because no additional wiping incidents that followed the same pattern have occurred, and no detections of the malware have appeared in Kaspersky Lab’s proactive protection. Wiper was extremely effective and could spark others to create new, “copycat” types of destructive malware, such as Shamoon.

Forensic Analysis of Wiped Computers

Kaspersky Lab’s analysis of the hard disk images taken from the machines destroyed by Wiper showed that the malicious program wiped the hard disks of the targeted systems and destroyed all of the data that could be used to identify the malware. The file system corruption caused by Wiper prevented the computers from rebooting and left them generally malfunctioning. On every machine that was analyzed, almost nothing was left after Wiper activated, and there was little chance of recovering or restoring any data.

However, Kaspersky Lab’s research revealed some valuable insights, including the specific wiping pattern used by the malware along with certain malware component names and, in some instances, registry keys that revealed the names of files previously wiped from the hard disk. These registry keys all pointed to filenames that began with ~D.

Unique Wiping Pattern

Analysis of the wiping pattern uncovered a consistent method that was used on each machine on which Wiper was activated. Wiper’s algorithm was designed to destroy as many files as possible, as quickly and effectively as possible, which can mean multiple gigabytes at a time. About three out of four targeted machines had their data completely wiped. The operation focused first on destroying the first half of the disk, then systematically wiped the remaining files required for the system to function properly, until the system finally crashed. In addition, we are aware of Wiper attacks that targeted PNF files, which would be meaningless if not related to the removal of additional malware components. This was also an interesting finding, since Duqu and Stuxnet kept their main body encrypted in PNF files.

How the Search for Wiper Led to the Discovery of Flame

Temporary files (TMP) beginning with ~D were also used by Duqu, which was built on the same attack platform as Stuxnet: the Tilded platform. Based on this clue, the research team started looking for other potentially unknown filenames related to Wiper and the Tilded platform using KSN, the cloud infrastructure used by Kaspersky Lab products to report telemetry and to deliver instant protection in the form of blacklists and heuristic rules designed to catch the newest threats. During this process Kaspersky Lab’s research team found that several computers in Western Asia contained the filename “~DEB93D.tmp”. This is how Kaspersky Lab discovered Flame; however, Wiper was not found using this method and is still unidentified.
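The two forensic observations above, the ~D temporary-file naming and the "first half of the disk destroyed" pattern, can be turned into a simple triage script. The following is an added example and is not Kaspersky Lab's code or tooling; the fill byte in the constructed disk image and the sample filenames are placeholders, not Wiper's real pattern or indicators.

```python
import re

# Filename indicators the analysis describes: temporary files whose names
# start with "~D" (Tilded-platform naming, e.g. ~DEB93D.tmp), and .PNF
# files, which Duqu and Stuxnet used to hold encrypted components.
TILDED_TMP = re.compile(r"^~D.*\.tmp$", re.IGNORECASE)
PNF_FILE = re.compile(r"\.pnf$", re.IGNORECASE)


def classify_names(names):
    """Split a list of bare filenames into (~D*.tmp hits, .pnf hits)."""
    tilded = [n for n in names if TILDED_TMP.match(n)]
    pnf = [n for n in names if PNF_FILE.search(n)]
    return tilded, pnf


SECTOR = 512


def wiped_fraction(image, start, end):
    """Fraction of sectors in image[start:end] that consist of one repeated byte
    (a crude sign of overwriting; it does not identify Wiper's real pattern)."""
    offsets = range(start, end, SECTOR)
    wiped = 0
    for off in offsets:
        sec = image[off:off + SECTOR]
        if len(sec) == SECTOR and sec == bytes([sec[0]]) * SECTOR:
            wiped += 1
    return wiped / max(1, len(offsets))


def wipe_profile(image):
    """Compare wiping density of the first and second halves of a disk image,
    mirroring the 'first half destroyed, then system files' observation."""
    half = (len(image) // 2) // SECTOR * SECTOR
    return {"first_half": wiped_fraction(image, 0, half),
            "second_half": wiped_fraction(image, half, len(image))}


def build_sample_image():
    """Constructed 64-sector image: first half fully overwritten with a
    placeholder byte, second half live data with 4 overwritten sectors."""
    live = bytes(range(256)) * 2          # 512 bytes of clearly non-uniform data
    fill = b"\xaa" * SECTOR               # placeholder fill byte (assumption)
    first = fill * 32
    second = b"".join(fill if i % 8 == 0 else live for i in range(32))
    return first + second
```

Run `wipe_profile(build_sample_image())` to see the per-half wiping density, and feed `classify_names` the file list recovered from a registry MRU or a file-system listing.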

Alexander Gostev, Chief Security Expert of Kaspersky Lab, said: “Based on our analysis of the patterns Wiper left on examined hard disk images, there is no doubt that the malware existed and was used to attack computer systems in Western Asia in April of 2012, and probably even earlier - in December of 2011. Even though we discovered Flame during the search for Wiper, we believe that Wiper was not Flame but a separate and different type of malware. Wiper’s destructive behavior combined with the filenames that were left on wiped systems strongly resembles a program that used the Tilded platform. Flame’s modular architecture was completely different and was designed to execute a sustained and thorough cyber-espionage campaign. We also did not identify any identical destructive behavior that was used by Wiper during our analysis of Flame.”

For the full research post on Wiper, please visit Securelist.com.

About Kaspersky Lab

Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its 15-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for consumers, SMBs and Enterprises. The company currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.

*The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2010. The rating was published in the IDC report Worldwide IT Security Products 2011-2015 Forecast and 2010 Vendor Shares – December 2011. The report ranked software vendors according to earnings from sales of endpoint security solutions in 2010.
