One question that has remained open for several months in the investigation of the Flame malware is whatever became of the so-called Wiper virus, the malware seen erasing data on machines in Iran whose investigation eventually led researchers to discover Flame. No actual samples of Wiper have been recovered, only indirect evidence that it existed. Now researchers have analyzed hard drive images from machines hit by Wiper and found that while the malware has some links to Duqu and Stuxnet, it was a separate attack with no apparent ties to Flame.
The first indications of Wiper's emergence came in April, when reports began to surface of attacks on businesses inside Iran that were destroying data on infected machines. The malware was wiping certain sections of the hard drives of infected machines, but no one was able to pin down exactly how the attacks were happening.
“During the investigation of the mysterious malware attack in April, we were able to obtain and analyze several hard drive images that were attacked by Wiper. We can now say with certainty that the incidents took place and that the malware responsible for these attacks existed in April 2012. Also, we are aware of some very similar incidents that took place in December of 2011,” researchers at Kaspersky Lab wrote in a new analysis of Wiper released Wednesday.
“The creators of Wiper were extremely careful to destroy absolutely every single piece of data which could be used to trace the incidents. So, in every single case we’ve analyzed, almost nothing was left after the activation of Wiper. It’s important to stress ‘almost nothing’ here because some traces did remain that allowed us to get a better understanding of the attacks. From some of the destroyed systems we were lucky enough to recover a copy of the registry hive. The registry hive did not contain any malicious drivers or startup entries. However, we came up with the idea to look into the hive slack space for deleted entries.”
Combing through the recovered hive, the researchers quickly identified a file whose name resembled those used by Duqu. They tried to recover the file from the disk but found that it had been overwritten with garbage data.
“We found the same ‘wiping’ pattern in several of the other systems we analyzed – a service named ‘RAHDAUD64’ which was deleted just before it was wiped – and its file filled with garbage data. In these other systems, the RAHDAUD64 service pointed to different filenames, such as ‘~DF11.tmp’ and ‘~DF3C.tmp’. So it’s possible the names were random,” the analysis says.
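The technique the Kaspersky researchers describe above, reading deleted entries back out of registry hive slack space, can be reproduced with a short parser. The Python below is an added example written for this article, not code from Kaspersky Lab or from the Wiper analysis. It walks a REGF hive's bins and cells, keeps the freed (deleted) cells alongside the live ones, and reads back any 'nk' key and 'vk' value records still lying in them. For string values it follows the data pointer and treats a pointer that leaves the hive as unrecoverable, which is what an overwritten data cell looks like to an analyst. The hive it parses is constructed in-line: the 'RAHDAUD64' service name and '~DF11.tmp' filename come from the analysis, while the 'Services' key, the 'ImagePath' and 'Start' value names and the C:\WINDOWS\Temp path are assumed for illustration.

```python
"""Carve deleted key/value names from registry hive slack space. Added example, not
Kaspersky's code. REGF cell sizes are signed (negative = in use, positive = freed) and a
freed cell keeps its old bytes until reused, so deleted 'nk'/'vk' records can be read back."""
import struct
from dataclasses import dataclass
from typing import List, Optional

BASE_BLOCK_SIZE = 4096    # REGF base block; hive bins start right after it
HBIN_HEADER_SIZE = 32
KEY_COMP_NAME = 0x0020    # nk flag: key name is 8-bit chars, not UTF-16
VALUE_COMP_NAME = 0x0001  # vk flag: value name is 8-bit chars
REG_SZ = 1

@dataclass
class CellRecord:
    file_offset: int
    allocated: bool
    kind: str             # "nk" (key) or "vk" (value)
    name: str
    data: Optional[str]   # REG_SZ data of a vk record, if it could be recovered

def _decode_name(raw: bytes, compressed: int) -> str:
    return raw.decode("latin-1") if compressed else raw.decode("utf-16-le", "replace")

def _read_sz_data(hive: bytes, data_size: int, data_offset: int) -> Optional[str]:
    if data_size & 0x80000000:  # <= 4 bytes: data is stored in the offset field itself
        raw = struct.pack("<I", data_offset)[: data_size & 0x7FFFFFFF]
    else:
        start = BASE_BLOCK_SIZE + data_offset + 4  # +4 skips the data cell's own size field
        if start + data_size > len(hive):
            return None  # dangling pointer: what a wiped or reused data cell looks like
        raw = hive[start : start + data_size]
    try:
        text = raw.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None

def _parse_cell(hive: bytes, off: int, size: int, allocated: bool) -> Optional[CellRecord]:
    body = hive[off + 4 : off + size]  # payload after the 4-byte size field
    if body[:2] == b"nk" and len(body) >= 0x4C:
        flags, name_len = struct.unpack_from("<H", body, 2)[0], struct.unpack_from("<H", body, 0x48)[0]
        if name_len == 0 or 0x4C + name_len > len(body):
            return None  # name would overrun the cell: stale or partial record
        return CellRecord(off, allocated, "nk", _decode_name(body[0x4C:0x4C + name_len], flags & KEY_COMP_NAME), None)
    if body[:2] == b"vk" and len(body) >= 0x14:
        name_len, data_size, data_offset, data_type, flags = struct.unpack_from("<HIIIH", body, 2)
        if 0x14 + name_len > len(body):
            return None
        name = _decode_name(body[0x14:0x14 + name_len], flags & VALUE_COMP_NAME) if name_len else "(Default)"
        data = _read_sz_data(hive, data_size, data_offset) if data_type == REG_SZ else None
        return CellRecord(off, allocated, "vk", name, data)
    return None

def carve_hive(hive: bytes) -> List[CellRecord]:
    """Walk every hbin and every cell, live or freed; stop a bin at the first torn cell."""
    if hive[:4] != b"regf":
        raise ValueError("not a REGF hive")
    records: List[CellRecord] = []
    pos = BASE_BLOCK_SIZE
    while pos + HBIN_HEADER_SIZE <= len(hive) and hive[pos:pos + 4] == b"hbin":
        hbin_size, = struct.unpack_from("<I", hive, pos + 8)
        if hbin_size < HBIN_HEADER_SIZE:
            break
        end, cell = min(pos + hbin_size, len(hive)), pos + HBIN_HEADER_SIZE
        while cell + 4 <= end:
            raw_size, = struct.unpack_from("<i", hive, cell)
            size = abs(raw_size)
            if size < 8 or cell + size > end:  # zero padding or a corrupt cell chain
                break
            if rec := _parse_cell(hive, cell, size, allocated=raw_size < 0):
                records.append(rec)
            cell += size
        pos += hbin_size
    return records

def deleted_entries(hive: bytes) -> List[CellRecord]:
    return [r for r in carve_hive(hive) if not r.allocated]

def _cell(payload: bytes, allocated: bool) -> bytes:  # helpers below build the sample hive
    size = (4 + len(payload) + 7) & ~7  # cells are 8-byte aligned
    return struct.pack("<i", -size if allocated else size) + payload.ljust(size - 4, b"\x00")

def _nk(name: bytes) -> bytes:  # 0x4C-byte fixed nk header, then the name
    return b"nk" + struct.pack("<H", KEY_COMP_NAME) + bytes(0x44) + struct.pack("<HH", len(name), 0) + name

def _vk(name: bytes, data_size: int, data_offset: int) -> bytes:
    return b"vk" + struct.pack("<HIIIHH", len(name), data_size, data_offset, REG_SZ, VALUE_COMP_NAME, 0) + name

def build_sample_hive() -> bytes:
    """Constructed, not a recovered image: live 'Services' key; freed 'RAHDAUD64' key with a
    freed ImagePath whose data cell survived (path invented); freed 'Start' with a dangling pointer."""
    cells = [_cell(_nk(b"Services"), True), _cell(_nk(b"RAHDAUD64"), False)]
    data = "C:\\WINDOWS\\Temp\\~DF11.tmp\x00".encode("utf-16-le")
    data_off = HBIN_HEADER_SIZE + sum(map(len, cells)) + len(_cell(_vk(b"ImagePath", 0, 0), False))
    cells += [_cell(_vk(b"ImagePath", len(data), data_off), False), _cell(data, False),
              _cell(_vk(b"Start", 16, 0x00FFFF00), False)]
    hbin = (b"hbin" + struct.pack("<II", 0, 4096) + bytes(20) + b"".join(cells)).ljust(4096, b"\x00")
    return b"regf".ljust(BASE_BLOCK_SIZE, b"\x00") + hbin
```

On a real case, pass the bytes of a recovered SYSTEM or SOFTWARE hive to deleted_entries() instead of the constructed sample. Expect many stale records: Windows frees and reuses cells constantly, so a freed service key is a lead to corroborate with timestamps, file system artifacts and the garbage-filled file the record points at, not proof by itself. The 'Start' value in the sample shows the other common outcome, a record whose data cell is gone, which the parser reports as a name with no recoverable data rather than as a decode error.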
Wiper followed a specific order when erasing data. It first searched for and destroyed dozens of file types, including Zip archives, Word and Excel documents, executables, PDFs and many others. It then destroyed the files in certain folders, including Documents and Settings, and tried to destroy files on any attached USB devices, before finally erasing certain sectors of the hard disk itself.
“Wiping a disk that is several hundred gigabytes in size might take hours. So the creators of the malware were careful to select wiping algorithms that could achieve maximum efficiency,” the analysis says.
The researchers also found a connection between the files Wiper singled out for destruction and the files Stuxnet and Duqu used to store themselves.
“Interestingly enough, on some systems we noticed that all PNF files in the INF Windows folder were wiped with a higher priority than other files. Once again, this is a connection to Duqu and Stuxnet, which kept their main body in encrypted ‘.PNF’ files,” the researchers said.
After digging through the hard drives and analyzing the traces Wiper left behind, the researchers concluded that the malware was highly effective at destroying not just the data on the machines but most traces of the malware itself.
“There is no doubt that there was a piece of malware known as Wiper that attacked computer systems in Iran (and maybe in other parts of the world) until late April 2012. The malware was so well written that once it was activated, no data survived. So, although we’ve seen traces of the infection, the malware is still unknown because we have not seen any additional wiping incidents that followed the same pattern as Wiper,” the analysis says.