Wiper Malware That Hit Iran Left Possible Clues of Its Origins

Wiper left a trace of its existence on some hard drives, in the form of a registry key (highlighted in blue at left). Image courtesy of Kaspersky Lab

How does a security company study a strain of malware that systematically wipes a hard drive clean, including any traces of its own code? And is there any evidence that Wiper, one particular flavor of malware that hit computers in Iran’s oil industry in the spring, is connected to nation-state tools such as Stuxnet?

In an attempt to answer these questions and others about several pieces of malware that have cropped up recently, Kaspersky Lab has released new details about its investigation of Wiper.

According to Kaspersky, Wiper shares a couple of characteristics with the DuQu and Stuxnet attacks that suggest it might have been developed by Israel and the U.S. – the nations believed to be behind DuQu and Stuxnet. But, the researchers say in a blog post published Wednesday, that the similarities are circumstantial and not enough to draw firm conclusions just yet.

They also say Wiper is not related to Shamoon, a piece of malware that attacked computers in Saudi Arabia this month. Kaspersky believes, however, that Wiper was likely the inspiration for the less sophisticated attackers behind Shamoon.

Wiper was an aggressive piece of malware that targeted machines belonging to the Iranian Oil Ministry and the National Iranian Oil Company in April.

Iranian officials said at the time the malware was uncovered that it was designed to steal and destroy data. But they insisted that Wiper caused no permanent damage, because the Oil Ministry maintained a backup of essential and non-essential data.

No one has ever found a sample of Wiper in order to study its code and determine exactly what it did to machines in Iran, but Kaspersky did obtain mirror images of “dozens” of hard drives that had been hit by the malware.

Although the disks were thoroughly wiped in most cases, leaving no malware behind – or much of anything else – the researchers did find evidence of its previous existence on some of the systems that weren’t completely wiped. The evidence came in the form of a registry key that pointed to files that had been on the machines before being erased.

According to Kaspersky, the wiping activity occurred between April 21 and April 30. Wiper’s erase operation focused initially on destroying data on the first half of a disk, then systematically erasing system files, causing the systems to crash and preventing them from rebooting.

On April 22, just before one of the systems went down, the malware created and deleted a registry key for a service named “RAHDAUD64.” This pointed to a file on disk called “~DF78.tmp” that had been in the Windows temp folder before being deleted.

The structure of the file name harkens back to DuQu, which also created a number of temporary files on infected systems that all began with the prefix ~DQ.

Wiper has one other interesting characteristic that suggests a circumstantial connection to DuQu and Stuxnet.

According to Kaspersky, the malware’s algorithm is “designed to quickly destroy as many files as effectively as possible, which can include multiple gigabytes at a time.”

In the process of deleting files on infected systems, it places a higher priority on going after files with a .pnf extension.

This is interesting because both Duqu and Stuxnet stored their primary files in .pnf files, which Kaspersky says is uncommon for malware. This suggests that one of Wiper’s primary goals may have been to search infected systems for any traces of Stuxnet, DuQu or other pieces of malware created by the same gang and eliminate them.

But Roel Schouwenberg, senior antivirus researcher for Kaspersky, cautions against jumping to conclusions.

“Without having a look at the actual code [for Wiper], I’m very hesitant to say this has to be related to DuQu and Stuxnet,” he says. “There is definitely a possibility that Wiper is related to [them], but I think it’s still up in the air to say with strong confidence that most likely these operations are related.”

If Wiper was used to eliminate traces of earlier malicious operations, the Kaspersky researchers say the attackers made a big mistake, since it was Wiper that led to the discovery of another malware attack known as Flame.

Flame was discovered by Kaspersky in May after the UN’s International Telecommunications Union asked the company to investigate reports from Iran about malware attacking oil industry computers. Iran had called the malware “Wiper.” Although Kaspersky never found any Wiper files on systems it examined, in looking for evidence of it, researchers uncovered files for a second piece of malware, which they called Flame.

Flame is a sophisticated toolkit used for espionage that was found primarily on systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa.

“If these machines hadn’t been wiped, then most likely the Flame operation would not have been discovered for some foreseeable amount of time,” Schouwenberg says. “If we’re talking about a situation where the same guys behind Flame are also behind Wiper, then they obviously had to make some sort of call” about wiping out these machines at the risk of exposing their other operations.

Kaspersky found evidence that linked Flame directly to Stuxnet and its creators, but says there is currently nothing linking Flame directly to Wiper. The two pieces of malware appear to have completely different functions — Flame is used for espionage, and Wiper is used for sabotage to destroy data. Although Flame can be updated by its creators with various modules, including conceivably a module that would destroy data, there has never been any evidence found that Flame had a module that was used to destroy data on machines or wipe out hard drives.

As for Shamoon, the latest piece of malware discovered attacking machines in the Middle East, Kaspersky believes it is a poor copycat of Wiper. Like Wiper, Shamoon targeted the oil industry — in this case Saudi Arabia’s national oil company, Aramco. Saudi Arabia acknowledged last weekend that 30,000 computers were hit in the malware attack. The malware replaced data on machines with images of a burning U.S. flag.

Kaspersky has said that Shamoon’s unsophisticated design, as well as at least one mistake found in the code, indicates it was not created by nation-state actors, as Flame, DuQu and Stuxnet were. A group of hackers calling themselves “Cutting Sword of Justice,” has taken credit for the attack on Aramco’s computers, suggesting they were behind Shamoon.