Kaspersky Lab Publishes New Research about Wiper, the Destructive Malware Targeting Computer Systems in April 2012
August 29, 2012 –
Woburn, MA - In April 2012 a series of incidents were publicly
reported about a destructive malware program, codenamed Wiper, which was
attacking computer systems related to a number of oil facilities in Western
Asia. In May 2012, Kaspersky Lab’s research team conducted a search, prompted by
the International Telecommunication Union (ITU), to investigate the incidents and
determine the potential threat this new malware posed to global sustainability and security.
Kaspersky Lab’s experts published the research that resulted from the digital
forensic analysis of the hard disk images obtained from the attacked machines.
The analysis provides insights into Wiper’s highly
effective method of destroying computer systems, including its unique data
wiping pattern and destructive behavior. Even though the search for Wiper
resulted in the inadvertent discovery of Flame, Wiper itself was not discovered
during the search and is still unidentified. In the meantime, Wiper’s effective
way of destroying machines may have encouraged copycats to create destructive
malware such as Shamoon, which appeared in
Kaspersky Lab confirms that Wiper was responsible for
the attacks launched on computer systems in Western Asia on April 21-30, 2012.
The analysis of the hard disk images of the computers
that were destroyed by Wiper revealed a specific data wiping pattern together
with a certain malware component name, which started with ~D. These findings
are reminiscent of Duqu and Stuxnet, which also used filenames beginning with
~D, and were both built on the same attack platform - known as Tilded.
Kaspersky Lab began searching for other files starting
with ~D via the Kaspersky Security Network (KSN) to try to find additional
Wiper files, based on the apparent connection with the Tilded platform.
During this process Kaspersky Lab identified a
significant number of files in Western Asia named ~DEB93D.tmp. Further analysis
showed this file was actually part of a different type of malware: Flame. This
is how Kaspersky Lab discovered Flame.
Despite Flame being discovered during the search for
Wiper, Kaspersky Lab’s research team believes Wiper and Flame are two separate
and distinct malicious programs.
Although Kaspersky Lab analyzed traces of the Wiper
infection, the malware is still unknown because no additional wiping incidents
that followed the same pattern occurred, and no detections of the malware have
appeared in Kaspersky Lab’s proactive protection.
Wiper was extremely effective and could spark others
to create new, “copycat” types of destructive malware, such as Shamoon.
Forensic Analysis of Wiped Computers
Kaspersky Lab’s analysis of the hard disk images taken
from the machines destroyed by Wiper showed that the malicious program wiped the
hard disks of the targeted systems and destroyed all of the data that could have
been used to identify the malware. The file system corruption caused by Wiper
prevented the computers from rebooting and left them generally non-functional.
As a result, on every machine that was analyzed, almost nothing was left after
Wiper activated, and there was no chance of recovering or restoring any data.
However, Kaspersky Lab’s research revealed some
valuable insight including the specific wiping pattern used by the malware
along with certain malware component names and, in some instances, registry
keys that revealed previous file names that were wiped from the hard disk.
These registry keys all pointed to filenames that began with ~D.
Unique Wiping Pattern
Analysis of the wiping pattern uncovered a consistent
method used on every machine on which Wiper was activated. Wiper’s
algorithm was designed to destroy as many files as possible, as quickly and
effectively as possible; this could mean multiple gigabytes at a time. About three
out of four targeted machines had their data completely wiped. The operation
focused on destroying the first half of the disk, then systematically wiped the
remaining files required for the system to function, until the system finally
crashed. In addition, we are aware of Wiper attacks that targeted PNF files,
which would be meaningless unless they were related to the removal of additional
malware components. This was also an interesting finding, since Duqu and Stuxnet
kept their main bodies encrypted in PNF files.
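The wiping pattern described above (the first half of the disk destroyed, then selected system files, leaving almost nothing to recover) is the kind of thing an analyst reconstructs by classifying a raw disk image chunk by chunk rather than by trying to mount it. The following is an added example of that classification step; it is not Kaspersky Lab’s tooling, and the page does not state what bytes Wiper overwrote with, so the classifier recognises the three generic wipe signatures (zero-fill, constant-fill, random-fill) and everything else as surviving data. The 4 KiB chunk size and the 64-chunk sample image are constructed assumptions, not a real Wiper image.

```python
import math
import random

CHUNK = 4096  # analysis granularity: 4 KiB, a common cluster size (assumption)


def chunk_entropy(data: bytes) -> float:
    """Shannon entropy of a chunk in bits per byte: 0.0 for constant data,
    close to 8.0 for random, encrypted or well-compressed data."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_chunk(data: bytes) -> str:
    """Label a chunk by what its bytes look like on disk:
    'zero'    all 0x00 (zero-fill wipe, or never-written space)
    'pattern' one repeated non-zero byte (constant-fill wipe)
    'random'  near 8 bits/byte (random-fill wipe, or encrypted/compressed content)
    'data'    anything else (file system structures and ordinary file contents)
    """
    distinct = set(data)
    if distinct == {0}:
        return "zero"
    if len(distinct) == 1:
        return "pattern"
    if chunk_entropy(data) > 7.8:
        return "random"
    return "data"


def scan_image(image: bytes, chunk: int = CHUNK):
    """Classify every chunk of a raw image. Returns (labels, runs): labels is one
    label per chunk in disk order; runs merges consecutive chunks with the same
    label into (label, start_offset, length) tuples, the compact form in which a
    wiping pattern is easiest to read."""
    labels = []
    runs = []
    for offset in range(0, len(image), chunk):
        piece = image[offset:offset + chunk]
        label = classify_chunk(piece)
        labels.append(label)
        if runs and runs[-1][0] == label:
            runs[-1][2] += len(piece)
        else:
            runs.append([label, offset, len(piece)])
    return labels, [tuple(r) for r in runs]


def wiped_fraction(labels) -> float:
    """Share of chunks that carry no recoverable structure at all."""
    if not labels:
        return 0.0
    return sum(l != "data" for l in labels) / len(labels)


def front_half_wiped(labels) -> bool:
    """True when the first half of the image contains no 'data' chunk: the shape
    the text describes (first half of the disk destroyed, then selected files)."""
    half = labels[: len(labels) // 2]
    return bool(half) and all(l != "data" for l in half)


def build_sample_image(chunk: int = CHUNK) -> bytes:
    """Constructed 64-chunk sample, not a real Wiper image. Layout:
    chunks 0-31 zero-filled (first half of the disk destroyed), 32-39 file data,
    40 random-filled (an encrypted container that survived), 41-47 file data,
    48-49 zero-filled (a wiped system file), 50-63 file data."""
    rng = random.Random(7)
    file_data = (b"NTFS record: \\Windows\\System32\\config ... " * 256)[:chunk]
    random_fill = bytes(rng.getrandbits(8) for _ in range(chunk))
    return (b"\x00" * chunk * 32 + file_data * 8 + random_fill
            + file_data * 7 + b"\x00" * chunk * 2 + file_data * 14)


if __name__ == "__main__":
    labels, runs = scan_image(build_sample_image())
    print(f"wiped fraction: {wiped_fraction(labels):.1%}, "
          f"first half wiped: {front_half_wiped(labels)}")
    for label, start, length in runs:
        print(f"{start:>10x}  {length // CHUNK:>4} chunks  {label}")
```

On a real image one would read the device or `dd` output in chunk-sized pieces instead of holding it in memory, and would follow the run list with a file-system-aware pass (which files occupied the wiped runs) to turn "the second half was selectively wiped" into a list of targeted files. Note that a random-fill wipe and legitimately encrypted data are indistinguishable by entropy alone; that is why the run layout, not any single chunk, carries the evidence.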
How the Search for Wiper Led to the Discovery of Flame
Temporary files (TMP) beginning with ~D were also used
by Duqu, which was built on the same attack platform as Stuxnet: the Tilded
platform. Based on this clue, the research team started
looking for other potentially unknown filenames related to Wiper and the
Tilded platform using KSN, the cloud infrastructure used by Kaspersky
Lab products to report telemetry and to deliver instant protection in the form
of blacklists and heuristic rules designed to catch the newest threats. During
this process Kaspersky Lab’s research team found that several computers in
Western Asia contained the filename “~DEB93D.tmp”. This is how Kaspersky Lab
discovered Flame; however, Wiper was not
found using this method and is still unidentified.
Alexander Gostev, Chief Security Expert of Kaspersky
Lab, said: “Based on our analysis of the patterns Wiper left on examined hard
disk images, there is no doubt that the malware existed and was used to attack
computer systems in Western Asia in April of 2012, and probably even earlier -
in December of 2011. Even though we discovered Flame during the search for
Wiper, we believe that Wiper was not Flame but a separate and different type of
malware. Wiper’s destructive behavior combined with the filenames that were
left on wiped systems strongly resembles a program that used the Tilded
platform. Flame’s modular architecture was completely different and was
designed to execute a sustained and thorough cyber-espionage campaign. We also
did not identify any identical destructive behavior that was used by Wiper
during our analysis of Flame.”
Kaspersky Lab is the world’s largest privately held
vendor of endpoint protection solutions. The company is ranked among the
world’s top four vendors of security solutions for endpoint users*. Throughout
its 15-year history Kaspersky Lab has remained an innovator in IT security and
provides effective digital security solutions for consumers, SMBs and
enterprises. The company currently operates in almost 200 countries and territories
across the globe, providing protection for over 300 million users worldwide.
Learn more at www.kaspersky.com.
* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by
Vendor, 2010. The rating was published in the IDC report Worldwide IT Security
Products 2011-2015 Forecast and 2010 Vendor Shares – December 2011. The report
ranked software vendors according to earnings from sales of endpoint security
solutions in 2010.