Batchwiper (a/k/a GrooveMonitor) deletes drives and desktop. The Iranian CERT is sounding the alarm over another bit of data-deleting malware it's discovered on PCs in the country. It's simple, but effective. And there's no obvious connection to Gauss, Flame, or Stuxnet.
In IT Blogwatch, bloggers get to the bottom of the nastiness.
Your humble blogwatcher curated these bloggy bits for your entertainment.
Arik Hesseldahl reports:
Its primary function is deleting Windows hard drive partitions, but it does so only within nine specific date ranges. ... It may be a case of simplicity being the ultimate sophistication, as Leonardo da Vinci put it...an interesting feint after a string of highly sophisticated digital weapons.
...In being less than cutting-edge, the malware carries with it the cloak of plausible deniability. ... There’s also less of a chance that the world’s computer criminals will learn anything new and nasty from the uber-hackers at the CIA and Mossad. MORE
And Dan Goodin adds:
Dubbed Batchwiper, the malware systematically wipes any drive partitions...D through I, along with...the Windows desktop.
...It remains unclear how Batchwiper is spreading. MORE
Iran's Maher Center first sounded the alarm:
Latest investigation...in cyber space identified a new targeted data wiping malware. ... Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software. ... This targeted attack [has no] similarity to the other sophisticated targeted attacks. MORE
In Russia, Roel Schouwenberg reads YOU:
Batchwiper shows up in Task Manager as...GrooveMonitor.exe...juboot.exe, jucheck.exe, WmiPrv.exe, and SLEEP.EXE.
...Some speculate that the malware is transferred via external drives...while others say it could be spread via insiders...or as part of another attack. MORE
But Jaime Blasco just yawns:
The piece of code is very simple. [It] uses reg.exe to create a registry key that the malware uses to maintain persistence. ... Then jucheck.exe is executed that creates...jucheck.bat. ... [When] executed, the juboot.exe file is deleted as well as the GrooveMonitor.exe [it] checks the system date and if it matches one of the predefined dates it...checks for system drives...deletes every file on those drives [and] the [Desktop] folder. MORE
So what's the significance, Paul Roberts?
While these reports don’t presage some nasty new APT-style menace, they do underscore how attuned the rest of the world has become to whatever is going down in Iran. ...a kind of canary in the coal mine for new, sophisticated nation-backed attacks. MORE