More data-wiping malware found in Iran
Batchwiper is unsophisticated malware, but can cause a lot of damage, researchers say
IDG News Service - A new piece of malware that deletes entire partitions and user files from infected computers has been found in Iran, according to an alert issued Sunday by Maher, Iran's Computer Emergency Response Team Coordination Center (CERTCC).
Maher Center described the new threat as a targeted attack, but said that it has a simple design and is not similar to other sophisticated targeted attacks previously seen in the region. "Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software," the center said in its advisory.
Several security companies have confirmed Maher's findings and said the threat is unsophisticated.
The malware is designed to delete all data from disk partitions identified with letters D to I, as well as files located on the desktop of the currently logged in user, security researchers from antivirus vendor Symantec said Monday in a blog post.
The malware initiates its data wiping routine on certain dates, the next one being Jan. 21 2013. However, the dates of Oct. 12, Nov. 12 and Dec. 12, 2012, were also found in the malware's configuration, suggesting that it may have been in distribution for at least two months.
The Maher Center said the malware's installer, also known as the dropper, is called GrooveMonitor.exe. That filename was likely chosen as a disguise because it is normally associated with a legitimate Microsoft Office 2007 document collaboration feature called Microsoft Office Groove.
According to an analysis of the new threat by researchers from security firm AlienVault, when the installer is executed, it adds a registry entry that ensure the malware's persistence across system reboots and creates a Windows batch file containing the data wiping routine.
Because of its use of batch files -- script files to be executed by the Windows shell program -- the malware has been dubbed "Batchwiper."
It's not clear how the malware is being distributed. The dropper could be deployed using several vectors, ranging from spearphishing emails, infected USB drives, some other malware already running on computers, or an internal actor uploading it to network shares, AlienVault Labs manager Jaime Blasco said via email.
Despite the fact that this malware is not sophisticated, if its wiping routines are executed, it can do a lot of damage, Blasco said.
Batchwiper is not the first data wiping malware found in the Middle East. Earlier this year, an investigation into a mysterious piece of malware that reportedly destroyed data from Iranian energy sector servers led to the discovery of the Flame cyberespionage threat.
In August, security researchers identified another unrelated piece of malware with data wiping capabilities called Shamoon. The malware is believed to have been used in an attack against Saudi Aramco, Saudi Arabia's national oil company, and affected of thousands of computer systems.
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- 5 Ways Dropbox for Business Keeps Your Data Protected Protecting your data isn't a feature on a checklist, something to be tacked on as an afterthought. Download here to find out how...
- The Keys to Securing Data in a Collaborative Workplace Losing data is costly. IT professionals have spent years learning how to protect their organizations from hackers, but how do you ward off...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!