Wiper malware could be connected to Stuxnet and Duqu, researchers say
Kaspersky researchers present their findings about the Wiper malware that affected servers at Iran's oil ministry in April
IDG News Service - Security researchers from Kaspersky Lab have uncovered information suggesting a possible link between the mysterious malware that attacked Iranian oil ministry computers in April and the Stuxnet and Duqu cyberespionage threats.
Following April reports that data was destroyed on multiple servers in Iran, possibly by a new piece of malware, the International Telecommunication Union (ITU) asked security vendor Kaspersky Lab to investigate the incidents.
Kaspersky's researchers were not able to find the mysterious malware, which was given the name Wiper, because very little data from the affected hard disk drives was recoverable.
After reviewing the bits of information extracted from the affected hard drives, the Kaspersky researchers concluded that the Wiper malware did in fact exist, that it used a sophisticated and effective data wiping algorithm and that it was most likely not a Flame component.
"We can now say with certainty that the incidents took place and that the malware responsible for these attacks existed in April 2012," researchers from Kaspersky's global research and analysis team said Wednesday in a blog post. "Also, we are aware of some very similar incidents that have taken place since December of 2011."
Even though a connection to Flame is unlikely, there is some evidence suggesting that Wiper might be related to Stuxnet or Duqu.
For example, on a few of the hard drives analyzed, the researchers found traces of a service called RAHDAUD64 that loaded files named ~DFXX.tmp -- where XX are two random digits -- from the C:\WINDOWS\TEMP folder.
"The moment we saw this, we immediately recalled Duqu, which used filenames of this format," the researchers said. "In fact, the name Duqu was coined by the Hungarian researcher Boldizsar Bencsath from the CrySyS lab because it created files named '~dqXX.tmp'."
Kaspersky's researchers had already established that both Stuxnet and Duqu were created by the same team of developers using the same platform -- dubbed the Tilded Platform because the malware used files with names starting with the "~" (tilde) symbol.
The researchers were not able to recover the ~DFXX.tmp files because they had been overwritten with garbage data during Wiper's data destruction routine.
Another possible link to Stuxnet and Duqu is the fact that Wiper apparently prioritized .PNF files during its data wiping process. Both Duqu and Stuxnet kept their main components in encrypted .PNF files, the Kaspersky researchers said.
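The two artefacts the article describes, tilde-prefixed temporary files in C:\WINDOWS\TEMP and .PNF files, are the kind of thing an analyst would want to pull out of a recovered file listing first. The following triage script is an added example and is not code from the article or from Kaspersky; it assumes the listing is a plain list of Windows paths (the sample listing here is constructed) and that the name patterns ~DFXX.tmp and ~DQXX.tmp, as mentioned in the text, are the ones worth flagging.

```python
"""Triage a recovered file listing for Tilded-style artefacts.

Added example, not part of the article. Flags paths whose names follow the
conventions the article attributes to the Tilded platform: ~DFXX.tmp or
~DQXX.tmp (two digits) inside the Windows TEMP directory, and any .PNF file.
A name match is a weak signal on its own; the output is a prioritisation
list for an analyst, not a verdict.
"""
import re
from typing import Dict, Iterable, List, Optional

# "~" + DF or DQ + two digits + ".tmp", case-insensitive (Windows names are).
TILDE_TMP = re.compile(r"^~(DF|DQ)\d{2}\.tmp$", re.IGNORECASE)
# Files that both Duqu and Stuxnet used for their encrypted main components.
PNF = re.compile(r"\.pnf$", re.IGNORECASE)
# Directory the article names; trailing backslash is added by the caller.
TEMP_DIR = re.compile(r"^c:\\windows\\temp\\$", re.IGNORECASE)


def classify(path: str) -> Optional[str]:
    """Return a tag explaining why a path is of interest, or None."""
    directory, _, name = path.rpartition("\\")
    if TILDE_TMP.match(name) and TEMP_DIR.match(directory + "\\"):
        return "tilded-temp"
    if PNF.search(name):
        return "pnf"
    return None


def triage(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Group interesting paths by tag, preserving listing order."""
    out: Dict[str, List[str]] = {"tilded-temp": [], "pnf": []}
    for p in paths:
        tag = classify(p)
        if tag is not None:
            out[tag].append(p)
    return out


# Constructed sample listing; the ~DF file outside TEMP is deliberately
# included to show that location is part of the match.
SAMPLE_LISTING = [
    r"C:\WINDOWS\TEMP\~DF37.tmp",
    r"C:\WINDOWS\TEMP\~DF90.tmp",
    r"C:\WINDOWS\TEMP\report.docx",
    r"C:\WINDOWS\inf\oem7.PNF",
    r"C:\Users\ops\Documents\~DF12.tmp",
]

if __name__ == "__main__":
    for tag, hits in triage(SAMPLE_LISTING).items():
        print(tag)
        for h in hits:
            print("  ", h)
```

Because Wiper overwrote the ~DFXX.tmp files themselves, the content of a flagged file is usually gone; the value of the listing is the names, their directory and, where the file system still records them, their timestamps, which can be correlated with the service the article mentions.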
The evidence found so far is not sufficiently solid to conclude with certainty that Wiper is related to Stuxnet or Duqu, and the truth may never come to light unless a system is discovered where Wiper's data destruction routine somehow failed, the researchers said.
However, if it is related, then it's another piece of a larger puzzle that points to a major nation-state-sponsored cyberespionage and cybersabotage operation in the Middle East. Kaspersky's researchers have already established, based on technical evidence, that Stuxnet, Duqu, Flame and Gauss are related to each other.
According to a New York Times report from June that cited unnamed sources from within the Obama administration, Stuxnet was jointly developed by the U.S. and Israel and was part of a secret operation code-named Olympic Games.