Abingdon, UK, 30 August 2012 - Today, Kaspersky Lab publishes research resulting from the digital forensic analysis of the hard disk images obtained from the machines attacked by the Wiper - a destructive malware program attacking computer systems related to oil facilities in Western Asia. In May, Kaspersky Lab’s research team conducted a search prompted by the International Telecommunication Union to investigate the incidents and determine the potential threat from this new malware as it related to global sustainability and security.
The analysis provides insight into Wiper’s highly effective method of destroying computer systems, including its unique data wiping pattern and destructive behaviour. Although the search for Wiper resulted in the inadvertent discovery of Flame, Wiper itself was not discovered during the search and is still unidentified. In the meantime, Wiper’s effective way of destroying machines may have encouraged copycats to create destructive malware such as Shamoon, which appeared in August 2012.
Summary Findings:
Kaspersky Lab confirms that Wiper was responsible for the attacks launched on computer systems in Western Asia in April 2012.
Analysis of hard disk images of the computers destroyed by Wiper revealed a specific data wiping pattern together with a certain malware component name, which started with ~D. These findings are reminiscent of Duqu and Stuxnet, which also used filenames beginning with ~D, and were both built on the same attack platform, known as Tilded.
Kaspersky Lab began searching for other files starting with ~D via the Kaspersky Security Network (KSN) to try and find additional files of Wiper based on the connection with the Tilded platform.
During the process Kaspersky Lab identified a significant number of files in Western Asia named ~DEB93D.tmp. Further analysis showed this file was part of a different type of malware: Flame, which is how Kaspersky Lab discovered Flame.
Despite Flame being discovered during the search for Wiper, Kaspersky Lab’s research team believes Wiper and Flame are two separate and distinct malicious programs.
Although Kaspersky Lab analysed traces of the Wiper infection, the malware is still unknown because no additional wiping incidents that followed the same pattern occurred, and no detections of the malware have appeared in Kaspersky Lab’s proactive protection.
Wiper was extremely effective and could spark others to create new “copycat” types of destructive malware like Shamoon.
Alexander Gostev, Chief Security Expert at Kaspersky Lab, said: “Based on our analysis of the patterns Wiper left on examined hard disk images, there is no doubt that the malware existed and was used to attack computer systems in Western Asia in April of 2012, and probably even earlier - in December of 2011. Even though we discovered Flame during the search for Wiper, we believe that Wiper was not Flame but a separate and different type of malware. Wiper’s destructive behaviour combined with the filenames that were left on wiped systems strongly resembles a program that used the Tilded platform. Flame’s modular architecture was completely different and was designed to execute a sustained and thorough cyber-espionage campaign. We also did not identify any identical destructive behaviour that was used by Wiper during our analysis of Flame.”
Forensic Analysis of Wiped Computers
Kaspersky Lab’s analysis of the hard disk images taken by the machines destroyed by Wiper showed that the malicious program wiped the hard disks of the targeted systems and destroyed all data that could be used to identify the malware. The file system corrupted by Wiper prevented computers from rebooting and caused improper general functioning. This meant nothing was left after the activation of Wiper, on any machine that was analysed with little chance of recovering or restoring any data.
However, Kaspersky Lab’s research did reveal valuable insight, including the specific wiping pattern used by the malware along with certain malware component names and, in some instances, registry keys that revealed previous file names that were wiped from the hard disk. These registry keys all pointed to filenames that began with ~D.
Unique Wiping Pattern
Analysis of the wiping pattern uncovered a consistent method that was used on each machine that Wiper was activated on. Wiper’s algorithm was designed to quickly destroy as many files as effectively as possible - multiple gigabytes at a time. About three of four targeted machines had their data completely wiped. The operation focusing on destroying the first half of the disk then systematically wiping the remaining files that are required for the system to function properly, leading to the system finally crashing. In addition, Kaspersky Lab is aware of Wiper attacks that targeted PNF files, which would be meaningless if not related to removal of additional malware components. This was also an interesting finding, since Duqu and Stuxnet kept their main body encrypted in PNF files.
How the Search for Wiper Led to the Discovery of Flame
Temporary files (TMP) beginning with ~D were also used by Duqu, which was built on the same attack platform as Stuxnet: the Tilded platform. Based on this information, the research team started looking for other potentially unknown filenames related to Wiper based on the Tilded platform. They used KSN - the cloud infrastructure used by Kaspersky Lab products to report telemetry and to deliver instant protection in the forms of blacklists and heuristic rules designed to catch the newest threats. During this process Kaspersky Lab’s research team found that several computers in Western Asia contained the filename “~DEB93D.tmp” which is how Kaspersky Lab discovered Flame; however, Wiper was not found using this method and is still unidentified.
For the full research post on Wiper, please visit Securelist.
