By Lucian Constantin | IDG News Service August 30, 2012
Kaspersky security researchers present their findings about Wiper malware affecting servers at Iran’s oil ministry in April
Security researchers from Kaspersky Lab have uncovered information suggesting a possible link between the mysterious malware that attacked Iranian oil ministry computers in April and the Stuxnet and Duqu cyber espionage threats.
Following April reports that data was destroyed on multiple servers in Iran, possibly by a new piece of malware, the International Telecommunication Union (ITU) asked security vendor Kaspersky Lab to investigate the incidents.
[ Also on InfoWorld: Stuxnet marks the start of the next security arms race. | Security expert Roger A. Grimes offers a guided tour of the latest threats and explains what you can do to stop them in InfoWorld’s “Fight Today’s Malware” Shop Talk video and Malware Deep Dive Report. | Learn how to secure your systems with InfoWorld’s Security Central newsletter. ]
Kaspersky’s researchers were not able to find the mysterious malware, which was given the name Wiper, because very little data from the affected hard disk drives was recoverable.
After reviewing the bits of information extracted from the affected hard drives, the Kaspersky researchers concluded that the Wiper malware did in fact exist, that it used a sophisticated and effective data wiping algorithm and that it was most likely not a Flame component.
“We can now say with certainty that the incidents took place and that the malware responsible for these attacks existed in April 2012,” researchers from Kaspersky’s global research and analysis team said Wednesday in a blog post. “Also, we are aware of some very similar incidents that have taken place since December of 2011.”
Even though a connection to Flame is unlikely, there is some evidence suggesting that Wiper might be related to Stuxnet or Duqu.
For example, on a few of the hard drives analyzed, the researchers found traces of a service called RAHDAUD64 that loaded files named ~DFXX.tmp — where XX are two random digits — from the C:\WINDOWS\TEMP folder.
“The moment we saw this, we immediately recalled Duqu, which used filenames of this format,” the researchers said. “In fact, the name Duqu was coined by the Hungarian researcher Boldizsar Bencsath from the CrySyS lab because it created files named ?~dqXX.tmp.”
Kaspersky’s researchers had already established that both Stuxnet and Duqu were created by the same team of developers using the same platform — dubbed the Tilded Platform because the malware used files with names starting with the “~” (tilde) symbol.
The researchers were not able to recover the ~DFXX.tmp files because they had been overwritten with garbage data during Wiper’s data destruction routine.
Another possible link to Stuxnet and Duqu is the fact that Wiper apparently prioritized .PNF files during its data wiping process. Both Duqu and Stuxnet kept their main components in encrypted .PNF files, the Kaspersky researchers said.
The evidence found so far is not sufficiently solid to conclude with certainty that Wiper is related to Stuxnet or Duqu and the truth may never come to light unless a system is discovered where Wiper’s data destruction routine somehow failed, the researchers said.
However, if it is related, then it’s another piece of a larger puzzle that points to a major nation-state-sponsored cyberespionage and cybersabotage operation in the Middle East. Kaspersky’s researchers have already established, based on technical evidence, that Stuxnet, Duqu, Flame and Gauss are related to each other.
According to a New York Times report from June that cited unnamed sources from within the Obama administration, Stuxnet was jointly developed by the U.S. and Israel and was part of a secret operation code-named Olympic Games