Wiper virus shows Duqu, Stuxnet similarities

Powered by SC Magazine
 

More state-sponsored malware?

A computer virus that in April this year erased hard disks and shut down systems in an attack on Iran's Oil Ministry bears some resemblance to the nation-state sponsored Duqu and Stuxnet malware, according to anti-virus firm Kaspersky Labs.

On its SecureList blog, Kaspersky Labs noted that the Wiper virus used file names common to Duqu and Stuxnet, and speculated that due to this, the three destructive computer programs were related.

Stuxnet rose to infamy last year as it attacked Iran's nuclear fuel enrichment centrifuges. It was followed by the Duqu virus that also aimed to sabotage Iran's nuclear programme.

Although the actual provenance of the malware was yet to be fully ascertained, Kaspersky believed Stuxnet and Duqu to be the work of a government.

The International Telecommunications Union (ITU) asked Kaspersky Labs to analyse the Iranian attacks and work out extent of the damage.

However, Kaspersky had not received any Wiper virus samples, and as the malware used an elaborate and effective technique to erase the hard drives on which it resided, "almost nothing was left" after its activation.

However. by sifting through the remains of data on the wiped disks, Kaspersky Labs recovered a copy of the Windows Registry system settings database. In the Registry hive, Kaspersky discovered a service that created file names, similar in naming format to those written by the Duqu malware.

Wiper isn't related to Flame, another malware discovered by Kaspersky that spread in Middle Eastern countries, but mostly in Iran.

Flame could record sound, keyboard strokes and network traffic, and also take screenshots. It would also attempt to grab information from nearby Bluetooth enabled devices. 

Flame was wiped from the infected systems by its controllers, wiping all traces of it.

Kaspersky Labs said there is no doubt that Wiper existed, attacking computers in Iran and maybe elsewhere in the world. 

However, "the malware was so well written that once it was activated, no data survived," the firm said.

Due to this, Wiper remains unknown and Kaspersky has been unable to create detection for it.

Copyright © iTnews.com.au . All rights reserved.


Wiper virus shows Duqu, Stuxnet similarities
 
 
 
Top Stories
Microsoft confirms Australian Azure launch
Available from next week.
 
NBN Co names first 140 FTTN sites
National trial extended.
 
Cloud, big data propel bank CISOs into the boardroom
And this time, they are welcome.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  25%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  23%
 
End user computing (desktops, mobiles, apps)
  14%
 
Software development
  26%
TOTAL VOTES: 241

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  63%
 
No
  37%
TOTAL VOTES: 75

Vote