Wiper virus shows Duqu, Stuxnet similarities

Powered by SC Magazine

More state-sponsored malware?

A computer virus that in April this year erased hard disks and shut down systems in an attack on Iran's Oil Ministry bears some resemblance to the nation-state sponsored Duqu and Stuxnet malware, according to anti-virus firm Kaspersky Labs.

On its SecureList blog, Kaspersky Labs noted that the Wiper virus used file names common to Duqu and Stuxnet, and speculated that due to this, the three destructive computer programs were related.

Stuxnet rose to infamy last year as it attacked Iran's nuclear fuel enrichment centrifuges. It was followed by the Duqu virus that also aimed to sabotage Iran's nuclear programme.

Although the actual provenance of the malware was yet to be fully ascertained, Kaspersky believed Stuxnet and Duqu to be the work of a government.

The International Telecommunications Union (ITU) asked Kaspersky Labs to analyse the Iranian attacks and work out extent of the damage.

However, Kaspersky had not received any Wiper virus samples, and as the malware used an elaborate and effective technique to erase the hard drives on which it resided, "almost nothing was left" after its activation.

However. by sifting through the remains of data on the wiped disks, Kaspersky Labs recovered a copy of the Windows Registry system settings database. In the Registry hive, Kaspersky discovered a service that created file names, similar in naming format to those written by the Duqu malware.

Wiper isn't related to Flame, another malware discovered by Kaspersky that spread in Middle Eastern countries, but mostly in Iran.

Flame could record sound, keyboard strokes and network traffic, and also take screenshots. It would also attempt to grab information from nearby Bluetooth enabled devices. 

Flame was wiped from the infected systems by its controllers, wiping all traces of it.

Kaspersky Labs said there is no doubt that Wiper existed, attacking computers in Iran and maybe elsewhere in the world. 

However, "the malware was so well written that once it was activated, no data survived," the firm said.

Due to this, Wiper remains unknown and Kaspersky has been unable to create detection for it.

Copyright © iTnews.com.au . All rights reserved.

Wiper virus shows Duqu, Stuxnet similarities
Top Stories
Toll Group to go Google
Poaches Woolworths project manager.
How News Corp's CIO tackled skills in his race to the cloud
What to do when your team’s talents are no longer needed.
Photos: How Thodey transformed Telstra
From turbulent Trujillo to Australia's leading telco.
Sign up to receive iTnews email bulletins
Latest Comments
Who do you trust most to protect your private data?

   |   View results
Your bank
Your insurance company
A technology company (Google, Facebook et al)
Your telco, ISP or utility
A retailer (Coles, Woolworths et al)
A Federal Government agency (ATO, Centrelink etc)
An Australian law enforcement agency (AFP, ASIO et al)
A State Government agency (Health dept, etc)

Do you support the abolition of the Office of the Information Commissioner?

   |   View results
I support shutting down the OAIC.
I DON'T support shutting the OAIC.