In April 2012 a series of incidents were publicly reported about a destructive malware program, codenamed Wiper, which was attacking computer systems related to a number of oil facilities in Western Asia.

In May 2012, Kaspersky Lab’s research team conducted a search prompted by the International Telecommunication Union to investigate the incidents and determine the potential threat from this new malware as it related to global sustainability and security.

Today Kaspersky Lab’s experts published the research that resulted from the digital forensic analysis of the hard disk images obtained from the machines attacked by Wiper.

The analysis provides insights into Wiper’s highly effective method of destroying computer systems, including its unique data wiping pattern and destructive behavior. Even though the search for Wiper resulted in the inadvertent discovery of Flame, Wiper itself was not discovered during the search and is still unidentified.

In the meantime, Wiper’s effective way of destroying machines may have encouraged copycats to create destructive malware such as Shamoon, which appeared in August 2012.

Summary findings:

• Kaspersky Lab confirms that Wiper was responsible for the attacks launched on computer systems in Western Asia in April 21 - 30, 2012.
• The analysis of the hard disk images of the computers that were destroyed by Wiper revealed a specific data wiping pattern together with a certain malware component name, which started with ~D. These findings are reminiscent of Duqu and Stuxnet, which also used filenames beginning with ~D, and were both built on the same attack platform - known as Tilded.
• Kaspersky Lab began searching for other files starting with ~D via the Kaspersky Security Network (KSN) to try and find additional files of Wiper based on the connection with the Tilded platform.
• During this process Kaspersky Lab identified a significant number of files in Western Asia named ~DEB93D.tmp. Further analysis showed this file was actually part of a different type of malware: Flame. This is how Kaspersky Lab discovered Flame.
• Despite Flame being discovered during the search for Wiper, Kaspersky Lab’s research team believes Wiper and Flame are two separate and distinct malicious programs.
• Although Kaspersky Lab analyzed traces of the Wiper infection, the malware is still unknown because no additional wiping incidents that followed the same pattern occurred, and no detections of the malware have appeared in Kaspersky Lab’s proactive protection.
• Wiper was extremely effective and could spark others to create new, “copycat” types of destructive malware, such as Shamoon.

Forensic analysis of wiped computers

Kaspersky Lab’s analysis of the hard disk images taken by the machines destroyed by Wiper showed that the malicious program wiped the hard disks of the targeted systems and destroyed all of the data that could be used to identify the malware.

The file system corrupted by Wiper prevented computers from rebooting and caused improper general functioning. Therefore, in every machine that was analyzed, almost nothing was left after the activation of Wiper, including the chance of recovering or restoring any data.

However, Kaspersky Lab’s research revealed some valuable insight including the specific wiping pattern used by the malware along with certain malware component names and, in some instances, registry keys that revealed previous file names that were wiped from the hard disk. These registry keys all pointed to filenames that began with ~D.

Unique wiping pattern

Analysis of the wiping pattern uncovered a consistent method that was used on each machine that Wiper was activated on. Wiper’s algorithm was designed to quickly destroy as many files as effectively as possible, which can include multiple gigabytes at a time.

About three of four targeted machines had their data completely wiped. The operation focusing on destroying the first half of the disk then systematically wiping the remaining files that are required for the system to function properly, leading to the system finally crashing.

In addition, we are aware of Wiper attacks that targeted PNF files, which would be meaningless if not related to removal of additional malware components. This was also an interesting finding, since Duqu and Stuxnet kept their main body encrypted in PNF files.

How the search for Wiper led to the discovery of Flame

Temporary files (TMP) beginning with ~D were also used by Duqu, which was built on the same attack platform as Stuxnet: the Tilded platform. Based on this clue, the research team started looking for other potentially unknown filenames related to Wiper based on the Tilded platform using KSN, which is the cloud infrastructure used by Kaspersky Lab products to report telemetry and to deliver instant protection in the forms of blacklists and heuristic rules designed to catch the newest threats.

During this process Kaspersky Lab’s research team found that several computers in Western Asia contained the filename “~DEB93D.tmp” .This is how Kaspersky Lab discovered Flame; however, Wiper was not found using this method and is still unidentified.

Alexander Gostev, Chief Security Expert of Kaspersky Lab, said: “Based on our analysis of the patterns Wiper left on examined hard disk images, there is no doubt that the malware existed and was used to attack computer systems in Western Asia in April of 2012, and probably even earlier - in December of 2011. Even though we discovered Flame during the search for Wiper, we believe that Wiper was not Flame but a separate and different type of malware. Wiper’s destructive behavior combined with the filenames that were left on wiped systems strongly resembles a program that used the Tilded platform. Flame’s modular architecture was completely different and was designed to execute a sustained and thorough cyber-espionage campaign. We also did not identify any identical destructive behavior that was used by Wiper during our analysis of Flame.”