Every single day, Kaspersky Lab processes more than 300,000 new malware samples. The vast majority of these malicious files is what we call crimeware -- computer programs designed for financial profit and used by cyber-criminals to make money. From the remaining percentage, a small amount are designed exclusively for cyber-espionage and used by a variety of advanced threat actors.
What is left is an even smaller percentage of the total and includes rare, unusual things. Wipers, which are highly destructive programs, are some of the rarest kinds of malware, however, their usage has spiked over the last few years.
Back in the old days, most of the malware was written by computer enthusiasts, cyber-hooligans and pranksters. Hence, destructive viruses, or Trojans, were much more common. Some examples include BadSectors, a computer virus that would mark disk sectors as bad, even if they weren’t, resulting in subtle corruption of data. Another example was OneHalf, a computer virus that would encrypt the hard drive cylinder-by-cylinder, transparently decrypting it on the fly while active. If one were to remove the virus,that would leave the data on the disk in encrypted format, without an easy way to decrypt it.
Perhaps the best known example is CIH, also known as Chernobyl. CIH, named after the initials of its author, Chen Ing-hau, was a computer virus that had the ability to wipe the BIOS flash memory. Computers affected by CIH couldn’t boot up anymore. This wasn’t a major problem for PCs, which had the BIOS memory in the form of a removal chip that could be reprogrammed on another system; however, for laptop owners, the CIH virus was quite destructive.
Over the last few years, we’ve seen a number of major incidents involving destructive malware. We’ve decided to put together a brief summary the most important Wiper incidents:
In late-2011, early-2012, reports emerged about computer systems that were compromised and rendered unbootable. The extent of the damage to these systems was so big that almost no data was recoverable. Some artefacts from the wiped systems indicated a possible link with Stuxnet and Duqu; however, these were never proven. The malware responsible for these attacks was named the "Wiper"; we wrote about it here.
The Wiper appeared to use two methods to attack systems. Files with certain “hot” extensions were filled with trash, then the whole computer hard disk would be filled with trash. While it is unknown how this was possible without crashing the operating systems, some solutions that might have been used includedevice drivers loaded at boot, or simply a malicious bootkit.
Our investigation into the Wiper led to the discovery of Flame; which we now believe was an unrelated malware. To our knowledge, even today, the Wiper remains a mystery.
In August 2012, a large number of computers (believed to be more than 30,000) at Saudi Aramco were wiped and rendered unbootable. We wrote about this incident here.
In this case, the malware responsible for the attacks was identified and recovered. Shamoon used a simple and crude wiping method that proved to be quite effective. Although responsibility for the Shamoon attack was claimed by hackers from a group named “Cutting Sword of Justice”, the details remain murky.
After the Saudi Aramco attack, another similar attack was uncovered, at the Rasgas company in Qatar.
Some media reports indicated that despite the credits, perhaps Iranian hackers were behind this attack. One forgotten artefact in the malware “Shamoon for Arabian Gulf” seems to indicate otherwise; as Iranian programmers would have most likely called this “Persian Gulf”. (see Wikipedia)
Narilam is an interesting piece of malware; it affects databases for some very specific computer software, which is mostly used in Iran. The corruptions it produces are subtle and can be difficult to notice. If Narilam is allowed to run for years on a computer system, the effects can be quite devastating, as modifications cannot be easily identified. As opposed to the Wiper, Narilam is a slow acting malware, designed for long term sabotage. We’ve identified many different versions of Narilam, some of them active since 2008.
We’ve described the Groovemonitor/Maya attacks here.
This malware was first reported by the Iranian Maher CERT, in 2012. Relatively simplistic, the malware was rather crude in its actions. Groovemonitor triggers on certain dates, which are hardcoded in its body, from 10 December 2012 until 4 February 2015. On such dates, it simply deletes all the files on disks “d:” to “i:”
We covered the Dark Seoul attacks here.
The Dark Seoul, as its name suggests, was used in a coordinated attack against several banks and media companies in Seoul, South Korea. The attacks were reported in May 2013, although the group behind the attacks appears to have been active for much longer, perhaps since as early as 2009.
As one can see from the list above, most of the Wiper-style attacks during the past few years have been in the Middle East. However, as observed from these incidents, this kind of malware can be a highly effective type of cyber-weapon. The power to wipe tens of thousands of computers at the push of a button or a mouse click represents a powerful asset for any cyber-army. This can be an even more devastating blow when coupled with a real world kinetic attack to paralyze a country’s infrastructure.
To summarize, Wiper-style attacks are kind of rare nowadays, as the main focus of malware is financial profit. The danger comes from coupling Wiper style attacks with the fact that more and more critical infrastructure weaknesses are uncovered every day.
We estimate that Wiper attacks will continue and may become even more popular in the near future, as means of attacking critical infrastructure at precise times, to cause widespread damage.