Wiper, assumptions and difficulties analyzing a malware

During last April many press agencies and security firms published a story related to the detection of a new malware, named Wiper that attacked computers at businesses throughout Iran.

Kaspersky Lab and the International Telecommunications Union (ITU) investigated on the event trying to isolate the malware and analyze it. During the investigation the team of experts didn’t find any agent with characteristics of Wiper but they discovered the malware related to the Flame campaign, including the Gauss module.

Kaspersky team is convinced that Wiper agent wasn’t related to Flame, the cyber espionage platform state sponsored, but Flame is a complex platform able to adapt its behavior simply loading new payload, for example an attractive hypothesis is that Wiper is the last act of a spy action and it is a module loaded trough the Flame platform.

The investigation of the excellent team of Kaspersky have taken a turn when they obtained several hard drive images attacked by Wiper and have analyzed them.

The investigation was very hard because the authors of Wiper have covered every trace related to the attacks, after the activation of Wiper the malware destroy any trace of its presence … at least this was the intention of the designers, but some elements useful to the investigation remained and was the basis for the analysis of experts.

“From some of the destroyed systems we were lucky enough to recover a copy of the registry hive. The registry hive did not contain any malicious drivers or startup entries. However, we came up with the idea to look into the hive slack space for deleted entries. “

What have discovered the researchers?

Just before the pc went down, a specific registry key was created and then deleted. The key was a service named “RAHDAUD64” that pointed to a file on disk named “~DF78.tmp” located in the “C:\WINDOWS\TEMP” folder. The name of the file appears random and always it start with the “~” symbol, circumstance that evoke Duqu malware in the mind of experts.

The file was impossible to recover due the erasing operated by malware, the experts have also discovered that the wiping process implemented follows a specific pattern which was used to trash the files on disk.

“Most of the files that were wiped contain this specific pattern that repeats over and over. Interestingly, it did not overwrite the entire file. In some cases some portions of the file remained intact, every header of the files were destroyed in the first place. This was probably caused by the size of the file. The wiping algorithm was designed to quickly destroy as many files as possible.”

Again Tilded Platform

The researchers noticed that “an abnormally large number of machines” contained the same file name: ~DEB93D.tmp, name that is similar to the ones used by the malware produced with the “Tilded platform” such as Duqu and Stuxnet.  Of course the file is encrypted, but it is easy to note that file start with with bytes “6F C8”, the same in the Duqu PNF main body.

Duqu (Nov 3, 2010):	Wiper ~DEB93D.tmp file
00: ED 6F C8 DA 30 EE D5 01	00: 6F C8 FA AA 40 C5 03 B8

Resuming,  the investigation has demonstrated the existence of a malware named Wiper that hit Iranian systems until late April 2012, what is impressive is the capacity of the malware to erase every single trace of its existence making hard every kind of analysis.

We are facing with another malware that in my opinion is son of a state sponsored project and that has been undetected for a long time eluding antivirus system demonstrating the great skills of its authors.

Wiper was not related to Flame, it appears more close to Duqu and Stuxnet, given the common filenames, but its an hypothesis.

The expert of Kaspersky conclude their analysis saying:

“What is certain is that Wiper was extremely effective and has sparked potential copycats such as Shamoon. The fact that the use of Wiper led to the discovery of the 4- or 5-year-old Flame cyber-espionage campaign raises a major question. If the same people who created Duqu/Stuxnet/Flame also created Wiper, was it worth blowing the cover of a complex cyber-espionage campaign such as Flame just to destroy a few computer systems?”

The question proposed is interesting, my personal opinion is that different groups related to allied states have collaborated sharing information on the techniques to develop these kind of agents, this is happened in a fist phase, subsequently the deploy of the malware is evolved in separated way and in case like this creating an interferences that has made possible the discovery of Flame campaign.

For sure, similar agents are still operative and new ones are under designing … what is worrying is that these agents are increasing in complexity and are able to elude ordinary defense systems, let’s be prepared to a scary scenario.

Pierluigi Paganini

 

References

http://www.securelist.com/en/blog/208193808/What_was_that_Wiper_thing

http://blog.eset.com/2012/08/02/flamer-analysis-framework-reconstruction