• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Koske, a new AI-Generated Linux malware appears in the threat landscape

 | 

Mitel patches critical MiVoice MX-ONE Auth bypass flaw

 | 

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 

U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

 | 

Microsoft issues emergency patches for SharePoint zero-days exploited in "ToolShell" attacks

 | 

SharePoint zero-day CVE-2025-53770 actively exploited in the wild

 | 

Singapore warns China-linked group UNC3886 targets its critical infrastructure

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Cyber warfare
  • Malware
  • Security
  • Wiper, assumptions and difficulties analyzing a malware

Wiper, assumptions and difficulties analyzing a malware

Pierluigi Paganini August 31, 2012

During last April many press agencies and security firms published a story related to the detection of a new malware, named Wiper that attacked computers at businesses throughout Iran.

Kaspersky Lab and the International Telecommunications Union (ITU) investigated on the event trying to isolate the malware and analyze it. During the investigation the team of experts didn’t find any agent with characteristics of Wiper but they discovered the malware related to the Flame campaign, including the Gauss module.

Kaspersky team is convinced that Wiper agent wasn’t related to Flame, the cyber espionage platform state sponsored, but Flame is a complex platform able to adapt its behavior simply loading new payload, for example an attractive hypothesis is that Wiper is the last act of a spy action and it is a module loaded trough the Flame platform.

The investigation of the excellent team of Kaspersky have taken a turn when they obtained several hard drive images attacked by Wiper and have analyzed them.

The investigation was very hard because the authors of Wiper have covered every trace related to the attacks, after the activation of Wiper the malware destroy any trace of its presence … at least this was the intention of the designers, but some elements useful to the investigation remained and was the basis for the analysis of experts.

“From some of the destroyed systems we were lucky enough to recover a copy of the registry hive. The registry hive did not contain any malicious drivers or startup entries. However, we came up with the idea to look into the hive slack space for deleted entries. “

What have discovered the researchers?

Just before the pc went down, a specific registry key was created and then deleted. The key was a service named “RAHDAUD64” that pointed to a file on disk named “~DF78.tmp” located in the “C:\WINDOWS\TEMP” folder. The name of the file appears random and always it start with the “~” symbol, circumstance that evoke Duqu malware in the mind of experts.

The file was impossible to recover due the erasing operated by malware, the experts have also discovered that the wiping process implemented follows a specific pattern which was used to trash the files on disk.

“Most of the files that were wiped contain this specific pattern that repeats over and over. Interestingly, it did not overwrite the entire file. In some cases some portions of the file remained intact, every header of the files were destroyed in the first place. This was probably caused by the size of the file. The wiping algorithm was designed to quickly destroy as many files as possible.”

Again Tilded Platform

The researchers noticed that “an abnormally large number of machines” contained the same file name: ~DEB93D.tmp, name that is similar to the ones used by the malware produced with the “Tilded platform” such as Duqu and Stuxnet.  Of course the file is encrypted, but it is easy to note that file start with with bytes “6F C8”, the same in the Duqu PNF main body.

Duqu (Nov 3, 2010): Wiper ~DEB93D.tmp file
00: ED 6F C8 DA 30 EE D5 01 00: 6F C8 FA AA 40 C5 03 B8

Resuming,  the investigation has demonstrated the existence of a malware named Wiper that hit Iranian systems until late April 2012, what is impressive is the capacity of the malware to erase every single trace of its existence making hard every kind of analysis.

We are facing with another malware that in my opinion is son of a state sponsored project and that has been undetected for a long time eluding antivirus system demonstrating the great skills of its authors.

Wiper was not related to Flame, it appears more close to Duqu and Stuxnet, given the common filenames, but its an hypothesis.

The expert of Kaspersky conclude their analysis saying:

“What is certain is that Wiper was extremely effective and has sparked potential copycats such as Shamoon. The fact that the use of Wiper led to the discovery of the 4- or 5-year-old Flame cyber-espionage campaign raises a major question. If the same people who created Duqu/Stuxnet/Flame also created Wiper, was it worth blowing the cover of a complex cyber-espionage campaign such as Flame just to destroy a few computer systems?”

The question proposed is interesting, my personal opinion is that different groups related to allied states have collaborated sharing information on the techniques to develop these kind of agents, this is happened in a fist phase, subsequently the deploy of the malware is evolved in separated way and in case like this creating an interferences that has made possible the discovery of Flame campaign.

For sure, similar agents are still operative and new ones are under designing … what is worrying is that these agents are increasing in complexity and are able to elude ordinary defense systems, let’s be prepared to a scary scenario.

Pierluigi Paganini

 

References

http://www.securelist.com/en/blog/208193808/What_was_that_Wiper_thing

http://blog.eset.com/2012/08/02/flamer-analysis-framework-reconstruction

 


facebook linkedin twitter

cyber espionage duqu Flame Gauss Iran malware Shamoon stuxnet Tilded Platform Wiper

you might also like

Pierluigi Paganini July 25, 2025
Koske, a new AI-Generated Linux malware appears in the threat landscape
Read more
Pierluigi Paganini July 25, 2025
Mitel patches critical MiVoice MX-ONE Auth bypass flaw
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Koske, a new AI-Generated Linux malware appears in the threat landscape

    Malware / July 25, 2025

    Mitel patches critical MiVoice MX-ONE Auth bypass flaw

    Security / July 25, 2025

    Coyote malware is first-ever malware abusing Windows UI Automation

    Malware / July 24, 2025

    SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

    Security / July 24, 2025

    DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

    Security / July 24, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT