Kaspersky looks at the wreckage of Wiper malware

Kaspersky had been prompted by the International Telecommunication Union to examine the effect of some new and very destructive malware, which has been dubbed ‘Wiper’. It was while looking for Wiper that Kaspersky accidentally discovered Flame – but Wiper was not, and has not been found. The reason is clear; Wiper destroys disks; and in doing so it wipes out itself if not evidence of its existence.

Stuxnet and Duqu both use components with filenames commencing ~D. On the basis that Wiper might be similarly related, Kaspersky searched for other files starting in the same manner. It found what it calls “a significant number of files in Western Asia named ~DEB93D.tmp.” It wasn’t Wiper – it was the first discovery of Flame.

Nevertheless, Kaspersky was able to examine some of the disks that had been destroyed by Wiper, and found a number of clues. Firstly, it is confident that Flame and Wiper are two separate tools. They may, however, all belong to the same stable of ‘nation-state’ cyberweapons: Stuxnet, Duqu, Flame and now Wiper – because even Wiper has left remnants of ~D files. But Wiper is so efficient at removing all traces of itself (it would seem that it destroys itself on disk before attempting to wipe the hard drive), that Kaspersky concludes, “It may be possible that we will never find out what Wiper was, but based on our experience, we are reasonably sure that it existed, and that it was not related to Flame.”

Nor is Shamoon part of Wiper. Shamoon is not in the same class as Wiper. “What is certain is that Wiper was extremely effective and has sparked potential copycats such as Shamoon,” comments the company.

The unspoken conclusion, however, is that if Wiper existed, it still exists even if only in someone’s laboratory. It has already been used as a weapon, and possibly more than once. “We are aware,” comments Kaspersky, “of some very similar incidents that have taken place since December of 2011.” The danger is that this unknown weapon could be used again by some unknown actor – so the search for Wiper and a possible defense continues.

What’s Hot on Infosecurity Magazine?