The perfect crime: Is Wiper malware connected to Stuxnet, Duqu?

A pattern in Wiper that repeats over and over caused the malware to selectively overwrite only parts of a file. This allowed Wiper to destroy data much more quickly.

Mysterious malware that reportedly attacked Iran’s oil ministry in April shared a file-naming convention almost identical to those used by the state-sponsored Stuxnet and Duqu operations, an indication it may have been related, security researchers said.

The highly destructive malware known as Wiper has never been recovered, but its devastating effects are confirmed in a report published on Wednesday from researchers at Russia-based antivirus provider Kaspersky Lab. It struck as early as last December and used an advanced algorithm to permanently purge large portions of hard drives from computers it infected. Because it struck the same geographic region targeted by Stuxnet, researchers have spent months searching for evidence that links Wiper to the operation, which reportedly was sponsored by the US and Israeli militaries to disrupt Iran’s nuclear program.

Researchers have also looked for links between Wiper and the malware titles dubbed Flame, Duqu, and Gauss, which more recently were found to be spawned by the same software developers as Stuxnet. Flame was discovered by Kaspersky researchers only after they were asked by the International Telecommunications Union to look into incidents involving Wiper. During the course of the investigation, they soon zeroed in on Flame. They’re only now returning their attention to the original probe.

Read 11 remaining paragraphs | Comments


Ars Technica » Technology Lab

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.