'Undetected' virus was able to destroy PC data

News by Dan Raywood

A piece of malware called 'Wiper' hit targets in Western Asia earlier this year.


Analysis by Kaspersky Lab found that Wiper had a highly effective method of destroying computer systems, including a unique data wiping pattern. Kaspersky Lab said that it came across Flame while it was searching for Wiper, but that Wiper itself has not been 'discovered', as the malware was so well written that once it was activated, no data survived.

The report on Wiper said: “Although we've seen traces of the infection, the malware is still unknown because we have not seen any additional wiping incidents that followed the same pattern as Wiper, and no detections of the malware have appeared in the proactive detection components of our security solutions.”

It also said that it may be possible that Wiper will never be discovered, but based on Kaspersky Lab's research and experience, it was reasonably sure that it existed and that it was not related to Flame.

Forensic analysis of the wiped hard disk images found that the malicious program wiped the hard disks of the targeted systems and destroyed all data that could be used to identify the malware. The file system corruption caused by Wiper also prevented computers from rebooting and left them functioning improperly, meaning that nothing was left after Wiper was activated on any machine that was analysed, and there was little chance of recovering or restoring any data.

The hard disk image analysis also revealed a specific data wiping pattern together with a certain malware component name, which started with ~D. Kaspersky Lab said that these findings were reminiscent of Duqu and Stuxnet, which also used filenames beginning with ~D and were both built on the same attack platform, known as Tilded.

The unique wiping pattern was designed to destroy as many files as possible, as quickly and effectively as possible, including multiple gigabytes at a time, with 75 per cent of targeted machines having their data wiped completely.

Alexander Gostev, chief security expert at Kaspersky Lab, said: “Based on our analysis of the patterns Wiper left on examined hard disk images, there is no doubt that the malware existed and was used to attack computer systems in Western Asia in April of 2012, and probably even earlier - in December of 2011.”

