Link spotted between Wiper virus and Stuxnet, Duqu

Share this article:

Researchers now believe the mysterious Wiper virus, which targeted Iran's oil ministry in April by destroying files and erasing data, may be a cousin of Stuxnet and Duqu.

On Wednesday, Kaspersky Lab released a blog post detailing new information about Wiper, a challenging feat as the malware leaves virtually nothing behind to be analyzed.

Roel Schouwenberg, senior researcher at Kaspersky Lab, told SCMagazine.com on Wednesday that a pattern was discovered regarding the way Wiper vanquished information in its path.

“We found that Wiper tries to destroy files with a .pnf extension first, which made us think back to Stuxnet and Duqu, because they also use .pnf extensions to destroy files,” Schouwenberg said.

Though Stuxnet and Flame, sabotage and espionage malware that also targeted systems in the Middle East, are related, Schouwenberg said there appears to be no direct link between Wiper and Flame.

“When we look at how [Wiper] manifests itself in terms of file types on the machine and registry, there doesn't seem to be anything in common,” he said.

Schouwenberg also said that data-wiping Shamoon, which launched attacks on the Middle East energy sector earlier this month, was more than likely a case of Wiper copycats making a less sophisticated piece of malware.

“Maybe those attacks were inspired with all this talk about Wiper,” he said. “We don't see any common links between that and the nation-state sponsored attacks, such as Duqu and Stuxnet.”

Liam Ó Murchú, manager of operations at Symantec Security Response, told SCMagazine.com on Wednesday that with the limited information known about Wiper, it is difficult to confirm a Duqu-Stuxnet link -- but there have been indicators pointing toward this.

“It's very difficult to get precise information on the Wiper threat and to tie it to other threats,” Murchú said. “But we do believe it may have been delivered by the Stuxnet family of threats.”

He said that files starting with “~d” were created temporarily, only to be eradicated, a trait spotted in Stuxnet and Duqu.

According to Schouwenberg, other discoveries about Wiper include information being destroyed in a certain pattern. The malware first scrubs the machine of its own components, then moves on to other files in the system.

Also, Wiper attacks have usually occurred in the last 10 days of the month, between the 21st and 30th, though Kaspersky researchers aren't sure if this means the malware was designed to activate on a certain date.

Share this article:

Sign up to our newsletters

More in News

Brazilian president signs internet 'Bill of Rights' into law

Brazilian president signs internet 'Bill of Rights' into ...

President Dilma Rousseff signed the legislation on Wednesday at the NetMundial conference in Sao Paulo.

Android trojan sends premium SMS messages, targets U.S. users for first time

Android trojan sends premium SMS messages, targets U.S. ...

An SMS trojan for Android, known as FakeInst, has been observed sending premium SMS messages to users all over the world, including, for the first time, the United States.

Report: DDoS up in Q4 2013, vulnerability scanners leveraged to exploit sites

Report: DDoS up in Q4 2013, vulnerability scanners ...

Researchers observed 346 DDoS attacks in the final quarter of 2013 and attackers used Vega and Skipfish vulnerability scanners to exploit web flaws at financial companies.