Wiper May Have Links to DuQu and Stuxnet, Kaspersky Analysis Indicates


According to Kaspersky, Wiper shares a couple of characteristics with DuQu and Stuxnet, which suggests that the malware may have its roots in the US and Israel. The security company stresses, however, that the evidence may be purely circumstantial and that no conclusions should be drawn just yet.

Wiper is known to have targeted systems of the Iranian Oil Ministry and the National Iranian Oil Company. The Iranian government has said that the malware's main aim was to search for and destroy data, but that it left no permanent damage because the ministry had a backup of all essential data.

Very little information is available about Wiper, because it leaves almost no traces behind once it has done its work. Kaspersky's researchers did manage to recover some evidence from systems that were not completely wiped. That evidence came in the form of a registry key for a service named “RAHDAUD64” that was present on the machines before they were erased.

Kaspersky believes the wiping activity occurred between April 21 and April 30. The first resemblance to DuQu emerges here. A system that went down on April 22 yielded the registry-key evidence: before the system went down, Wiper created and then deleted a registry key for the aforementioned service, and that key pointed to a file on disk named “~DF78.tmp”. DuQu likewise created a number of temporary files on infected systems, using “~DQ” as the file-name prefix.
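The artifact above (a service whose binary is a “~D*.tmp” file) is something a responder can hunt for across a fleet. The following is an added example, not code from the article or from Kaspersky: it parses the text that `reg export HKLM\SYSTEM\CurrentControlSet\Services` writes and flags services whose ImagePath points at a temp-file-style binary or into a Temp directory. The sample export is constructed; only the service name RAHDAUD64 and the file name ~DF78.tmp come from the article, while the directory, the other services and every other value are assumptions for illustration. One caveat a practitioner should keep in mind: names of the “~DF####.tmp” shape also occur as ordinary Windows temporary files, so the signal here is a service pointing at such a file, not the file name on its own.

```python
"""Hunt for service entries whose binary is a '~D*.tmp'-style temp file.

Added example, not code from the article or from Kaspersky.  It parses the
text written by `reg export HKLM\SYSTEM\CurrentControlSet\Services` and
flags services whose ImagePath looks like the Wiper artifact.  Only the
service name RAHDAUD64 and the file name ~DF78.tmp come from the article;
the directory, the other services and all other values are constructed.
"""
import ntpath
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample export (not a real capture).  Real exports write
# REG_EXPAND_SZ values such as ImagePath as hex(2) UTF-16LE, so one entry
# uses that form and the others use the plain quoted form; both are parsed.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k LocalServiceNetworkRestricted"
"Type"=dword:00000020
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RAHDAUD64]
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,\
  54,00,65,00,6d,00,70,00,5c,00,7e,00,44,00,46,00,37,00,38,00,2e,00,74,00,6d,00,\
  70,00,00,00
"Type"=dword:00000010
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"ImagePath"="\"C:\\Program Files\\Example\\svc.exe\" -service"
"Type"=dword:00000010
"Start"=dword:00000002
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-fA-F]{8})$')
HEX_RE = re.compile(r'^"(?P<name>[^"]+)"=hex(?:\((?P<type>\d+)\))?:(?P<data>.*)$')
STR_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
# Binary named like a temp file: "~D" prefix and ".tmp" extension.  Wiper's
# ~DF78.tmp and DuQu's ~DQ* files both fit this shape.
TEMP_NAME_RE = re.compile(r"^~D\w*\.tmp$", re.IGNORECASE)


def _logical_lines(text: str) -> Iterator[str]:
    """Join .reg continuation lines (trailing backslash, then an indented line)."""
    buf = ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        yield buf
        buf = ""
    if buf:
        yield buf


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Return {service_name: {value_name: value}} for keys directly under ...\Services."""
    services: Dict[str, Dict[str, object]] = {}
    current = None
    for line in _logical_lines(text):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key = KEY_RE.match(line)
        if key:
            parts = key.group("key").split("\\")
            is_service = len(parts) == 5 and [p.lower() for p in parts[:4]] == [
                "hkey_local_machine", "system", "currentcontrolset", "services"]
            # Sub-keys such as ...\Services\Foo\Parameters are skipped (current=None)
            current = services.setdefault(parts[4], {}) if is_service else None
            continue
        if current is None:
            continue
        dword, hexval, strval = DWORD_RE.match(line), HEX_RE.match(line), STR_RE.match(line)
        if dword:
            current[dword.group("name")] = int(dword.group("value"), 16)
        elif hexval:
            data = bytes(int(h, 16) for h in hexval.group("data").split(",") if h.strip())
            # hex(1)/hex(2) are REG_SZ/REG_EXPAND_SZ stored as UTF-16LE; else keep raw bytes
            current[hexval.group("name")] = (data.decode("utf-16-le").rstrip("\x00")
                                             if hexval.group("type") in ("1", "2") else data)
        elif strval:
            # .reg escapes backslash and double quote with a backslash
            current[strval.group("name")] = re.sub(r"\\(.)", r"\1", strval.group("value"))
    return services


def binary_from_image_path(image_path: str) -> str:
    """Extract the executable path from an ImagePath value, dropping its arguments."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    # Unquoted path: cut at the first " -" or " /" switch so spaces in the path survive
    m = re.search(r"\s+[-/]", s)
    return s[: m.start()] if m else s


def suspicious_services(services: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Return (service, image_path, reason) for services whose binary looks like a temp file."""
    findings = []
    for name, values in services.items():
        image = values.get("ImagePath")
        if not isinstance(image, str):
            continue
        binary = binary_from_image_path(image)
        reasons = []
        if TEMP_NAME_RE.match(ntpath.basename(binary)):
            reasons.append("binary named like a temp file (~D*.tmp)")
        if re.search(r"[\\/]temp[\\/]", binary, re.IGNORECASE):
            reasons.append("binary lives under a Temp directory")
        if reasons:
            findings.append((name, image, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for service, image, reason in suspicious_services(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{service}: {image}  <- {reason}")
```

Because the article notes the key was created and then deleted before the machine went down, a live export may no longer contain it; the same parser can be run over exports taken from backup hives or earlier snapshots, where the entry may still be present.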

The second notable finding is the way Wiper goes about erasing systems. The malware's aim, in Kaspersky's words, is to “quickly destroy as many files as effectively as possible, which can include multiple gigabytes at a time.”

What is interesting is that the malware gives files with the .pnf extension high priority for deletion. Why does that matter? DuQu and Stuxnet both stored data in .pnf files, so with those files at the top of Wiper's list, the researchers suspect that Wiper's main goal was to find and delete any traces of Stuxnet and DuQu.


The research is not yet complete, and further evidence should shed more light on the origins of this malware.

Ravi is the founder of Parity Media and currently acts as an editor of ParityNews.com. He is a technology enthusiast with a keen interest in information security. Ravi has over six years of experience and is keen on raising general awareness of technology in society.