The lighter areas have higher entropy, the darker areas, lower. We’ve used a statistical representation (Shannon entropy in blocks of 256K) to represent entropy on disk.
For example, let’s take a look at the following disk which was wiped by Wiper. So the creators of the malware were careful to select wiping algorithms that could achieve maximum efficiency. Wiping a disk that is several hundred gigabytes in size might take hours.
Wiping disk sectors (possibly using a bootkit module).in Documents and Settings, Windows, Program Files) and on all available USB drives connected to the computer. Searching for and wiping all files in certain folders (e.g.Searching for and wiping files based on their extensions.In an attempt to reconstruct the Wiper algorithm we came up with the following sequence: The wiping algorithm was designed to quickly destroy as many files as possible.īased on the pattern that we know had been used when wiping files, we collected Kaspersky Security Network (KSN) statistics on which files had been destroyed. This was probably caused by the size of the file. In some cases some portions of the file remained intact, every header of the files were destroyed in the first place. Interestingly, it did not overwrite the entire file. Most of the files that were wiped contain this specific pattern that repeats over and over. So it’s possible the names were random.Īnother peculiarity of the wiping process was a specific pattern which was used to trash the files on disk: In these other systems, the RAHDAUD64 service pointed to different filenames, such as “~DF11.tmp” and “~DF3C.tmp”. We found the same “wiping” pattern in several of the other systems we analyzed – a service named “RAHDAUD64” which was deleted just before it is wiped – and its file filled with garbage data. We tried to recover the file “~DF78.tmp” from the disk, but found that the physical space where it resided was filled with garbage data. In fact, the name Duqu was coined by the Hungarian researcher Boldizsár Bencsáth from the CrySyS lab because it created files named “~dqXX.tmp”. The moment we saw this, we immediately recalled Duqu, which used filenames of this format. It pointed to a file on disk named “~DF78.tmp”, in the “C:WINDOWSTEMP” folder. Interestingly, on 22 April, just before this system went down, a specific registry key was created and then deleted. However, we came up with the idea to look into the hive slack space for deleted entries.
#Kaspersky rescue disk usb where is trash folder drivers
The registry hive did not contain any malicious drivers or startup entries. It’s important to stress “almost nothing” here because some traces did remain that allowed us to get a better understanding of the attacks.įrom some of the destroyed systems we were lucky enough to recover a copy of the registry hive. So, in every single case we’ve analyzed, almost nothing was left after the activation of Wiper. The creators of Wiper were extremely careful to destroy absolutely every single piece of data which could be used to trace the incidents.
The attacks mostly took place in the last 10 days of the month (between the 21st and 30th ) although we cannot confirm that this was due to a special function being activated on certain dates. Also, we are aware of some very similar incidents that have taken place since December of 2011.
We can now say with certainty that the incidents took place and that the malware responsible for these attacks existed in April 2012. So, months later, we are left wondering: Just what was Wiper? Enter Wiperĭuring the investigation of the mysterious malware attack in April, we were able to obtain and analyze several hard drive images that were attacked by Wiper. Of course, it is possible that one of the last stages of the surveillance was the delivery of a Wiper-related payload, but so far we haven’t seen this anywhere. Given the complexity of Flame, one would expect it to be used for long-term surveillance of targets instead of direct sabotage attacks on computer systems. Although Flame was a highly flexible attack platform, we did not see any evidence of very destructive behavior. It is our firm opinion that Wiper was a separate strain of malware that was not Flame. However, we did discover the nation-state cyber-espionage campaign now known as Flame and later Gauss. Yet, no samples were available from these attacks, causing many to doubt the accuracy of these reports.įollowing these incidents, the International Telecommunications Union (ITU) asked Kaspersky Lab to investigate the incidents and determine the potentially destructive impact of this new malware.Īfter several weeks of research, we failed to find any malware that shared any known properties with Wiper. Several articles mentioned that a virus named Wiper was responsible. In April 2012, several stories were published about a mysterious malware attack shutting down computer systems at businesses throughout Iran.
0 kommentar(er)
