Malware Spotlight: What are wipers?
Introduction
Imagine showing up to work and sitting down at your computer on an average day. You turn the computer on, take a sip of coffee, and find that your system has been wiped of all information. This is possibly the worst thing that could happen to an information security professional; unfortunately there is a malware threat that could cause exactly this nightmare scenario.
Enter wipers. The name comes from a single piece of malware which appeared back in 2012, but it has come to be associated with a whole class of malware that has similar data destruction goals.
Become a certified reverse engineer!
This article will detail the wiper type of malware. We will explore what wipers are and how they work, real-world examples of the malware and what you can do to prevent this nightmare from happening to you.
A little about wipers
A wiper made major news back in 2014 when it led to massive data destruction. Sony Pictures was preparing to release the film “The Interview,” which portrayed both an interview with North Korean leader Kim Jong-un as well as his brutal death at the hands of James Franco’s character. In what seemed to be a response to this less than flattering portrayal of the North Korean leader, Sony Pictures was hit with a wiper. The attackers demanded that Sony withdraw “The Interview.”
Long story short, the film was not withdrawn, and Sony was hit with a massive, costly loss of data. This attack resulted in an Executive Order by President Barack Obama and further sanctions against North Korea.
Interestingly, some leading cybersecurity experts have shed some doubt on whether the North Korean government was actually responsible, adding further mystique to this infamous attack.
What is a wiper?
The name “wiper” refers to malware that has the purpose of destroying data, causing financial loss or loss of reputation. The point of the malware is not to steal money or information to sell to cybercriminals, but rather the destruction itself.
Why would destruction be the goal? While attackers have their reasons for their actions, the two main reasons appear to be either sending a message (generally political) or to attempt to cover up the attacker’s tracks post-data exfiltration.
Wipers may work in slightly different ways, but this family of malware almost always has the same targets in mind. These three targets are files (data), backups stored on the system and the system boot section.
The most time-consuming of these targets is file destruction, but it may not be exactly what you think. Most wipers do not actually overwrite disk drives because it would simply take too much time. Rather, wipers may write a certain amount of data, something like 100kb, at certain data intervals. This will destroy files randomly. The attack normally concludes with an assault on system recovery tools to prohibit recovery as a potential quick fix.
Real-world examples of wipers
The malware called Wiper was actually not the first appearance of this malware type. Malware researchers believe the first appearance of wipers occurred in 2008 with Narilam, a malware that targeted business and financial software primarily used in Iran. Below are some notable examples of wipers.
Shamoon
Launched by the attack group Cutting Sword of Justice, this example of a wiper targeted Saudi Aramco and other Middle Eastern oil companies in mid-to-late 2012. Shamoon was a crude yet effective wiper that wiped and rendered victim systems unbootable. For those interested, an informative, fine-grained analysis of this attack can be found here.
Groovemonitor/Maya
This crude wiper attacked targets in Iran in 2012 and is apparently not related to previous examples of wiper malware. Instead of writing data at prescribed data intervals, Groovemonitor targeted files on certain dates. When these hard-coded dates occurred, this wiper deleted all files from disk “d:” to disk “i:”.
Dark Seoul
As the name indicates, this wiper example focused on targets in South Korea. It made its name back in 2013 by attacking media companies and several banks. Based on the “loud” nature of the targets, malware researchers have concluded that this attack was launched by hacktivists or script kiddies looking for their proverbial fifteen minutes of fame.
Narilam
We mentioned this one earlier, but it’s definitely worth a closer look. Variants of Narilam have been in use since as early as 2008. Narilam does not finish its work in short order like most wipers; instead, Narilam works slowly and may be present on a system for years before it is detected. The hardest thing to deal with is that the corruption it produces is not readily noticeable, increasing the amount of time before the infection can be remedied.
Wiper prevention measures
As demonstrated during previous wiper attacks, purely defensive measures will not prevent a Wiper attack. As discouraging as this may sound, don’t lose heart — there are measures that will at least increase your odds of not being caught by this malware. Some solid recommendations include:
- Regularly back up all important data, preferably offsite
- Harden all information systems to the greatest extent possible
- Recovery, response and business continuity plans should be tested and continuously tightened
- User and network segmentation
- Overlapping anti-malware solutions
Conclusion
Wipers are the kind of stuff information security nightmares are made of. This type of malware can efficiently wipe out nearly all sensitive information on drives and cause a massive amount of both data and financial loss. But while even the strongest defensive measures will not guarantee perfect safety from wipers, following a tight, well-founded cybersecurity response plans, backup and recovery schemes, and wise deployment of anti-malware solutions may greatly reduce the chance that your organization will fall victim to the next wiper attack.
Sources
- Secrets of the Wiper: Inside the World’s Most Destructive Malware, Threatpost
- 5 Steps to Mitigating Wiper Malware, TechRepublic
- Destructive Malware: Five Wipers in the Spotlight, Kaspersky
- Wiper Malware Can Wipe You Out, LP3
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Malware Spotlight: What are wipers?
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis