Malware Spotlight: What are wipers?
Imagine showing up to work and sitting down at your computer on an average day. You turn the computer on, take a sip of coffee, and find that your system has been wiped of all information. This is possibly the worst thing that could happen to an information security professional; unfortunately there is a malware threat that could cause exactly this nightmare scenario.
Enter wipers. The name comes from a single piece of malware which appeared back in 2012, but it has come to be associated with a whole class of malware that has similar data destruction goals.
This article will detail the wiper type of malware. We will explore what wipers are and how they work, real-world examples of the malware and what you can do to prevent this nightmare from happening to you.
A little about wipers
A wiper made major news back in 2014 when it led to massive data destruction. Sony Pictures was preparing to release the film “The Interview,” which portrayed both an interview with North Korean leader Kim Jong-un as well as his brutal death at the hands of James Franco’s character. In what seemed to be a response to this less than flattering portrayal of the North Korean leader, Sony Pictures was hit with a wiper. The attackers demanded that Sony withdraw “The Interview.”
Long story short, the film was not withdrawn, and Sony was hit with a massive, costly loss of data. This attack resulted in an Executive Order by President Barack Obama and further sanctions against North Korea.
Interestingly, some leading cybersecurity experts have shed some doubt on whether the North Korean government was actually responsible, adding further mystique to this infamous attack.
What is a wiper?
The name “wiper” refers to malware that has the purpose of destroying data, causing financial loss or loss of reputation. The point of the malware is not to steal money or information to sell to cybercriminals, but rather the destruction itself.
Why would destruction be the goal? While attackers have their reasons for their actions, the two main reasons appear to be either sending a message (generally political) or to attempt to cover up the attacker’s tracks post-data exfiltration.
Wipers may work in slightly different ways, but this family of malware almost always has the same targets in mind. These three targets are files (data), backups stored on the system and the system boot section.
The most time-consuming of these targets is file destruction, but it may not be exactly what you think. Most wipers do not actually overwrite disk drives because it would simply take too much time. Rather, wipers may write a certain amount of data, something like 100kb, at certain data intervals. This will destroy files randomly. The attack normally concludes with an assault on system recovery tools to prohibit recovery as a potential quick fix.
Real-world examples of wipers
The malware called Wiper was actually not the first appearance of this malware type. Malware researchers believe the first appearance of wipers occurred in 2008 with Narilam, a malware that targeted business and financial software primarily used in Iran. Below are some notable examples of wipers.
Launched by the attack group Cutting Sword of Justice, this example of a wiper targeted Saudi Aramco and other Middle Eastern oil companies in mid-to-late 2012. Shamoon was a crude yet effective wiper that wiped and rendered victim systems unbootable. For those interested, an informative, fine-grained analysis of this attack can be found here.
This crude wiper attacked targets in Iran in 2012 and is apparently not related to previous examples of wiper malware. Instead of writing data at prescribed data intervals, Groovemonitor targeted files on certain dates. When these hard-coded dates occurred, this wiper deleted all files from disk “d:” to disk “i:”.
As the name indicates, this wiper example focused on targets in South Korea. It made its name back in 2013 by attacking media companies and several banks. Based on the “loud” nature of the targets, malware researchers have concluded that this attack was launched by hacktivists or script kiddies looking for their proverbial fifteen minutes of fame.
We mentioned this one earlier, but it’s definitely worth a closer look. Variants of Narilam have been in use since as early as 2008. Narilam does not finish its work in short order like most wipers; instead, Narilam works slowly and may be present on a system for years before it is detected. The hardest thing to deal with is that the corruption it produces is not readily noticeable, increasing the amount of time before the infection can be remedied.
Wiper prevention measures
As demonstrated during previous wiper attacks, purely defensive measures will not prevent a Wiper attack. As discouraging as this may sound, don’t lose heart — there are measures that will at least increase your odds of not being caught by this malware. Some solid recommendations include:
- Regularly back up all important data, preferably offsite
- Harden all information systems to the greatest extent possible
- Recovery, response and business continuity plans should be tested and continuously tightened
- User and network segmentation
- Overlapping anti-malware solutions
Wipers are the kind of stuff information security nightmares are made of. This type of malware can efficiently wipe out nearly all sensitive information on drives and cause a massive amount of both data and financial loss. But while even the strongest defensive measures will not guarantee perfect safety from wipers, following a tight, well-founded cybersecurity response plans, backup and recovery schemes, and wise deployment of anti-malware solutions may greatly reduce the chance that your organization will fall victim to the next wiper attack.
- Secrets of the Wiper: Inside the World’s Most Destructive Malware, Threatpost
- 5 Steps to Mitigating Wiper Malware, TechRepublic
- Destructive Malware: Five Wipers in the Spotlight, Kaspersky
- Wiper Malware Can Wipe You Out, LP3