Wiper (malware)

In computer security, a wiper is a class of malware intended to erase (wipe, hence the name) the hard drive of the computer it infects, maliciously deleting data and programs.


Examples

A piece of malware referred to as "Wiper" was allegedly used in attacks against Iranian oil companies. In 2012, the International Telecommunication Union supplied Kaspersky Lab with hard drives allegedly damaged by Wiper for analysis. While a sample of the alleged malware could not be found, Kaspersky discovered traces of a separate piece of malware known as Flame.

The Shamoon malware contained a disk-wiping mechanism; it was employed in 2012 and 2016 malware attacks targeting Saudi energy companies, and used a commercial direct drive access driver known as RawDisk. The original variant overwrote files with portions of an image of a burning U.S. flag. The 2016 variant was nearly identical, except that it used an image of the body of Alan Kurdi instead.

A wiping component was used as part of the malware employed by the Lazarus Group, a cybercrime group with alleged ties to North Korea, during the 2013 South Korea cyberattack and the 2014 Sony Pictures hack. The Sony hack also used RawDisk.

In 2017, computers in several countries, most prominently Ukraine, were infected by a variant of the Petya ransomware that had been modified to effectively act as a wiper. The malware infects the master boot record with a payload that encrypts the internal file table of the NTFS file system. Although it still demanded a ransom, the code was found to have been modified so significantly that the payload could not actually revert its changes, even if the ransom were paid.

Several variants of wiper malware were discovered during the Russian invasion of Ukraine in early 2022 on computer systems associated with Ukraine. Named CaddyWiper, HermeticWiper, IsaacWiper, and FoxBlade by researchers, the programs showed little relation to each other, prompting speculation that they were created by different state-sponsored actors in Russia specifically for this occasion.

