Some Malware Just Wants to Watch the World Burn

To summarize Costin Raiu, the director of Kaspersky Lab’s research arm, the vast majority of malicious files are what he calls crimeware — computer programs deployed by cybercriminals seeking to

To summarize Costin Raiu, the director of Kaspersky Lab’s research arm, the vast majority of malicious files are what he calls crimeware — computer programs deployed by cybercriminals seeking to make a profit by stealing credentials, data, resources, or money directly. The second most prevalent category of malicious software is designed exclusively for cyber-espionage and is used by a variety of advanced threat actors – often with state, corporate, or other deep-pocketed benefactors. Then there is a third, much smaller category of purely destructive malware – sometimes called wipers.

wipers

As it turns out, early malware was almost entirely destructive in nature. In the late nineties the Internet was not the vast storage place for valuable data that it is today. In addition to that, organized criminals had yet to see the hard financial value in what was – at the time – easily accessible information. Thus, somewhat like modern ransomware, early hackers designed malware that encrypted hard-drives or corrupted machine data in other ways. There was a playful mischievousness to these early trojans and the people developing them. As far as I know, money was not a significant incentive among early malware-authors.

Destructive, wiper-type malware never really went away, but it’s definitely been revitalized with new fervor purpose in the murky age of alleged nation-to-nation and nation-to-corporation attacks.

Wipers remain a tertiary threat at best; one that you or I don’t really have to actively worry about.

In fact, in the last three years, our friends at Securelist have examined no less than five separate wiper-style attacks.

The first, merely called Wiper, was so effective that it even wiped itself off the thousands of Iranian computers it is believed to have infected. Because of this, no one was able to examine Wiper malware samples. In comparison to other destructive malware, this threat was seemingly novel, targeting a slew of what appeared to be random machines. Wiper, however, is significant because – whoever designed it and for whatever purpose – it may well have been the inspiration for the following for pieces of malware.

Shamoon in particular is thought to have descended from the mysterious Wiper malware. This destructive strain found its way onto the networks of what may be the world’s most valuable company and what is definitely its largest daily oil producer, Saudi Aramco. Shamoon made quick work of the Saudi Arabian Oil Company in August of 2012, destroying more than 30,000 corporate workstations. The malware, which some have said originated in Iran even though a hacker group claimed credit for the attack, did not succeed in erasing itself from existence as Wiper did before it. Researchers got their hands on Shamoon, realizing it used crude but effective methods in its attack.

Then there was Narilam, a crafty piece of malware that seemed to target the databases of some financial applications used almost exclusively in Iran. Narilam was different than the others here in that it’s a slow acting malware, designed for long-term sabotage. Kaspersky Lab has identified a number of different versions of Narilam, some dating back as far as 2008. While Narilam and threats like it act slow, they can be quite destructive in the long-term.

There was also the Groovemonitor (aka Maya) malware. Iran’s equivalent to the computer emergency response team first reported what they called Maher in 2012. It’s a fairly simple threat, attacking victim machines more like a bludgeon than a scalpel. Groovemonitor basically has a preset period between two dates. It would attempt to delete every file between those two dates on all machine drives D through I.
The most recent threat, called Dark Seoul, was used in a coordinated attack targeting several banks and broadcasting companies in Seoul, South Korea. This attack was different from the previous ones in both because it did not seem to involve a gulf state (Iran or Saudi Arabia), but also because it was incredibly conspicuous, suggesting that the attackers in this case were out for fame rather than clandestine sabotage.

“The power to wipe tens of thousands of computers at the push of a button or a mouse click represents a powerful asset for any cyber-army,” Raiu wrote in a Securelist report. “This can be an even more devastating blow when coupled with a real world kinetic attack to paralyze a country’s infrastructure.”

Wipers remain a tertiary threat at best; one that you or I don’t really have to actively worry about. After all, there isn’t a whole lot that everyday Internet users can do to protect their water or power utilities against a piece of malware that would erase supervisory control and data acquisition or industrial control systems (the hardware and software that controls power grids, manufacturing, etc.). These are the sorts of threats that need to be monitored and mitigated by specialized security companies, critical infrastructure holders, and – perhaps most importantly – national governments.

The good news – for users in the United States and its close allies at least – is that the U.S. Congress will soon vote on the popular, bipartisan, private sector endorsed National Cybersecurity and Critical Infrastructure Protection Act of 2013. The bill is designed primarily to promote threat-information sharing between the government and the companies that manage critical infrastructure. Similar efforts and legislation are in consideration or already underway in a number of other countries around the world as well.

 

Tips