The perfect crime: Is Wiper malware connected to Stuxnet, Duqu?

Mysterious malware that reportedly attacked Iran’s oil ministry in April shared a file-naming convention almost identical to those used by the state-sponsored Stuxnet and Duqu operations, an indication it may have been related, security researchers said.

The highly destructive malware known as Wiper has never been recovered, but its devastating effects are confirmed in a report published on Wednesday from researchers at Russia-based antivirus provider Kaspersky Lab. It struck as early as last December and used an advanced algorithm to permanently purge large portions of hard drives from computers it infected. Because it struck the same geographic region targeted by Stuxnet, researchers have spent months searching for evidence that links Wiper to the operation, which reportedly was sponsored by the US and Israeli militaries to disrupt Iran’s nuclear program.

Researchers have also looked for links between Wiper and the malware titles dubbed Flame, Duqu, and Gauss, which more recently were found to be spawned by the same software developers as Stuxnet. Flame was discovered by Kaspersky researchers only after they were asked by the International Telecommunications Union to look into incidents involving Wiper. During the course of the investigation, they soon zeroed in on Flame. They’re only now returning their attention to the original probe.

The Tilded Platform

The latest Kaspersky report reveals the first evidence that there may be a link. The first: temporary Windows files generated by Wiper begin with a tilde character (~), followed by the letter d (either capital or lower case), followed by other letters or numbers. This “tilded platform,” as researchers have come to call the convention, is also found in both Stuxnet and Duqu. In their investigation, Kaspersky researchers focused on one file in particular, titled ~DEB93D.tmp, which was found on an “abnormally large number of machines” infected by Wiper. They noticed it started with “6F C8,” which happen to be the same bytes present in encrypted format in the main module of a Duqu sample from November 2010.

The second sign linking Wiper to Stuxnet and Duqu was that the malware assigned a high priority to seeking out and destroying encrypted files with names ending in .PNF that were stored in the inf folder that is found on Windows machines. Both Stuxnet and Duqu kept their core contents stored in encrypted PNF files stored in that location.

“If the purpose of the attackers was to make sure the Wiper malware could never be discovered, it makes sense to first wipe the malware components, and only then to wipe other files in the system which could make it crash,” the Kaspersky report explained.

The researchers are careful to note that they can’t be certain Wiper is connected to Stuxnet and Duqu. But if it is, the link raises a major question: why would its creators unleash a highly destructive payload that would almost surely blow the cover of the covert Flame- and Duqu-related operations? One possibility is that the operators underestimated the attention Wiper would bring. If so, that was at least the second error to seriously undermine the operations. The first was a bug in Stuxnet that caused some infected machines to spiral into an endless reboot loop. The disruption is what ultimately led to the discovery of the infections.

But another possibility is that Wiper creators deliberately programmed it to permanently erase evidence that was so sensitive it was worth destroying even if it revealed the operations. If that’s the case, it means researchers have yet to uncover crucial parts of this international whodunnit.

“It’s obviously a huge difference between what effectively is a covert operation and blowing something up,” Kaspersky Lab Expert Roel Schouwenberg told Ars. “They’re kind of worlds apart.”