Security researchers from Kaspersky Lab have uncovered information suggesting a possible link between the mysterious malware that attacked Iranian oil ministry computers in April and the Stuxnet and Duqu cyber espionage threats.
Following April reports that data was destroyed on multiple servers in Iran, possibly by a new piece of malware, the International Telecommunication Union (ITU) asked security vendor Kaspersky Lab to investigate the incidents.
Kaspersky's researchers were not able to find the mysterious malware, which was given the name Wiper, because very little data from the affected hard disk drives was recoverable.
However, their investigation led to the discovery of Flame and later Gauss, two highly sophisticated cyber espionage threats believed to have been developed by a nation state.
After reviewing the bits of information extracted from the affected hard drives, the Kaspersky researchers concluded that the Wiper malware did in fact exist, that it used a sophisticated and effective data wiping algorithm and that it was most likely not a Flame component.
"We can now say with certainty that the incidents took place and that the malware responsible for these attacks existed in April 2012," researchers from Kaspersky's global research and analysis team said Wednesday in a blog post. "Also, we are aware of some very similar incidents that have taken place since December of 2011."
Even though a connection to Flame is unlikely, there is some evidence suggesting that Wiper might be related to Stuxnet or Duqu.
For example, on a few of the hard drives analyzed, the researchers found traces of a service called RAHDAUD64 that loaded files named ~DFXX.tmp -- where XX are two random digits -- from the C:\WINDOWS\TEMP folder.
"The moment we saw this, we immediately recalled Duqu, which used filenames of this format," the researchers said. "In fact, the name Duqu was coined by the Hungarian researcher Boldizsar Bencsath from the CrySyS lab because it created files named ~dqXX.tmp."
Kaspersky's researchers had already established that both Stuxnet and Duqu were created by the same team of developers using the same platform -- dubbed the Tilded Platform because the malware used files with names starting with the "~" (tilde) symbol.
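The two artifacts the article describes, a service named RAHDAUD64 and tilde-prefixed temp files of the form ~DFXX.tmp or ~dqXX.tmp in C:\WINDOWS\TEMP, are the kind of forensic lead an analyst would turn into a quick triage check over a disk image or a collected file listing. The helper below is an added example, not Kaspersky's code, and the file paths and service names it scans are constructed sample data; the only facts it relies on are the naming pattern and service name quoted above. Files with a ~DF prefix are also produced by ordinary Windows components, so a match is a hunting lead to be corroborated with the wiping behaviour the article describes, not a verdict on its own.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Tilde + "DF" or "DQ" + exactly two digits + ".tmp", matched case-insensitively.
# This is the pattern the article attributes to Wiper (~DFXX.tmp) and Duqu (~dqXX.tmp).
TILDED_NAME = re.compile(r"^~(?P<tag>D[FQ])(?P<num>\d{2})\.tmp$", re.IGNORECASE)

# Only the folder named in the article is considered; tilde files elsewhere are ignored
# here to keep the example faithful to the reported indicator.
TEMP_DIR = re.compile(r"^[A-Za-z]:\\windows\\temp\\", re.IGNORECASE)

# Service name quoted in the article; compared case-insensitively.
SUSPICIOUS_SERVICE = "RAHDAUD64"


def classify_temp_files(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, hint) for every path under C:\\WINDOWS\\TEMP whose file name
    follows the tilded naming pattern. The hint says which family the article
    associates with that prefix."""
    hits: List[Tuple[str, str]] = []
    for p in paths:
        if not TEMP_DIR.match(p):
            continue
        name = p.rsplit("\\", 1)[-1]
        m = TILDED_NAME.match(name)
        if not m:
            continue
        tag = m.group("tag").upper()
        hint = "Duqu-style (~dqXX.tmp)" if tag == "DQ" else "Wiper-style (~DFXX.tmp)"
        hits.append((p, hint))
    return hits


def suspicious_services(names: Iterable[str]) -> List[str]:
    """Return installed service names equal to the one named in the article."""
    return [n for n in names if n.upper() == SUSPICIOUS_SERVICE]


def triage(paths: Iterable[str], services: Iterable[str]) -> Dict[str, object]:
    """Combine both indicators into one summary. 'corroborated' is True only when
    both the service and at least one tilded temp file are present, which is the
    weakest combination worth escalating; either alone is just a lead."""
    files = classify_temp_files(paths)
    svcs = suspicious_services(services)
    return {
        "tilded_files": files,
        "services": svcs,
        "corroborated": bool(files) and bool(svcs),
    }


# Constructed sample data standing in for a file listing and a service list
# pulled from a host or disk image. Not real artifacts from any incident.
SAMPLE_LISTING = [
    r"C:\WINDOWS\TEMP\~DF12.tmp",                      # matches: Wiper-style
    r"C:\WINDOWS\TEMP\~DQ07.tmp",                      # matches: Duqu-style
    r"C:\WINDOWS\TEMP\~DF1234.tmp",                    # four digits: not the XX pattern
    r"C:\WINDOWS\TEMP\report.tmp",                     # ordinary temp file
    r"C:\Users\alice\AppData\Local\Temp\~DF99.tmp",    # outside C:\WINDOWS\TEMP
]
SAMPLE_SERVICES = ["Spooler", "RAHDAUD64", "wuauserv"]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING, SAMPLE_SERVICES)
    for path, hint in result["tilded_files"]:
        print(f"tilded temp file: {path}  [{hint}]")
    for svc in result["services"]:
        print(f"suspicious service: {svc}")
    print("escalate:", result["corroborated"])
```

On a real host the file listing would come from a directory walk of the mounted image or from a collected file-system timeline, and the service list from the registry's Services key or an export of the service control manager; the matching logic is the same. Keeping the folder restriction and the exact two-digit form matters: loosening either turns a narrow indicator into one that fires on routine Windows temp files.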