Forgot your password?
typodupeerror
Security IT

New Malware Wiping Data On Computers In Iran 95

Posted by Soulskill
from the cyberwar-continues dept.
L3sPau1 writes "Iran's computer emergency response team is reporting new malware targeting computers in the country that is wiping data from partitions D through I. It is set to launch on only particular dates. 'Clearly, the attacker was trying to think ahead. After trying to delete all the files on a particular partition the malware runs chkdsk on said partition. I assume the attacker is trying to make the loss of all files look like a software or hardware failure. Next to these BAT2EXE files there's also a 16-bit SLEEP file, which is not malicious. 16-bit files don't actually run on 64-bit versions of Windows. This immediately gives away the malware's presence on a x64 machine.' While there has been other data-wiping malware targeting Iran and other Middle East countries such as Wiper and Shamoon, researchers said there is no immediate connection."
This discussion has been archived. No new comments can be posted.

New Malware Wiping Data On Computers In Iran

Comments Filter:
  • by WWJohnBrowningDo (2792397) on Tuesday December 18, 2012 @05:40PM (#42330617)

    wiping data from partitions D through I

    Thank God I hid all my porn on C drive!

  • Ahhh (Score:5, Funny)

    by stackOVFL (1791898) on Tuesday December 18, 2012 @05:46PM (#42330677)

    The old drone shaped USB drive trick always works!

    • by mjwx (966435)

      The old drone shaped USB drive trick

      That's the third time I've fallen for that this week.

  • by TWX (665546) on Tuesday December 18, 2012 @05:49PM (#42330715)
    ...it's fairly clever to target partitions that aren't the OS partition. I didn't read the article, but if it's targeting all entries mapped on D:-I: then that could be network shares, flash memory, external hard disks, internal extra hard disks, and possibly even files awaiting burn to disc, and with the OS left untouched would not raise suspicion as quickly.
    • by khasim (1285) <brandioch.conner@gmail.com> on Tuesday December 18, 2012 @06:05PM (#42330895)

      A better attack would be to randomly change a few numbers on whatever spreadsheets can be written to. Then make sure to set the "last updated" date time back to the original.

      It will take a few months longer for real damage to be noticed but by that time it will be too widespread and have infected too many spreadsheets.

      If it is even noticed as a "virus".

      • by oodaloop (1229816) on Tuesday December 18, 2012 @06:34PM (#42331193)
        Why don't you just let people fuck up their own spreadsheets the old fashioned way - through stupidity and laziness? Why does every task need to be automated?
      • by BeerCat (685972) on Tuesday December 18, 2012 @06:55PM (#42331407) Homepage

        Indeed - I remember nearly 20 years ago the categories of damage that a computer virus could do:

        Wiping the hard disk = "Minor" (if you have a backup, then recover from the backup)

        Random bit swaps in data files = "Catastrophic" (undetected for long enough that even on a long backup cycle, they are all infected. Worse than that, subtly corrupted files are far harder to correct than merely deleted ones)

      • A better attack would be to randomly change a few numbers on whatever spreadsheets can be written to. Then make sure to set the "last updated" date time back to the original.

        Reminds me of an old dBase virus under MS-DOS. If you got it, it would slowly (over many months) corrupt the data in your files while keeping a hidden list of changes. As you read a corrupted record, it would temporary repair it so everything seemed A-OK.

        Then one fine day it would commit suicide taking it's delta with it, leaving you the corrupted file and months of corrupted backups.

        First one like that I had seen; I thought it was ingenious.

    • by richlv (778496)

      well, one joke still stands. what the fuck are "partitions D through I" ?
      none of the partition table i can set up seems to use anything like that...

      yeah, yeah, i'm complaining about an extremely low level of quality of a slashdot article. and no, original source being crap in that area is no excuse :)

      • Lost in the operator game.. The original article [securelist.com] talks about *drives* D through I on a Windows machine. Some idiot (appears to be Michael Mimoso) decided that "partition" is a more pro-sounding synonym for "drive" and started using both interchangeably in the article from OP. So we are all left scratching our heads. The point I think is that the thing tries to destroy data on network and attached storage devices, rather than wiping C drive which would give itself away much more quickly..

  • by Anonymous Coward

    Well it seems like Iran has become the testing ground for the new weaponized computer arms race.

  • I've never written a batch file over 64k before to warrant such extravagant conversion (Unless you count the REMs)

    Kudos.

  • by Gothmolly (148874) on Tuesday December 18, 2012 @06:24PM (#42331083)

    Why do I picture a guy frantically photoshopping Windows Explorer screenshots to show that there's still data on the D drive?

  • You call it malware.

    I call it a black ops program using my US tax dollars to attack Iran's nuclear weapons program.

    Potato. Tater.

    Same diff.

    • by pclminion (145572)

      A government funded cyber campaign based on BAT2EXE and 16-bit code? Which doesn't even work effectively? If your goal is actually to destroy files, and you are a nation state, then you understand that simply deleting the files using the "del" command is not actually going to destroy any data. (I have no evidence that "del" was used, but hey, they ain't releasing the binary for me to analyze.)

      If this was perpetrated by a nation state, then it must be meant as some kind of weird psy-op to confuse the shit ou

      • Unless it was a delivery vehicle that destroyed its traces.

        I used to write those back in the 80s. One code to deliver. One code to clean up. Then it looks like it was only the latter.

    • by Jeremi (14640)

      I call it a black ops program using my US tax dollars to attack Iran's nuclear weapons program.

      If you want, but when something wipes out all the files on your computer, be sure to refer to it as "someone attacking the USA's nuclear weapons program". Sauce for the gander and all that.

  • So it was written by a tween? From 1989?
    • by gandhi_2 (1108023)

      Ahh yes.

      I remember a semi-nude Vanna White .gif file, gif2exe, and a jr high school labs shared autoexec.bat file....

      Those were the days. In full dithered, grainy awesomeness.

  • Iran is paranoid (Score:3, Insightful)

    by Anonymous Coward on Tuesday December 18, 2012 @08:09PM (#42332065)

    Sophos covered this on their Naked Security blog today. Iran is going off the deep end with this one. The attack could have been written by a 5th grader and contains nothing that is targeted at Iran. Sophos noted that it is amateur compared to Stuxnet, Flame, and the other one widely considered to be written with Iran specifically in mind. Apparently it was a slow day at Iran's CERT.

    • if it is confined to iran it sounds to me like a domestic attacker, seeing how much hell he can cause while only hitting 32(or 16bit but if their nuclear program is running on 16bit windows it truly pity them as the latest they could have would be what 98SE?) bit targets

Everyone can be taught to sculpt: Michelangelo would have had to be taught how not to. So it is with the great programmers.

Working...