Emerging threat analyzed: Wiper malware

  • Posted on:February 25, 2015
  • Posted in:Current News, Industry News
  • Posted by:
    Trend Micro

It seems that in the current threat environment, not a single day passes without a warning about a new risk. While it can be difficult to stay on top of this ever-changing landscape, it is in users' best interest – particularly those in the enterprise sector – to remain apprised of the emerging techniques being used by malicious actors.

Recently, the Federal Bureau of Investigation issued a statement warning businesses about the latest threat being used by hackers. The threat is a destructive infection known as wiper malware, and it has been connected with last year's large-scale breach of Sony Pictures. After seeing what the entertainment company went through following its attack, many companies are taking the FBI's warning very seriously and are looking to bolster their protections against wiper malware.

FBI warns businesses about wiper malware
When the FBI comes forward with an announcement, it is usually not one that businesses and individuals ignore. At the beginning of December 2014, FBI officials issued a flash warning encouraging U.S.-based companies to raise their awareness of and protection against wiper malware. And although the report didn’t specifically call out Sony as the victim of a wiper malware attack, the warning was timed in such a way that many experts believed the entertainment firm’s breach spurred the FBI’s warning, ThreatPost noted.

Wiper malware is especially damaging because of its destructive capabilities. The flash alert – which the FBI issues only to organizations it believes are at specific risk – noted that the sample is able to access hard drives, overwrite the data stored there and, as a result, render the machines inoperable.

Wiper malware: In use before the Sony breach
While Sony’s case likely caused the FBI to issue this most recent warning, ThreatPost noted that this is not the first time a breach has occurred due to wiper malware. In the summer of 2012, Saudi oil firm Aramco fell victim to an attack at the hands of Shamoon, a wiper malware sample. The infection affected thousands of workstations at the company, stealing data and overwriting the Master Boot Record on each hard drive. Interestingly, though, this attack did not interrupt oil production at the facility, but did render workstations unusable.

That same year, businesses in Iran were also attacked by wiper malware, which led Kaspersky Lab and CrySys researchers to discover the Flame malware sample. This sample displayed the same capabilities as other wiper attacks, and was specifically utilized by hackers in attacks on Middle Eastern targets.

The Sony attack analyzed
However, the most high-profile attack involving wiper malware to date is that of Sony Pictures. TrendLabs researchers recently analyzed the malware used in the breach, wherein hackers seemingly connected to the Guardians of Peace were able to wholly compromise the network and steal considerable amounts of content and sensitive data, including employee details, business information and unreleased Sony films.

Upon investigation, Trend Micro experts were able to pinpoint the sample used in the attacks. The malware family is detected as BKDR_WIPALL, and the attack chain begins with BKDR_WIPALL.A, the main installer, which arrives camouflaged as an executable named “diskpartmg16.exe.” The strain obscures its strings with a single-byte XOR (key 0x67) to cover its tracks and to hide the authentication credentials it uses to reach the victim's network shares.
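The single-byte XOR the installer uses is a thin obfuscation layer that an analyst strips during triage. The helper below is an added example for analysts; it is not Trend Micro's tooling and it does not operate on the real sample. It goes beyond the page in one respect: rather than assuming the key, it tries all 256 one-byte keys and keeps the one whose output looks most like a string table, so it also works when the key has not yet been identified. The encoded blob it decodes is constructed for the demo (an invented share path, account and secret, encoded with the 0x67 key the page reports).

```python
"""Recovering single-byte-XOR-obscured strings from a binary blob.

Added example for malware analysts; not Trend Micro's tooling. The page reports
that BKDR_WIPALL.A hides the credentials it uses with XOR 0x67. This helper
generalises that observation: it tries every one-byte key and keeps the one
whose output looks most like a string table, so it also works when the key is
not known up front. The sample blob below is CONSTRUCTED for the demo.
"""

# A CONSTRUCTED string table with NUL separators, as an installer might carry
# it, encoded here with the key the page reports (0x67). The share name,
# account and secret are invented for the example.
_DEMO_PLAINTEXT = b"\\\\FILESERVER01\\share\x00corp\\svc_backup\x00P@ssw0rd-2015!\x00"
DEMO_BLOB = bytes(b ^ 0x67 for b in _DEMO_PLAINTEXT)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def _looks_textual(b: int) -> bool:
    # Printable ASCII, the usual whitespace, or NUL (string-table separator).
    return b == 0 or 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)


def text_score(data: bytes) -> float:
    """Fraction of bytes that are plausible string-table content (0.0 .. 1.0)."""
    if not data:
        return 0.0
    return sum(1 for b in data if _looks_textual(b)) / len(data)


def recover_xor_key(blob: bytes) -> tuple[int, bytes]:
    """Brute-force the 256 one-byte keys; return (best key, decoded bytes).

    Ties go to the lowest key, so on very short or unusual inputs check the
    score as well before trusting the result.
    """
    best_key, best_score = 0, -1.0
    for key in range(256):
        score = text_score(xor_bytes(blob, key))
        if score > best_score:
            best_key, best_score = key, score
    return best_key, xor_bytes(blob, best_key)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Equivalent of `strings`: runs of printable ASCII at least min_len long."""
    found, run = [], bytearray()
    for b in data + b"\x00":  # trailing sentinel flushes the last run
        if 0x20 <= b <= 0x7E:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found


if __name__ == "__main__":
    key, decoded = recover_xor_key(DEMO_BLOB)
    print(f"recovered key: 0x{key:02x}")
    for s in extract_strings(decoded):
        print("  ", s)
```

Run against a real dump, the same two steps apply: feed the suspicious section to `recover_xor_key`, then `extract_strings` on the result; a key that scores well below 1.0 usually means the data is not single-byte XOR at all.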

The attack then deploys the BKDR_WIPALL.B sample, masked as a file called “igfxtrayex.exe.” This file is responsible for the damage seen with wiper malware.

“Once it’s dropped, BKDR_WIPALL.B sleeps for 10 minutes, after which it starts deleting files and stops the Microsoft Exchange Information Store service,” Security Affairs contributor Pierluigi Paganini wrote. “The threat then sleeps for two hours and forces a system reboot.”

Trend Micro researchers also discovered a similar wiper malware variant known as BKDR_WIPALL.D that deploys BKDR_WIPALL.C. This sample in turn installs an image file called “walls.bmp,” which displays the “Hacked by GOP” image, accompanied by the red skull graphic that Sony Pictures reported seeing on its system after the breach. The image also warned victims that the GOP had “obtained all your internal data including your secrets and top secrets,” which became evident after unreleased films began appearing on underground marketplaces.

While investigators are still looking into the Sony attack, all other breaches coming as a result of wiper malware end in the same manner: Hackers make off with stolen data and leave behind inoperable systems overwritten by the infection.

Currently, the best defense against such an infection is awareness combined with proper network monitoring. With a granular view of the activity taking place on the network, administrators are better able to respond when suspicious or dangerous files appear or are installed, so that the damage such files – including those connected with wiper malware – are designed to cause can be stopped before it happens.
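Monitoring pays off most when it turns the chain the article describes (installer executed, Exchange Information Store service stopped, forced reboot about two hours later) into a correlation rule. The script below is an added example, not Trend Micro's detection logic. Its log format (one JSON object per line) and the file paths in the sample telemetry are constructed for the demo, and `MSExchangeIS` is assumed here to be the service short name of the Microsoft Exchange Information Store; the executable names come from the article.

```python
"""Behavioural detection of the BKDR_WIPALL chain over host telemetry.

Added example, not Trend Micro's detection logic. The sequence the page
describes (installer executed, Exchange Information Store stopped, forced
reboot ~2 hours later) becomes a per-host correlation rule. Assumptions: the
JSON-lines format is made up for the demo, "MSExchangeIS" is assumed to be the
service short name, and the paths in the sample log are invented.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Executable names the page attributes to BKDR_WIPALL.A and BKDR_WIPALL.B.
WATCHLIST = {"diskpartmg16.exe", "igfxtrayex.exe"}
EXCHANGE_IS = "MSExchangeIS"        # assumed service short name
CHAIN_WINDOW = timedelta(hours=3)   # 10-minute sleep + work + 2-hour sleep, with slack

# CONSTRUCTED sample telemetry: one infected mail server, one workstation where
# only the installer has run so far, and one clean host with benign activity.
SAMPLE_LOG = r"""
{"ts": "2015-02-24T08:00:00", "host": "MAIL01", "event": "process_create", "image": "C:\\Users\\Public\\igfxtrayex.exe"}
{"ts": "2015-02-24T08:10:05", "host": "MAIL01", "event": "service_stop", "service": "MSExchangeIS"}
{"ts": "2015-02-24T10:10:30", "host": "MAIL01", "event": "reboot"}
{"ts": "2015-02-24T08:02:00", "host": "WS077", "event": "process_create", "image": "C:\\Temp\\diskpartmg16.exe"}
{"ts": "2015-02-24T08:05:00", "host": "WS042", "event": "process_create", "image": "C:\\Windows\\System32\\notepad.exe"}
{"ts": "2015-02-24T08:06:00", "host": "WS042", "event": "service_stop", "service": "Spooler"}
{"ts": "2015-02-24T09:00:00", "host": "WS042", "event": "reboot"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines telemetry; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def _basename(image: str) -> str:
    # Normalise separators and case so the watchlist match is path-independent.
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[dict]:
    """One alert per watchlisted execution; escalate to high when the follow-on
    Exchange stop or reboot appears on the same host inside CHAIN_WINDOW."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["event"] != "process_create" or _basename(ev["image"]) not in WATCHLIST:
                continue
            follow = [f for f in evs[i + 1:] if f["ts"] - ev["ts"] <= CHAIN_WINDOW]
            stopped = any(f["event"] == "service_stop" and f.get("service") == EXCHANGE_IS
                          for f in follow)
            rebooted = any(f["event"] == "reboot" for f in follow)
            if stopped or rebooted:
                severity = "high"
                reason = "watchlisted binary followed by Exchange IS stop/reboot"
            else:
                severity = "medium"
                reason = "watchlisted binary executed; no follow-on activity yet"
            alerts.append({"host": host, "when": ev["ts"].isoformat(),
                           "image": _basename(ev["image"]),
                           "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

The medium-severity alert is the one that matters operationally: in the chain the article describes there is a ten-minute window between the installer running and file deletion starting, so a process-creation match on the watchlisted name is the point at which isolating the host still prevents the damage.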
