Batchwiper Malware Hits Iran

Iran's National Computer Emergency Response Team (CERT) recently announced that it had identified new data-wiping malware targeting specific systems within the country. "Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software," the announcement states.

"The malware was detected in one or more targeted attacks, although the identity of the intended victim is not known," writes The Register's John Leyden. "Its operation is similar to the data-destroying worm Shamoon that ransacked Gulf oil giants earlier this year, but the two pieces of software otherwise appear unrelated."

"Dubbed Batchwiper, the malware systematically wipes any drive partitions starting with the letters D through I, along with any files stored on the Windows desktop of the user who is logged in when it's executed, according to security researchers who independently confirmed the findings," writes Ars Technica's Dan Goodin.

"After trying to delete all the files on a particular partition the malware runs chkdsk on said partition," writes Kaspersky senior anti-virus researcher Roel Schouwenberg. "I assume the attacker is trying to make the loss of all files look like a software or hardware failure."

"The malware initiates its data wiping routine on certain dates, the next one being Jan. 21 2013," writes InfoWorld's Lucian Constantin. "However, the dates of Oct. 12, Nov. 12 and Dec. 12, 2012, were also found in the malware's configuration, suggesting that it may have been in distribution for at least two months."
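The behaviour the reports above describe is a recognisable sequence on a host: a destructive command against one of the D: through I: partitions, then chkdsk on that same partition, on one of the hard-coded dates. The script below is an added example of the detection logic a defender could run over process-creation records to surface that sequence; it is not code from the original article, from the malware, or from any of the researchers quoted. The log lines are constructed, the record format (timestamp plus command line) is an assumption, and the ten-minute correlation window is an arbitrary tuning choice.

```python
"""Correlate process-creation records for the wiper pattern reported for
Batchwiper: a destructive command against a D: to I: partition followed
by chkdsk on the same partition, optionally on a known trigger date.

Added example with constructed sample data; not the malware, not the
article's code, and not a product signature.
"""
import re
from datetime import datetime, timedelta

# Drive letters the reports say the wiper targets (assumption: upper-case roots).
TARGET_DRIVES = set("DEFGHI")

# Trigger dates the reports say were found in the malware's configuration.
TRIGGER_DATES = {
    datetime(2012, 10, 12).date(),
    datetime(2012, 11, 12).date(),
    datetime(2012, 12, 12).date(),
    datetime(2013, 1, 21).date(),
}

# Constructed sample of process-creation records: (timestamp, command line).
SAMPLE_EVENTS = [
    ("2012-12-12 09:00:01", r"cmd.exe /c del /q /s /f D:\*.*"),
    ("2012-12-12 09:00:02", r"cmd.exe /c del /q /s /f E:\*.*"),
    ("2012-12-12 09:00:05", r"chkdsk.exe D:"),
    ("2012-12-12 09:00:06", r"chkdsk.exe E:"),
    ("2012-12-12 11:30:00", r"notepad.exe C:\Users\alice\notes.txt"),
    ("2012-12-13 08:00:00", r"chkdsk.exe F:"),  # chkdsk alone is routine, not flagged
]

# A deletion/format verb followed somewhere later by a drive root such as "D:\".
DESTRUCTIVE = re.compile(r"\b(del|erase|rd|rmdir|format)\b.*?\b([A-Z]):\\", re.IGNORECASE)
# chkdsk invoked against a drive letter.
CHKDSK = re.compile(r"\bchkdsk(\.exe)?\b\s+([A-Z]):", re.IGNORECASE)


def parse_ts(ts):
    """Parse the constructed 'YYYY-MM-DD HH:MM:SS' timestamp format."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_wiper_sequences(events, window=timedelta(minutes=10)):
    """Return alerts as (drive, destructive_ts, chkdsk_ts, on_trigger_date).

    An alert fires when a destructive command against a target drive is
    followed, within `window`, by chkdsk on that same drive. The final
    field records whether the activity fell on a reported trigger date,
    which raises confidence but is not required for the alert.
    """
    pending = {}  # drive letter -> time of the most recent destructive command
    alerts = []
    for ts, cmdline in sorted(events, key=lambda e: e[0]):
        when = parse_ts(ts)
        m = DESTRUCTIVE.search(cmdline)
        if m:
            drive = m.group(2).upper()
            if drive in TARGET_DRIVES:
                pending[drive] = when
            continue
        m = CHKDSK.search(cmdline)
        if m:
            drive = m.group(2).upper()
            started = pending.pop(drive, None)
            if started is not None and when - started <= window:
                alerts.append((drive, started, when, when.date() in TRIGGER_DATES))
    return alerts


if __name__ == "__main__":
    for drive, started, checked, on_date in find_wiper_sequences(SAMPLE_EVENTS):
        print(f"ALERT drive {drive}: wipe at {started}, chkdsk at {checked}, "
              f"trigger date: {on_date}")
```

Run against the constructed sample this flags drives D: and E: on the 12 December trigger date and ignores the lone chkdsk on F: the next day. The correlation is deliberately on the sequence rather than on either command alone, because chkdsk and bulk deletes each have plenty of legitimate uses; a real deployment would feed it from a process-creation log source and tune the window and target-drive set to the environment.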

"It's not clear how the malware is being distributed," writes InfoWorld's Lucian Constantin. "The dropper could be deployed using several vectors, ranging from spearphishing emails, infected USB drives, some other malware already running on computers, or an internal actor uploading it to network shares, AlienVault Labs manager Jaime Blasco said via email. Despite the fact that this malware is not sophisticated, if its wiping routines are executed, it can do a lot of damage, Blasco said."

"Why Iran is drawing attention to this is anybody's guess," writes Sophos' Chester Wisniewski. "It does go to show that malware doesn't need to be sophisticated to cause trouble though. If you can execute arbitrary files, all it takes is a few lines in a batch file and some wrappers to cause serious damage."