by Dan Goodin
|A pattern in Wiper that repeats over and over caused the malware to selectively overwrite only parts of a file. This allowed Wiper to destroy data much more quickly. Courtesy of Kaspersky Lab|
Mysterious malware that reportedly attacked Iran's oil ministry in April shared a file-naming convention almost identical to those used by the state-sponsored Stuxnet and Duqu operations, an indication it may have been related, security researchers said.
The highly destructive malware known as Wiper has never been recovered, but its devastating effects are confirmed in a report from researchers at Russia-based antivirus provider Kaspersky Lab. It struck as early as last December and used an advanced algorithm to permanently purge large portions of hard drives from computers it infected. Because it struck the same geographic region targeted by Stuxnet, researchers have spent months searching for evidence that links Wiper to the operation, which reportedly was sponsored by the US and Israeli militaries to disrupt Iran's nuclear program.
Researchers have also looked for links between Wiper and the malware titles dubbed Flame, Duqu and Gauss, which more recently were found to be spawned by the same software developers as Stuxnet. Flame was discovered by Kaspersky researchers only after they were asked by the International Telecommunications Union to look into incidents involving Wiper. During the course of the investigation, they soon zeroed in on Flame. They're only now returning their attention to the original probe.
Source: Ars Technica