Iran’s Computer Emergency Response Team (IR-CERT) issued a warning on Sunday about a newly discovered malicious program that is erasing hard drives on infected systems in that country – just the latest data-destroying malware to appear there.
IR-CERT said that an investigation by its Maher center found that the malware “wipes files on different drives in various predefined times,” including disk partitions and user profiles. However, the malware isn’t widespread and doesn’t appear linked to “other sophisticated targeted attacks,” the alert said – in a possible reference to the Stuxnet and Flame malware, both of which targeted Iranian critical infrastructure.
Subsequent analysis by independent security firms confirmed most of the details of the IR-CERT warning. Writing on Monday, Jaime Blasco of the firm AlienVault said the malware was “just another wiping malware” and “very simple,” and could have been delivered in a variety of ways – from a USB drive to a spear-phishing attack, or some other method secondary to a “targeted intrusion.”
Symantec also has a write-up of the malware, which it calls Batchwiper, describing it as “not sophisticated.” Batchwiper has “no visible connection to Stuxnet, Flamer or Gauss based on preliminary analysis,” Symantec wrote on its blog.
While these reports don’t presage some nasty new APT-style menace, they do underscore how attuned the rest of the world has become to whatever is going down in Iran. Indeed, the country that was Stuxnet’s testbed has become a kind of canary in the coal mine for new, sophisticated nation-backed attacks. In November, for example, Symantec sounded the alarm about a sophisticated threat targeting financial firms in Iran, only for Kaspersky Lab to throw cold water on the report by disclosing that the malware in question was more than two years old and targeted low-end accounting software made by a Tehran-based firm.