A new strain of malware capable of wiping hard drives is being described as "simplistic" as well as insidious.
According to Kaspersky's Threatpost blog, the bug is capable of deleting all files on drives D through I, as well as on the desktop. Once the data is deleted, the program then launches a checkdisk command in an apparent attempt to divert attention towards a possible system failure, as opposed to a planned attack.
At this point, the malware, which has been dubbed Trojan.Batchwiper, has only been witnessed in Iran, which reported the attack on Sunday through the Maher Center, Iran's equivalent of CERT.
[Related: The 10 Biggest Security Stories Of 2012]
The attacks launch only on specifically programmed dates, including last week from Dec. 10 through Dec. 12. The configuration of the code leads experts to believe it will become active again for two days starting on Jan. 21. At that point, it appears likely to stand down until May 6. Subsequent attacks appear likely for July and November of 2013, February, May and August of 2014, and February of 2015.
The Threatpost blog quoted Kaspersky Lab researcher Roel Schouwenberg as saying, "This [malware] is as basic as it gets. But if it was effective, that doesn’t matter. If it wasn’t clear already, the era of cyber sabotage has arrived."
The malware, which engages BAT files that are then converted to Windows PE files using a BAT2EXE tool, appears to be unrelated to Shamoon or any of the high-profile attacks witnessed so far. Key file names include Win.32.Maya.a and also GrooveMonitor.exe, which serves as the dropper.
According to a post in the AlienVault blog, the malware is likely deployed through USB drives and spearphishing, or possibly as the second stage of a targeted intrusion.
Data wiping malware has gained notoriety, especially in the Middle East where Shamoon was used to bring IT resources of Aramco, a Saudi Arabian oil company, to a near standstill earlier this year. Investigations into other strains of data wiping malware also led to the discovery of the Flamer virus.
PUBLISHED DEC. 17, 2012