December 18, 2012
Iranian computers are being targeted by malware that wipes entire disk partitions clean, according to an advisory issued by that country’s Computer Emergency Response Team Coordination Center.
Dubbed Batchwiper, the malware systematically wipes any partitions assigned the drive letters D through I, along with any files stored on the Windows desktop of the user who is logged in when it’s executed, according to security researchers who independently confirmed the findings. The reports come seven months after an investigation into another wiper program targeting the region led to the discovery of Flame, the highly sophisticated espionage malware reportedly designed by the US and Israel to spy on Iran. Wiper, as the earlier wiping program is known, shared a file-naming convention almost identical to those used by the state-sponsored Stuxnet and Duqu operations, an indication it may have been related, security researchers said.
Separate wiping malware known as Shamoon wreaked havoc on some energy-sector computers, including 30,000 workstations operated by Saudi Aramco, the world’s largest oil producer. Unlike Wiper, the Shamoon code base is considered rudimentary, raising the possibility that it was developed by hacktivists or other amateur coders. Batchwiper, which gets its name because its destructive payload is contained in a batch file, also appears to be rudimentary.