U.S., Israel behind New Iran Attack

Wednesday, December 19, 2012 @ 06:12 PM gHale

By Richard Sale
The new virus hitting Iran that targets computers and wipes entire disk partitions clean is a joint U.S.-Israel attack, CIA sources said.

In what seems like a very similar attack scenario as the August Shamoon virus that hit Middle East energy companies, the virus implantation in Iran actually occurred before the Shamoon attack, the sources said.


Ars Technica broke the story on the Iran attack two days ago, and former senior CIA officials, who requested anonymity because they are close to the investigation, confirmed to ISSSource that the U.S. and Israel were behind the Tehran-focused attack. Who or what the new virus is targeting remains unclear.

Dubbed Batchwiper, the malware systematically wipes any drive partitions starting with the letters D through I, along with any files stored on the Windows desktop of the user logged in when the program executes, according to security researchers who independently confirmed the findings.

The reports come seven months after an investigation into a separate wiper program targeting the region led to the discovery of Flame, the highly sophisticated espionage malware reportedly designed by the U.S. and Israel to spy on Iran. The original wiper program, named Wiper, was interesting because it shared a file-naming convention almost identical to those used by the state-sponsored Stuxnet and Duqu operations, an indication it may have been related, security researchers said.

A separate wiping malware known as Shamoon wreaked havoc on some energy sector computers in the Middle East, including destroying hard drives on at least 30,000 workstations operated by Saudi Aramco, the world’s largest oil producer. Unlike Wiper, the Shamoon code base is very rudimentary, raising the possibility that hacktivists or other amateur coders developed it. Batchwiper, which gets its name because its destructive payload is contained in a batch file, also appears to be rudimentary.

“Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by antivirus,” said the Iranian CERT advisory, which was published Sunday.

The virus, however, is probably not widely distributed. This targeted attack is simple in design and bears no similarity to the other sophisticated targeted attacks. The malware is able to remain active after a machine reboots; it does this by adding a registry entry. The RAR archive dropper is named GrooveMonitor.exe, presumably to disguise it as a legitimate Windows Office 2007 service. GrooveMonitor.exe then drops additional files named juboot.exe, jucheck.exe, SLEEP.EXE, and WmiPrv.exe.

The batch file is written to wipe drives only on certain dates, with the next one being January 21. Previous dates listed in the file include December 11, 12, and 13, suggesting the malware campaign may have been active for the past week and may already have inflicted damage.

It remains unclear how Batchwiper is spreading. Possibilities, researchers said, include the use of USB drives, malicious insiders, spear phishing campaigns or “probably as the second stage of a targeted intrusion.”

Richard Sale was United Press International’s Intelligence Correspondent for 10 years and the Middle East Times, a publication of UPI. He is the author of Clinton’s Secret Wars and Traitors.
