Defending Against 'Wiper' Malware

New FBI Alert Calls Attention to Threat
Defending Against 'Wiper' Malware

In the wake of the FBI issuing a warning that a U.S. business has been attacked using a dangerous form of "wiper" malware, security experts say businesses must protect themselves against attack code that aims to delete the content of every hard drive it touches.

See Also: Fencing an Imaginary Yard; How to Secure your IP with an Unidentifiable Network Perimeter

Defensive measures organizations can take include segmenting important information to hardened networks, backing up data offsite in case systems get wiped, and investing in appropriate resources to detect breaches quickly (see: Speeding Up Breach Detection).

The FBI alert is reportedly tied to the Nov. 24 hack of Sony Pictures Entertainment, which locked employees out of their PCs, instead displaying a message that their system had been "Hacked By #GOP," referring to a group of attackers calling themselves Guardians of Peace (see Sony Hack: FBI Issues Malware Alert).

Malware Characteristics

The alert is notable because attackers rarely employ wiper malware that's designed to delete the content of drives. To date, wiper malware has only been seen in a handful of attacks, mostly in the Middle East or South Korea, Costin Riau, who heads the information security research team at anti-virus vendor Kaspersky Lab, says in a blog post.

But many information security experts say they've never seen such an attack launched against a business in the United States. "This is somewhat of a watershed event," says Alex Cox, senior manager at information security research organization RSA FirstWatch. "Up until now, we have had very limited examples of large-scale data destruction."

That's because the majority of attack code is designed to steal data - and especially financial or intellectual property details - rather than destroy it. "Wiper-type malware is rare because the motive of modern virus writers is to infect machines silently and avoid detection for as long as possible to enable attackers to control the infected machine for longer and to steal [valuable] information," says Brian Honan, who heads Ireland's computer emergency response team. "Wiper malware, in contrast, is noisy [and] those infected will know straightaway."

Wiper malware attacks the master boot record and core file system operations, says David Kennedy, CEO of TrustedSec, an information security consulting service. "It makes it hard to recover from the malicious software, which could be disastrous for organizations," he says.

This form of malware also operates fairly swiftly, says Shirley Inscoe, an analyst at the consultancy Aite Group. "Once the malware gets into a system, it spreads and could be very difficult to detect and shut down in time to avoid major disruption."

As a result, many information security experts believe that the attack referenced by the FBI may not be the work of garden-variety cybercriminals. "Data deletion would typically be associated with hacktivism - deletion of backups - or strategic political or wartime goals, such as Stuxnet," Cox says. "Destroying access to a network doesn't really fit the cybercrime model - where criminals want to retain quiet access to continue their theft - or the APT model where nation-states want to retain access for espionage purposes. A dead network is a network that gives no data."

As the Sony Pictures attack demonstrates, wiper malware can also be used to disrupt an entire business. "When I think of such threats, it's Shamoon that comes to mind," says Sean Sullivan, security adviser at Finnish anti-virus firm F-Secure, referring to malware that was used in August 2012 to wipe an estimated 30,000 PCs at Saudi Aramco, Saudi Arabia's state-owned petroleum and natural gas producer. Security experts never identified exactly who launched Shamoon.

Wiper malware has typically been the domain of someone who wants to air a grievance, says John Hultquist, who heads the cyber-espionage practice at threat-intelligence firm iSight Partners. "Even though it has practical effects - for instance, halting oil production or shutting down operations - its greatest impact is perception - the message being sent," he says.

Defensive Measures

Organizations can take several steps to protect themselves against wiper malware, starting with using segmented networks, F-Secure's Sullivan says. "Isolate important intellectual property to hardened networks," he advises. "Access those networks 'remotely' - [using] some kind of remote desktop software." That adds a security layer that makes it more difficult for attackers' malware to access - or wipe - PCs connected to that network.

Backing up data is also essential, in case systems get wiped and must be reinstalled, and such backups must be disconnected from the network, lest they get deleted by the same wiper malware. "Continual, offsite data backups are critical for any organization," says Michael Sutton, vice president of security research at cloud security firm Zscaler. "Backups can be a challenge with a mobile workforce when devices rarely return to the corporate office, but Internet-based backup solutions provide a means of remote backup so long as an Internet connection is available."

In addition, organizations that received the FBI alert can use the file structure for the malicious software, which was provided, to help detect a malware intrusion, Kennedy at TrustedSec says. "However, note that these [file structures] could change when deployed in other systems," he says. "The best approach is still having multiple layers of defense in order to prevent an attack from occurring in the first place."

The attack against Sony also illustrates the critical importance of having business continuity and disaster recovery plans, says Rick Holland, principal security analyst at Forrester Research. "InfoSec teams need to be highly engaged with the groups that put these plans together," he says. Servers are obviously included in such plans, but they also need to extend to workstations and desktops that are critical to business operations, Holland adds.

"Events like this could lead organizations to research virtual desktop deployments, which make recovering from these types of attacks much easier," he says.

Investing appropriate resources into quickly detecting breaches is also essential. "The unfortunate reality of today's threat landscape is that enterprises will be breached," Sutton says. "When that occurs, it is essential that the breach is quickly identified and isolated as to limit the overall damage."


About the Author




Around the Network