Iranian computers under attack by ‘Batchwiper’ malware

Iran internetA new malware with the ability to delete entire partitions of hard drives, including all files stored within them, has been discovered by Iranian authorities according to an alert issued on Sunday by the Iranian Computer Emergency Response Team Co-ordination Center (CERTCC).

The CERTCC alert reports that the malware – appropriately named “Batchwiper” – can wipe any and all drive partitions that start with the letters D through I. Additionally, Batchwiper will erase files stored on the desktop of the active user at the time the malware activates. The malware’s name derives from its method of delivery, with the malware apparently contained in a batch file. According to a blog post from anti-malware experts Kaspersky Lab, Batchwiper “is an extremely simplistic attack,” which checks the current date against a number of pre-defined dates. “If the date matches,” Kaspersky Lab’s Roel explained, “it will wait for 50 minutes and then try to delete all files from drive D through I.”

The dates discovered run in intervals from December 10, 2012 through February 4, 2015 (There are four date ranges in 2013, three in 2014, and one each in 2012 and 2015); “Clearly, the attacker was trying to think ahead,” Roel notes. “After trying to delete all the files on a particular partition the malware runs [check disk] on said partition. I assume the attacker is trying to make the loss of all files look like a software or hardware failure.”

Batchwiper also has the ability to disguise itself from antivirus softwares. “Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by antivirus,” The Iranian CERTCC alert comments.

The CERTCC described the spread of Batchwiper as a targeted attack, but also noted that the “attack” has a rather limited reach. “It is not considered to be widely distributed,” the alert said, adding that the malware “is simple in design and it is not any similarity to the other sophisticated targeted attacks.”

Batchwiper apparently arrives via a file with the name GrooveMonitor.exe, which includes three other files (“SLEEP.EXE,” “jucheck.exe” and “juboot.exe”) once extracted. GrooveMonitor, however, is a difficult identifier to watch out for, as it is a name more commonly associated with a (real) Microsoft Office 2007 document collaboration feature called Microsoft Office Groove. Beyond that, however, CERTCC remains uncertain as to how the malware is being shared or the nature of its origins.

Kaspersky Labs seems equally in the dark, noting that there doesn’t appear to be any connection between the malware and previous, similar, wiper attacks such as Flame. The Labs does, however, back up the notion of it being a targeted attack on Iranian systems, pointing out that “we also don’t have any reports of this malware from the wild.”


[Image credit: Kheng Guan Toh/Shutterstock]