Iran attacked with data-wiping malware, report says

Country's computer security team reported the attack on Sunday, saying it was aimed at systems of specific organizations

The Iranian team that handles cybersecurity threats reported that the country's computer systems were the target of malware capable of wiping disk partitions clean of data.

The MAHER Center of Iranian National Computer Emergency Response Team reported the attack on Sunday, but did not list the targets. The organization did describe the attack as "targeted," meaning it was aimed at systems of specific organizations.

Iran has been the target of cyber-sabotage malware before. In 2010, the Stuxnet worm attacked the country's nuclear facilities, damaging centrifuges used to enrich uranium. The New York Times reported in June that the attack was a joint effort of the U.S. and Israel.

The latest attack is far less sophisticated than Stuxnet. The malware was used in an "extremely simplistic" assault in which the attacker wrote a batch program and then used a BAT2EXE tool to turn it into a file that could run on a Windows Preinstallation Environment (PE), Roel Schouwenberg, a security expert with Kaspersky Lab, wrote on Monday on the company's SecureList blog.

Batch programs, also called BAT files, are used to run repetitive tasks, such as backups. Windows PE is a lightweight version of the operating system that is used to deploy Windows on workstations and servers and to troubleshoot the OS when it is offline.

[See also: How to plan an industrial cyber-sabotage operation -- A look at Stuxnet]

The destructive payload within the BAT file will try to delete all files in drives D through I, Schouwenberg said. It will also try to do the same on the infected desktop.

"Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software," the Iranian CERT said.

The malware seemed designed to go after older systems, implying that the targets were computers used to do mundane activities like operating as a server or controller, said Murray Jennex, an associate professor at San Diego State University and an expert in international information systems.

The attack also could have been aimed at PCs used by an engineer in the field or systems in educational facilities, Jennex said. But he said he didn't believe the malware was sophisticated enough to affect Iran's main research support systems.

"However, I wouldn't be quick to say Iran is being attacked as the report says nothing about tracing the attack and it would not surprise me if this is an internal attack, either by dissidents or to take some of the [cyberespionage] heat off of Iran," Jennex told CSO Online.

In its code analysis, Kaspersky said the malware, dubbed Trojan.Win32.Maya.a, tries to cover its tracks by running check disk, a command on Windows used to fix file system errors or check on the status of hard disks.

"I assume the attacker is trying to make the loss of all files look like a software or hardware failure," Schouwenberg said.

Windows PCs running 64-bit versions of the OS will receive a warning if the malware tries to run. That's because the payload includes a 16-bit executable called SLEEP.exe, Schouwenberg said. Because 16-bit files won't run on 64-bit versions of Windows, trying to do so launches a warning notifying the user that a program won't start or run.

There's nothing in the code linking the malware to other targeted cyberattacks on Iran. Besides Stuxnet, security experts discovered this year the Stuxnet cousin Flame that tried to steal data primarily from computer systems in Iran and Palestine.

Copyright © 2012 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline