The Anatomy of Wiper Malware, Part 1: Common Techniques

Originally published by CrowdStrike here.

Written by Ioan Iacob and Iulian Madalin Ionita, CrowdStrike.

This blog post is the first in a four-part series in which an Endpoint Protection Content Research Team will dive into various wipers discovered by the security community over the past 10 years. The goal is to review in depth the various techniques employed by wipers that target the Windows operating system.

Background

A wiper is a type of malware with a single purpose: to erase user data beyond recoverability. Wipers are used to destroy computer networks in public or private companies ranging from industrial to entertainment sectors. Threat actors also use wipers to cover up traces left after an intrusion, weakening their victim's ability to respond.

Wipers gained popularity back in 2012, when Saudi Arabia’s Saudi Aramco and Qatar's RasGas oil companies were targeted by threat actors using the “Shamoon” family of wipers. After four years in which little to no wiper activity was observed, the Shamoon wiper resurfaced in 2016 with threat actors having the same goals and targets in mind.

The year 2017 put multiple wiper families on our radar. A wiper variant of “Petya” was used to target multiple institutions in Ukraine, Russia and western Europe. Institutions in Israel and Germany faced the wipers named “SQLShred" and “Ordinypt,” respectively, which masqueraded as ransomware. Middle Eastern companies again found themselves the target of a wiper, this time one named “StoneDrill."

Little wiper activity was observed in the following three years. In 2018, South Korea was the host of the Olympic games that were targeted by threat actors using “Olympic Destroyer." In late 2019 and early 2020, “Dustman” and “ZeroCleare” were used to target organizations in the energy and industrial sectors from the Middle East.

In 2021 threat actors again targeted the Olympics, now hosted in Tokyo, with a wiper named “Tokyo Olympic Wiper." In the same year, a pro-Palestenian wiper dubbed “IsraBye” was used to target Israeli organizations.

Already, 2022 has been the most active year yet for wipers. Ukraine, while fighting Russian forces in traditional warfare, has seen its government institutions targeted by numerous cyberattacks using the wipers “CaddyWiper,” “DoubleZero,” “DriveSlayer,” “IsaacWiper,” “KillDisk” and “WhisperGate.”

Techniques

Over the years, threat actors have used different strategies to achieve their objectives. During that time, we've studied different adversary strategies that use wipers singularly or in combination with other destructive techniques. While quick and easy techniques can also have quick and easy countermeasures, the more advanced and lengthy ones may give victims a chance to react in time but usually not without difficulty.

Ransomware and wipers share some techniques. Both walk the disk in search of files to modify or corrupt, and both are capable of making data recovery impossible for the victim. But in this latter aspect lies one of the biggest differences between the two threats: ransomware typically enables file restoration for victims who pay the ransom, whereas the objective of wipers is to destroy files beyond recoverability. Another difference is in performance; because wipers need not read the data from disk, they work faster and require fewer resources than ransomware.

One of the easiest techniques we’ve found in the analyzed wiper samples is to merely delete the files on disk. Yet this technique could allow forensics examiners to recover the files by carving them out from the raw disk. Because standard deletion is not a secure method, threat actors have resorted to overwriting target files with bogus data. To increase the speed of the operation, some wipers overwrite only the first part of the target file, while others resort to wiping the Master Boot Record (MBR).

As we'll discuss, these techniques vary in their unique advantages and weaknesses, as well as in the degrees of recoverability of destroyed data. Each of these techniques demands a different course of action to properly detect and respond to the various threats posed by destructive wiper malware families.

File Discovery

In search of files to destroy or corrupt, most wipers recursively iterate through the file system by using Windows APIs like FindFirstFile and FindNextFile.

Figure 1. File iteration via FindFirstFile and FindNextFile APIs

While some wipers immediately overwrite their targets, Apostle, DoubleZero, SQLShred and WhisperGate construct a list of target files to be later processed by the wiping routine. This introduces a bit of overhead before the destructive functionalities are launched, buying the victim time to react.

Wipers are implemented to do as much damage as possible without crashing the operating system. During the file discovery operation, many wipers will implement different strategies to maintain the stability of the operating system. If critical files are overwritten, the machine will crash and the wiper may not achieve the desired outcome. In order to prolong the life of the machine, wipers can delay, skip or prioritize certain targets:

• CaddyWiper, DoubleZero, IsaacWiper, SQLShred, and StoneDrill start the wiping routine with non-OS related drives (including mounted network shares) and directories
• DoubleZero, CaddyWiper, KillDisk, SQLShred, and StoneDrill will skip certain directories (e.g., Windows, Program Files, ProgramData or others) from the wiper routine or delay their destruction at a later time of execution
• KillDisk and WhisperGate skip certain file extensions like DLL, EXE, LIB, SYS
• Ordinypt uses a list of targeted extensions similar to ransomware
• CaddyWiper and SQLShred — if the configuration sets disk destruction — have been observed to first destroy target files and then destroy physical drives or disk volumes

File Overwrite

When it comes to overwriting files, wipers implement different techniques that achieve the same purpose. While some techniques are fairly common, others implement unique methods.

File System API

The standard method to overwrite a file is by using the CreateFile and WriteFile API combination. The first is used to grab a handle to the desired file and the second is used to overwrite the file contents with new data. This basic technique has been seen in multiple wiper families like CaddyWiper, DoubleZero, IsaacWiper, KillDisk, Meteor (including Stardust and Comet variants), Petya wiper, Shamoon, SQLShred, StoneDrill, and WhisperGate. Some wipers overwrite the entire file — a computationally costly operation — while others only overwrite a fixed number of bytes.

Figure 2. Determine file size, allocate memory and write to file

In Figure 2, Destover overwrites the entire file by determining its size via GetFileSize, allocates memory of the same size, excludes files based on their extension and overwrites the file using WriteFile.

File IOCTL

While the previous method was the most common among the researched samples, DoubleZero implements a second mechanism for overwriting files. In order to overwrite the entire file with zeros, this wiper uses the NtFsControlFile API to send the FSCTL_SET_ZERO_DATA control code to the file system driver along with the size of the file to be overwritten.

Figure 3. DoubleZero uses FCSTL_SET_ZERO_DATA to overwrite file contents

File Deletion

When the operating system deletes a file from disk, the corresponding sectors are not overwritten with “null” data, they are only marked as unused. This indicates that the raw sectors are free to use when other files are created. Ordinypt, Olympic wiper and Apostle wipers implement simple file deletion, where files are only deleted, not overwritten. In this case, the data can still be recovered from the disk via file carving techniques used in digital forensics. To make the files unrecoverable, secure file deletion needs to be implemented and it requires the files to be overwritten before they are deleted from the disk.

Most wipers do not need to delete the files because their contents have been destroyed, but some implement file deletion. This is the case of Destover, KillDisk, Meteor (Stardust/Comet), Shamoon, SQLShred, and StoneDrill which overwrite the target files with random bytes. Only after replacing the file contents, the file is deleted from disk via the DeleteFile API.

The following code snippet displays an implementation of File Deletion and File Overwrite found in the Shamoon wiper.

Figure 4. How Shamoon wiper overwrites and deletes files

Although families like Apostle and Ordinypt do not implement a secure deletion, they are still considered destructive because file carving is not a perfect recovery technique.

Drive Destruction

Some wipers go one step further and attempt to destroy the contents of the disk itself, not just files. This approach provides several advantages to attackers and makes recovery more difficult, if not impossible. Because files may be fragmented across the disk, wiping the files will require the hard disk drive actuator arm to commute to multiple locations, thus decreasing wiping speeds. Overwriting the raw sectors in successive order is advantageous because it drastically increases the speed of the wiping operation. This also applies to modern solid state drives where sequential access is still more performant than random access.

Wiping raw sectors also removes any file system information like partitioning tables, journaling, parity data, metadata and even OS protected files. These operations are equivalent to raw full-disk formatting, ensuring that files cannot be recovered via any forensic methods.

Disk Write

Similar to the way files can be overwritten, IsaacWiper, KillDisk, Petya wiper variant, SQLShred, StoneDrill, WhisperGate and DriveSlayer use the same CreateFile and WriteFile APIs to overwrite physical disks (\\.\PhysicalDisk0) and/or volumes (\\.\c:) with either random or predefined bytes buffers. “PhysicalDisk0” is used to access the first sector of a disk, where the Master Boot Record (MBR) is stored, while “\\.\C:” will allow the wiper to reference the first sector of the partition.

Figure 5. Overwrite the MBR of the drive 0 via CreateFile and WriteFile APIs

The code snippet displays an implementation found in various wipers to delete the MBR by directly accessing the disk. The MBR is a structure that resides in the first sector of the disk and holds information about how the disk is formatted into one or multiple partitions. Deleting this structure removes information about the partitions making the system unbootable and also the files present in the partitions inaccessible.

Disk Drive IOCTL

Instead of using the WriteFile APIs for overwriting the physical disk, CaddyWiper wipes the disk by sending it a Input/Output Control (IOCTL) code. The IOCTL_DISK_SET_DRIVE_LAYOUT_EX IOCTL is sent via the DeviceIoControl API alongside a buffer filled with zeros in order to wipe information about drive partitions including MBR and/or GUID Partition Table (GPT).

The code snippet below displays the implementation found in CaddyWiper.

Figure 6. Wipers corrupt the disk layout using IOCTL_DISK_SET_DRIVE_LAYOUT_EX

File Contents

As discussed previously, wipers may implement destructive actions on the contents of the file to reduce chances of recovery. We observed multiple approaches when deciding the data to be written over the target files. Some samples overwrite the files with the same data across the entire length, others randomize the contents, while others write predefined buffers to the target files.

Overwrite with Same Byte Value

A simple method is to write the same byte over the entire file contents. Wiper families like CaddyWiper, DoubleZero, KillDisk, Meteor (with its Stardust/Comet variants) and SQLShred implement this technique.

This method does not add any overhead to the wiping process, but might leave an opportunity to recover the data via magnetic-force microscopy.

Overwrite with Random Bytes

To avoid any potential weakness of the previous method, threat actors can decide to generate random data to be used while overwriting files. Even some forensic tools implement secure wiping by overwriting the disk or file multiple times with random data, leaving no chance for magnetic-force microscopy to recover the data.

Oftentimes the random buffer is generated via the seed and rand functions, followed by a write to the file. Generating random data adds overhead, thus lengthening the wiping times. Destover, IsaacWiper, KillDisk, SQLShred and StoneDrill are a few examples of wipers that overwrite target files with random data.

IsaacWiper implements its own pseudorandom number generator to fill a memory buffer, an implementation of Mersenne Twister PRNG.

Figure 7. Malloc is used to “generate random” bytes that will be written to the file

In Figure 6, Destover takes advantage of a caveat in the malloc function to generate “random” data. Malloc will allocate a memory buffer, but it will contain residual data from previous usage of that memory page that is then written over the entire length of the file.

Overwrite with Predefined Data

The final method to discuss is the use of hard coded data to overwrite files. This method eliminates the overhead introduced by generating random bytes, thus increasing the speed of data destruction.

Shamoon overwrites files with a predefined jpeg image that is hardcoded and obfuscated in the wiper binary. It uses the WriteFile API to write the image; the header of the jpeg is seen in the memory view in the second half of the screenshot.

Figure 8. Debugger view, showcasing the JPEG image being written to a file

In contrast, the wiper IsraBye writes only a message to the file contents, and it does not overwrite every byte in the file content, leaving some data available for forensics analysts to extract. However, even though it is not as destructive as others, this wiper is able to overwrite the file header, reducing the possibility of data carving or recovery.

Figure 9. IsraBye code snippet used to file overwrite and file rename

Summary

Depending on the skill set of different threat actors, wipers have implemented different techniques in order to sabotage the operations of their targets. Most often, wipers use file system specific APIs to iterate through files and overwrite and delete as many as possible.

Some wipers don’t target only the files from the victim’s machine, but may also target the raw disk. This latter technique provides several advantages like increased wiping speeds for example. Also, it may bypass security measures implemented by the file system or operating system and may even be invisible to security products.

To further increase the speed of the operations, some wipers do not overwrite the entire length of the target data, but only parts of it enough to make the files unrecoverable. To increase the destruction capability, randomizing the contents overwritten to the files seems like a good approach, but it becomes a time intensive task. An interesting and time efficient approach seen in some wipers is the usage of malloc to use garbage data to overwrite the target.

In part two of this wiper series, we will dive into how wipers use legitimate third-party drivers to destroy files as well as disk clusters.

Hashes