{"id":2983,"date":"2014-01-27T10:40:45","date_gmt":"2014-01-27T15:40:45","guid":{"rendered":"http:\/\/kasperskydaily.com\/uk\/?p=2983"},"modified":"2020-02-26T15:08:25","modified_gmt":"2020-02-26T15:08:25","slug":"some-malware-just-wants-to-watch-the-world-burn","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/some-malware-just-wants-to-watch-the-world-burn\/2983\/","title":{"rendered":"Some malware just wants to watch the world burn"},"content":{"rendered":"<p>To summarise Costin Raiu, the director of Kaspersky Lab\u2019s research arm, the vast majority of malicious files are what he calls crimeware \u2013\u00a0computer programs deployed by cybercriminals seeking to make a profit by stealing credentials, data, resources, or money directly. The second most prevalent category of malicious software is designed exclusively for cyber-espionage and is used by a variety of advanced threat actors \u2013 often with state, corporate, or other deep-pocketed benefactors. Then there is a third, much smaller category of purely destructive malware \u2013\u00a0sometimes called wipers.<\/p>\n<p>As it turns out, early malware was almost entirely destructive in nature. In the late nineties the Internet was not the vast storage place for valuable data that it is today. In addition to that, organised criminals had yet to see the hard financial value in what was \u2013 at the time \u2013\u00a0easily accessible information. Thus, somewhat like modern <a href=\"https:\/\/www.kaspersky.com\/blog\/cryptolocker-is-bad-news\/\" target=\"_blank\" rel=\"noopener nofollow\">ransomware<\/a>, early hackers designed malware that encrypted hard-drives or corrupted machine data in other ways. There was a playful mischievousness to these early trojans and the people developing them. 
As far as I know, money was not a significant incentive among early malware authors.<\/p>\n<p>Destructive, wiper-type malware never really went away, but it\u2019s definitely been revitalised with new fervour and purpose in the murky age of alleged nation-to-nation and nation-to-corporation attacks.<\/p>\n<div class=\"pullquote\">Wipers remain a tertiary threat at best; one that you or I don\u2019t really have to actively worry about.<\/div>\n<p>In fact, in the last three years, our friends at <a href=\"http:\/\/www.securelist.com\/en\/blog\/8169\/Destructive_Malware_Five_Wipers_in_the_Spotlight\" target=\"_blank\" rel=\"noopener nofollow\">Securelist<\/a> have examined no fewer than five separate wiper-style attacks.<\/p>\n<p>The first, merely called <a href=\"https:\/\/www.securelist.com\/en\/blog\/208193808\/\" target=\"_blank\" rel=\"noopener nofollow\">Wiper<\/a>, was so effective that it even wiped itself off the thousands of Iranian computers it is believed to have infected. Because of this, no one was able to examine Wiper malware samples. In comparison to other destructive malware, this threat was seemingly novel, targeting a slew of what appeared to be random machines. Wiper, however, is significant because \u2013 whoever designed it and for whatever purpose \u2013 it may well have been the inspiration for the following four pieces of malware.<\/p>\n<p><a href=\"https:\/\/www.securelist.com\/en\/blog\/208193786\/Shamoon_the_Wiper_Copycats_at_Work\" target=\"_blank\" rel=\"noopener nofollow\">Shamoon<\/a> in particular is thought to have descended from the mysterious Wiper malware. This destructive strain found its way onto the networks of what may be the world\u2019s most valuable company and what is definitely its largest daily oil producer, Saudi Aramco. Shamoon made quick work of the Saudi Arabian Oil Company in August of 2012, destroying more than 30,000 corporate workstations. 
The malware, which some have said originated in Iran even though a hacker group claimed credit for the attack, did not succeed in erasing itself from existence as Wiper did before it. Researchers got their hands on Shamoon, realising it used crude but effective methods in its attack.<\/p>\n<p>Then there was <a href=\"https:\/\/www.securelist.com\/en\/blog?weblogid=208193954\" target=\"_blank\" rel=\"noopener nofollow\">Narilam<\/a>, a crafty piece of malware that seemed to target the databases of some financial applications used almost exclusively in Iran. Narilam differed from the others here in that it\u2019s slow-acting malware, designed for long-term sabotage. Kaspersky Lab has identified a number of different versions of Narilam, some dating back as far as 2008. While Narilam and threats like it act slowly, they can be quite destructive in the long term.<\/p>\n<p>There was also the <a href=\"https:\/\/www.securelist.com\/en\/blog\/208194052\/GrooveMonitor_Another_Wiper_Copycat\" target=\"_blank\" rel=\"noopener nofollow\">Groovemonitor<\/a> (aka Maya) malware. Iran\u2019s equivalent to the computer emergency response team first reported what they called Maher in 2012. It\u2019s a fairly simple threat, attacking victim machines more like a bludgeon than a scalpel. Groovemonitor basically has a preset period between two dates. It would attempt to delete every file between those two dates on all machine drives D through I.<\/p>\n<p>The most recent threat, called <a href=\"https:\/\/www.securelist.com\/en\/blog\/208194183\/South_Korean_Whois_Team_attacks\" target=\"_blank\" rel=\"noopener nofollow\">Dark Seoul<\/a>, was used in a coordinated attack targeting several banks and broadcasting companies in Seoul, South Korea. 
This attack was different from the previous ones both because it did not seem to involve a Gulf state (Iran or Saudi Arabia) and because it was incredibly conspicuous, suggesting that the attackers in this case were out for fame rather than clandestine sabotage.<\/p>\n<p>\u201cThe power to wipe tens of thousands of computers at the push of a button or a mouse click represents a powerful asset for any cyber-army,\u201d Raiu wrote in a Securelist report. \u201cThis can be an even more devastating blow when coupled with a real-world kinetic attack to paralyse a country\u2019s infrastructure.\u201d<\/p>\n<p>Wipers remain a tertiary threat at best; one that you or I don\u2019t really have to actively worry about. After all, there isn\u2019t a whole lot that everyday Internet users can do to protect their water or power utilities against a piece of malware that would erase supervisory control and data acquisition or industrial control systems (the hardware and software that control power grids, manufacturing, etc.). These are the sorts of threats that need to be monitored and mitigated by specialised security companies, critical infrastructure holders, and \u2013 perhaps most importantly \u2013 national governments.<\/p>\n<p>The good news \u2013 for users in the United States and its close allies at least \u2013 is that the U.S. Congress will soon vote on the popular, bipartisan, private-sector-endorsed <a href=\"https:\/\/threatpost.com\/critical-infrastructure-protection-bill-passed-in-committee\/103804\" target=\"_blank\" rel=\"noopener nofollow\">National Cybersecurity and Critical Infrastructure Protection Act of 2013<\/a>. The bill is designed primarily to promote threat-information sharing between the government and the companies that manage critical infrastructure. 
Similar efforts and legislation are in consideration or already underway in a number of other countries around the world as well.<\/p>\n<p>\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>To summarise Costin Raiu, the director of Kaspersky Lab\u2019s research arm, the vast majority of malicious files are what he calls crimeware \u2013\u00a0computer programs deployed by cybercriminals seeking to make<\/p>\n","protected":false},"author":42,"featured_media":2984,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2026],"tags":[93,36,510],"class_list":{"0":"post-2983","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-cybercriminals","9":"tag-malware-2","10":"tag-wipers"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/some-malware-just-wants-to-watch-the-world-burn\/2983\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/some-malware-just-wants-to-watch-the-world-burn\/2861\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/some-malware-just-wants-to-watch-the-world-burn\/2756\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/some-malware-just-wants-to-watch-the-world-burn\/3093\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/some-malware-just-wants-to-watch-the-world-burn\/3585\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/some-malware-just-wants-to-watch-the-world-burn\/2437\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/some-malware-just-wants-to-watch-the-world-burn\/3585\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/some-malware-just-wants-to-watch-the-world-burn\/3585\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/cybercriminals\/","name":"cybercriminals"},"_links":{"self":[{"href":"h
ttps:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/2983","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=2983"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/2983\/revisions"}],"predecessor-version":[{"id":18923,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/2983\/revisions\/18923"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/2984"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=2983"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=2983"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=2983"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}