
Malware 101: Wiperware and other destructive malware
Malware authors are human, and humans sometimes make mistakes. Ransomware authors sometimes make mistakes that prevent the data from being decrypted when a ransom is paid, and sometimes there is no intention of ever restoring the data. Malware that renders data unrecoverable is referred to as wiperware, and it may come in the form of miscoded ransomware, malware masquerading as ransomware, or malware that simply destroys the files without ever asking for a ransom.
The goal of wiperware, as well as ransomware when the ransom isn't paid, is destruction of data. Any malware that destroys data or severely disrupts networks can be considered destructive malware, and those are the types covered in this article. Destructive malware has been around for many years and in different forms, with wiperware being one of the newer and most damaging.
How deleters and flooders cause destruction and disruption
While wiperware typically utilizes techniques that render the files unrecoverable, a simpler form of similar malware simply deletes the files; these are appropriately called deleters. When a file is simply deleted, whether by malware or a user, the file's data still exists on the disk until it is overwritten by new data, which could take some time depending on the space available and how many new files are being generated. With specialized software and techniques, the remaining data can be recovered, and in many cases this includes the entire file. This is why ransomware and wiperware use means that overwrite the data in the original file, and it is also why legitimate utilities exist to overwrite the file data when recovery of sensitive data is a concern.
Malware with the goal of destruction or disruption doesn't always just target the infected victim, however. Flooders send out large amounts of network traffic from the infected device, which disrupts not only the network the device is connected to but also the network of the traffic recipients if that is a different network. Spammers sometimes use flooders to send their spam emails, SMS, or other types of messages to a large number of recipients, while other flooders might combine multiple infected instances in a distributed denial of service (DDoS) attack. Attackers might even use flooders to target rival groups, for example flooding the rival's internet relay chat (IRC) channel.
How zip bombs target anti-malware software
While attackers have rivals within their community, their biggest rival is anti-malware software. Attempting to thwart that software is a constant battle of wits, with malware authors trying to evade detection and anti-malware software vendors trying to detect the malware. Sometimes, however, the malware authors attack the anti-malware software itself. It is very common for malware to try to delete any detected antivirus software installed on the victim device, but one particular type of destructive malware — the zip bomb — attempts to target even advanced and cloud-hosted anti-malware software.
A zip bomb takes advantage of anti-malware software inspecting the contents of compressed files by recursively nesting specially crafted compressed files that, when unpacked recursively, will overwhelm the system's memory and/or disk space (depending on how the files are being decompressed), causing it to crash. For systems decompressing files to disk rather than in memory, a mess of files from the zip bomb is also likely left to clean up in order to recover the disk space.
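On the defending side, a scanner can inspect archives under hard limits so that it stops before memory or disk is exhausted. The following is an added example, not code from the original article or from any vendor's product; the limit values, function names and sample data are assumptions, and it covers only ZIP files held in memory.

```python
import io
import zipfile

# Assumed limits for illustration; tune them to the scanner's memory and disk budget.
MAX_TOTAL_BYTES = 8 * 1024 * 1024  # decompressed bytes summed over all nesting levels
MAX_RATIO = 100                    # declared uncompressed/compressed size per member
MAX_DEPTH = 2                      # levels of archive-inside-archive to follow
MAX_MEMBERS = 1000                 # members summed over all nesting levels
CHUNK = 64 * 1024

class ArchiveLimitExceeded(Exception):
    """Raised as soon as any limit is crossed, before more data is unpacked."""

def scan_archive(data, depth=0, used=None):
    """Inspect an in-memory ZIP under hard limits; return total bytes decompressed."""
    used = used if used is not None else {"bytes": 0, "members": 0}
    if depth > MAX_DEPTH:
        raise ArchiveLimitExceeded("nesting depth")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            used["members"] += 1
            if used["members"] > MAX_MEMBERS:
                raise ArchiveLimitExceeded("member count")
            # Cheap early reject on the sizes declared in the archive headers.
            if info.file_size > MAX_RATIO * max(info.compress_size, 1):
                raise ArchiveLimitExceeded("compression ratio")
            buf = bytearray()
            with zf.open(info) as member:
                # Stream in chunks so the shared budget is enforced on real output.
                while chunk := member.read(CHUNK):
                    used["bytes"] += len(chunk)
                    if used["bytes"] > MAX_TOTAL_BYTES:
                        raise ArchiveLimitExceeded("total size")
                    buf += chunk
            if zipfile.is_zipfile(io.BytesIO(buf)):
                scan_archive(bytes(buf), depth + 1, used)
    return used["bytes"]

def make_zip(members):
    """Build a small constructed sample archive from {name: bytes}."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return out.getvalue()

if __name__ == "__main__":
    ordinary = make_zip({"readme.txt": b"quarterly report\n" * 20})
    print(scan_archive(make_zip({"inner.zip": ordinary})))
```

Because the byte and member counters are shared across recursion levels, nesting cannot be used to reset the budget; an archive that trips a limit should be quarantined and flagged rather than passed through unscanned.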
While money is the most common goal of most malware, destruction and disruption are also quite common goals, especially with nation-state attackers (often referred to as advanced persistent threats or APTs) engaged in cyberwarfare against countries with interests that don't align. Hacktivists might also utilize destructive malware against organizations they oppose, and bored teenagers with too much time and knowledge can use these types of malware as revenge or simply to create chaos because they can.
You can read the rest of the Malware 101 series here.
