Baby got .BAT: Old-school malware terrifies Iran with del *.*

A surprisingly simple disk-wiping malware has set off alarm bells in Iran after surfacing in the Middle East nation. The software nasty deletes everything on storage drives attached to infected Windows PCs on specific dates, according to the Iranian security emergency response team. The malware was detected in one or more …

COMMENTS

This topic is closed for new posts.
  1. Ol'Peculier
    Flame

    Wouldn't

    Wouldn't deltree / rmtree *.* /s be better?

    1. Anonymous Coward
      Anonymous Coward

      Re: Wouldn't

      The files could still possibly be recovered since the commands just remove the file entries from the File Table.

      If you really want to destroy the files you would have to overwrite with random data.

      1. Anonymous Coward
        Anonymous Coward

        Re: If you really want to destroy the files

        You would be surprised at the number of people, who should know better, who try a 'recovery CD' when something goes wrong and proceed to overwrite large portions of the HDD and previous file system tables and only THEN worry about what happened to their data.

      2. Ian Johnston Silver badge
        WTF?

        Re: Wouldn't

        Why random?

      3. Allan George Dyer
        Pint

        Re: Wouldn't

        Possibly recovered - if you happen to know someone who enjoyed doing those really large jigsaw puzzles, with names like "The World's Largest Jigsaw Puzzle" where all the pieces look the same. A moderately large, moderately fragmented disc with the File Table missing would be an excellent Christmas present for them.

        Personally, I'd recommend imaging the disc and restoring from backup...

      4. Anonymous Coward
        Anonymous Coward

        Re: Wouldn't

        why just destroy the data when you can screw with their heads?

        Corrupt the data first, THEN use del *.*

        That way they spend time recovering the data with recovery utilities and still have useless data. Or worse.

    2. Framitz

      Re: Wouldn't

      I had a client some years back that executed a Trojan batch file that attempted this. It failed when it got to critical system files. The harm was undone with a little work and the PC was fine.

    3. LarsG
      Meh

      If

      If an Iranian finds a spelling error in his work it is obviously down to the Great Satan America hacking his pencil and paper.

      Paranoid or what?

  2. Miek
    Linux

    Why is Iran even using Windows? Are they completely stupid? This is software produced by one of their 'enemies'.

    1. Anonymous Coward
      Anonymous Coward

      @Miek

      Presumably because the list of software produced by their friends is even shorter than the list of friends?

      Given the development of such highly specialised code as Stuxnet, it seems probable that even if the Iranians used some flavour of Linux, those behind Stuxnet will work out how to cause trouble. The supposed security advantages of Linux probably won't help much if you've got the Israelis and the Yanks working together on it.

      1. Miek
        Linux

        Re: @Miek

        "Presumably because the list of software produced by their friends is even shorter than the list of friends?" -- well, there is that, but, if they are capable of developing nuclear power and (alleged) a nuclear weapons program; surely they can knock up an OS of their own.

        "The supposed security advantages of Linux probably won't help much if you've got the Israelis and the Yanks working together on it." -- Absolutely, but, at least it would be more secure than the current system where a 12 year old skiddie can get access, as is the case with Windows.

        "The supposed security advantages of Linux" -- supposed?

        1. Anonymous Coward
          Anonymous Coward

          Re: @Miek

          "if they are capable of developing nuclear power and (alleged) a nuclear weapons program; surely they can knock up an OS of their own."

          You'd have thought so, but there are surprisingly few ground-up OSes developed that I've noticed, and I guess this reflects the fact that a true home brew needs the OS authors to write drivers and apps, so that altogether it is rather more than a trifling endeavour? And that assumes that you can write drivers for OEM hardware without their cooperation. Obviously if you just roll your own Linux flavour, that's a lot easier, but you're then making yourself vulnerable to the many clever people who know different flavours of Linux.

          That Linux is more secure I don't dispute - but if placing money on Iranian Linux security holding out against the Israelis, I wouldn't put my money on the penguin.

        2. Anonymous Coward
          Anonymous Coward

          Re: @Miek

          "if they are capable of developing nuclear power and (alleged) a nuclear weapons program; surely they can knock up an OS of their own."

          And if all they know about nuclear power they read about, nicked, or downloaded off the internet, where does that imply they go for their OS?

        3. Anonymous Coward
          Trollface

          Re: @Miek

          ""The supposed security advantages of Linux" -- supposed?"

          Sticking to servers...

          Linux is definitely better than Windows and maybe even that Apple thing, but it is unarguably not as good as some other open offerings (both historically and currently) - even when ignoring 'special purpose' operating systems.

          Linux is good, but it is far from the best that is out there.

          Downvote away if you really think GNU/Linux is as secure as secure gets.

          1. Crazy Operations Guy

            Re: "as secure as secure gets."

            That would be OpenBSD, run by people that actually care about security, unlike Torvalds who has publicly stated that he doesn't give a shit about security.

    2. John G Imrie

      Iran

      Are MS even allowed to sell to Iran?

      1. James Micallef Silver badge
        Pirate

        Re: Iran

        "Are MS even allowed to sell to Iran?"

        I'm sure Iran won't be feeling too guilty about pirating a few copies

      2. Ken Hagan Gold badge

        Re: Iran

        Probably not, now. Then again, unless the end-user is running as admin I think you'd need to be running a version of Windows that installed to FAT, so we're probably talking Win9x or earlier.

        1. Miek
          Linux

          Re: Iran

          I suspect that Windows is shipped to certain countries with certain specifications of encryption removed, it's the encryption used in the software that they don't want exported really.

          1. JustNiz

            Re: Iran

            I can't believe you actually think Windows encryption is secure.

            1. Adam 1

              Re: Iran

              Why do you think windows encryption is insecure? ( presuming you mean bitlocker)

              Or did I just feed a troll?

          2. Tom 13

            Re: it's the encryption

            Well, that's a part of it. But in the case of Iran, there's more to it than that. Remember there are also sanctions based on human rights violations. Note that I'm not claiming the sanctions have any chance of improving the situation, just that the US government has an additional restriction on them.

        2. Anonymous Coward
          Anonymous Coward

          @Ken Hagen

          "unless the end-user is running as admin"

          If they are falling for this attack, one must also assume they are running with most users logged in as admin :(

      3. JustNiz

        Re: Iran

        I'm sure the CIA and the NSA are only too happy to pay Microsoft to give Windows to the Iranian government for free.

        1. Anonymous Coward
          Anonymous Coward

          Re: Iran

          "I'm sure the CIA and the NSA are only too happy to pay Microsoft to give Windows to the Iranian government for free."

          Probably broadly correct, though I doubt they'd be that obvious as it's likely to raise suspicion. More probable that- as part of their you-scratch-my-back-and-I'll-scratch-yours arrangement- MS simply agree to not cause any problems for people trying to install and activate pirated Windows and other products in Iran.

        2. Fatman
          Mushroom

          Re: ...pay Microsoft to give Windows to the Iranian government for free.

          Of course they would, complete with hidden back doors!!!

          They probably even have a special build of it - just for the "evil" countries.

          What would they call it??

          Windows Swiss Cheese Edition?

      4. Tom 13
        Devil

        Re: Iran

        I expect that after a quick call to the CIA the State Dept will be more than happy to issue an export license through specially chosen suppliers.

    3. Anonymous Coward
      Anonymous Coward

      What else are they going to use, Einstein?

      Is there any major OS not produced in the West?

      Linux, Unix, OSX, Windows are all western made.

      1. Anonymous Coward
        Anonymous Coward

        @major OS not produced in the West?

        If I were the Iranians (OK, apart from being less of a dickhead than their example so far) I would go for Linux simply because it is open enough to allow a reasonable chance of an un-tainted OS for secure use.

        Note, however, that is not saying Linux is totally secure, nor is it saying that Iranian BOFH are good enough to secure a working Internet-connected system against probing by NSA, Mossad, etc.

        All it says is you can check for most obvious back door-like features, something you can't really do with Windows or OSX, and the history of UNIX/Linux is based on default-to-secure behaviour, which has taken MS time to catch up with.

      2. Anonymous Coward
        Anonymous Coward

        "Linux, Unix, OSX, Windows are all western made."

        But I thought open source was a communist conspiracy?

        1. Tom 13
          FAIL

          Re: communist conspiracy?

          Um...

          You do realize Marx was a freeloading Brit right?

          1. Uffish

            Re: communist conspiracy?

            I thought Karl Marx was a Prussian hack for the New York Tribune.

    4. Robert Carnegie Silver badge

      Software made by an enemy

      Wait, why are -we- using Windows, then?

      Big respect for the suggestion that Microsoft Windows cannot be sold to Iran due to concern for human rights. After all, it violates mine. If this is written down somewhere, I want to know particularly if there is a right to not have the PC freeze from time to time for a full minute for NO REASON. Maybe I should move to Iran and get liberated.

  3. Michael H.F. Wilkinson Silver badge
    Joke

    Frightened by del *.*?

    wait till they see

    rm -rf /

    (= F1 on BOFH keyboard)

    or

    shutdown -h now

    (=F2 on BOFH keyboard)

    And there is the even more powerful command for HEX:

    +++ reinstall universe +++

    +++ redo from start +++

    1. hplasm
      Happy

      Re: Frightened by del *.*?

      Doesn't work.

      ++Out of Cheese Error++

    2. Miek
      Joke

      Re: Frightened by del *.*?

      "rm -rf /" -- I think you meant "sudo rm -rf /"

      1. Anonymous Coward
        Anonymous Coward

        Re: Frightened by del *.*?

        You might also want to use the "--no-preserve-root" option in recent Linuxs

        What is the plural of Linux?

        1. Not That Andrew

          Re: Frightened by del *.*?

          Any recent *nix actually, first appeared on Solaris, adopted by the BSDs and only then did GNU add it to their version.

        2. This post has been deleted by its author

          1. Anonymous Coward
            Anonymous Coward

            Re: "What is the plural of Linux?"

            Don't know, but the plural of Unix is Twix.

            Hmmm...twix.

        3. Anonymous Coward
          Anonymous Coward

          Re: Frightened by del *.*?

          Linii?

        4. Anonymous Coward
          Anonymous Coward

          Re: Frightened by del *.*?

          Linuopde

          1. Anonymous Coward
            Anonymous Coward

            Re: Frightened by del *.*?

            What's the singular of MS Windows?

            1. M Gale

              Re: Frightened by del *.*?

              "What's the singular of MS Windows?"

              TIFKAM.

              1. my farts clear the room
                Boffin

                Re: Frightened by del *.*?

                "What's the singular of MS Windows?"

                Pane ......?

            2. JustNiz

              Re: Frightened by del *.*?

              Windows 8.

            3. Christian Berger

              Re: Frightened by del *.*?

              "What's the singular of MS Windows?"

              "Jeanette McKinlay" or "Peter Pretrel" of course. (I wonder who gets that reference)

  4. Matt Bryant Silver badge
    Boffin

    Must be skiddie work.

    Deleting data is very obvious, easily detected and easily repaired. What a pro would do is want access to data, to analyse for secrets without the owner knowing it is happening, or to make small corruptions to the data which renders it useless or misleading but which the owner does not realise until they go to use it. I suspect this is some Saudi or Israeli skiddie/hacktivist getting his lulz rather than the CIA, NSA, MI6, the Mossad, etc.

    1. Ryan 7
      Black Helicopters

      Re: Must be skiddie work.

      That's exactly what they want you to think.

    2. Robert Helpmann??
      Childcatcher

      Re: Must be skiddie work.

      Perhaps, though this sort of harassment combined with other efforts might prove more effective than either technique on its own. Depends on the goal, after all. I would guess you are right, but there is the possibility that the information was extracted and this was done to obscure the act - a bit like setting a building on fire to hide a theft.

      1. Tom 13
        Black Helicopters

        Re: was done to obscure the act

        and depending on how cocky you are, you might even have compromised the data 6 months ago and now moved your penetration work elsewhere, so it's useful to redirect attention to a past infiltration location where they might waste even more precious time.

  5. pixl97

    BAT2EXE

    Heh, I remember making (playful/malicious) bat files in to exe files when I was still a teenager. Good to see the Iranian hacker is only 20 years behind the curve.

    1. Zaphod.Beeblebrox
      Trollface

      Re: BAT2EXE

      Must be a Hipster Hacker.

    2. MegC
      Happy

      Re: BAT2EXE

      Next dispersal method is a CD with autorun.ini set to run the batchfile I guess.

      Or another batchfile that sets all your file attrib's to hidden.

      This is of course if they follow my learning curve as a kid writing things to terrorise my friends / school pc's.

    3. Anonymous Coward
      Anonymous Coward

      Re: BAT2EXE

      nah... much more fun was using a basic hex editor to edit command.com's references to config.sys and autoexec.bat to a hidden system directory with two text files named anything you like.

      Leave the existing autoexec.bat and config.sys in the root folder and watch your 'tech' colleagues get mightily confused why they couldn't update their systems.

      it did have the added benefit in some cases of protecting some machines from their 'technical users'.

  6. BigAndos

    Not far off 4chan

    And their constant attempts to con the gullible with "Delete system32, make your PC run faster"

  7. The Alpha Klutz

    telnet iran 22

    pwnage mode go

  8. Anonymous Coward
    Coat

    I like big .bats and I can not lie

    You other coders can't deny

    That when a script executes with itty bitty waste

    And a C:\ prompt in your face

    You get sprung, wanna pull out your tough

    'Cause you notice that .bat was stuffed

    Deep in the files it's tearing

    I'm hooked and I can't stop staring

    Oh baby, I wanna exec you

    And pipe your output...

    Even Mac boys got to shout

    Baby got .bat

    1. Mako

      @ David W.

      Thank you, that was epic! Had to stifle a mid-office LOL

      [Upclick]

      1. Anonymous Coward
        Anonymous Coward

        Re: @ David W.

        That's good, because I had that damn song stuck in my head for the rest of the day...

        Still, better that than fucking 'Feliz Navidad' - I'd rather get run over by Sir Mixalot's Mercedes than have to listen to that wretched song again.

    2. Fatman
      Happy

      RE: Baby got .bat

      The first time I heard that song, "Baby Got Back", I damn near passed out from laughing so hard.

      Thanks for giving me a good laugh today.

      Oh shit, here comes the slave driver; better get back to work. Five PM tomorrow can not come soon enough!

  9. This post has been deleted by its author

  10. Sir Runcible Spoon
    Joke

    Sir

    These are Iranians - someone sent them a file that was 'executable' with a mouse click - of course they are going to do it! It's a lot easier than buying packet of gravel.

  11. Anonymous Coward
    Anonymous Coward

    This isn't Stuxnet

    This is one of the millions of trivial Windows viruses that are cranked out by bored 12 year olds in their bedrooms. It clearly isn't targeted at Iran, if it's common there it's only because every copy of Windows in Iran is pirated and as such can't get the normal Microsoft security updates. When the other commenters point out that using Linux wouldn't have protected the Iranians against Stuxnet, they are correct but that's entirely beside the point. There is no easy solution to protecting your systems against a determined attack by major nation states but it's pretty easy to protect yourself from 12 year olds. In most of the world a legal copy of Windows, getting the standard security updates, won't be particularly vulnerable. However a legal copy of Windows isn't an option for Iranians unless Steve Ballmer has a secret desire to spend the rest of his life in a windowless cell beneath Florence Colorado. They do have the option of rolling an Iranian Linux distribution because there is no way to prevent the Iranians from downloading the source code and compiling their own. A supported Linux distro isn't vulnerable to the machinations of script kiddies.

  12. davidp231
    Trollface

    From BOFH 2006, episode 8:

    "Well I logged in as root earlier and I was just going to try that ps thing you mentioned, but instead I accidentally typed in 'nohup cd /; rm -rf * > /dev/null 2>&1 &' "

    "Okay." he gasps, "Just type in fg."

    "fg, ok, oh bugger, I accidentally typed control-d instead."

    "I...well, I suppose we could have a lesson on reinstalling a box from scratch," he sniffs.

    1. Paul Crawford Silver badge

      Did that once...

      Have a Linux box I was going to wipe & re-install so thought I would try basically the above approach. Was quite surprised how far it got, eventually all of the text vanished from the Gnome desktop being replaced by small blank boxes (guess that was the fonts gone!) and finally it froze. Rebooted with a live CD to inspect the file system and only a handful of directories still existed (those with open 'files' before it finally stopped), but not any files as far as I remember.

      Was impressed by its thoroughness!

      1. Anonymous Coward
        Anonymous Coward

        Re: Did that once...

        The font thing is interesting; it implies that the system is constantly re-rendering the contents of the window. Windows doesn't do that - it requires explicit repaint calls IIRC. So you could roast the fonts and a word processor would look normal until you tried to edit it or scroll the page, I think.

  13. Henry Wertz 1 Gold badge

    notes on this type of attack

    Re: "if they are capable of developing nuclear power and (alleged) a nuclear weapons program; surely they can knock up an OS of their own."

    I'm pretty sure Siemens developed their nuclear power. That said, as bad as running Windows for anything important is, hardly anybody likes to reinvent the wheel. Very few people start an OS and few of those reach a useful state.

    Re: comments about FAT and such... first, FAT doesn't mean "Windows 95 or older", NT3.5, 4, 2000, XP all supported NTFS but also FAT installs. I've seen FAT installs of Windows 2000 (I don't know why). Secondly, though, from the description in the article this virus was deleting THE USER'S OWN FILES. So, NTFS, ACLs, and proper filesystem permissions, won't do dick against this particular type of attack.

    Well... I feel smug now for using Linux... DEL *.* does nothing, I tells ya. Nothing!! Wait, rm -R *? I have no idea what you're talking about 8-). (But seriously, a .sh file won't run without the execute bit turned on. But, if I were running random executables under Linux something naughty could wipe my home directory if it wanted.)

    1. Anonymous Coward
      Joke

      Re: notes on this type of attack

      Well... I feel smug now for using Linux...

      What do you mean, you feel smug now? I thought that was the default state of all Linux users!

    2. Tom 13

      Re: FAT doesn't mean "Windows 95 or older"

      bitch, bitch, bitch.

      Somebody goes and assumes something positive about a Windows Admin and all you can do is complain.

      Yes, technically you can use FAT on all those other systems. But no competent Admin ever would, so yes, FAT means Windows 9x in the practitioner's world.
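The article summary and Henry Wertz's post above describe the shape of this thing: a batch script, possibly wrapped as an .exe, that waits for a particular date and then deletes the files the current user can reach. Since permissions do not help when the payload only touches the user's own data, the practical defence is spotting the script before it runs. The following is an added example, not code from the article, from the Iranian CERT, or from anyone in this thread: a small Python triage scanner that flags destructive command shapes in batch text and notices when they sit behind a date or time check. The sample batch content and the trigger date inside it are constructed for the example; the pattern list is a hypothetical starting set, not an exhaustive signature.

```python
import re
from dataclasses import dataclass

# Destructive command shapes of the del *.* / deltree / rm -rf family mentioned in the thread.
# Hypothetical starting list for triage; tune for your environment.
DESTRUCTIVE = [
    ("mass delete",        re.compile(r"\bdel\b[^\n&|]*(\*\.\*|\s/s\b)", re.I)),
    ("recursive rmdir",    re.compile(r"\b(rmdir|rd)\b[^\n&|]*/s\b", re.I)),
    ("deltree",            re.compile(r"\bdeltree\b", re.I)),
    ("format volume",      re.compile(r"\bformat\b\s+[a-z]:", re.I)),
    ("unhide everything",  re.compile(r"\battrib\b[^\n&|]*-[rhs]\b[^\n&|]*/s\b", re.I)),
    ("unix recursive rm",  re.compile(r"\brm\s+-[a-z]*r[a-z]*\b", re.I)),
]
# Batch idioms for reading the clock; an `if` on one of these is the logic-bomb shape
# ("deletes everything ... on specific dates" in the article summary).
TIME_TRIGGER = re.compile(r"%date%|%time%|\bwmic\b.*\blocaldatetime\b", re.I)
COMMENT = re.compile(r"^(rem\b|::)", re.I)
DATE_GATE = "date/time-gated branch"


@dataclass
class Finding:
    line_no: int
    label: str
    text: str


def scan_batch(text: str) -> list:
    """Return one Finding per suspicious line in a batch script (comments are skipped)."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or COMMENT.match(line):
            continue
        for label, rx in DESTRUCTIVE:
            if rx.search(line):
                findings.append(Finding(n, label, line))
        if re.match(r"if\b", line, re.I) and TIME_TRIGGER.search(line):
            findings.append(Finding(n, DATE_GATE, line))
    return findings


def risk_level(findings: list) -> str:
    """high = destructive payload behind a clock check; medium = destructive only; low = nothing."""
    labels = {f.label for f in findings}
    destructive = labels - {DATE_GATE}
    if destructive and DATE_GATE in labels:
        return "high"
    if destructive:
        return "medium"
    return "low"


# Constructed sample: a date-gated wiper in the style the thread describes (NOT the real malware;
# the date string is a placeholder chosen for this example).
SAMPLE_BAT = """@echo off
rem constructed sample for the scanner example
if "%date%"=="01/01/2013" goto wipe
goto end
:wipe
attrib -r -h -s /s /d *.*
del /f /q *.*
:end
"""

# Constructed benign script: single-file cleanup and a recursive copy, no wildcard deletes.
BENIGN_BAT = """@echo off
del %TEMP%\\build.log
xcopy /s src dst
"""

if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_BAT), ("benign", BENIGN_BAT)):
        hits = scan_batch(body)
        print(f"{name}: risk={risk_level(hits)}")
        for f in hits:
            print(f"  line {f.line_no}: {f.label}: {f.text}")
```

Run against a directory of scripts, the `high` bucket is the one worth a human look first: a quiet wildcard delete is bad enough on its own, but a quiet wildcard delete that only fires on one date is exactly the "specific dates" behaviour the article summary reports. Scripts packed with BAT2EXE-style wrappers need to be unpacked (or the wrapper's embedded script extracted) before this text-level check is useful.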

  14. koolholio
    FAIL

    Backups only as good as the original

    Provided it hasn't deleted the backups or the backup software etc? *laughs* A simple bat file...
