AV-Comparatives tests Anti-Virus Software protection against the Hermetic Wiper malware

Disclaimer
1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
We encourage you to compare these results with others and take informed decisions on what security products to use.
Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Gandalf_The_Grey

Austrian IT-security testing lab AV-Comparatives has tested protection against the recently-emerged Hermetic Wiper malware.

The data-wiping malware has been used in international targeted attacks. Its aim is not to steal money or data, but simply to make victims’ computers unusable. To do this, it abuses the services of a legitimate company that makes disk partitioning software. This type of utility can create, modify and delete the data storage areas (partitions) of a computer’s system disk. Hermetic Wiper makes (unauthorised) use of this useful utility program to corrupt the system disk’s boot information, meaning that the computer cannot start up. The malware then overwrites the partitions on the disk, making the data on them unreadable, even if the disk is transferred to an uninfected computer.

In an attempt to avoid detection, Hermetic Wiper also makes use of a digital code-signing certificate (an indicator of genuine, non-malicious software), which was apparently stolen.

AV-Comparatives has run a malware protection test of programs made by vendors in both its Consumer and Enterprise Main Test Series for protection against variants of Hermetic Wiper. These are:

Enterprise Endpoint Security Vendors

Acronis, Avast, Bitdefender, Cisco, CrowdStrike, Cybereason, Elastic, ESET, Fortinet, G Data, K7, Kaspersky, Malwarebytes, Microsoft, Sophos, Trellix, VIPRE, VMware and WatchGuard.

Consumer Anti-Virus Vendors

Avast, AVG, Avira, Bitdefender, ESET, G Data, K7, Kaspersky, Malwarebytes, McAfee, Microsoft, NortonLifeLock, Panda, Total Defense, TotalAV, Trend Micro and VIPRE.

The Hermetic Wiper malware threats have been tested using the Real-World Protection Test framework, developed by AV-Comparatives.

Date and Time of testing: 25 February 2022, 1530 CET.

All of the tested products were able to protect the system effectively against multiple variants of the Hermetic Wiper malware.

General Advice

In any conflict, not only the current ones, an increase in cyberthreats is possible for authorities, institutions and organizations. In addition, an increased threat situation can be expected for all companies and organizations that are located in geographically exposed regions or have a recognizable relationship with them (e.g. trading partners, etc.). Furthermore, disinformation campaigns might be used. It must be taken into account that cyber operations can be carried out in the preparation phase of possible escalation stages, such as armed conflicts.

The implementation of the internationally available recommendations is strongly recommended.

A list of proven measures to strengthen cyber resilience, including the use of strong cybersecurity software, has been published by AV-Comparatives, ENISA and CERT-EU.

MacDefender

I’m really confused. So if basically everything including a stock install with Defender effectively protects against this wiper, what am I missing? Is it because they’ve all pushed out signatures in the last 2 days to cover it? Which products would’ve prevented the zero day attack?

Surely it worked against something otherwise a state sponsored attacker wouldn’t be so stupid as to try it.

Andy Ful

I’m really confused. So if basically everything including a stock install with Defender effectively protects against this wiper, what am I missing? Is it because they’ve all pushed out signatures in the last 2 days to cover it? Which products would’ve prevented the zero day attack?

Surely it worked against something otherwise a state sponsored attacker wouldn’t be so stupid as to try it.

The malware was tested in the Real-World scenario. So, the AVs could block the malicious URL, suspicious VBA macro in the document, etc, without even detecting the wiper. Other methods were not tested. In some attacks, the wiper was delivered after the network had been already compromised by the attackers.

MacDefender

The malware was tested in the Real-World scenario. So, the AVs could block the malicious URL, suspicious VBA macro in the document, etc, without even detecting the wiper. Other methods were not tested. In some attacks, the wiper was delivered after the network had been already compromised by the attackers.

That makes sense. Definitely the mechanism of delivery makes a huge difference, not to mention anything else like a phishing campaign or local exploit that could have been used in conjunction.

In that sense it feels slightly irresponsible to not analyze or explain that aspect. The original article makes it sound like if you have any of a dozen AVs you don’t need to worry about this threat, which I’m not convinced is true.

cruelsister

The attacks started probably in November 2021
Although the certificate for Hermetica Digital Ltd was issued in April 2021, I think early January is more probable as the timestamp of the prevalent malware was from late December. It's important to note that the poor guy from Cyprus that owns the company (not a software person in any way; he just writes text for games!) had no idea that a certificate was issued for him at all.

In all probability this was a simple impersonation routine between the Blackhats and the company that provided the digital certificate: the Blackhats being the criminals, DigiCert being apathetic, and the victim being oblivious to all.