A New Computer Worm Hits Iran And The Mideast
Doug Bernard | Washington DC
Computer networks across the Middle East once again are being hit by a nasty computer worm that seems intent on stealing as much information about users as possible, all under a cloak of hidden digital code.
Digital security analysts this week identified the malware as the “Mahdi” virus, so-named after key malicious folders and files installed on infected computers, labeled in Persian as “madi.” In the Shiite tradition of Islam, the Mahdi is the 12th Imam of Islam, a messiah-like figure whose prophesied return will “redeem” or “cleanse” Islamic tradition and custom.
Like Flame, Seculert’s Aviv Raff says Mahdi is actually a trojan horse, engineered to secretly record all manner of data on infected computers, sending copies of emails, text documents, screen shots and even audio recordings to unidentified command servers. “The aim was to create a document containing information [and send it out to a remote user], which was to be used for [an unknown] future mission,” Raff told the Jerusalem Post. In short, Madhi – much like Flame – is a spy.
However, Raff and other researchers at Kaspersky are quick to add that Mahdi’s similarity to Flame ends there. “The code of the malware is different, as well as the way it communicates with the command-and-control servers,” says Raff.
Like most other malware, there’s confusion about who is controlling Mahdi, and what its main targets are. In a blog post, Seculert researchers assert “the targeted victims of Mahdi include critical infrastructure companies, financial services and government embassies, which are all located in Iran, Israel and several other Middle Eastern countries.” Other hotspot nations, says Seculert, include Afghanistan, the UAE and Saudi Arabia.
Researchers at rival security firm Symantec, however, reached different conclusions. “Targets of the Madi campaign appear to be all over the spectrum but include oil companies, US-based think tanks, a foreign consulate, as well as various governmental agencies, including some in the energy sector,” say Symantec analysts. They identify Israel as the most infected nation, followed by the U.S., New Zealand, Greece and a host of other countries.
The two firms also disagree as to who may be controlling Mahdi. Seculert identified command servers based in Iran and Canada, while Symantec linked the malware to controlling computers in Iran and Azerbaijan. In a post this week, Symantec speculated Mahdi’s authors may be “an unknown Farsi-speaking hacker with a broad agenda.”
Responding to this disagreement, Seculert’s Aviv Raff wrote in an email to VOA’s Mana Rabiee: “It seems as if Symantec’s statistics refer to variants which communicate only with a C&C server which is used mostly for the targeted entities in Israel.” Both firms have said they expect to release updated research on their websites soon.
For its part, the Iranian government, through the semi-official Fars News Agency, is disputing these reports as falsifications “reported only by an Israeli firm.” Western media, it says, are attempting to “downplay Iranian cyber capability” by spreading malicious rumors of a virus it says may not even exist. “If this were the product of Iran,” concludes the Fars report, “it would definitely be too professional to be noticed or found so easily and it would have been, at least, as complicated and advanced as Stuxnet, Duqu and Flam[e].”
That claim notwithstanding, it appears Mahdi is real, and represents a significant security breach to infected computers and networks. And whoever authored and controls it, the Mahdi infection is likely to continue spreading for some time.