.

Wednesday, July 18, 2012

Iran's cyberwar against Israel (updated)

Kaspersky Labs analyzes a number of Trojan Horses and malware examples targeting Israel that are apparently written in Iran, in part one of a two part article.

The malware, nicknamed "Madi" (presumably a reference to the Shiite messianic figure of the Madhi), is not sophisticated. Instead, it relies on tried and true methods of social engineering, relying on naive computer users to allow scripts to run in PowerPoint presentations, ignoring the warnings that Windows gives about potentially dangerous actions.

It is well known in the computer security world that people are too likely to fall for such schemes.



Another method used is to send what appear to be JPG images, but in fact they are programs as well, using a known Microsoft bug where Unicode characters in languages that are written right-to-left can create file names that appear to have the extensions of mere images but in fact are executable programs that can do anything to the computer (in this case, a screen saver):



Once the malware is loaded then the attackers can remotely do anything they want on the infected machines.

Again, these are not sophisticated attacks in the least; hackers have been doing things like this for years. But it only takes one stupid victim to click on that cute photo of nature or puppies to compromise an entire company or government department.

This specific malware can take screenshots at regular intervals and also make audio recordings from the victim's computer, which can then be uploaded to the attackers' machines.

The Jerusalem Post reports that Iran is the target of the malware, even though key parts were written by Farsi speakers. I find that hard to believe given that Hebrew in the Powerpoint above, although the people who created the Trojan are not necessarily the same as those that created the Powerpoint macro that calls the Trojan.

UPDATE: It appears I am right:
After analyzing initial data on the virus when it was first publicized Tuesday, Symantec released a report saying that nearly two thirds of the computers that have been infected by Mahdi are in Israel. That is in sharp contrast to initial assessments Tuesday that claimed that the majority of infected systems were in Iran itself. Computer security firm Kaspersky Labs reported on the Mahdi virus on Tuesday.

(h/t Yoel, Ian)