If the Mahdi virus was developed by Iran to attack Israeli systems, then it is doing what it was designed to do, security company Symantec said Wednesday.
After analyzing initial data on the virus when it was first publicized Tuesday, Symantec released a report saying that nearly two thirds of the computers that have been infected by Mahdi are in Israel. That is in sharp contrast to initial assessments Tuesday that claimed that the majority of infected systems were in Iran itself. Computer security firm Kaspersky Lab reported on the Mahdi virus on Tuesday.
The Mahdi virus — named for the prophesied redeemer of Islam, who will unite the entire world to follow the Muslim faith — is not new; it has been observed for at least six months. Discovery of the virus (actually, a Trojan, which appears to be a legitimate program but is in fact up to something nefarious) is credited to Israel’s Seculert, which discovered an email with an attached document that led to a website containing an article about alleged Israeli electronic attacks on Iranian computer systems.
Opening the email also installed a small program that communicated with a “command and control” server. That server was apparently being run by Iranians, Seculert said in a blog post Tuesday. “Interestingly, we found that the communication, and several of the server side components, included strings in Farsi as well as dates in the Persian calendar format.” The program performs a number of functions, such as stealing data, recording audio, and keylogging — recording keystrokes used on secure websites to copy passwords and sensitive data.
Although the latest communications trace indicated that the command and control server was located in Canada, “we were able to track variants of the same malware back to December 2011,” Seculert said. “Back then, the malware communicated with the same domain name, but the server was located in Tehran, Iran.”
Still, the company added, “it is still unclear whether this is a state-sponsored attack or not,” although the functions of the Trojan and the way it communicates indicate that “this operation might require a large investment and financial backing” — such as could be provided by a government.
In its study, Symantec said that Mahdi had the ability to update itself, much like the Flame virus announced by Kaspersky Lab in June (Seculert said that it had collaborated with Kaspersky and found significant similarities between Flame and Mahdi). “The Mahdi Trojan is installed in all types of computers and in many companies, but a preponderance of the infections are in computers belonging to oil companies, government offices, and foreign embassies.” While most of the infected computers are in Israel, numerous other countries, from the US to New Zealand, have been affected.
That the Mahdi Trojan was built with Israelis in mind is obvious to anyone who comes across it. Several variants of the Trojan have been discovered in email attachments, such as PowerPoint presentations. The slides in the presentation display calm-looking images of mountains, streams, and lakes, and contain instructions to click on the images — in English and in Hebrew. One of the slides, for example, says in English “Would you like to see the Moses,” with a (properly-written) Hebrew translation below. A second slide instructs users to “look at the four central points of the next picture For 30 seconds… please click this file,” with another (this time, less successful) Hebrew translation.
Another variant displays a slide show of a missile destroying a fighter jet; at the end of the show, viewers are prompted to click and install an executable file that actually does nothing, since the Trojan itself was already installed when the user opened the attachment. Yet another shows a video of a missile test, as well as a pretend nuclear explosion.
In its report, Symantec said that the Mahdi Trojan “did not appear to be too sophisticated,” but if, as Kaspersky and Seculert suspect, Mahdi is part of the larger Flame system, there could be a great deal to worry about. In a presentation in Israel in June, Eugene Kaspersky, head of the virus-searching firm that bears his name, said that Flame was extremely sophisticated and had the ability to significantly compromise the world’s networks. Flame is so sophisticated, he said, that “it represents a new level of cyber threat,” one that could be “the beginning of the end of the world as we know it. I have nightmares about it.”