The Mahdi Mystery


Since mid-June someone has been conducting Internet based attacks against specific civilian, military, and government officials in Iran and other Middle Eastern countries.

This attack delivers a covert software program that monitors the PCs it gets into, passing back keyboard activity, video and audio recordings (of activity around the infected PC) and documents. This bit of "malware" is being called Mahdi, and examination of it seems to indicate that it comes from Iran.

This is interesting, as about half the computers infected are in Iran, but seven percent are in Israel and just about every nation in the region has a few infected computers (according to computer security firms). So far, less than a thousand PCs appear to have been infected.

This kind of attack is usually carried out in the form of official looking email, with a file attached, sent to specific individuals at business, academic, military or government organizations. It is usually an email they weren't expecting.

This is known in the trade as "spear fishing" (or "spear phishing"), a Cyber War technique that sends official-looking email to specific individuals with an attachment which, if opened, secretly installs a program that sends data from the recipient's PC to the spear fisher's computer. In the last few years, an increasing number of military, corporate and government personnel have received these official-looking emails with a PDF document attached and a request for prompt attention. Mahdi used a number of different deceptive file types to deliver its malware.

By early July it was believed that Mahdi was dead, at least for those with anti-virus software, since the security firms knew what Mahdi looked like and its control servers in Iran had been shut down. But by late July another version of Mahdi was detected, with several improvements.

Examination of the viruses and related bits of computer code indicates that most of this stuff was created by Farsi (Iranian) speaking programmers, and all movement of commands and stolen data led back to servers in Iran. This, however, could have been part of a deception to hide the real source of Mahdi, as the main target appears to have been Iran.
