What do Stuxnet, Duqu, Gauss, Mahdi, Flame, Wiper, and Shamoon have in common?
What’s up with all the malware aimed at the Middle East?
For the second time in two weeks a virus outbreak has been reported at an energy company in that region. Qatari liquified natural gas producerRasGas said its corporate network and Web site were down after getting hit by a virus on Monday. Earlier this week the Saudi Aramco oil company confirmed that its network was hit by a virus two weeks ago, shutting down 30,000 workstations. Neither company identified the virus, but in at least one of the cases it is believed to be malware known as “Shamoon.”
These are just the latest attacks targeting organizations in the region recently involving malware designed to steal secrets, wipe data, shut down corporate computers, and even sabotage nuclear power plants. Some of them are believed to be related, but others are not. Several were discovered in the course of researchers investigating others.
Here’s a breakdown of some of the malware affecting that region, in roughly chronological order:
Discovered in June 2010, Stuxnet is believed to be the first malware targeted specifically at critical infrastructure systems. It’s thought to have been designed to shut down centrifuges at Iran’s Natanz uranium enrichment plant, where stoppages and other problems reportedly occurred around that time. A New York Times report cited sources who said that Stuxnet was part of a U.S.-Israeli operation dubbed “Operation Olympic Games,” that was begun while President George W. Bush was in office as an attempt to sabotage Iran’s nuclear program. The sophisticated worm spreads via USB drives and through four previously unknown holes, known as zero-day vulnerabilities, in Windows. It used two stolen digital certificates, was aimed at Siemens supervisory control and data acquisition (SCADA) systems that were configured to control industrial processes, and infected programmable logic controllers.
The Duqu worm emerged in September 2011, and researchers say it shares a lot of code with Stuxnet but is designed for a different purpose: stealing data for surveillance or other intelligence efforts. It hit computers in Iran but did not appear to be directed at industrial or critical infrastructures specifically. Duqu exploits zero-day Windows kernel vulnerabilities, uses stolen digital certificates, installs a backdoor, and captures keystrokes and information that could be used to attack industrial control systems. “We believe it could be a cyberespionage operation to gauge the status of Iran’s nuclear program,” Roel Schouwenberg, senior researcher at Kaspersky Lab, told CNET today.
Earlier this month, Kaspersky went public with details on a new espionage or surveillance toolkit called “Gauss.” The malware was launched around September 2011 and was discovered in June. The malware was found on computers mostly in Lebanon, Israel, and Palestine, followed by the U.S. and the United Arab Emirates. Gauss is capable of stealing browser passwords, online banking accounts, cookies, and system configurations. Kaspersky says it comes from the same nation-state “factories” that produced Stuxnet, Duqu, and Flame.
The data-stealing Mahdi Trojan, discovered in February 2012 and publicly disclosed in July, is believed to have been used for espionage since December 2011. Mahdi records keystrokes, screenshots, and audio and steals text and image files. It has infected computers primarily in Iran, Israel, Afghanistan, the United Arab Emirates, and Saudi Arabia, including systems used by critical infrastructure companies, government embassies, and financial services firms. Its name comes from references in the code to the word for the Islamic Messiah. It also includes strings in Farsi and dates in the Persian calendar format. It’s unknown who’s responsible for the malware, which uses social engineering to get people to click on attachments that have malicious Word or PowerPoint attachments.
Flame was discovered in May 2012 during Kaspersky Lab’s investigation into a virus that had hit Iranian Oil Ministry computers in April. Kaspersky believes the malware, which is designed for intelligence gathering, had been in the wild since February 2010, but CrySyS Lab in Budapest says it could have been around as far back as December 2007.
Most of the infections were in Iran, but other countries hit were Israel, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt. Flame uses a fraudulent digital certificate and spreads via USB stick, local network, or shared printer spool vulnerability and leaves a backdoor on computers. It can sniff network traffic and record audio, screenshots, Skype conversations, and keystrokes, as well as download information from other devices via Bluetooth. It appears to be designed for general espionage and not targeted at any particular industry. Most of the infections were reported to be in Iran and appeared to involve stealing PDF, text, and AutoCAD files. Flame shares characteristics with Stuxnet and Duqu. It also was developed as part of the Olympic Games project along with Stuxnet, according to a report in The Washington Post.
There were reports in April about a malware attack shutting down computer systems at companies in Iran, including the Oil Ministry, and mentions of a virus called “Wiper,” Kaspersky said in a blog post yesterday. The malware wipes data from hard drives, placing high priority on those with a .pnf extension, which are the type of files Stuxnet and Duqu used, and has other behavioral similarities, according to Schouwenberg. It also deletes all traces of itself. As a result, researchers have not been able to get a sample, but they’ve reviewed mirror images left on hard drives. The discovery of Wiper led to the discovery of Flame, which led researchers to Gauss, according to Schouwenberg. “One major question is, did the people who released Wiper know about the Flame operation? And if so, did they factor in the possibility of Flame being discovered because of Wiper?” Schouwenberg said. “It seems kind of illogical to blow a multiyear cyberespionage operation just to wipe the machine.”
Discovered earlier this month, the Shamoon virus attacks Windows computers and is designed for espionage. Shamoon was initially confused with Wiper in some reports but is now believed to be a Wiper copycat targeting oil companies. A logical error in the code of Shamoon points to the work of amateurs rather than a nation-state operation, Schouwenberg said. There is speculation that Shamoon hit Saudi Aramco. The malware reportedly was programmed to overwrite files with an image of a burning U.S. flag, as well as to steal data.