Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Madi' Cyber Espionage Malware Hits Middle East Targets

Posted by timothy on from the just-can't-catch-a-break-sometimes dept.

DavidGilbert99 writes "Following the discovery of the highly-complex Flame virus in May, two security companies (Seculert and Kaspersky Lab) have uncovered a new cyber-espionage threat against the Middle East. Madi, or Madhi, is an information-stealing trojan which is technically a lot simpler than Flame or Stuxnet but is specifically targeting people in critical infrastructure companies, financial services and government embassies, which are mainly located in Iran, Israel and Afghanistan. The Madi creators use social engineering techniques to spread, embedding the malware in various documents including text files and PowerPoint presentations. It is unclear if the malware is state-sponsored or not, but it has already stolen several gigabytes of information and is still active."

30 of 45 comments (clear)

  1. Digital Spies by sandytaru · · Score: 5, Funny

    The more I hear about these sophisticated spying viruses with the cute names, the more I imagine them as the digital equivalent of James Bond, little tuxedos and all. "My name is Bond. James Bond.zip. I'm an international attachment of mystery."

    --
    Occasionally living proof of the Ballmer peak.
    1. Re:Digital Spies by rainmouse · · Score: 1, Insightful

      Do Kaspersky get to name them? Being that they are seemingly the only security company in the world capable of detecting viruses written by Israel and paid for by US tax dollars... ahem sorry by anarchists.

    2. Re:Digital Spies by PolygamousRanchKid+ · · Score: 1

      Actually, you are not far off, being that it spreads via social engineering. That is the oldest spy tool in the book.

      . . . and look how James Bond used it very successfully with, . . . um . . ., "Pussy Galore" . . .

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    3. Re:Digital Spies by Vlad_the_Inhaler · · Score: 2

      You have to wonder if - based in Russia as they are - they are the only ones allowed to report this stuff. I'm not particularly surprised that Norton are useless here but there are two companies based in Germany who should be doing better work, assuming the viruses (virii?) show their elegant haaircuts in Germany.
      As to the GP, how do the viruses take their martinis? A tuxedo alone does not make a secret agent.

      --
      Mielipiteet omiani - Opinions personal, facts suspect.
    4. Re:Digital Spies by V+for+Vendetta · · Score: 1

      Flame got its name from itself, as it referenced itself in module and constant names as FLAME_

      See for example screenshots of its source here and here. Or do a Google picture search for Flame yourself.

  2. Iran again? by tokencode · · Score: 2, Insightful

    Given that the spear-phishing targets are mostly in Iran, I'm going to go out on a limb and say this is probably not the work of some 15 year old playing around or russia organized crime...

  3. Text files? Go on.... by davidwr · · Score: 3, Interesting

    "embedding the malware in various documents including text files"

    I assume they mean word-processing or other "not quite plain text" files, or perhaps "text files that are really textual representations of computer instructions" e.g. text files that embed macros that are interpreted by the text-processing software.

    While it's theoretically possible for a carefully-crafted plain-text file to exploit a security vulnerability in a particular text-processing program, it would have to be a narrowly targeted attack and it would be easily defeated by now-alert customers who simply change to a different text-processing program.

    It's also theoretically possible that there is an exploit in the text-handing APIs of the operating environment in use by the intended targets.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  4. 'Mahdi' eh? by fuzzyfuzzyfungus · · Score: 1

    So, does somebody think that their malware is actually a figure in islamic eschatology, are they engaging in some sort of wordplay for the lulz, or are the social engineers capitalizing on suspected mahdi-enthusiasm among their targets, in a way roughly analogous to the hilariously overt christianity of nigerian spammers?

    1. Re:'Mahdi' eh? by Hatta · · Score: 1

      are they engaging in some sort of wordplay for the lulz

      Come now, hacking is serious business.

      --
      Give me Classic Slashdot or give me death!
    2. Re:'Mahdi' eh? by LordGr8one · · Score: 2

      None of the above. They're just Dune fanatics.

  5. MAH-DI!! by Antipater · · Score: 1

    He has ridden a worm, and changed the passwords of life! The Bene Gnusserit prophecy was true! He is the Mahdi!!

    MAHDI! MAHDI! MAHDI!!

    --
    Everything is better with chainsaws.
    1. Re:MAH-DI!! by fuzzyfuzzyfungus · · Score: 1

      He who controls the bytes controls the universe...

    2. Re:MAH-DI!! by scorp1us · · Score: 1

      Close, "Maud'dib" I also thought Mahdi

      --
      Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
    3. Re:MAH-DI!! by scorp1us · · Score: 3, Informative

      Mahdi - redeemer of Islam.

      --
      Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
    4. Re:MAH-DI!! by Antipater · · Score: 1

      *sigh* You know, if you want to kill a joke with an "actually..." you should at least make sure you're right before you post.

      --
      Everything is better with chainsaws.
    5. Re:MAH-DI!! by Ambitwistor · · Score: 1

      "Mahdi" is also used in Dune, along with "Lisan al Gaib" and other terms. "Mahdi" is, as someone else pointed out, a real term in Islam, upon which the Fremen mythology was based (Zensunni Wanderers).

    6. Re:MAH-DI!! by ThatsNotPudding · · Score: 1

      Religion - beyond redemption.

    7. Re:MAH-DI!! by scorp1us · · Score: 1

      I thought it funny that they planned to need redeeming.

      --
      Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
  6. Mon dieu! Several Gigabytes! by jpapon · · Score: 2
    Oh no! Several GIGABYTES of information?

    That means they've stolen anywhere from half of a South Park season to several millions of pages of plain text!

    What a useful measure!

    --
    -- Let us endeavor so to live that when we pass even the undertaker shall be sorry. -- M. Twain
    1. Re:Mon dieu! Several Gigabytes! by Brannoncyll · · Score: 1

      Oh no! Several GIGABYTES of information?

      That means they've stolen anywhere from half of a South Park season to several millions of pages of plain text!

      What a useful measure!

      Or half of The Fellowship of the Ring, Extended Edition.

    2. Re:Mon dieu! Several Gigabytes! by Anarchduke · · Score: 1

      They've stolen Frodo? Oh god no the humanity!

      --
      who prays for Satan? Who in 18 centuries has had the humanity to pray for the 1 sinner that needed it most? ~Mark Twain
    3. Re:Mon dieu! Several Gigabytes! by Brannoncyll · · Score: 1

      They've stolen Frodo? Oh god no the humanity!

      Just the boring part in the Shire. Reports just in that several top-level members of US intelligence have been found slumped dead at their desks after apparently being forced to endure the tedium of the first half of The Fellowship of the Ring, Extended Edition.

  7. Re:Text files? Go on.... by bhlowe · · Score: 1

    I was wondering about that too.. Only thing I could think of was batch or shell scripts...

  8. Sunununumbnut, again? by G3ckoG33k · · Score: 1

    Could it be Sunununumbnut, again?

    http://www.huffingtonpost.com/2012/07/17/john-sununu-obama_n_1679803.html#comments

    His strategies would ruin Americans' future faster than the Spanish flu. Sununu, the eternal numbnut.

  9. Re:Text files? Go on.... by Baloroth · · Score: 4, Informative

    It's possible they mean files that appear as text to the user. Ars Technica mentions they use "Right to Left Override" to make it look like executable files aren't (they might show up as a .jpg, for example, complete with a jpg icon) to the end user. If the creators are clever, they could even have it launch the appropriate viewer to make it look like they opened the kind of file they did. So it isn't hard to imagine they did the same with .txt files, although given the context with "PowerPoint" they probably did mean .doc files or the like.

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  10. Re:Text files? Go on.... by Znork · · Score: 1

    See, that's where the aforementioned social engineering aspect comes in, the text file contains instructions to save it as funcatscript.sh, type chmod +x funcatscript.sh and then run ./funcatscript.sh to see some fun kittens happen. Of course, that will just mail the script to all mail addresses found in the users mailbox followed by a cat /bin/cat which, to the consternation of the user, simply isn't a very funny cat.

  11. Re:Text files? Go on.... by gmuslera · · Score: 2

    If they used advanced enough social engineering techniques could be plain ascii txt files with an instruction to i.e. base64 decode them and execute it for a nice surprise. The main executable part in social engineering attacks is the people.

  12. Re:Text files? Go on.... by davidwr · · Score: 1

    With a name like funcatscript I expect the contents of stdin to wind up in stdout. Only in a fun, scripty way.

    Of course, if it's malware, I may wind up with a lot more than I bargained for in stdout.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  13. REALLY advanced social engineering by davidwr · · Score: 1

    If they used advanced enough social engineering techniques could be plain ascii txt files with an instruction to i.e. base64 decode them and execute it for a nice surprise. The main executable part in social engineering attacks is the people.

    If it were really advanced, it would be something called README.TXT that says

    "To see pictures of cats, fax, email, or overnight-courier copies of all of your corporate secrets to ...."

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  14. News article spelling the name wrong :-) by billstewart · · Score: 3, Informative

    They probably got it wrong because of translating from Russian and back, but it's "Mahdi" in the source code and the file directory shown in the article. Also, that's the standard English-language spelling for the Mahdi, who's approximately the Muslim version of the Messiah (depending on which branch of Islam you're talking to - it comes from hadiths and tradition rather than directly from the Quran.) So it's kind of an arrogant thing to name your program - does that mean it was really done by the Israelis, or by some Arab haxx0r-k1dd13?

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks