Great article from CNET.. It states that For the 2nd time in two weeks a virus outbreak has been reported
at an energy company in the mideast. Qatari liquified natural gas
producer RasGas said its corporate network and Web site were down after getting hit by a virus on Monday. Earlier this week the Saudi Aramco oil company confirmed that its network was hit by a virus
two weeks ago, shutting down 30,000 workstations. These are just the latest
attacks targeting organizations in the region recently involving malware
that is designed to steal secrets, wipe data, shut down corporate systems,
and sabotage critical infrastructure. Some believed they are related. Here's a breakdown of some of the malware affecting that region, in rough chronological order
Stuxnet
Discovered in June 2010,
Stuxnet is believed to be the first malware targeted specifically at critical infrastructure systems.
It's thought to have been designed to shut down centrifuges at Iran's
Natanz uranium enrichment plant, where stoppages and other problems
reportedly occurred around that time.
A New York Times report
cited sources who said that Stuxnet was part of a U.S.-Israeli
operation dubbed "Operation Olympic Games," that was begun while
President George W. Bush was in office as an attempt to sabotage Iran's
nuclear program. The sophisticated worm spreads via USB drives and
through four previously unknown holes, known as zero-day
vulnerabilities, in Windows. It used two stolen digital certificates,
was aimed at Siemens supervisory control and data acquisition (SCADA)
systems that were configured to control industrial processes, and
infected programmable logic controllers.
Duqu
The
Duqu worm
emerged in September 2011, and researchers say it shares a lot of code
with Stuxnet but is designed for a different purpose: stealing data for
surveillance or other intelligence efforts. It hit computers in Iran but
did not appear to be directed at industrial or critical infrastructures
specifically. Duqu exploits zero-day Windows kernel vulnerabilities,
uses stolen digital certificates, installs a backdoor, and captures
keystrokes and information that could be used to attack industrial
control systems. "We believe it could be a cyberespionage operation to
gauge the status of Iran's nuclear program," Roel Schouwenberg, senior
researcher at Kaspersky Lab, told CNET.
Gauss
Earlier this month, Kaspersky went public with details on a new espionage or surveillance toolkit called "
Gauss."
The malware was launched around September 2011 and was discovered in
June. The malware was found on computers mostly in Lebanon, Israel, and
Palestine, followed by the U.S. and the United Arab Emirates. Gauss is
capable of stealing browser passwords, online banking accounts, cookies,
and system configurations. Kaspersky says it comes from the same
nation-state "factories" that produced Stuxnet, Duqu, and Flame.
Mahdi
The
data-stealing Mahdi Trojan,
discovered in February 2012 and publicly disclosed in July, is believed
to have been used for espionage since December 2011. Mahdi records
keystrokes, screenshots, and audio and steals text and image files. It
has infected computers primarily in Iran, Israel, Afghanistan, the
United Arab Emirates, and Saudi Arabia, including systems used by
critical infrastructure companies, government embassies, and financial
services firms. Its name comes from references in the code to the word
for the Islamic Messiah. It also includes strings in Farsi and dates in
the Persian calendar format. It's unknown who's responsible for the
malware, which uses social engineering to get people to click on
attachments that have malicious Word or PowerPoint attachments.
Flame
Flame
was discovered in May 2012 during Kaspersky Lab's investigation into a
virus that had hit Iranian Oil Ministry computers in April. Kaspersky
believes the malware, which is designed for intelligence gathering, had
been in the wild since February 2010, but CrySyS Lab in Budapest says it
could have been around as far back as December 2007. Most of the infections were in Iran, but other countries hit were
Israel, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt. Flame uses a
fraudulent digital certificate and spreads via USB stick, local network,
or shared printer spool vulnerability and leaves a backdoor on
computers. It can sniff network traffic and record audio, screenshots,
Skype conversations, and keystrokes, as well as download information
from other devices via Bluetooth. It appears to be designed for general
espionage and not targeted at any particular industry. Most of the
infections were reported to be in Iran and appeared to involve stealing
PDF, text, and AutoCAD files.
Flame shares characteristics with Stuxnet and Duqu. It also was
developed as part of the Olympic Games project along with Stuxnet,
according to a
report in The Washington Post.
Wiper
There were reports in April about a malware attack shutting down computer systems at companies in Iran, including the
Oil Ministry, and mentions of a virus called "Wiper," Kaspersky said in a
blog post
yesterday. The malware wipes data from hard drives, placing high
priority on those with a .pnf extension, which are the type of files
Stuxnet and Duqu used, and has other behavioral similarities, according
to Schouwenberg. It also deletes all traces of itself. As a result,
researchers have not been able to get a sample, but they've reviewed
mirror images left on hard drives. The discovery of Wiper led to the
discovery of Flame, which led researchers to Gauss, according to
Schouwenberg. "One major question is, did the people who released Wiper
know about the Flame operation? And if so, did they factor in the
possibility of Flame being discovered because of Wiper?" Schouwenberg
said. "It seems kind of illogical to blow a multiyear cyberespionage
operation just to wipe the machine."
Shamoon
Discovered earlier this month, the Shamoon virus attacks Windows
computers and is designed for espionage. Shamoon was initially confused
with Wiper in some reports but is now believed to be a Wiper copycat
targeting oil companies. A logical error in the code of Shamoon points
to the work of amateurs rather than a nation-state operation,
Schouwenberg said. There is speculation that Shamoon hit Saudi Aramco.
The malware
reportedly was programmed to overwrite files with an image of a burning U.S. flag, as well as to steal data.
