
'Madi' Cyber Espionage Malware Hits Middle East Targets

timothy posted more than 2 years ago | from the just-can't-catch-a-break-sometimes dept.

Security 45

DavidGilbert99 writes "Following the discovery of the highly-complex Flame virus in May, two security companies (Seculert and Kaspersky Lab) have uncovered a new cyber-espionage threat against the Middle East. Madi, or Madhi, is an information-stealing trojan which is technically a lot simpler than Flame or Stuxnet but is specifically targeting people in critical infrastructure companies, financial services and government embassies, which are mainly located in Iran, Israel and Afghanistan. The Madi creators use social engineering techniques to spread, embedding the malware in various documents including text files and PowerPoint presentations. It is unclear if the malware is state-sponsored or not, but it has already stolen several gigabytes of information and is still active."


45 comments


Digital Spies (5, Funny)

sandytaru (1158959) | more than 2 years ago | (#40676149)

The more I hear about these sophisticated spying viruses with the cute names, the more I imagine them as the digital equivalent of James Bond, little tuxedos and all. "My name is Bond. James Bond.zip. I'm an international attachment of mystery."

Re:Digital Spies (0)

Anonymous Coward | more than 2 years ago | (#40676235)

The more I hear about these sophisticated spying viruses with the cute names, the more I imagine them as the digital equivalent of James Bond, little tuxedos and all. "My name is Bond. James Bond.zip. I'm an international attachment of mystery."

Madhi is not a cute name. In Islam it is the name of an eschatological character that will appear at the end of the age.

Re:Digital Spies (1, Insightful)

rainmouse (1784278) | more than 2 years ago | (#40676289)

Do Kaspersky get to name them? Being that they are seemingly the only security company in the world capable of detecting viruses written by Israel and paid for by US tax dollars... ahem sorry by anarchists.

Re:Digital Spies (2)

Vlad_the_Inhaler (32958) | more than 2 years ago | (#40676575)

You have to wonder if - based in Russia as they are - they are the only ones allowed to report this stuff. I'm not particularly surprised that Norton are useless here but there are two companies based in Germany who should be doing better work, assuming the viruses (virii?) show their elegant haircuts in Germany.
As to the GP, how do the viruses take their martinis? A tuxedo alone does not make a secret agent.

Re:Digital Spies (0)

Anonymous Coward | more than 2 years ago | (#40685081)

structured not obfuscated

Re:Digital Spies (0)

Anonymous Coward | more than 2 years ago | (#40676601)

No. The name is derived from the 'C' source file containing int main();
So, Madhi was named after madhi.c.

I thought all of this was basic stuff - jeez, doesn't anyone use SCCS anymore?

CAPTCHA = sported (definitely)

News article spelling the name wrong :-) (3, Informative)

billstewart (78916) | more than 2 years ago | (#40678189)

They probably got it wrong because of translating from Russian and back, but it's "Mahdi" in the source code and the file directory shown in the article. Also, that's the standard English-language spelling for the Mahdi [wikimedia.org] , who's approximately the Muslim version of the Messiah (depending on which branch of Islam you're talking to - it comes from hadiths and tradition rather than directly from the Quran.) So it's kind of an arrogant thing to name your program - does that mean it was really done by the Israelis, or by some Arab haxx0r-k1dd13?

Re:News article spelling the name wrong :-) (0)

Anonymous Coward | more than 2 years ago | (#40679961)

nope, they didn't get it wrong. just trying not to offend religious sensibilities and sensitivities.

Re:Digital Spies (0)

Anonymous Coward | more than 2 years ago | (#40679431)

Yes, Kaspersky get to name them because Kaspersky Labs are the ones who create them.
For the Fuhrer Putin, double-playing his friends and foes is business as usual. Don't forget he is "ex" KGB...
And a good ol' espionage technique is to keep everybody at odds between each other.

I know tha... wait!
(What's this dark gray GMC Yukon doing on my driveway...?)
OK guys, gotta go now!
The "suits" have found me...

Re:Digital Spies (1)

V for Vendetta (1204898) | more than 2 years ago | (#40687089)

Flame got its name from itself, as it referenced itself in module and constant names as FLAME_

See for example screenshots of its source here [news.com.au] and here [technoid.com.au] . Or do a Google picture search for Flame yourself.

Re:Digital Spies (1)

PolygamousRanchKid (1290638) | more than 2 years ago | (#40676523)

Actually, you are not far off, being that it spreads via social engineering. That is the oldest spy tool in the book.

. . . and look how James Bond used it very successfully with, . . . um . . ., "Pussy Galore" . . .

Re:Digital Spies (0)

Anonymous Coward | more than 2 years ago | (#40679815)

James Bond does lead generation. That's what the politically correct term for cyber-espionage is now.

Re:Digital Spies (0)

Anonymous Coward | more than 2 years ago | (#40679873)

Who used the term "sophisticated"?

Iran again? (2, Insightful)

tokencode (1952944) | more than 2 years ago | (#40676165)

Given that the spear-phishing targets are mostly in Iran, I'm going to go out on a limb and say this is probably not the work of some 15 year old playing around or Russian organized crime...

Take Cyber Threats to the Physical Level (0)

Anonymous Coward | more than 2 years ago | (#40676207)

Instead of being so sneaky, make about a dozen viruses, malware, trojans, etc. that all send out emails, pop up windows, and insert text into documents and spreadsheets that say: "Stone the Prophet! He is the Devil!", "The Koran is the Devil's Book!", "Radioactive Decay Diminishes the Prophet!", or some such. Then stand back and watch them destroy all their computers and network infrastructure to try to get rid of it.

Text files? Go on.... (3, Interesting)

davidwr (791652) | more than 2 years ago | (#40676255)

"embedding the malware in various documents including text files"

I assume they mean word-processing or other "not quite plain text" files, or perhaps "text files that are really textual representations of computer instructions" e.g. text files that embed macros that are interpreted by the text-processing software.

While it's theoretically possible for a carefully-crafted plain-text file to exploit a security vulnerability in a particular text-processing program, it would have to be a narrowly targeted attack and it would be easily defeated by now-alert customers who simply change to a different text-processing program.

It's also theoretically possible that there is an exploit in the text-handling APIs of the operating environment in use by the intended targets.

Re:Text files? Go on.... (1)

bhlowe (1803290) | more than 2 years ago | (#40676397)

I was wondering about that too.. Only thing I could think of was batch or shell scripts...

Re:Text files? Go on.... (1)

Znork (31774) | more than 2 years ago | (#40676517)

See, that's where the aforementioned social engineering aspect comes in: the text file contains instructions to save it as funcatscript.sh, type chmod +x funcatscript.sh and then run ./funcatscript.sh to see some fun kittens happen. Of course, that will just mail the script to all mail addresses found in the user's mailbox followed by a cat /bin/cat which, to the consternation of the user, simply isn't a very funny cat.

Re:Text files? Go on.... (1)

davidwr (791652) | more than 2 years ago | (#40676749)

With a name like funcatscript I expect the contents of stdin to wind up in stdout. Only in a fun, scripty way.

Of course, if it's malware, I may wind up with a lot more than I bargained for in stdout.

Re:Text files? Go on.... (4, Informative)

Baloroth (2370816) | more than 2 years ago | (#40676459)

It's possible they mean files that appear as text to the user. Ars Technica [arstechnica.com] mentions they use "Right to Left Override" to make it look like executable files aren't (they might show up as a .jpg, for example, complete with a jpg icon) to the end user. If the creators are clever, they could even have it launch the appropriate viewer to make it look like they opened the kind of file they did. So it isn't hard to imagine they did the same with .txt files, although given the context with "PowerPoint" they probably did mean .doc files or the like.
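As an added example that is not part of the thread or of either vendor's analysis: a small Python check that shows the Right-to-Left Override trick from the defender's side. It approximates how a bidi-naive file browser would render a name, extracts the real extension, and flags names carrying bidi control characters; the sample filenames are constructed, and the list of risky extensions is an assumption, not anything reported about Madi.

```python
from pathlib import PureWindowsPath

# Unicode bidirectional control characters that can disguise a filename.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF",
    "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
# Extensions that execute when double-clicked on Windows (assumed list).
RISKY_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta", ".lnk"}


def rendered_name(name):
    """Approximate what the user sees: text after an RLO (U+202E) is drawn
    right-to-left until a PDF (U+202C) or the end of the string; other bidi
    controls are invisible and simply dropped from the rendering."""
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202E":
            j = name.find("\u202C", i + 1)
            end = len(name) if j == -1 else j
            out.append(name[i + 1:end][::-1])  # reversed run
            i = end + 1 if j != -1 else end
            continue
        if ch in BIDI_CONTROLS:
            i += 1
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def analyze(name):
    """Compare the displayed extension with the extension the OS acts on."""
    controls = [(idx, BIDI_CONTROLS[c]) for idx, c in enumerate(name) if c in BIDI_CONTROLS]
    shown = rendered_name(name)
    real_ext = PureWindowsPath(name).suffix.lower()
    shown_ext = PureWindowsPath(shown).suffix.lower()
    return {
        "name": name,
        "displayed_as": shown,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "bidi_controls": controls,
        "suspicious": bool(controls),                # any bidi control is a red flag
        "executable": real_ext in RISKY_EXTENSIONS,  # and this makes it urgent
    }


if __name__ == "__main__":
    # Constructed sample names: one RLO-disguised screensaver, one honest image.
    for sample in ("photo\u202Egpj.scr", "report.jpg"):
        print(analyze(sample))
```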

Re:Text files? Go on.... (0)

Anonymous Coward | more than 2 years ago | (#40679805)

No, the RTLO techniques were used to deliver .scr executables that appeared as ".jpg" files to the targets. Check out the screenshot on the securelist blog post.

Re:Text files? Go on.... (2)

gmuslera (3436) | more than 2 years ago | (#40676715)

If they used advanced enough social engineering techniques, it could be plain ASCII txt files with an instruction to, e.g., base64 decode them and execute it for a nice surprise. The main executable part in social engineering attacks is the people.

REALLY advanced social engineering (1)

davidwr (791652) | more than 2 years ago | (#40676853)

If they used advanced enough social engineering techniques, it could be plain ASCII txt files with an instruction to, e.g., base64 decode them and execute it for a nice surprise. The main executable part in social engineering attacks is the people.

If it were really advanced, it would be something called README.TXT that says

"To see pictures of cats, fax, email, or overnight-courier copies of all of your corporate secrets to ...."

Re:Text files? Go on.... (0)

Anonymous Coward | more than 2 years ago | (#40679791)

Hey guys, the .txt files contain double encoded base64 representations of the images and articles. Yep, ANSI.

'Mahdi' eh? (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#40676263)

So, does somebody think that their malware is actually a figure in Islamic eschatology, are they engaging in some sort of wordplay for the lulz, or are the social engineers capitalizing on suspected Mahdi-enthusiasm among their targets, in a way roughly analogous to the hilariously overt Christianity of Nigerian spammers?

Re:'Mahdi' eh? (1)

Hatta (162192) | more than 2 years ago | (#40676639)

are they engaging in some sort of wordplay for the lulz

Come now, hacking is serious business.

Re:'Mahdi' eh? (2)

LordGr8one (1174233) | more than 2 years ago | (#40676705)

None of the above. They're just Dune fanatics.

MAH-DI!! (1)

Antipater (2053064) | more than 2 years ago | (#40676343)

He has ridden a worm, and changed the passwords of life! The Bene Gnusserit prophecy was true! He is the Mahdi!!

MAHDI! MAHDI! MAHDI!!

Re:MAH-DI!! (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#40676451)

He who controls the bytes controls the universe...

Re:MAH-DI!! (0)

Anonymous Coward | more than 2 years ago | (#40676655)

He has ridden a worm, and changed the passwords of life! The Bene Gnusserit prophecy was true! He is the Mahdi!!

MAHDI! MAHDI! MAHDI!!

An awesome view of Allah from a mythical religion leading his martyrs chanting MAHDI! MAHDI! MAHDI!!

Re:MAH-DI!! (1)

scorp1us (235526) | more than 2 years ago | (#40677339)

Close, "Muad'Dib". I also thought Mahdi.

Re:MAH-DI!! (3, Informative)

scorp1us (235526) | more than 2 years ago | (#40677349)

Mahdi [wikipedia.org] - redeemer of Islam.

Re:MAH-DI!! (1)

ThatsNotPudding (1045640) | more than 2 years ago | (#40684237)

Religion - beyond redemption.

Re:MAH-DI!! (1)

scorp1us (235526) | more than 2 years ago | (#40685581)

I thought it funny that they planned to need redeeming.

Re:MAH-DI!! (1)

Antipater (2053064) | more than 2 years ago | (#40677421)

*sigh* You know, if you want to kill a joke with an "actually..." you should at least make sure you're right before you post.

Re:MAH-DI!! (1)

Ambitwistor (1041236) | more than 2 years ago | (#40677649)

"Mahdi" [wikia.com] is also used in Dune, along with "Lisan al Gaib" and other terms. "Mahdi" is, as someone else pointed out, a real term in Islam, upon which the Fremen mythology was based (Zensunni Wanderers).

Mon dieu! Several Gigabytes! (2)

jpapon (1877296) | more than 2 years ago | (#40676393)

Oh no! Several GIGABYTES of information?

That means they've stolen anywhere from half of a South Park season to several million pages of plain text!

What a useful measure!

Re:Mon dieu! Several Gigabytes! (1)

Brannoncyll (894648) | more than 2 years ago | (#40676427)

Oh no! Several GIGABYTES of information?

That means they've stolen anywhere from half of a South Park season to several million pages of plain text!

What a useful measure!

Or half of The Fellowship of the Ring, Extended Edition.

Re:Mon dieu! Several Gigabytes! (1)

Anarchduke (1551707) | more than 2 years ago | (#40676489)

They've stolen Frodo? Oh god no the humanity!

Re:Mon dieu! Several Gigabytes! (1)

Brannoncyll (894648) | more than 2 years ago | (#40676581)

They've stolen Frodo? Oh god no the humanity!

Just the boring part in the Shire. Reports just in that several top-level members of US intelligence have been found slumped dead at their desks after apparently being forced to endure the tedium of the first half of The Fellowship of the Ring, Extended Edition.

Re:Mon dieu! Several Gigabytes! (0)

Anonymous Coward | more than 2 years ago | (#40679535)

You'll be going on about all the walking next.

Re:Mon dieu! Several Gigabytes! (0)

Anonymous Coward | more than 2 years ago | (#40677159)

Or half of The Fellowship of the Ring, Extended Edition.

I always wondered what happened to Tom Bombadil...

drop the packets (0)

Anonymous Coward | more than 2 years ago | (#40676507)

DENY
174.142.57.*
67.205.87.*

http://www.blacklistednews.com/%E2%80%98Madi%E2%80%99_Cyber_Espionage_Campaign_in_Middle_East_Uncovered/20570/0/38/38/Y/M.html

optional: turn off iframe, xframe, and frame

looks just like virut to me, goes after *.exe and *.scr (you're not CLEANING that system; after that, you are reformatting after you spend days trying to save text files)
these love to come in on frames.

Israel did it and now they fakely pose as victims (0)

Anonymous Coward | more than 2 years ago | (#40682959)

> ... specifically targeting people in critical infrastructure companies, financial services and government embassies, which are mainly located in Iran, Israel and Afghanistan

Corrected for you:

"... specifically targeting people in critical infrastructure companies, financial services and government embassies, which are mainly located in Iran, the Occupied Palestinian Territories and Afghanistan

The aim of the axis of Manhattan - Tel-Aviv is the creation of Greater Zion, a spartan-type Jewish military state that would extend from the Nile to the rivers of Tigris and Euphrates, as seen on the 10-agorot Zionist coinage. Arabs and Muslims currently living in those vast lands will be part exterminated, part deported to Tierra del Fuego in South America (Argentina accepted that condition to escape the state bankruptcy disaster 12 years ago). The little few who will remain in place among the descendants of Ishmael will be doing earthworks and cleaning toilets for the descendants of Isaac.

The sad thing is that first-born Ishmael and second-born Isaac were brothers, as the famous biblical patriarch Abram/Abraham was their common father. The mother of Isaac, Sarah, was a very vile woman who used her political connection in the Judaite tribe to pose as the only wife of Abraham and expel the "concubine" Hagar into the Arabian desert with her son Ishmael. Yet, the Lord of Abraham (variously adored as YHWH / Father God / Allah) had mercy on the duo and directed them to an oasis. Later on, another tribal leader adopted Ishmael, made him his heir, and with his successes and expansion in leadership he became the ancestor of the people who are today known as Arabs and Muslims. Abraham visited Ishmael later on to commend his success and together they built the Mecca shrine that now houses the holy Stone of the Kaaba.

The Jews, the sons of Isaac, do not like this story and wish to erase it from memory, preferably by extinguishing the Arab and Muslim people. They also hate present-day Iran and its people, because Iran (Persian Empire) was the birthplace of Zarathustra, the sage founder of the Zoroastrian religion, of good and bad God dualism. Jews try to hide the fact that their "divine kabbalah" mysticism is actually applied Zoroastrianism and thus Jews are not really monotheistic in the strict "Adonai e'chad" and "tawhid" sense!
