The Madi Attacks: Series of Social Engineering Campaigns

Symantec Security Response is aware of recent reports of Madi, a Trojan used in targeted campaigns and observed in the wild since December 2011.

The following is an email example, discovered in the Madi campaign, which included a malicious PowerPoint attachment:

Figure 1. Targeted email containing malicious PowerPoint

In one example, opening the PowerPoint attachment displays a series of video stills showing a missile destroying a jet plane. During the final PowerPoint slide, a dialog window is displayed to the user requesting permission to run an executable file:

Figure 2. Final PowerPoint slide prompts user to run a .scr file

Symantec detects this malicious executable as Trojan.Madi using the latest LiveUpdate definitions. It is capable of stealing information—including keylogging functionality. The Trojan can also update itself. We have observed Trojan.Madi communicating with command-and-control servers hosted in Iran and, more recently, Azerbaijan.

Targets of the Madi campaign appear to be all over the spectrum but include oil companies, US-based think tanks, a foreign consulate, as well as various governmental agencies, including some in the energy sector.

Figure 3. Heat map distribution of global Madi infections

Although Madi has been seen targeting various Middle Eastern countries, it has also been found across the globe from the United States to New Zealand.

Figure 4. Infection percentages of Madi from December 2011 to July 2012

Where high profile attacks such as Flamer, Duqu, and Stuxnet utilize different techniques to exploit systems—including leveraging zero-day attacks—the Madi attack relies on social engineering techniques to get onto targeted computers.

Targets like Iran, Israel, and Saudi Arabia might suggest involvement of a nation state, however our research has not found evidence that this is the case. Instead, the current research indicates these attacks are being conducted by an unknown Farsi-speaking hacker with a broad agenda.

Update [July 18, 2012] - Distribution map (Figure 3) and pie chart (Figure 4) updated to reflect telemetry data.

AT&T Charging for FaceTime Would Breach Net Neutrality, Groups Say

Photo: Steve Rhodes/Flickr

AT&T would almost certainly violate net neutrality rules if it begins charging for using FaceTime over its cellular network when Apple’s newest mobile operating system debuts in September.

At least, that’s what digital rights groups said Tuesday of the leaked plan to charge yet another special fee to customers to use the full capability of devices on AT&T’s network.

On Monday, 9to5Mac discovered that, when testing iOS6 beta 3, a popup message said AT&T needed to be contacted to enable the FaceTime service when using the cellular network. Using the same iOS6 beta with a Verizon iPhone, 9to5Mac did not get the same popup.

Apple’s FaceTime app allows live video conversations between users of Apple devices. FaceTime works only over Wi-Fi currently, but is slated to also work over cellular connections when Apple’s iOS6 debuts this fall.

“It’s hard to believe AT&T could contemplate blocking consumers’ access to a video-calling application unless those consumers pay AT&T an additional fee,” Matt Wood, Free Press’ policy director, said in a statement. “Such a move would almost certainly violate the open internet rules that AT&T worked with the FCC to craft — rules that we’ve criticized as far too weak, but that are acceptable to AT&T according to the company’s own congressional testimony.”

AT&T charges $50 for 5 gigabytes of data on high-end plan, and now might add to that an unspecified price to use broadband via FaceTime.

AT&T did not immediately respond for comment. But it told 9to5Mac Monday that the company was “working closely with Apple on the new developer build of iOS6 and we’ll share more information with our customers as it becomes available.”

Peter Eckersley, the technology project director for the Electronic Frontier Foundation, said AT&T should not add additional charges. FaceTime use should count against a customer’s broadband plan, he said. “This is definitely dangerous territory,” he said in a telephone interview.

At issue are new net neutrality rules that went into effect in November.

The rules prohibit DSL and cable companies from unfairly blocking services they don’t like and require them to be transparent about how they manage their networks during times of congestion. Mobile carriers like AT&T and Verizon face fewer rules, but are banned from interfering with alternate calling services such as Skype that compete with the carriers’ services.

That’s the provision that Free Press says AT&T’s reported plan would violate.

Verizon is already suing the FCC over the rules. A federal appeals court struck down a previous FCC attempt to enforce similar principles against Comcast after it was caught secretly interfering with peer-to-peer file sharing.

Convicted Murderer Hans Reiser Ordered to Pay His Kids $60M

Hans Reiser on the stand in 2008 during his 11 days of testimony that ended with a jury convicting him of murdering his wife, Nina. Illustration: Norman Quebedeau/Wired

A California jury on Tuesday found Hans Reiser financially liable for killing his wife, Nina, four years ago, ordering the imprisoned Linux guru to pay the couple’s two children $60 million.

Deliberating less than a day, an Alameda County, California jury reached its conclusion after a weeklong trial.

Reiser, the developer of the ReiserFS filesystem, was convicted by a different Alameda County jury in 2008 of the first-degree murder of his wife. In that criminal case, defendant Reiser and his legal team argued that his wife was not dead, and that after he accused her of embezzling from his software company, Namesys, she abandoned her children to sneak away to Russia, where the couple met in 1998. But jurors didn’t buy Reiser’s story, and weeks after his conviction he led the authorities to Nina’s body hidden in the Oakland hills in exchange for a reduced term of 15-to-life instead of 25-to-life.

Acting as his own attorney while wearing Pleasant Valley State Prison smocks and sometimes rambling and crying, Reiser told jurors in the civil suit a new story — he killed his wife to prevent her from possibly killing their children.

San Francisco lawyers working pro bono brought the suit on behalf of Hans Reiser’s 12-year-old son and 11-year-old daughter. Jurors awarded $25 million for each child in addition to $10 million in punitive damages.

The children’s attorney, Arturo González of Morrison & Foerster, isn’t sure if there is any money to recover for the children. He said he brought the case in the event that Reiser has assets hidden, or develops something of financial value in the future.

“We’re very pleased that the jury agreed with the theme of our case — Nina was a wonderful person and a great mother,” González said. “Taking her life has caused immense harm to everyone who knew Nina, especially her children.”

The computer programmer claimed his wife was abusing the kids, that she had a factitious disorder by proxy – often referred to as Munchausen syndrome by proxy – where a caregiver harms or even kills someone they are in charge of in order to gain sympathy and attention. During the 2008 trial, Reiser alluded to that as well, accusing his wife of having the disease when she wanted to get their son surgery for severe hearing loss.

Nina Reiser, at age 31, was last seen alive at Hans Reiser’s house in the Oakland hills on the day of her 2006 murder, when she dropped off the once-happy couple’s two young children to stay with him the Labor Day weekend. The couple were in the middle of a contentious divorce.

Mahdi, the Messiah, Found Infecting Systems in Iran, Israel

Mahdi has targeted computers primarily in Iran and Israel, though it has also infected computers elsewhere in the Middle East. Courtesy of Seculert

Who knew that when the Messiah arrived to herald the Day of Judgment he’d first root through computers to steal documents and record conversations?

That’s what Mahdi, a new piece of spyware found targeting more than 800 victims in Iran and elsewhere in the Middle East, has been doing since last December, according to Russia-based Kaspersky Lab and Seculert, an Israeli security firm that discovered the malware.

Mahdi, which is named after files used in the malware, refers to the Muslim messiah who, it’s prophesied, will arrive before the end of time to cleanse the world of wrongdoing and bestow peace and justice before Judgment Day. But this recently discovered Mahdi is only interested in one kind of cleansing – vaccuuming up PDFs, Excel files and Word documents from victim machines.

The malware, which is not sophisticated, according to Costin Raiu, senior security researcher at Kaspersky Lab, can be updated remotely from command-and-control servers to add various modules designed to steal documents, monitor keystrokes, take screenshots of e-mail communications and record audio.

While researchers have found no particular pattern to the infections, victims have included critical infrastructure engineering firms, financial service companies, and government agencies and embassies. Of the 800 targets discovered so far, 387 have been in Iran, 54 in Israel and the rest in other countries in the Middle East. Gigabytes of data were stolen over the last eight months.

According to Aviv Raff, CTO of Seculert, his lab received the first sign of the malware last February in the form of a spear-phishing e-mail with a Microsoft Word attachment. The document, once opened, contained a November 2011 article from the online news site The Daily Beast discussing Israel’s plan to use electronic weapons to take out Iran’s electric grid, internet, cellphone network, and emergency frequencies during an airstrike against Iran’s nuclear facilities.

If users clicked on the document, an executable launched on their machine that dropped backdoor services, which contacted a command-and-control server to receive instructions and other components. Researchers have discovered other variants that used malicious PDF and PowerPoint attachments, some of them containing images with various religious themes or tropical locations, that use simple social engineering techniques to confuse users into allowing the malware to load onto their machines.

One of the serene images that appears in a malicious PowerPoint file sent to victims. Courtesy of Kaspersky Lab

As Kaspersky Lab explains in a blog post, one of the PowerPoint variants displays “a series of calm, religious themed, serene wilderness, and tropical images, confusing the user into running the payload on their system” by confusing them into ignoring virus warnings that might appear on their screen.

“[W]hile PowerPoint presents users a dialog that the custom animation and activated content may execute a virus, not everyone pays attention to these warnings or takes them seriously, and just clicks through the dialog, running the malicious dropper,” Kaspersky writes.

While another image asks users to click the file, a dropper loads to their machine. Although a virus warning displays onscreen, users are tricked into clicking through it because the slideshow has already primed them to click through the slides.

According to Kaspersky, the backdoors that infected machines were all coded in Delphi. “This would be expected from more amateur programmers, or developers in a rushed project,” they write in their blog post.

The earliest variant found so far infected machines in December 2011, but a compilation date on some of the files indicates the malware may have been written before last September.

The malware communicates with at least five servers – one in Tehran, and four in Canada, all hosted in different locations. Researchers at Kaspersky Lab created a sinkhole to divert traffic from some of the infected machines, but at least one server is still up and running, meaning the spy mission is still active.

Seculert contacted Kaspersky about Mahdi last month after researchers in its lab discovered Flame, a massive, highly sophisticated piece of malware that infected systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation. Flame is also a modular malware that allows its attackers to steal documents, take screenshots and record audio of Skype conversations or communications conducted in the vicinity of an infected machine.

Raff says his team in Israel reached out to Kaspersky because they thought there might be a connection between the two pieces of malware. But researchers have found no parallels between Mahdi and Flame. Raff notes, though, that “the guys behind them may be different, but they do have very similar purposes,” which is to spy on targets.

Recently, U.S. government sources told the Washington Post that Flame is the product of a joint operation between the United States and Israel.

Raff says it’s not clear if Mahdi is the product of a nation-state, but notes that the researchers found strings of Farsi in some of the communication between the malware and command-and-control servers, as well as dates written in the format of the Persian calendar.

“This is something we didn’t see before, so we thought it was interesting,” he says. “We are looking at a campaign that is using attackers who are fluent in Farsi.”

The infections in Iran and Israel, along with the Farsi strings, suggest the malware may be the product of Iran, used to spy primarily on domestic targets but also on targets in Israel and a handful of surrounding countries. But the malware could also be a product of Israel or another country that’s simply been salted with Farsi strings in order to point the finger at Tehran.

UPDATE 10:30am PST: A news story from an Israeli tech site back in February appears to refer to a Mahdi infection at Bank Hapoalim, one of Israel’s top banks. According to the story (which is in Hebrew), the attack came via a spear-phishing email that included a PowerPoint presentation and was sent to several bank employees. The malware includes a file called officeupdate.exe and tries to contact a remote server in Canada via a server in Iran.

Although the article does not directly identify the malware as Mahdi, it has multiple characteristics that match Mahdi, and it struck Bank Hapoalim around the same time that Seculert says it discovered Mahdi.

UPDATE 2:30pm PST: A reader has pointed out that the Hebrew in the PowerPoint slides above is incorrect and awkwardly phrased in several places and suggests that the author of the slides is not a native-Hebrew speaker.