Seeing Stars?

It’s been a week since a senior official in Iran announced that they had discovered a new targeted attack aimed at them. The details of this attack are still vague. While Iran has labeled the attack "Stars", it’s not clear if it is Stuxnet-like in its complexity, target, or ultimate goals. Iran says they have not yet discovered its purpose. And it appears they have not shared malware samples with any outside security researchers.

If more details emerge, specifically a sample of the threat that can be examined by security researchers, or a hash of the suspected file so we can identify it in our sample set, we’ll examine it. Until then we can only speculate. So here goes: my thoughts on what possibly could be going on.

1. Iran has discovered the "Brother-of-Stuxnet"
Given the resources that were put behind Stuxnet, it shouldn't be surprising that more than one attack was planned. In product development, it is not unusual to have two teams competing to solve a problem. And from what I know about espionage (which admittedly, is all learned from spy movies) it’s not unusual with those folks either. You can then pick the best effort with which to move forward. It also gives you a plan B, in case your first effort doesn't work out like you hoped it would. It is very possible Iran has discovered plan B.

2. Imitation is the sincerest form of flattery
We have predicted that Stuxnet would drive other nation states to create similar malware. Another player may have jumped into the game, attempting to show off their cyber espionage skills and reach some objective known only to them.

3. Paranoia rules
It is quite possible that Iran has detected a massive attack that just happened to strike at them. This malware could be a fake AV program, whose only purpose is to steal $49.95 in Iranian currency. But given the paranoia about cyber attacks that must be running rampant in the government there, or perhaps to put it kindly, because of the extreme caution they likely now take, they have overreacted to a garden variety piece of malware.

4. The dog ate my homework
Maybe somebody is running behind on an important project, their boss is breathing down their necks and they need a good excuse for being late. I've used the same technique on my boss before. “I would have had that white paper done, but I forgot to save it and then my machine crashed”, “I emailed it to you, you didn't get it?” or “An Israeli hacker crippled my server and I can't possibly make that deadline you gave me.”

As I said, I am just speculating. It's likely to be one of these reasons, but then again maybe it’s something else. What I am sure of is that unless security researchers are given a sample of the threat, speculation is all we have.

SSCC 58 – Coreflood, DSLReports, Sony, Stars and Ars Technica

Paul Ducklin joined me from Sydney this week as we both returned home from a long and rewarding trip to InfoSec Europe.

While the news has been dominated by the recent attack on Sony Computer Entertainment, we started off talking about the actions the US government took against the Coreflood botnet. The news was largely positive, but it does allow broadened powers for the police that include actions some feel could further harm the victims.

When the topic of DSLReports, Sony and other data leakage incidents came up, our conclusions were ultimately in alignment. While these incidents are important and may draw our attention to the problem, these losses are only a small part of what Paul likes to call the “death of a million cuts.”

On the topic of the supposed “Stars” virus, which Iran claims is a second stage Stuxnet virus, the conclusion was the same. Even if this “Stars” virus is real, and is a concern for Iran, in the meantime the rest of us are being hit with a barrage of cyber-crap that is having real impact on our lives.

No story is complete without some comment on Facebook and Chet Chat 58 is no exception. Aside from the usual list of attacks and scams, it appears that their DMCA takedown process and other pieces of their self-defense mechanisms are easily manipulated. Ars Technica’s Facebook page was arbitrarily deleted this week based on a DMCA claim that no one has yet been able to explain.

If you prefer a news summary for the week in text format, visit the Sophos Security News and Trends for the latest selected hot topics or subscribe to our weekly newsletter, Sophos eNews.

(28 April 2011, duration 18:37 minutes, size 12.6MBytes)

You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 58.

Stars virus: Iran claims to intercept second cyberwarfare attack

Iranian officials today claimed to have intercepted a cyberwarfare attack, involving malware designed to spy upon government systems.

The malware has been dubbed the “Stars” virus by Gholamreza Jalali, the head of Iran’s civil defence organisation, who broke the news on the institution’s website.

Jalali says that the Stars virus continues to be investigated by the country’s experts, and that it could have been “mistaken for executive files of governmental organisations”. That suggests that the attack may have been disguised as a legitimate Word file, PDF file or similar document in an attempt to trick unsuspecting victims into infecting government computers.

Inevitably, many people will remember the brouhaha that surrounded the Stuxnet virus last year, and sure enough the media has jumped upon the story of the new Stars virus.

Unfortunately, we can’t tell you much about this Stars virus. As far as we know, we don’t have a sample in our malware collection – and we would really need the Iranian authorities to share what they have seen with the anti-malware community, so we can delve a little deeper.

An MD5 checksum, for instance, would quickly help us ascertain if this is a sample of some malware that we’ve seen before.

In his statement, Jalali blamed American and Israeli forces for attacking Iranian websites, but we are not able to confirm that the malware attack – if genuine – originated in either country or if it is really specifically targeting Iranian systems.

Let’s not forget, we see almost 100,000 new unique malware samples every day – much of it designed to spy upon victims’ computers. Presumably the Iranian authorities have reason to believe that the Stars virus they have intercepted was specifically written to steal information from their computers, and is not just yet another piece of spyware.

If we learn any more we’ll certainly let you know.