The Mahdi worm steals files from infected computers and logs users’ keystrokes in an attempt to harvest sensitive information.
Israeli firm Seculert said it has identified 800 infected computers worldwide, of which, according to Symantec, three-fourths are in Israel and Saudi Arabia.
“Targets of the Mahdi campaign … include oil companies, US-based think tanks, a foreign consulate, as well as various governmental agencies, including some in the energy sector,” according to Symantec.
Seculert said a number of infected computers were in Iran.
The worm arrives as an email attachment and is activated when an unsuspecting user downloads the attachment. It then steals information, including screenshots of the computer, audio files, software applications and other data that can amount to gigabytes.
Symantec found that the data was routed to servers in Iran and Canada. However, that doesn’t prove involvement by anyone in Iran and Canada. Someone from a third country could just be using servers in those countries to hide their identity.
Researchers with Seculert said the large amount of stolen data indicates state involvement in the attack. “This operation might require a large investment and financial backing,” said the firm in a blog post. “It requires people to actually do a massive amount of work” to sift through the data being collected, said Seculert analyst Aviv Raff. In other words, an individual hacker would be inundated with too much data, so a lone hacker is unlikely to be behind the operation.
Experts have found snippets of Farsi embedded in the code, which suggests the developers know the language, but Symantec says it has not found any evidence of state involvement.
“The current research indicates these attacks are being conducted by an unknown Farsi-speaking hacker with a broad agenda.”
The design of the worm is very basic and not as sophisticated as Flame or Stuxnet, which were allegedly developed by the American and Israeli governments to target the nuclear infrastructure in Iran.
But Mahdi’s simplicity might be its strength. “While the malware and infrastructure is very basic compared to other similar projects, the Mahdi attackers have been able to conduct a sustained surveillance operation against high-profile victims,” said Nicholas Brulez, senior malware researcher at the Russia-based Kaspersky Lab.
“Perhaps the amateurish and rudimentary approach helped the operation fly under the radar and evade detection,” he said.
For its part, Iran has denied any involvement in the attacks, accusing Israel and the United States of running a smear campaign. “Several companies that are supported by Iran’s enemies, based on an organized plan, have accused Iran of stealing information through this malware,” the state news agency quoted the deputy head of a state-connected research center at Esfahan University as saying.
The worm was named Mahdi after the 12th Imam of Shia Islam because that word was found to be the name of one file inside the worm.