Madison Ruppert
Activist Post
July 18, 2012

Yet another virus primarily targeting countries in the Middle East has been discovered, this time called Mahdi, after the Islamic Messiah who will, according to Islam, rule the earth before the Day of Judgment.

Much like the astoundingly complex virus known as Flame, this virus can be modified remotely by the attacker in order to record keystrokes, remove documents, monitor email communications and even record audio.

However, according to Costin Raiu, senior security researcher at Kaspersky Lab, this piece of malware is not sophisticated, unlike Flame.

The malware was discovered “several months ago” and has targeted over 800 systems, with the vast majority in Iran, and Israel coming in a distant second, according to Israeli Seculert and Russian Kaspersky Lab.

Interestingly, Seculert revealed on its July 17 blog:

“The variant we examined communicated with a server located in Canada. We were able to track variants of the same malware back to December 2011. Back then, the malware communicated with the same domain name, but the server was located in Tehran, Iran.”


The potential similarities between Flame and Mahdi were so striking that Seculert originally contacted Kaspersky Lab in order to examine the two pieces of malware, although ultimately they “couldn’t find a direct connection between the campaigns.”

However, they did find that victims of the software known as Mahdi “include critical infrastructure companies, financial services and government embassies, which are all located in Iran, Israel and several other Middle Eastern countries.”

Seculert makes it very clear that they do not know if there is a nation behind this effort. Previous Middle Eastern-focused viruses like Stuxnet, Duqu and Flame have all been traced back to the U.S. and Israel by researchers.

“It is still unclear whether this is a state-sponsored attack or not. The targeted organizations seem to be spread between members of the attacking group by giving each victim machine a specific prefix name, meaning that this operation might require a large investment and financial backing,” Seculert states on their blog.

This assertion, however, seems a bit odd considering that Mahdi is “not sophisticated” according to Kaspersky Lab’s Raiu. When dealing with potentially state-sponsored malware, we usually see researchers from groups like Kaspersky Lab saying that it is quite complex indeed.

Kaspersky Lab even pointed out that Delphi, the language in which parts of the malware were written, “would be expected from more amateur programmers, or developers in a rushed project.”

Interestingly, according to the CTO of Seculert, Aviv Raff, Mahdi first came to their attention last February when a so-called “spear-phishing e-mail,” as Threat Level puts it, with a Microsoft Word attachment was discovered.

This document, if opened, would then open an article from November 2011 on Israel’s electronic warfare plans against Iran published on the Daily Beast.

Mahdi would also launch an executable on the victim’s system which dropped so-called backdoor services which then contacted a command and control, or C&C, server in order to receive instructions and/or other malware components.

Alternative versions uncovered by researchers included infected PDFs and PowerPoint attachments, some of which contained images of tropical locations or religious themes.

These PowerPoint presentations confused people into actually allowing the virus to infect their machines. According to Kaspersky Lab, one of the Mahdi PowerPoint variants shows the user “a series of calm, religious themed, serene wilderness, and tropical images, confusing the user into running the payload on their system.”

“While PowerPoint presents users a dialog that the custom animation and activated content may execute a virus, not everyone pays attention to these warnings or takes them seriously, and just clicks through the dialog, running the malicious dropper,” Kaspersky Lab explains.

Kaspersky Lab notes:

“Large amounts of data collection reveal the focus of the campaign on Middle Eastern critical infrastructure engineering firms, government agencies, financial houses, and academia. And individuals within this victim pool and their communications were selected for increased monitoring over extended periods of time.”

Interestingly, a reader informed Threat Level that the Hebrew utilized in the PowerPoint slides on one of the Mahdi variants “is incorrect and awkwardly phrased in several places and suggests that the author of the slides is not a native-Hebrew speaker.”


In her Threat Level article, Kim Zetter draws some interesting conclusions. Zetter states that the infections in both Iran and Israel, with the vast majority of infections in Iran (387 in Iran vs. 54 in Israel according to Seculert), could indicate that Iran is somehow behind this infection.

Personally, I find such a leap quite absurd, although in the next sentence Zetter admits:

“But the malware could also be a product of Israel or another country that’s simply been salted with Farsi strings in order to point the finger at Tehran.”

Seeing as the cyber attacks on Iran to date have come from a group of usual suspects, namely, the United States and Israel, why would we suddenly expect the nation continuously targeted by similar attacks to turn around and infect their nation’s own machines?

That being said, Zetter might have grounds if she opted to highlight the seemingly rudimentary nature of the malware instead of the Farsi strings, which, according to Raff, indicate that “We are looking at a campaign that is using attackers who are fluent in Farsi.”

Seeing as U.S. officials have already confirmed that members of the Iranian terrorist group commonly referred to as the MEK were, in fact, trained by the Israeli Mossad, I would not for a moment be surprised if Israel had many fluent Farsi speakers they could utilize for such an operation.

In a seeming attempt to support the conclusion that the virus is of Iranian origin, Zetter links a virus revealed on an Israeli site in February which “came via a spear-phishing email that included a PowerPoint presentation and was sent to several bank employees.”

“The malware includes a file called officeupdate.exe and tries to contact a remote server in Canada via a server in Iran,” Zetter adds.

However, Zetter then admits that the article in no way identifies the malware as Mahdi, writing:

“Although the article does not directly identify the malware as Mahdi, it has multiple characteristics that match Mahdi, and it struck Bank Hapoalim around the same time that Seculert says it discovered Mahdi.”

One must wonder why highly secret Israeli cyber warriors would target one of their nation’s top banks, thus strengthening Zetter’s not-so-subtle finger pointing in the direction of Iran.

Zetter, described as “a senior reporter at Wired covering cybercrime, privacy, security and civil liberties,” must still explain why Iran, the target of the majority of highly sophisticated malware (which all just happens to be linked to the U.S. and Israel), would target itself with malware.


Personally, I just don’t see why that is an even remotely reasonable conclusion to draw from the limited amount of evidence at hand.

Did I forget anything or miss any errors? Would you like to make me aware of a story or subject to cover? Or perhaps you want to bring your writing to a wider audience? Feel free to contact me at admin@EndtheLie.com with your concerns, tips, questions, original writings, insults or just about anything that may strike your fancy.

This article first appeared at End the Lie.