The opening stanza of the popular English nursery rhyme by Jane Taylor is synonymous with the current situation prevailing in Iran, and it has left AV researchers and security analysts flummoxed. The virus has been named the “Star Virus”.
Iran has yet again been ground zero for a cyber attack on its infrastructure, but according to the commander of civil defense, Gholamreza Jalali:
“Fortunately, our young experts have been able to discover this virus and the Stars virus is now in the laboratory for more investigations.” He did not specify the target of Stars or its intended impact.
As this has been a closely guarded investigation by Iran, many details are still awaited.
For the past few days during my research, I was unable to find any substantial material on Iran, nor was I able to find any interesting articles on Iran, especially articles targeting its aspirations.
Normally, as per my observation, whenever there is a flurry of sensational news, within a few days of those news items we end up finding news about a cyber-attack. For example, news about Iran’s nuclear program created quite a stir, and within 6 months we yet again found Stuxnet. Based on this, what I observed after the Stuxnet incident was:
1: There was a clampdown on news stories from inside Iran, except for government crackdowns etc., but nothing substantial.
2: Everyone, including (I presume) the military analysts, was thinking hard about the ground reality in Iran as far as its aspirations are concerned.
This actually means silence, which is sometimes good and sometimes bad. So much for Iran.
Now for the technical aspect. For the past few days we have been observing a new form of exploit which comes in the form of a PDF file with embedded Flash, exploiting a zero-day vulnerability in Adobe software. Secondly, the timing of the Star Virus was during the Easter holidays (not a holiday in Iran); it is a well known fact that most attacks, whether phishing or hacking, happen during holidays.
When we put these two aspects together, (a) no news is bad news and (b) a zero-day exploit existed at the time of the press release, it is safe to assume that Iran was attacked with this zero-day exploit, and to make matters worse, the payload of the exploit is what will make this more interesting. The delivery of this file was most probably through the email system.
We have also come across various instances of organizations placing orders for computer-espionage software. Is this all a culmination towards a full-fledged proxy cyber war?
This analysis is complemented by the press release:
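As an added defender-side example (not code from the original post), the following Python heuristic flags PDFs that carry embedded Flash content, the delivery vehicle described above: it looks for RichMedia/Flash names and for SWF signatures (FWS/CWS/ZWS) inside stream objects, decompressing FlateDecode streams first, and builds a constructed sample PDF to scan. The indicator names and the sample file are my own assumptions.

```python
import re
import zlib

# Heuristic indicators (assumed, not from the original post): PDF names used to
# attach Flash content, and the SWF file signatures (uncompressed/zlib/LZMA).
FLASH_NAMES = [b"/RichMedia", b"/Flash", b"/SWF", b"application/x-shockwave-flash"]
SWF_MAGIC = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x20]")  # signature + version byte
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def scan_pdf_bytes(data):
    """Return a sorted list of Flash indicators found in raw PDF bytes."""
    findings = set()
    for name in FLASH_NAMES:
        if name in data:
            findings.add(name.decode())
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        candidates = [body]
        try:  # FlateDecode streams hide the SWF header behind zlib compression
            candidates.append(zlib.decompress(body))
        except zlib.error:
            pass
        for c in candidates:
            if SWF_MAGIC.match(c):
                findings.add("swf-magic:" + c[:3].decode())
    return sorted(findings)

def is_suspicious(data):
    return bool(scan_pdf_bytes(data))

def build_sample_pdf(with_flash):
    """Constructed minimal PDF; with_flash adds a RichMedia annotation and a
    Flate-compressed embedded file whose content starts like a compressed SWF."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R >>"]
    if with_flash:
        swf = b"CWS\x0a" + b"\x00" * 16  # fake header only: CWS signature, version 10
        packed = zlib.compress(swf)
        objs[2] = b"<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>"
        objs.append(b"<< /Type /Annot /Subtype /RichMedia /RichMediaContent 5 0 R >>")
        objs.append(b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\n"
                    b"stream\n" % len(packed) + packed + b"\nendstream")
    out = b"%PDF-1.7\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"%%EOF\n"

if __name__ == "__main__":
    for flag in (False, True):
        print("flash" if flag else "clean", scan_pdf_bytes(build_sample_pdf(flag)))
```

This is a first-pass triage filter for mail-gateway or incident triage use: object streams, other stream filters or split name strings will evade it, so positives still need a full PDF parser or a sandbox detonation.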
Gholamreza Jalali: “The particular characteristics of the Stars virus have been discovered. The virus is congruous and harmonious with the [computer] system and in the initial phase it does minor damage and might be mistaken for some executive files of government organizations.”
When we do research we have to assume a lot of things; assumptions are based on our observation, analytical skills, experience, knowledge and out-of-the-box thinking. From these assumptions we derive the algorithm and work on it. Failures are part and parcel of this and act as a driving force to achieve our goals.
A lot of conclusions and parallels can be drawn, but I prefer to stick to the core technical part.
For those who would want to think about something else:
1: Easter holidays + Long Weekend?
2: Executive files of government organizations: which files? Most such files are in PDF or DOC format, and a distinctive feature of government files is their file names. Was there a cyber-espionage attempt or an insider threat (for data-mining purposes) which went unnoticed?
3: Which Government organizations were targeted?
Only time and Gholamreza Jalali can tell us how true this is.