X

Mahdi malware creators add new features

Researchers find new version of the malware and a possible Flame connection and offer a tool for checking if your computer is infected.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read
This is a screenshot of the header for the new version of Mahdi that appears to have been compiled today.
This is a screenshot of the header for the new version of Mahdi that appears to have been compiled today. Seculert

Researchers said today that they have noticed some new features and changes to the data-stealing malware Mahdi and have uncovered a reference to "Flame," which could potentially indicate some connection to the malware of the same name that also has numerous infections in Iran.

"Last night, we received a new version of the #Madi malware. Following the shutdown of the Madi command and control domains last week, we thought the operation is now dead. Looks like we were wrong, Nicolas Brulez of Kaspersky Labs wrote in a post on its SecureList blog.

The new version, compiled just today, contains "many interesting improvements and new features. It now has the ability to monitor VKontakte, together with Jabber conversations. It is also looking for people who visit pages containing 'USA' and 'gov' in their titles. In such cases, the malware makes screenshots and uploads them to the C2," or command-and-control server, he said. The new "USA" checks could indicate a shift in focus from targets in Israel to targets in the U.S., he speculated.

But the most important change is probably that the infostealer no longer waits for commands from command-and-control server but uploads all the stolen data immediately, Brulez said. Later today, he updated the post to say that the malware wasn't connecting to the servers for orders anymore.

Meanwhile, a Seculert blog post discusses a possible link to Flame.

"For each victim, the Mahdi malware assigns a unique identifier, which is used by the C&C server to identify which targeted entity it is communicating with. Part of this unique identifier is a prefix, which is used to help spread the targeted entities between the members of the attacking group and allow them to identify and manage a bulk of targeted entities," and one of the prefixes is "Flame," the post says. "The first targeted victim with the "Flame" prefix began communicating with the C&C server in early June, right after the Kaspersky Lab discovery of Flame went public. Coincidence? Maybe."

Aviv Raff, Seculert co-founder and chief technology officer, told CNET in an interview at the Black Hat conference that the link between the two pieces of malware is unclear. "Either it's the same guys running Flame or they have some connection to the guys running Flame," Raff said.

Some of the prefixes end with "coffinet," including: Chabehar, Iranshahr, Khash, Nikshahr, Saravan and Zabol, which are all cities and counties located in the southeast region of Iran, Seculert said.

Seculert also has created an online tool for people to check if their device or network is compromised by Mahdi. It is here.