Transcript Stuxnet - Clemson

Mahdi The “Messiah”
(CPSC 620)
Akash Mudubagilu
Arindam Gupta
Agenda
• Computer Trojan
• Mahdi
• What makes it special
• Mahdi Targets
• Effects
• How to remove
• References
What is Trojan ?
• A Trojan is a program that may appear to be
legitimate, but in fact does something malicious.
• Destructive program
• steals information or harms the system
• Does not replicate
Mahdi
• Also known as Madi
• Data-stealing Trojan
• Attack relies on social engineering techniques to get onto
targeted computers.
• Records
•
•
•
•
Keystrokes
Screen shots
Audio
Steal text and image files
Contd..
• The following is an email example which included a
malicious PowerPoint attachment
Contd..
• In another example the PowerPoint when opened,
displays a series of video stills showing a missile
destroying a jet plane
What makes it special ?
• Reference in the code to the word for the Islamic
Messiah.
• Use of Farsi Language.
• Persian calendar format.
• It can update itself.
• The creators are still at work
• Always takes latest code definition.
Contd..
• Communicates with command-and-control server
• Uploads stolen data
• Gets instructions from the server
Mahdi targets
• Critical infrastructure firms
• Engineering students,
• Financial services firms
• Government embassies located in Middle Eastern
countries, with the majority of the infections in Iran.
• Also been found in countries like United States and
New Zealand.
Mahdi Infections
Effects
• Google and Yahoo searches are redirected.
• Desktop background image and browser homepage settings
changed.
• Slows down the computer considerably.
• Will get unwanted pop-ups. Also corrupts windows registry
and uses it to deploy annoying pop-ups.
• Large amount of data uploaded.
• Might make the internet connection slow.
• Uploads sensitive information to server.
How to Remove
• Auto- Removal
• System Restore.
• Install a tool to remove the malware.
• Manual Removal
• Stop Mahdi process from Task Manager.
• Uninstall Mahdi from Control Panel, Add/Remove
programs.
• Open windows registry, find and remove all Mahdi
registry files.
• Delete all Mahdi related files from the computer.
References
•
http://news.cnet.com/8301-1009_3-57503949-83/a-whos-who-ofmideast-targeted-malware/
•
http://news.cnet.com/8301-1009_3-57474405-83/mahdi-messiahmalware-targeted-israel-iran-pcs/
•
http://blog.seculert.com/2012/07/mahdi-cyberwar-savior.html
•
http://www.symantec.com/connect/blogs/madi-attacks-seriessocial-engineering-campaigns
•
http://www.nextgov.com/cybersecurity/2012/08/mahdi-spywareoperation-broadens-middle-east/57761/?oref=ng-channelriver
•
http://www.reuters.com/article/2012/08/29/us-cybersecuritymiddleeast-idUSBRE87S0EK20120829