Iran Claims Stars Virus a Second Cyber-Attack

An Iranian military official accused the United States and Israel of launching a "Stars" virus to compromise Iranian systems.

Iran has uncovered another computer virus targeting the country as part of an ongoing cyber-attack campaign, according to a senior military official. Its capabilities and actual target are still unknown.

Iranian experts discovered the "espionage virus," code-named "Stars," Gholam Reza Jalali, the head of Passive Defense, an Iranian military unit in charge of combating sabotage, said in a report posted April 25 on the Passive Defense Website. The report did not indicate whether the malware targeted sensitive equipment or facilities or random computers across the country.

"Fortunately, our young scientists were able to discover the virus, and now the virus Stars is presented to the laboratory," Jalali wrote in the report, posted on (Google Translate).

While downplaying the impact of Stars, Jalali noted that it is "harmonious" with computer systems and that it "inflicts minor damage" in the initial stage. Stars can be mistaken for executive files of governmental organizations, according to Jalali.

This suggests the attack was disguised as a legitimate Word, PDF or other similar document type to trick unsuspecting victims into infecting government computers, Graham Cluley, senior technology consultant at Sophos, speculated on the Naked Security blog. Several organizations, including federal research facility Oak Ridge National Laboratory, have disclosed that attackers breached their systems by tricking employees into opening malicious Word or Excel documents.

There are currently no details on whether Stars has any destructive capabilities or if it steals sensitive information. It's also unclear as to when it was first detected.

Experts were still investigating the full scope of the malware's abilities in order to determine the necessary steps to "counter" the virus. "No definite and final conclusions have been reached," Jalali told Mehr, the country's semi-official news agency.

A unit set up by the Ministry of Information Technology and Telecommunications will be decoding the virus, the report said.

Jalali blamed the United States and Israel for creating the Stars virus, claiming it was part of the nations' alleged cyber-attack against Iran. Iranian officials blame the U.S. and Israel for last year's Stuxnet worm, which targeted specific Siemens SCADA (supervisory control and data acquisition) systems and effectively disabled the country's nuclear facilities. Jalali claimed in an April 16 report that Iranian experts have determined that Stuxnet-infected systems sent back reports of its activities to a server located in Texas.

There is no proof at this point whether Stars is "really specifically targeting Iranian systems," Cluley said, noting that Sophos researchers see over 100,000 new unique malware samples every day, and many of them are designed to spy on victims' computers.

"Presumably the Iranian authorities have reason to believe that the Stars virus they have intercepted was specifically written to steal information from their computers and is not just yet another piece of spyware," Cluley said.

Stuxnet, which was publicly identified last June, was spread primarily by USB drives. The worm reportedly mutated and infected at least 30,000 industrial systems over the course of the year. Nearly half the IT executives in the electric industry sector around the world said they had found Stuxnet on their systems in a recent McAfee report looking at cyber-attacks on critical infrastructure.

Iranian officials acknowledged in December that Stuxnet affected a number of centrifuges at its main uranium enrichment facility in Natanz, but claimed scientists had discovered and neutralized the worm before it caused serious damage.

Despite the efforts to contain Stuxnet, it remains an active threat for Iran. It "does not mean the threat has been completely resolved, because viruses have a specific lifetime and may continue their activities," Jalali said in the same report.

Stuxnet is still on various machines in the wild and hasn't gone away, Randy Abrams, director of technical education at ESET told eWEEK. "We don't know if the authors accomplished their objective" in developing Stuxnet, and it was reasonable to assume that the worm could be updated with new instructions to launch further attacks, Abrams said.

"The country should prepare itself to tackle future worms since future worms, which may infect our systems, could be more dangerous than the first ones," the Mehr news agency quoted Jalali as saying.