A New, Simpler Malware Outbreak Appears In Iran
Another new bit of malware has cropped up in Iran, maybe targeting computers associated with the Iranian nuclear research program, maybe not. That country’s Computer Emergency Response Team announced the discovery, and, as usual, computer security experts have been poring over the malware to see what it does.
Experts at Russia’s Kaspersky Labs say it’s pretty simple, and thus perhaps not directly connected to the more spectacular malware attacks launched in recent years on Iran by parties widely assumed to be the U.S. and Israel. This new one, dubbed GrooveMonitor, is a variant of a previously-seen Trojan called Win32.Maya.a.
Its primary function is deleting Windows hard drive partitions, but it does so only within nine specific date ranges, each about two days long — starting with the period of December 10-12 of this year and ending with the period of February 2-4, 2015. On those dates, it waits for a little while and then deletes a range of hard drive partitions labeled with the letters D through I.
It may be a case of simplicity being the ultimate sophistication, as Leonardo da Vinci put it. If it does turn out to be the latest shot in the ongoing cyberwar campaign against Iran, it’s an interesting feint after a string of highly sophisticated digital weapons including Gauss — which aimed at stealing the bank and financial account information of people using targeted machines — and Flame, a sort of Swiss Army Knife of spying tools. Then, of course, there was Stuxnet itself, which caused Iranian nuclear centrifuges to spin out of control and explode. After years of finely-tuned, expensive and carefully-targeted cyber weapons, this one is more of a blunt instrument.
In being less than cutting-edge, the malware carries with it the cloak of plausible deniability. As is always the case with these incidents, attribution — figuring out the responsible party — is ridiculously tough. Since it’s a variant of a previously-seen Trojan, the more skeptical view of the Iranian reports might attribute the outbreak to bad luck and poor maintenance. There’s also less of a chance that the world’s computer criminals will learn anything new and nasty from the uber-hackers at the CIA and Mossad. That means less chance — at least in this case — of unintended blowback down the road.