'Stars' worm targets systems in Iran, official says

News by Dan Kaplan

On the heels of the Stuxnet worm, Iran officials say they have discovered a new piece of malware also designed to sabotage government systems.

Gen. Gholam Reza Jalali, who leads the Iranian passive defence organisation, said on Monday that authorities are investigating the new worm, known as Stars, according to a Mehr News Agency report.

“[C]ertain characteristics about the Stars worm have been identified...and it is likely to be mistaken [by users] for executable files of the government,” Jalali told the news agency.

Jalali said damage so far has been minimal, but would not elaborate on which systems have been targeted.

This is the second piece of custom malware which the Iranian government has had to deal with in the past year.

First discovered last summer, Stuxnet, according to a Symantec report, exploited four zero-day vulnerabilities, compromised two digital certificates and injected code into the programmable logic controllers, or PLCs, of industrial control systems used to manage industrial environments – such as power plants, oil refineries and gas pipelines.

The worm affected two sites in Iran, a uranium processing centre in Natanz and a nuclear reactor in Bushehr. The attack put the global security community on notice that their enterprise or government infrastructure is susceptible to a similar infection that could cripple computer systems that control physical facilities.

Although the origin of the Stuxnet attacks has never been determined – the worm is widely believed to have originated in the United States or Israel – it targeted Siemens industrial control software.

Last week, according to reports, Jalali accused Germany-based Siemens of enabling the attack.

Experts have said that much of the equipment in control systems is several years old and security patches are often overlooked since replacing parts would disrupt operations.

Security experts said on Monday that they are awaiting more information about Stars.

"We don't know if Iran officials have just found some ordinary Windows worm and announced it to be a cyber war attack," Mikko Hypponen, chief research officer at anti-virus firm F-Secure, wrote in a blog post.

Graham Cluley, senior technology consultant at Sophos, said in a separate post that little is known beyond Jalali's initial remarks.

"Unfortunately, we can't tell you much about this Stars virus," Cluley wrote. "As far as we know, we don't have a sample in our malware collection -- and we would really need the Iranian authorities to share what they have seen with the anti-malware community, so we can delve a little deeper."

Neither Hypponen nor Cluley could be reached for additional comment.

