
Flame Malware Authors Wanted to Steal Iranian Technical Drawings

Initial analysis of the Flame malware toolkit by Kaspersky Lab researchers shows that the attackers sought technical drawings from Iran. The researchers also reported that the command-and-control network went dark within an hour of the operation being made public last week, but not before the attackers had pushed an update to infected machines. Kaspersky Lab obtained its information by sinkholing. “Sinkholing is a procedure when we discover a malicious server—whether it is an IP address or domain name—that we can take over with the help of the authorities or the [domain] registrar,” Kaspersky senior researcher Vitaly Kamluk told the BBC. “We can redirect all the requests from the victims from infected machines to our lab server to register all these infections and log them.” This is how the researchers determined that the attackers targeted Iran and sought AutoCAD schematics, as well as some PDF and text files. The attackers reportedly used elaborate false identities and registered at least 86 domain names for their command-and-control infrastructure since 2008. Kaspersky's analysis shows that the command-and-control servers moved regularly between hosting locations, including Germany, Hong Kong, Turkey, and the UK. Kaspersky has not determined whether Flame is related to the virus that hit the Iranian oil ministry in April, but the researchers believe it was created by the same nation-state responsible for the Stuxnet attacks. (Wired) (BBC) (Securelist)
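The sinkhole step Kamluk describes ends with "register all these infections and log them". The script below is an added illustration of that logging side, not Kaspersky's tooling and not based on any real Flame traffic: once a seized C2 domain points at a lab web server, infected hosts keep beaconing to it, the server writes ordinary access-log lines, and an analyst tallies victims from those lines. The log lines, the beacon paths (`/beacon`, `/upload`) and the IP addresses are all constructed for the example.

```python
"""Tally victims from a sinkhole server's access log.

Added example, not Kaspersky Lab's code. Assumes the sinkhole is an HTTP
server writing Combined Log Format lines; the sample below is constructed
(documentation IP ranges, hypothetical beacon paths), not captured traffic.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: two beacons from one host, one upload attempt, one
# beacon from a third host, a browser fetching favicon (noise), and a
# garbage line the parser must survive.
SAMPLE_LOG = """\
203.0.113.7 - - [30/May/2012:10:01:12 +0000] "GET /beacon?id=a1 HTTP/1.1" 200 12 "-" "Mozilla/4.0"
203.0.113.7 - - [30/May/2012:10:06:14 +0000] "GET /beacon?id=a1 HTTP/1.1" 200 12 "-" "Mozilla/4.0"
198.51.100.23 - - [30/May/2012:10:07:01 +0000] "POST /upload HTTP/1.1" 200 0 "-" "Mozilla/4.0"
192.0.2.99 - - [30/May/2012:10:09:45 +0000] "GET /beacon?id=b7 HTTP/1.1" 200 12 "-" "Mozilla/4.0"
203.0.113.7 - - [30/May/2012:10:11:12 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 6.1)"
this line is garbage and must not crash the parser
"""

# Combined Log Format: ip ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Hypothetical endpoints the malware is known (in this example) to call.
BEACON_PATHS = frozenset({"/beacon", "/upload"})


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hit = m.groupdict()
    hit["ts"] = datetime.strptime(hit["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Keep the endpoint only; the query string carries the per-victim id,
    # which we do not want splitting one endpoint into many buckets.
    hit["path"] = hit["path"].split("?", 1)[0]
    return hit


def is_beacon(hit, beacon_paths=BEACON_PATHS):
    """True for requests to known malware endpoints; false for browser noise,
    scanners and anything else that wanders into a sinkhole."""
    return hit["method"] in ("GET", "POST") and hit["path"] in beacon_paths


def summarize(log_text, beacon_paths=BEACON_PATHS):
    """Aggregate beacons per source IP and per endpoint.

    Returns unique victim count, per-victim first/last seen and hit count,
    per-endpoint hit counts, and the number of unparseable lines.
    """
    victims = defaultdict(lambda: {"first": None, "last": None, "hits": 0, "paths": set()})
    per_path = Counter()
    skipped = 0
    for raw in log_text.splitlines():
        hit = parse_line(raw)
        if hit is None:
            skipped += 1
            continue
        if not is_beacon(hit, beacon_paths):
            continue
        v = victims[hit["ip"]]
        v["hits"] += 1
        v["paths"].add(hit["path"])
        v["first"] = hit["ts"] if v["first"] is None else min(v["first"], hit["ts"])
        v["last"] = hit["ts"] if v["last"] is None else max(v["last"], hit["ts"])
        per_path[hit["path"]] += 1
    return {
        "unique_victims": len(victims),
        "victims": dict(victims),
        "per_path": dict(per_path),
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("unique victims:", report["unique_victims"])
    for ip, v in sorted(report["victims"].items()):
        print(f"  {ip}: {v['hits']} hits, last seen {v['last'].isoformat()}")
    print("per endpoint:", report["per_path"])
    print("unparseable lines:", report["skipped_lines"])
```

Two caveats a practitioner would apply to any sinkhole count, including the figures reported above: one source IP may hide many infected hosts behind NAT, and a host with a churning DHCP address shows up as several victims, so "unique IPs" is only an estimate of infections. Mapping each IP to a country, as the researchers did to conclude that Iran was the target, needs a GeoIP database that this example does not include.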
