
“Stars” worm targets systems in Iran, official says

On the heels of the Stuxnet worm, Iran officials say they have discovered a new piece of malware also designed to sabotage government systems.

Gen. Gholam Reza Jalali, who leads the country's Passive Defense system, said Monday that authorities are investigating the new worm, known as Stars, according to a Mehr News Agency report.

“[C]ertain characteristics about the Stars worm have been identified...and it is likely to be mistaken [by users] for executable files of the government,” Jalali told the news agency.

Jalali said damage so far has been minimal, but would not elaborate on which systems have been targeted.

This is the second piece of custom malware with which the Iran government has had to deal in the past year.

First discovered last summer, Stuxnet, according to a Symantec report, exploited four zero-day vulnerabilities, compromised two digital certificates and injected code into the programmable logic controllers, or PLCs, of industrial control systems used to manage industrial environments – such as power plants, oil refineries and gas pipelines.

The worm affected two sites in Iran, a uranium processing center in Natanz and a nuclear reactor in Bushehr. The attack put the global security community on notice that their enterprise or government infrastructure is susceptible to a similar infection that could cripple computer systems that control physical facilities.

Although the origin of the Stuxnet attacks has never been determined – it is widely believed to have originated in the United States or Israel – it targeted Siemens industrial control software.

Last week, according to reports, Jalali accused Germany-based Siemens of enabling the attack.

Experts have said that much of the equipment in control systems is several years old, and security patches are often overlooked, since replacing parts would disrupt operations.

Security experts said Monday that they are awaiting more information about Stars.

"We don't know if Iran officials have just found some ordinary Windows worm and announced it to be a cyberwar attack," Mikko Hypponen, chief research officer at anti-virus firm F-Secure, wrote in a blog post.

Graham Cluley, senior technology consultant at Sophos, said in a separate post that little is known beyond Jalali's initial remarks.

"Unfortunately, we can't tell you much about this Stars virus," Cluley wrote. "As far as we know, we don't have a sample in our malware collection -- and we would really need the Iranian authorities to share what they have seen with the anti-malware community, so we can delve a little deeper."

Neither Hypponen nor Cluley could be reached for additional comment.
