Joe Stewart, director of malware research for the Counter Threat Unit at Secureworks, says the Brigades of Tariq ibn Ziyad, a self-proclaimed "cyber-jihad" organization, might have set off the worm that crippled email servers in major organizations during the past day, in some cases using the subject line "Here you have," reminiscent of the 2001 Anna Kournikova virus. Stewart discovered a username of "Iraq_resistance" embedded in the binary of the malware that was similar to one sent out in August.
"If you go searching for that hacker, that username goes with" him, Stewart says. "He's done some minor defacing in the past ... In 2008, we heard from this guy that [they] wanted to get other hackers to join the Brigades of Tariq ibn Ziyad and wage cyber-jihad, the targets being the U.S. Army and institutions thereof."
Stewart says he can't be 100 percent sure that the malware is tied to this group, but there are several obvious connections besides the username in the binary code, including the fact that the backdoor downloads a Trojan that's set to connect to a server whose name resembles the organization's, and that the password-stealing tools downloaded in the attack all carry Arabic-language documentation. "It could be someone pretending to be those guys" in the organization, Stewart notes.
Stewart says the attackers' main motivation may have been to steal passwords in order to penetrate the victim organizations and the other resources, websites, or portals the victims have access to. "They may be trying to collect passwords in pursuit of that hacking," he says.
UPDATE: Over the weekend, someone claiming to be the hacker who wrote the worm posted a video as "IRAQ Resistance – Leader of Tarek Bin Ziad Group." PandaLabs researchers say he used the alias "iqziad" and his profile says he's from Spain. In the video, he claims the worm was aimed at the U.S. to commemorate the September 11 attacks and in protest of the Koran-burning that was scheduled in Florida.
Meanwhile, Google, Coca-Cola, ABC/Disney, NASA, Comcast, AIG, Wells Fargo, and the Florida Department of Transportation are reportedly among the big-name organizations that were infected by the worm, which basically replicates and sends itself to contacts in the victim's address book. So the offending messages appear to be from friends, family, and colleagues.
The attack uses a new variant of an older worm and borrows the subject line of the 2001 Anna Kournikova virus, "Here you have," to tempt potential victims into clicking on purported documents or sex movies. The malicious email appears to contain a link to a PDF file, but the link instead points to an ".SCR" file that infects the victim's machine with an existing Autorun worm, according to researchers at Sophos and Trend Micro. When the malware executes, it tries to disable the victim's security software and propagates the malicious message to contacts in the user's address book.
"This is just a reminder of the problems we think we have solved but haven't completely solved," says Hugh Thompson, program committee chair of the RSA Conference and chief security strategist at People Security. "This is the reason we still need brick-and-mortar fundamental defenses."
Researchers say that link had been disabled late yesterday, which should limit further spreading of the worm. While the actual attack was simple, it was effective because it took a slightly different spin on an old trick. The payload wasn't the suspicious .exe or .ZIP file, but an HTML file, according to Luis Chapetti, lead security analyst at Barracuda Networks, which blogged about the attack yesterday.
"This outbreak was actually kind of simple," Chapetti said. "All it did was spam itself out. They could have just as easily added a password stealer to the download list and, with more sophisticated code, dynamically changed the download site and kept the worm alive for a long time."
Meanwhile, researchers found other versions of the email, including one claiming to include a job application letter. But the most common body of the message went something like this, according to McAfee:
Subject: Here you have
Body: This is The Document I told you about, you can find it
Here. [link]
Please check it and reply as soon as possible.
Cheers,
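The two signals the article describes, a link whose visible text looks like a PDF while its real target is an .SCR executable and the fixed "Here you have" lure wording, are the kind of thing a mail gateway can check for before a message reaches a user. The script below is an added example written for this page, not code from Dark Reading or any of the vendors quoted; the sample messages, the `example.invalid` hostnames and the file names in them are constructed, and the extension lists are ordinary Windows executable and document suffixes rather than anything taken from the outbreak itself.

```python
"""Flag mails that present an executable as a document, plus the lure text
described in the article. Added example; sample messages are constructed."""
import posixpath
import re
from email import message_from_string
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Suffixes Windows runs directly, and suffixes a user reads as "a document".
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}

# Lure wording quoted in the article (subject line and first body sentence).
LURE_SUBJECT = re.compile(r"^\s*(?:re:\s*)?here you have\s*$", re.I)
LURE_BODY = re.compile(r"this is the document i told you about", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _basename(s: str) -> str:
    path = urlparse(s).path if "://" in s else s
    return posixpath.basename(path).lower()


def _exts(s: str) -> List[str]:
    """All dotted suffixes of the file name: 'a.pdf.scr' -> ['.pdf', '.scr']."""
    parts = _basename(s).split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify_link(href: str, text: str) -> Optional[str]:
    """Return a verdict for one link, or None when the target is not executable."""
    href_exts = _exts(href)
    if not href_exts or href_exts[-1] not in EXECUTABLE_EXTS:
        return None
    text_exts = _exts(text)
    if text_exts and text_exts[-1] in DOCUMENT_EXTS:
        return "document_masquerade"        # shown as .pdf, delivers .scr
    stem = _basename(href)
    if any(e in DOCUMENT_EXTS for e in href_exts[:-1]) or "pdf" in stem:
        return "document_named_executable"  # e.g. report.pdf.scr, doc_pdf.scr
    return "executable_link"


def scan_message(raw: str) -> List[str]:
    """Parse an RFC 822 message and list every lure or link finding."""
    msg = message_from_string(raw)
    findings: List[str] = []
    if LURE_SUBJECT.match(msg.get("Subject", "")):
        findings.append("lure_subject")
    links: List[Tuple[str, str]] = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, "replace")
        if LURE_BODY.search(body) and "lure_body" not in findings:
            findings.append("lure_body")
        if ctype == "text/html":
            parser = _LinkExtractor()
            parser.feed(body)
            links.extend(parser.links)
        else:  # plain text: the URL is both the target and what the user sees
            links.extend((u, u) for u in URL_RE.findall(body))
    for href, text in links:
        verdict = classify_link(href, text)
        if verdict:
            findings.append(f"{verdict}:{href}")
    return findings


# Constructed sample messages (not real captures).
LURE_MAIL = """\
From: colleague@example.invalid
To: user@example.invalid
Subject: Here you have
Content-Type: text/html; charset=utf-8

<html><body>This is The Document I told you about, you can find it<br>
<a href="http://files.example.invalid/Document21_pdf.scr">
http://files.example.invalid/Document21.pdf</a><br>
Please check it and reply as soon as possible.<br>Cheers,</body></html>
"""

BENIGN_MAIL = """\
From: finance@example.invalid
To: user@example.invalid
Subject: Q3 report

The report is at http://intranet.example.invalid/reports/q3.pdf
"""

if __name__ == "__main__":
    print(scan_message(LURE_MAIL))
    print(scan_message(BENIGN_MAIL))
```

The check deliberately keys on the mismatch between what the user sees and where the link goes, not on one URL or one subject line, so it still fires when the lure text changes but the PDF-looking link to a screensaver does not.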
Meanwhile, the worm outbreak presents a good opportunity for organizations to reassess their security posture, experts say. "While these situations can cause a lot of harm, there is no better time than during a surge of malicious activity, such as a worm, to observe your internal processes for rapid response. Regardless of whether you've been affected or not, it is important to look at your security posture and analyze what has worked and why," said Patricia Titus, vice president and CISO at Unisys. "For IT professionals, this unfortunate incident presents an opportunity to demonstrate to senior executives how their investments are working to protect their critical assets."
http://www.darkreading.com/blog/archives/2010/09/virus_crashes_p.html