
Attacks/Breaches

9/10/2010
12:11 PM

Cyber-Jihad Group Could Be Behind Worm Clogging Email Servers Worldwide, Researcher Says

Name of hacker known for Web defacements, recruiting cyber-jihadists to infiltrate military found in code

A new old-school email worm spotted spreading rapidly yesterday and choking email servers worldwide could be the handiwork of a hacker group known for waging cyber-jihad, a security researcher said today.

Joe Stewart, director of malware research for the counter threat unit at Secureworks, says the Brigades of Tariq ibn Ziyad, a self-proclaimed "cyber-jihad" organization, might have set off the worm that crippled email servers in major organizations during the past day, in some cases using the subject line "Here you have," reminiscent of the 2001 Anna Kournikova virus. Stewart found the username "Iraq_resistance" embedded in the malware's binary, which was similar to one sent out in August.

"If you go searching for that hacker, that username goes with" him, Stewart says. "He's done some minor defacing in the past ... In 2008, we heard from this guy that [they] wanted to get other hackers to join the Brigades of Tariq ibn Ziyad and wage cyber-jihad, the targets being the U.S. Army and institutions thereof."

Stewart says he can't be 100 percent sure that the malware is tied to this group, but there are several obvious connections besides the username in the binary code, including the fact that the backdoor downloads a Trojan that is set to connect to a server whose name resembles that of the organization, and that the password-stealing tools downloaded during the attack all ship with Arabic-language documentation. "It could be someone pretending to be those guys" in the organization, Stewart notes.

Stewart says their main motivation may have been to steal passwords in order to penetrate the victim organizations and the other resources, websites, or portals the victims have access to. "They may be trying to collect passwords in pursuit of that hacking," he says.

UPDATE: Over the weekend, someone claiming to be the hacker who wrote the worm posted a video as "IRAQ Resistance – Leader of Tarek Bin Ziad Group." PandaLabs researchers say he used the alias "iqziad" and his profile says he's from Spain. In the video, he claims the worm was aimed at the U.S. to commemorate the September 11 attacks and in protest of the Koran-burning that was scheduled in Florida.

Meanwhile, Google, Coca-Cola, ABC/Disney, NASA, Comcast, AIG, Wells Fargo, and the Florida Department of Transportation are reportedly among the big-name organizations that were infected by the worm, which basically replicates and sends itself to contacts in the victim's address book. So the offending messages appear to be from friends, family, and colleagues.

The attack uses a new variant of an older worm and reuses the subject line of the 2001 Anna Kournikova virus, "Here you have," to tempt potential victims into clicking on purported documents or sex movies. The malicious email appears to contain a link to a PDF file, but the link actually points to an ".SCR" file that then infects the victim's machine with an existing Autorun worm, according to researchers at Sophos and Trend Micro. When the malware executes, it tries to disable the victim's security software and propagates the malicious message to contacts in the user's address book.

"This is just a reminder of the problems we think we have solved but haven't completely solved," says Hugh Thompson, program committee chair of the RSA Conference and chief security strategist at People Security. "This is the reason we still need brick-and-mortar fundamental defenses."

Researchers say the link had been disabled late yesterday, which should limit further spreading of the worm. While the actual attack was simple, it was effective because it put a slightly different spin on an old trick. The payload wasn't the suspicious .exe or .ZIP file, but an HTML file, according to Luis Chapetti, lead security analyst at Barracuda Networks, which blogged about the attack yesterday.

"This outbreak was actually kind of simple," Chapetti said. "All it did was spam itself out. They could have just as easily added a password stealer to the download list and, with more sophisticated code, dynamically changed the download site and kept the worm alive for a long time."

Meanwhile, researchers found other versions of the email, including one claiming to include a job application letter. But the most common body of the message went something like this, according to McAfee:

Subject: Here you have
Body: This is The Document I told you about, you can find it
Here. [link]
Please check it and reply as soon as possible.
Cheers,
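As an added illustration, not code from the article or from any of the vendors quoted in it, the following Python check flags the lure pattern described above: a message carrying the "Here you have" subject, or a link whose displayed name claims a document or PDF while its target is an .SCR or other executable. The sample message and the example.invalid host names are constructed.

```python
import os
import re
from email import message_from_string
from urllib.parse import urlparse

# Link targets that should never sit behind a "document" lure.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample modelled on the message body quoted by McAfee.
SAMPLE = """\
From: colleague@example.invalid
To: you@example.invalid
Subject: Here you have
Content-Type: text/html; charset=utf-8

<p>This is The Document I told you about, you can find it<br>
<a href="http://download.example.invalid/report.pdf.scr">Here</a>.<br>
Please check it and reply as soon as possible.<br>Cheers,</p>
"""


def _text_parts(msg):
    """Yield the decoded text of every text/html or text/plain part."""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")


def triage(raw_email: str) -> list:
    """Return human-readable findings for one RFC 822 message string."""
    msg = message_from_string(raw_email)
    findings = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject == "here you have":  # lure subject reported for this outbreak
        findings.append("lure subject: 'Here you have'")
    for body in _text_parts(msg):
        for href, text in ANCHOR_RE.findall(body):
            ext = os.path.splitext(urlparse(href).path)[1].lower()
            shown = re.sub(r"<[^>]+>", "", text).strip()
            if ext in EXECUTABLE_EXTS:
                findings.append(f"link to executable {ext} shown as '{shown}'")
            if shown.lower().endswith(".pdf") and ext != ".pdf":
                findings.append(f"displayed name '{shown}' does not match target '{ext or '(none)'}'")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```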

Meanwhile, the worm outbreak presents a good opportunity for organizations to reassess their security posture, experts say. "While these situations can cause a lot of harm, there is no better time than during a surge of malicious activity, such as a worm, to observe your internal processes for rapid response. Regardless of whether you've been affected or not, it is important to look at your security posture and analyze what has worked and why," said Patricia Titus, vice president and CISO at Unisys. "For IT professionals, this unfortunate incident presents an opportunity to demonstrate to senior executives how their investments are working to protect their critical assets."


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
