
Cyber-Jihad Group Could Be Behind Worm Clogging Email Servers Worldwide, Researcher Says

Name of hacker known for Web defacements, recruiting cyber-jihadists to infiltrate military found in code

A new old-school email worm spotted spreading rapidly yesterday and choking email servers worldwide could be the handiwork of a hacker group known for waging cyber-jihad, a security researcher said today.

Joe Stewart, director of malware research for the counter threat unit at Secureworks, says the Brigades of Tariq ibn Ziyad, a self-proclaimed "cyber-jihad" organization, might have set off the worm that crippled email servers in major organizations during the past day, in some cases using the subject line "Here you have," reminiscent of the 2001 Anna Kournikova virus. Stewart discovered a username of "Iraq_resistance" embedded in the binary of the malware that was similar to one sent out in August.

"If you go searching for that hacker, that username goes with" him, Stewart says. "He's done some minor defacing in the past ... In 2008, we heard from this guy that [they] wanted to get other hackers to join the Brigades of Tariq ibn Ziyad and wage cyber-jihad, the targets being the U.S. Army and institutions thereof."

Stewart says he can't be 100 percent sure that the malware is tied to this group, but there are several obvious connections besides the username in the binary code, including the fact that the backdoor downloads a Trojan that's set to connect to a server with a name similar to the organization's, and that the password-stealing tools downloaded in the attack all come with Arabic-language documentation. "It could be someone pretending to be those guys" in the organization, Stewart notes.

Stewart says their main motivation could have been to steal passwords in order to penetrate the victim organizations and other resources, websites, or portals the victims have access to. "They may be trying to collect passwords in pursuit of that hacking," he says.

UPDATE: Over the weekend, someone claiming to be the hacker who wrote the worm posted a video as "IRAQ Resistance – Leader of Tarek Bin Ziad Group." PandaLabs researchers say he used the alias "iqziad" and his profile says he's from Spain. In the video, he claims the worm was aimed at the U.S. to commemorate the September 11 attacks and in protest of the Koran-burning that was scheduled in Florida.

Meanwhile, Google, Coca-Cola, ABC/Disney, NASA, Comcast, AIG, Wells Fargo, and the Florida Department of Transportation are reportedly among the big-name organizations that were infected by the worm, which basically replicates and sends itself to contacts in the victim's address book. So the offending messages appear to be from friends, family, and colleagues.

The attack uses a new variant of an older worm and the same subject line as the Anna Kournikova virus from 2001, "Here you have," to tempt potential victims into clicking on purported documents or sex movies. The malicious email appears to contain a link to a PDF file, but the link instead points to an ".SCR" file that then infects the victim's machine with an existing Autorun worm, according to researchers at Sophos and Trend Micro. When the malware executes, it tries to disable the victim's security software and propagates the malicious message to contacts in the user's address book.
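A mail-gateway check for the disguise described above, where a link shown as a document actually points to an ".SCR" file. This is an added example, not code from the article or from the researchers it cites; the extension list is an assumption, and the sample message, hosts and file names are constructed placeholders.

```python
import posixpath
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed list of directly executable Windows extensions; .scr is the one in the article.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".bat", ".cmd", ".vbs"}

def _ext(text):
    """Lowercased file extension of a URL's path, or of a bare file name."""
    parts = urlsplit(text.strip())
    return posixpath.splitext(parts.path if parts.netloc else text.strip())[1].lower()

class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_disguised_links(raw_message):
    """Return (visible text, href) for links whose target is executable but whose text hides it."""
    hits = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            parser = _Links()
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            hits += [(text, href) for href, text in parser.links
                     if _ext(href) in EXECUTABLE_EXTS and _ext(text) not in EXECUTABLE_EXTS]
    return hits

# Constructed sample message (hosts and file names are placeholders, not indicators).
SAMPLE = """\
Subject: Here you have
Content-Type: text/html; charset="utf-8"

<html><body>This is The Document I told you about, you can find it
<a href="http://files.example.test/Document.scr">http://docs.example.test/Document.pdf</a><br></body></html>
"""

print(find_disguised_links(SAMPLE))
```

The check compares only the extension in the link target's path with the one in the visible text, so a target that hides the file name in a query string or behind a redirect needs URL resolution before this test.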

"This is just a reminder of the problems we think we have solved but haven't completely solved," says Hugh Thompson, program committee chair of the RSA Conference and chief security strategist at People Security. "This is the reason we still need brick-and-mortar fundamental defenses."

Researchers say that link had been disabled late yesterday, which should limit further spreading of the worm. While the actual attack was simple, it was effective because it took a slightly different spin on an old trick. The payload wasn't the suspicious .exe or .ZIP file, but an HTML file, according to Luis Chapetti, lead security analyst at Barracuda Networks, which blogged about the attack yesterday.

"This outbreak was actually kind of simple," Chapetti said. "All it did was spam itself out. They could have just as easily added a password stealer to the download list and, with more sophisticated code, dynamically changed the download site and keep the worm alive for a long time."

Meanwhile, researchers found other versions of the email, including one claiming to include a job application letter. But the most common body of the message went something like this, according to McAfee:

Subject: Here you have
Body: This is The Document I told you about, you can find it
Here. [link]
Please check it and reply as soon as possible.
Cheers,

Meanwhile, the worm outbreak presents a good opportunity for organizations to reassess their security posture, experts say. "While these situations can cause a lot of harm, there is no better time than during a surge of malicious activity, such as a worm to observe your internal processes for rapid response. Regardless of whether you’ve been affected or not, it is important to look at your security posture and analyze what has worked and why," said Patricia Titus, vice president and CISO at Unisys. "For IT professionals, this unfortunate incident presents an opportunity to demonstrate to senior executives how their investments are working to protect their critical assets."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
