
Attacks/Breaches

9/10/2010
12:11 PM

Cyber-Jihad Group Could Be Behind Worm Clogging Email Servers Worldwide, Researcher Says

Name of hacker known for Web defacements, recruiting cyber-jihadists to infiltrate military found in code

A new old-school email worm spotted spreading rapidly yesterday and choking email servers worldwide could be the handiwork of a hacker group known for waging cyber-jihad, a security researcher said today.

Joe Stewart, director of malware research for the Counter Threat Unit at Secureworks, says the Brigades of Tariq ibn Ziyad, a self-proclaimed "cyber-jihad" organization, might have set off the worm that crippled email servers in major organizations during the past day, in some cases using the subject line "Here you have," reminiscent of the 2001 Anna Kournikova virus. Stewart found the username "Iraq_resistance" embedded in the malware's binary, which was similar to one sent out in August.

"If you go searching for that hacker, that username goes with" him, Stewart says. "He's done some minor defacing in the past ... In 2008, we heard from this guy that [they] wanted to get other hackers to join the Brigades of Tariq ibn Ziyad and wage cyber-jihad, the targets being the U.S. Army and institutions thereof."

Stewart says he can't be 100 percent sure that the malware is tied to this group, but there are several obvious connections besides the username in the binary code: the backdoor downloads a Trojan that is set to connect to a server whose name resembles the organization's, and the password-stealing tools downloaded in the attack all ship with Arabic-language documentation. "It could be someone pretending to be those guys" in the organization, Stewart notes.

Stewart says their main motivation may have been to steal passwords in order to penetrate the victim organizations and the other resources, websites, or portals the victims have access to. "They may be trying to collect passwords in pursuit of that hacking," he says.

UPDATE: Over the weekend, someone claiming to be the hacker who wrote the worm posted a video as "IRAQ Resistance – Leader of Tarek Bin Ziad Group." PandaLabs researchers say he used the alias "iqziad" and his profile says he's from Spain. In the video, he claims the worm was aimed at the U.S. to commemorate the September 11 attacks and in protest of the Koran-burning that was scheduled in Florida.

Meanwhile, Google, Coca-Cola, ABC/Disney, NASA, Comcast, AIG, Wells Fargo, and the Florida Department of Transportation are reportedly among the big-name organizations that were infected by the worm, which basically replicates and sends itself to contacts in the victim's address book. So the offending messages appear to be from friends, family, and colleagues.

The attack uses a new variant of an older worm and the same subject line as the Anna Kournikova virus from 2001, "Here you have," to tempt potential victims into clicking on purported documents or sex movies. The malicious email appears to contain a link to a PDF file, but the link instead points to an ".SCR" file that infects the victim's machine with an existing Autorun worm, according to researchers at Sophos and Trend Micro. When the malware executes, it tries to disable the victim's security software and propagates the malicious message to contacts in the user's address book.

"This is just a reminder of the problems we think we have solved but haven't completely solved," says Hugh Thompson, program committee chair of the RSA Conference and chief security strategist at People Security. "This is the reason we still need brick-and-mortar fundamental defenses."

Researchers say that link had been disabled late yesterday, which should limit further spreading of the worm. While the actual attack was simple, it was effective because it took a slightly different spin on an old trick. The payload wasn't the suspicious .exe or .ZIP file, but an HTML file, according to Luis Chapetti, lead security analyst at Barracuda Networks, which blogged about the attack yesterday.

"This outbreak was actually kind of simple," Chapetti said. "All it did was spam itself out. They could have just as easily added a password stealer to the download list and, with more sophisticated code, dynamically changed the download site and keep the worm alive for a long time."

Meanwhile, researchers found other versions of the email, including one claiming to include a job application letter. But the most common body of the message went something like this, according to McAfee:

Subject: Here you have
Body: This is The Document I told you about, you can find it
Here. [link]
Please check it and reply as soon as possible.
Cheers,
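A mail-gateway check for the lure described above, written as an added example (not code from the article or from any vendor it names): it flags the known subject and body text, and separately flags any link whose visible text or URL suggests a PDF while its real extension is executable, the ".SCR" trick the researchers describe. The lure phrases come from the message quoted above; the sample message is constructed and its link host is a placeholder.

```python
"""Mail-gateway check for the "Here you have" lure (added example).

Assumes RFC 822 input; lure phrases come from the quoted message, the
sample message is constructed and its link host is a placeholder.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

LURE_SUBJECT = "here you have"
LURE_PHRASES = ("this is the document i told you about",
                "please check it and reply as soon as possible")
# Extensions Windows runs as programs; the worm's link ended in .scr.
EXECUTABLE_EXT = (".scr", ".exe", ".pif", ".com", ".bat")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def scan_message(raw):
    """Return the reasons a message matches the lure (empty list = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    if (msg["subject"] or "").strip().lower() == LURE_SUBJECT:
        findings.append("subject matches known lure")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = re.sub(r"<[^>]+>", " ", html).lower()
    if all(phrase in text for phrase in LURE_PHRASES):
        findings.append("body matches known lure text")
    for href, shown in ANCHOR_RE.findall(html):
        ext = urlparse(href).path.lower().rsplit(".", 1)[-1]
        if "." + ext in EXECUTABLE_EXT:
            findings.append("link targets executable: " + href)
            # Visible text or URL suggests a PDF, but the real extension runs.
            if "pdf" in (shown + href).lower():
                findings.append("link poses as PDF but targets executable")
    return findings


# Constructed sample modelled on the message body quoted in the article.
SAMPLE = """\
Subject: Here you have
Content-Type: text/html; charset=us-ascii

<p>This is The Document I told you about, you can find it<br>
<a href="http://malware.example/docs/document.pdf.scr">Here</a>.<br>
Please check it and reply as soon as possible.<br>Cheers,</p>
"""
```

Running `scan_message(SAMPLE)` returns four findings for the constructed sample and an empty list for ordinary mail; the executable-extension check works on its own even when the wording of the lure changes.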

Meanwhile, the worm outbreak presents a good opportunity for organizations to reassess their security posture, experts say. "While these situations can cause a lot of harm, there is no better time than during a surge of malicious activity, such as a worm, to observe your internal processes for rapid response. Regardless of whether you've been affected or not, it is important to look at your security posture and analyze what has worked and why," said Patricia Titus, vice president and CISO at Unisys. "For IT professionals, this unfortunate incident presents an opportunity to demonstrate to senior executives how their investments are working to protect their critical assets."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
