Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


12:11 PM
Connect Directly

Cyber-Jihad Group Could Be Behind Worm Clogging Email Servers Worldwide, Researcher Says

Name of hacker known for Web defacements, recruiting cyber-jihadists to infiltrate military found in code

A new old-school email worm spotted spreading rapidly yesterday and choking email servers worldwide could be the handiwork of a hacker group known for waging cyber-jihad, a security researcher said today.

Joe Stewart, director of malware research for the counter threat unit at Secureworks, says the Brigades of Tariq ibn Ziyad, a self-proclaimed "cyber-jihad" organization, might have set off the worm that crippled email servers in major organizations during the past day, in some cases using the subject line "Here you have," reminiscent of 2001 Anna Kournikova virus. Stewart discovered a username of "Iraq_resistance" embedded in the binary of the malware that was similar to one sent out in August.

"If you go searching for that hacker, that username goes with" him, Stewart says. "He's done some minor defacing in the past ... In 2008, we heard from this guy that [they] wanted to get other hackers to join the Brigades of Tariq ibn Ziyad and wage cyber-jihad, the targets being the U.S. Army and institutions thereof."

Stewart says he can't be 100 percent sure that the malware is tied to this group, but there are several obvious connections besides the username in the binary code, including the fact that the backdoor downloads a Trojan that's set to connect to a server of a similar name of the organization, and that the password-stealing tool downloads used in the attack are all written with Arabic-language documentation. "It could be someone pretending to be those guys" in the organization, Stewart notes.

Stewart says it could be their main motivation was to steal passwords in order to penetrate the victim organizations and other resources, websites, or portals the victims have access to. "They may be trying to collect passwords in pursuit of that hacking," he says.

UPDATE: Over the weekend, someone claiming to be the hacker who wrote the worm posted a video as "IRAQ Resistance – Leader of Tarek Bin Ziad Group." PandaLabs researchers say he used the alias "iqziad" and his profile says he's from Spain. In the video, he claims the worm was aimed at the U.S. to commemorate the September 11 attacks and in protest to the Koran-burning that was scheduled in Florida.

Meanwhile, Google, Coca-Cola, ABC/Disney, NASA, Comcast, AIG, Wells Fargo, and the Florida Department of Transportation are reportedly among the big-name organizations that were infected by the worm, which basically replicates and sends itself to contacts in the victim's address book. So the offending messages appear to be from friends, family, and colleagues.

The attack uses a new variant of an older worm -- and using the same subject line as the Anna Kournikova virus from 2001, "Here you have," to tempt potential victims into clicking on purported documents or sex movies. The malicious email appears to contain a link to a PDF file, but the malicious link instead points to an ".SCR" file that then infects the victim's machine with an existing Autorun worm, according to researchers at Sophos and Trend Micro. And when the malware executes, it tries to disable the victim's security software and propagates the malicious message to contacts in the user's address book.

"This is just a reminder of the problems we think we have solved but haven't completely solved," says Hugh Thompson, program committee chair of the RSA Conference and chief security strategist at People Security. "This is the reason we still need brick-and-mortar fundamental defenses."

Researchers say that link had been disabled late yesterday, which should limit further spreading of the worm. While the actual attack was simple, it was effective because it took a slightly different spin on an old trick. The payload wasn't the suspicious .exe or .ZIP file, but an HTML file, according to Luis Chapetti, lead security analyst at Barracuda Networks, which blogged about the attack yesterday.

"This outbreak was actually kind of simple," Chapetti said. "All it did was spam itself out. They could have just as easily added a password stealer to the download list and, with more sophisticated code, dynamically changed the download site and keep the worm alive for a long time."

Meanwhile, researchers found other versions of the email, including one claiming to include a job application letter. But the most common body of the message went something like this, according to McAfee:

Subject: Here you have
Body: This is The Document I told you about, you can find itbr> Here. [link]br> Please check it and reply as soon as possible.br> Cheers,

Meanwhile, the worm outbreak presents a good opportunity for organizations to reassess their security posture, experts say. "While these situations can cause a lot of harm, there is no better time than during a surge of malicious activity, such as a worm to observe your internal processes for rapid response. Regardless of whether you’ve been affected or not, it is important to look at your security posture and analyze what has worked and why," said Patricia Titus, vice president and CISO at Unisys. "For IT professionals, this unfortunate incident presents an opportunity to demonstrate to senior executives how their investments are working to protect their critical assets."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

http://www.darkreading.com/blog/archives/2010/09/virus_crashes_p.html http://www.contextis.co.uk" target="new">Website tomorrow.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.