Email worm traced back to cyber-jihad group

Those responsible for the "Here you have" email worm may be part of a cyber-jihad group upset over the ongoing foreign military presence in Iraq.

The malware author, who uses the handle "iraq_resistance", is believed to be part of the cyber-jihad organisation "Brigades of Tariq ibn Ziyad", whose goal is to digitally infiltrate US Army agencies, Joe Stewart, director of malware research at SecureWorks, told SCMagazineUS.com.

Researchers concluded this after determining that a worm launched last month, but on a much smaller scale, was connected to the "Here you have" outbreak, Stewart said.

The binaries to both worms contained a reference to the "iraq_resitance" alias, he said. Further investigation on the internet revealed that that same codename was used to write a 2008 forum post that attempts to recruit people to join the cyber-jihad group.

In addition, the handle was connected to a website defacement, in which the hacker describes himself as Libyan, and other forum posts, including a 2009 message which states that the cyber-jihad group has been successful in installing trojans on computers belonging to US soldiers in Germany, Iraq and in the USA, according to a blog post authored by Stewart.

However, it is not clear what specifically the malware author was after in last week's attack, aside from publicity for his cause.

"He may not have known exactly what he was after, but decided to cast a wide net," Stewart said.

In a video posted to YouTube, a person claiming to be the worm's creator discussed what prompted the attack.

"My name is Iraq Resistance," the person says in a computer-generated voice. "What I wanted to say is that the United States doesn't have the right to invade our people and steal the oil under the name of nuclear weapons. Have you seen any there?"

The culprit later claims he could have caused more damage had he wanted to.

"I could smash all those infected computers, but I wouldn't," he says on the video. "And don't use the word 'terrorist' please. I hope that all people understand that I am not a negative person."

At its peak on last week, the worm represented more than 14 percent of global spam, according to statistics from Cisco. The outbreak mostly died out by the end of the week, but not before companies such as NASA, Comcast, AIG, Disney, and Proctor & Gamble were affected by the self-propagating malware.

The spam messages contained a link that appeared to lead to a PDF file but actually directed users to a malicious .SCR executable. If users clicked on the link, they were prompted to install the worm, which attempted to disable security software and, in the spirit of the worms that crippled businesses nearly a decade ago, sent a copy of itself to all email contacts belonging to the victim.

In addition, the malicious file also downloaded more damaging components, such as keyloggers and password-extraction tools, Stewart said. The author, however, chose not to commit more damage, such as deleting hard drives, which he likely would have been able to do.

The worm stopped spreading once the domains serving the malware were taken offline, Stewart said. However, it also could spread to network nodes via PsExec, a Microsoft tool to execute processes on remote Windows systems, if a privileged domain administrator logs in to a "Here you have"-infected PC.

Stewart said he wouldn't be surprised to see politically motivated copycats emerge.

"People should definitely pay attention to this," he said. "People don't realize that some of these things can easily evade [anti-virus] defenses. If you weren't expecting it [an email with a link or attachment], you should always ping them back and say, 'What is this?'"

See original article on scmagazineus.com