A security researcher finds a connection between a self-proclaimed cyber-jihad group and the malware attack that infected computers at a number of high-profile organizations Sept. 9.
A cyber-jihadist group may be to blame for the "Here you have"
worm that reportedly struck organizations ranging from NASA to Wells
According to Joe Stewart, director of malware research at SecureWorks, there
are indications a group called the Brigades of Tariq ibn Ziyad is behind the
attack, as well as another campaign that occurred in August.
In an analysis of the malware used in the worm
attack Sept. 9,
Stewart found that the binary contains "iraq_resistance,"
the user name of a known Libyan hacker who has posted recruitment messages for
the group on the Web in the past. In the August attack, the spam e-mails had email@example.com in the
In addition, the backdoor component downloaded by the malware in the most
recent incident phones home to tarekbinziad.no-ip.biz, Stewart told
eWEEK. SecureWorks also found that the e-mail sender component is documented in
"There's a connection-whether it's a forged connection, we can't know,
but it seems more plausible [for it] to be real than someone else trying to pin
this on them, especially when they are pretty obscure," Stewart said.
The spam from the August
used the subject line "Here you have" as well. In both
cases, the malware raids the e-mail address books of victims to propagate,
while also spreading through mapped and removable drives.
According to security researchers, the link being sent in the e-mails in the
latest attack-which also uses the subject line "Just for You"-is
no longer active. Still, the worm hit some organizations hard,
disrupting e-mail systems at a variety of high-profile companies and government
agencies, including Walt Disney and the Florida Department of
The stated mission of the Brigades of Tariq ibn Ziyad, Stewart said, is
"to penetrate U.S.
agencies belonging to the U.S. Army."
One way to address the problem posed by these kinds of attacks at the
corporate level is to block e-mail attachments that are executable, noted John
Viega, executive vice president of products and engineering at Perimeter
E-Security. This needs to be based on the actual content, not the file name, he
"Another effective approach is to use an application whitelisting
product, which can limit what can run on a computer to known good
programs," Viega said.
Trend Micro Senior Threat Researcher Jamz Yaneza said mass-mailer
worms have become less common due to improved content and spam filtering.
But as long as the attacks are effective, they will continue to appear, he
"We will keep on seeing mass attacks and it is simply because not
everyone uses the same level of protection-there will always be the low-hanging
fruit and those who refuse to keep vigilant online ... [while] they keep tabs
on the news or how well their cars work," Yaneza said.