Here You Have Worm Linked to Cyber-jihad Group

A security researcher finds a connection between a self-proclaimed cyber-jihad group and the malware attack that infected computers at a number of high-profile organizations Sept. 9.

A cyber-jihadist group may be to blame for the "Here you have" worm that reportedly struck organizations ranging from NASA to Wells Fargo.

According to Joe Stewart, director of malware research at SecureWorks, there are indications a group called the Brigades of Tariq ibn Ziyad is behind the attack, as well as another campaign that occurred in August.

In an analysis of the malware used in the worm attack Sept. 9, Stewart found that the binary contains "iraq_resistance," the user name of a known Libyan hacker who has posted recruitment messages for the group on the Web in the past. In the August attack, the spam e-mails had in the From field.

In addition, the backdoor component downloaded by the malware in the most recent incident phones home to, Stewart told eWEEK. SecureWorks also found that the e-mail sender component is documented in Arabic.

"There's a connection-whether it's a forged connection, we can't know, but it seems more plausible [for it] to be real than someone else trying to pin this on them, especially when they are pretty obscure," Stewart said.

The spam from the August attacks used the subject line "Here you have" as well. In both cases, the malware raids the e-mail address books of victims to propagate, while also spreading through mapped and removable drives.

According to security researchers, the link being sent in the e-mails in the latest attack-which also uses the subject line "Just for You"-is no longer active. Still, the worm hit some organizations hard, disrupting e-mail systems at a variety of high-profile companies and government agencies, including Walt Disney and the Florida Department of Transportation.

The stated mission of the Brigades of Tariq ibn Ziyad, Stewart said, is "to penetrate U.S. agencies belonging to the U.S. Army."

One way to address the problem posed by these kinds of attacks at the corporate level is to block e-mail attachments that are executable, noted John Viega, executive vice president of products and engineering at Perimeter E-Security. This needs to be based on the actual content, not the file name, he said.

"Another effective approach is to use an application whitelisting product, which can limit what can run on a computer to known good programs," Viega said.

Trend Micro Senior Threat Researcher Jamz Yaneza said mass-mailer worms have become less common due to improved content and spam filtering. But as long as the attacks are effective, they will continue to appear, he said.

"We will keep on seeing mass attacks and it is simply because not everyone uses the same level of protection-there will always be the low-hanging fruit and those who refuse to keep vigilant online ... [while] they keep tabs on the news or how well their cars work," Yaneza said.