Hackers shopping malware network
Suspected of backing Iran
A hacker group calling itself the Iranian Cyber Army is assembling a network of infected computers, and selling it to cybercriminals to spread spam and malicious software, according to security researchers.
Aviv Raff, of the computer security firm Seculert, told The Washington Times that the group was exploiting a vulnerability in WordPress, a popular blogging software program, to gain control of unsuspecting Internet users' computers and add them to its network — known as a botnet, or robot network — of infected machines. He said the botnet, one of hundreds controlled by hacker gangs and cybercrime syndicates all over the world, could be used to launch cyber-attacks against Tehran's enemies.
Most researchers regard the Iranian Cyber Army (ICA) as "hacktivists" — politically motivated pro-Iranian hackers — and there is no evidence they are linked to the Tehran government. Almost a year ago, a group using that name attacked U.S.-based social networking platform Twitter, and then Chinese search engine Baidu, briefly diverting visitors to those Web pages to a different page decorated with an Iranian flag, nationalist slogans and anti-U.S. and anti-Israel images.
"We are not sure if they are really Iranians," Mr. Raff said of the ICA, "but they are supporters of the Iranian regime."
He said his firm was trying to identify the geographical origin of the attacks, but such tracing is notoriously difficult in cyberspace, where hackers can launch attacks from computers they control half a world away from their own location.
"At the moment, there is no way of knowing who these people really are," said Jason Glassberg, of the computer firm Casaba Security.
"They could be Iranians," he told The Times. "It could just as easily be a 13-year-old in New Jersey."
Politically motivated cybervandalism like the ICA defacement of the Twitter and Baidu sites is relatively common, and usually no more than a nuisance. For example, Islamic hacker groups, many of them apparently based in Turkey, defaced Danish websites after a newspaper there published cartoons of the Prophet Muhammad in September 2005.
But ICA's most recent hack appears to be much more aggressive, said Mr. Raff. He said European news blog site TechCrunch, and "hundreds" of other smaller sites that use WordPress, had been compromised over the past two months. Visitors were surreptitiously redirected to a hacker-controlled website, where they were infected with a so-called Trojan downloader — a kind of malicious software that allows hackers to take control of the user's computer.
The Trojan was placed on the visitors' computers by exploiting well-known vulnerabilities in several widely used software packages, including Adobe PDF, Java and Internet Explorer.
Seculert linked the ICA to the WordPress-based attacks through an e-mail address that was also referenced in the Twitter defacement attack. The firm's researchers found the Web page ICA was using to control its botnet, and noted that the group's Trojan software appeared to be infecting thousands of computers an hour.
Given that the vulnerabilities ICA is using are known and that anyone whose computer software was properly patched and up to date would be immune, Mr. Raff said it was "scary to see that people are still getting infected" at such a rate.
He estimated that millions of computers could be in the ICA botnet, but other analysts downplayed those figures.
"You can't really assume a constant rate of infection," said Steven Adair of the Shadowserver Foundation, a volunteer group of security professionals that tracks illicit activity on the Internet. He added that the estimate also might involve multiple counting of computers that had been infected more than once.
"I would say that estimate is likely on the high side," he said.
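To illustrate the counting problem Mr. Adair raises, here is an added example (not from the article, Seculert or Shadowserver) that compares an hourly-rate extrapolation with unique-host counts over constructed command-and-control check-in log lines; the log format, bot ids, addresses and the `window_hours` parameter are assumptions for the example.

```python
"""Why a raw check-in rate overstates botnet size.

Added example with constructed C2 check-in lines of the form
"<timestamp> <bot_id> <ip>". It compares the naive "N an hour times
hours" extrapolation with counts of distinct bot ids and distinct IPs.
"""
from collections import Counter
from datetime import datetime

# Constructed sample: bot 1001 checks in three times and the same host is
# re-infected under a new id (1004) behind the same IP; 1003 checks in twice.
SAMPLE_LOG = """\
2010-11-03T10:00:00 1001 198.51.100.7
2010-11-03T10:05:00 1002 203.0.113.9
2010-11-03T10:10:00 1001 198.51.100.7
2010-11-03T10:20:00 1003 192.0.2.44
2010-11-03T11:00:00 1001 198.51.100.7
2010-11-03T11:30:00 1004 198.51.100.7
2010-11-03T12:15:00 1003 192.0.2.44
2010-11-03T13:45:00 1005 203.0.113.21
"""

def parse_checkins(text):
    """Yield (timestamp, bot_id, ip) tuples from the log text."""
    for line in text.splitlines():
        ts, bot_id, ip = line.split()
        yield datetime.fromisoformat(ts), bot_id, ip

def estimate(text, window_hours):
    """Return size estimates for a check-in log.

    naive: peak check-ins in any one hour, extrapolated over window_hours
           (the "thousands an hour" figure taken at face value)
    ids:   distinct bot ids (each infection counted once)
    ips:   distinct source IPs (ignores re-infection, collapses NAT)
    """
    rows = list(parse_checkins(text))
    per_hour = Counter(ts.replace(minute=0, second=0) for ts, _, _ in rows)
    peak = max(per_hour.values())
    return {
        "naive": peak * window_hours,
        "ids": len({b for _, b, _ in rows}),
        "ips": len({ip for _, _, ip in rows}),
    }

if __name__ == "__main__":
    print(estimate(SAMPLE_LOG, 4))  # naive 16, ids 5, ips 4
```

The naive figure grows with the assumed window even though the number of distinct hosts does not, which is the sense in which a rate-based estimate is "likely on the high side".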
Botnets can be used to send spam e-mail or spread more malware, but they can also be used to conduct so-called denial-of-service attacks against websites. At the moment, Mr. Raff said, the ICA appeared to be selling access to the computers it had infected to other cybercrime gangs, who were loading their own malware onto them, effectively recruiting them to multiple other botnets, or equipping them to steal banking passwords or other personal data from their owners.
"They have moved into commercial cybercrime," said Mr. Raff of the ICA. "But we suspect that they will also use [their botnet] in the future for hacktivist attacks," perhaps in the service of Tehran.
Russian nationalist hacktivists were blamed for providing the foot soldiers for the cyberwar attacks on Estonia in April and May 2007. Those hackers used botnets to cripple Estonian government and banking websites.
Mr. Raff said the ICA attack had been reported to law enforcement in several countries and was under investigation but declined to comment further.
Over the summer, security researchers assessed that a computer worm called Stuxnet, which attacked special industrial-control systems, had been aimed at sabotaging an Iranian nuclear plant. Given the timing of the ICA attack, Mr. Raff said, "on the heels of the recent Stuxnet worm — it appears reasonable to assume that the Iranian Cyber Army group has decided to move from simple defacement warnings to actual cybercrime activities."
© Copyright 2013 The Washington Times, LLC.