Hackers, Virus Writers Take to War Theme

The beginning of war in Iraq prompted a rash of protest hacking on the Internet, with new war-themed viruses and Web page defacements directed at US, UK and Australian interests. But the devastating new worms and viruses that were predicted by some have so far failed to materialise.

Unquestionably, the hostilities in Iraq have had ripple effects on the Internet, according to Mikko Hyppönen, manager of antivirus research at F-Secure of Helsinki, Finland.

Two new worms were discovered in the past two weeks with Iraq themes.

One, named Prune, arrives in e-mail messages with the subject "US Government Material - Iraq Crisis." An attachment named UN_Interview.txt.vbs launches the Visual Basic Script worm, which spreads copies of itself using e-mail, Internet Relay Chat (IRC) and network shares, according to F-Secure.

A second worm, Ganda, arrives in e-mail with a variety of subject lines and message texts, many of them linked to the tensions over Iraq, such as "Spy Pics," purporting to contain pictures from US satellites, and "George W Bush animation." Users are prompted to click on a Windows screen saver file attachment, launching the virus.

Web site defacements also spiked in the days leading up to war, according to F-Secure.

"We've seen a huge increase in the number of (Web site) defacements related to the Iraq crisis," Hyppönen said.

Web site defacements require hackers to compromise Web servers belonging to their targets, then replace the official Web page content with their own content, often inflammatory statements or political messages.

F-Secure recorded around 200 defacements in the 48 hours before hostilities began. On Friday, another 1000 sites were defaced, F-Secure said.

Many of the Web sites that were defaced belonged to US and UK businesses or lesser-known branches of US federal agencies.

The Web page for the US National Center for Agricultural Utilization Research, part of the US Department of Agriculture, and a Web-based e-mail portal belonging to the US Navy were both defaced, as was the home page of Routeco PLC, a distributor of industrial automation and control products in the UK.

Hundreds of defacements were attributed to Unix Security Guard (USG), a pro-Islamic hacking group, according to Hyppönen.

There were also incidents of seemingly "patriotic" hacking by supporters of the US's war on Iraq, Hyppönen said.

One defaced site, http://www.timeleader.com, displayed a message saying "Kill Saddam" alongside a more personal greeting from the culprit as late as Friday morning.

One security consultancy, mi2g of London, warned Friday of the possibility of combined digital and physical attacks in the coming weeks.

While clearly prompted by the hostilities in the Gulf, however, the hacking activity that has taken place so far does not appear to be coordinated or part of a larger master plan to disrupt the Internet, Hyppönen said.

"We haven't seen any proof of anything official or organised at all," Hyppönen said.

Missing also is a powerful new worm that was promised by a Malaysian virus writer known as "Melhacker" who was sympathetic with the cause of the al-Qaeda terrorist group.

In an interview with Computerworld magazine in November, Melhacker said that he had developed and tested a "three-in-one" worm code-named Scezda that combined features from the SirCam, Klez and Nimda worms. Scezda would be released if the US went to war with Iraq, Melhacker said.

Instead, the war in Iraq has just given computer hackers another reason to do what they want to do anyway: hack computers.

"Right now the message is 'No War. Give peace a chance,' because that's what's in the news and on people's mind. When the war goes away, these people will keep on hacking but probably stop with the antiwar defacements," Hyppönen said.

The US Department of Homeland Security (DHS) has not seen a dramatic increase in hacking activity linked to the war either, according to Commander David Wray, spokesman for the Directorate of Information Analysis and Infrastructure Protection (IAIP) within the DHS.

Still, Wray said that it is too early to know for sure whether the threat of larger cyber attacks linked to the war has passed.

"I don't think we're in a position yet to say that threat still isn't out there. Nobody is saying 'Let's call off the alarm. There's not much to worry about.' I think there are things to worry about," Wray said.

The DHS has made recommendations for both critical and cyber security as part of multiagency Operation Liberty Shield, and is working with various federal agencies to make sure that their information systems are protected, Wray said.

The new agency is asking organisations that own physical and information infrastructure to be more watchful for problems and to be willing to report what they see to appropriate government agencies, Wray said.
