Here You Have Worm and E-Jihad Connection
By: Joe Stewart
On Friday, September 10, I hinted that a cyber-jihad group might be behind the "Here you have" mass-mailer worm. Here is some additional information.
The worm, known as Imsolk.A/Visal.A/VBMania, was originally designated "Imsolk.A" and was first seen in August 2010. That attack was much smaller in scale and its possible origins were not investigated at the time. Studying clues in the second attack showed that it might have originated from a cyber-jihad organization called "Brigades of Tariq ibn Ziyad", whose founding member is known as "iraq_resistance".
The reasons for this early conclusion are as follows:
1. The email sender component is written by an Egyptian author and documented only in Arabic, indicating at least that the worm has an Arabic-speaking author.
2. "Windows-1256" is used in the email subroutines; this is the Arabic character set.
3. The first email worm attack in August used the e-mail address firstname.lastname@example.org in the sender field.
4. The string iraq_resistance still appears in the binary code of the latest version of the worm.
5. The back-door component of the worm, BiFrost, tries to connect to a command-and-control server called "tarekbinziad.no-ip.biz".
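A static triage check for the string-level clues in the list above, as an added example that is not code from the original post. It searches a file's bytes for each string in both ASCII and UTF-16LE, on the assumption that a Visual Basic binary may store literals as wide strings; the function names and the sample bytes are constructed for illustration.

```python
import re
import sys

# String-level clues from the list above, stored lowercase and matched
# case-insensitively. The charset name alone is only context: any Arabic-locale
# mail code may contain it.
INDICATORS = {
    "author_handle": "iraq_resistance",
    "c2_hostname": "tarekbinziad.no-ip.biz",
    "arabic_charset": "windows-1256",
}
ENCODINGS = {"ascii": "ascii", "utf-16le": "utf-16-le"}  # narrow and wide forms


def find_indicators(data):
    """Return sorted (offset, indicator, encoding) tuples for every hit."""
    hits = []
    for name, text in INDICATORS.items():
        for label, codec in ENCODINGS.items():
            pattern = re.compile(re.escape(text.encode(codec)), re.IGNORECASE)
            hits += [(m.start(), name, label) for m in pattern.finditer(data)]
    return sorted(hits)


def attribution_hits(data):
    """Names of the attribution-relevant clues present (charset excluded)."""
    return {name for _, name, _ in find_indicators(data)} - {"arabic_charset"}


def build_sample():
    """Constructed bytes for demonstration, not taken from a real sample."""
    return (b"MZ" + b"\x00" * 14
            + b"charset=Windows-1256\x00"
            + "IRAQ_Resistance".encode("utf-16-le") + b"\x00\x00"
            + b"tarekbinziad.no-ip.biz\x00")


if __name__ == "__main__":
    # Scan the file given on the command line, or the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for offset, name, encoding in find_indicators(blob):
        print(f"0x{offset:08x}  {name:<15} {encoding}")
```

A packed or encrypted binary will hide all of these strings, so an empty result says nothing about a file until it has been unpacked.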
Researching the name "iraq_resistance" revealed several things:
A forum posting by iraq_resistance in 2008 where he tries to recruit members for his Brigades of Tariq ibn Ziyad, whose goal is "to penetrate U.S. agencies belonging to the U.S. Army":
Here is text from a defacement where iraq_resistance is labeled a Libyan hacker:
Here is iraq_resistance in 2009 asking questions about Visual Basic programming, such as how to send email or how to launch a program over the network using admin credentials (things the worm does):
On Friday, September 10, he posted a new message titled "Tariq ibn Ziyad virus plaguing America" here:
Finally, the author has now posted a YouTube video claiming credit for the worm and listing his reasons for releasing it:
Although the YouTube user account he uses, "iqziad", is listed as being from Spain, it's pretty clear iraq_resistance is Libyan. In January 2009, he posted a message detailing successes that the Brigades of Tariq ibn Ziyad were having in penetrating (and destroying) computers belonging to U.S. soldiers in Germany, Iraq and America:
http://www.moqawmh.ps/vb/showthread.php?t=24449 (site is down, but still cached in Google)
In this posting he tells his cohorts that the hits to the counter from Libya were from his tests; apparently the group has been keeping records of computers they have infected with an unknown trojan (possibly Bifrost) using a stats page somewhere. He also says that "the device which was destroyed in Egypt" was due to one of their own members who opened the malware on his own computer by mistake, and reminds the other members to be cautious.