Hackers, virus writers take to war theme

Web sites defaced, but devastating worms have not arrived

The beginning of war in Iraq prompted a rash of protest hacking on the Internet, with new war-themed viruses and Web page defacements directed at U.S., U.K. and Australian interests. But the devastating new worms and viruses that were predicted by some have so far failed to materialize.

Unquestionably, the hostilities in Iraq have had ripple effects on the Internet, according to Mikko Hyppönen, manager of antivirus research at F-Secure, of Helsinki, Finland.

Two new worms were discovered in the past two weeks with Iraq themes.

One, named Prune, arrives in e-mail messages with the subject "US Government Material - Iraq Crisis." An attachment named UN_Interview.txt.vbs launches the Visual Basic Script worm, which spreads copies of itself using e-mail, Internet Relay Chat (IRC) and network shares, according to F-Secure.

A second worm, Ganda, arrives in messages with a variety of subjects and messages, many of them linked to the tensions over Iraq such as "Spy Pics," purporting to contain pictures from U.S. satellites, and "G.W. Bush animation." Users are prompted to click on a Windows screen saver file attachment, launching the virus.
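Added example, not part of the original article or any F-Secure tooling: a mail-gateway style check for the two lures described above, a script hidden behind a document-looking double extension (UN_Interview.txt.vbs) and a screen saver attachment. The extension lists and every sample name other than UN_Interview.txt.vbs are assumptions constructed for illustration.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows runs on double-click (assumed short list for this example).
EXECUTABLE = {".vbs", ".vbe", ".js", ".scr", ".exe", ".pif", ".bat", ".com"}
# Extensions users read as harmless documents or media (assumed list).
DECOY = {".txt", ".doc", ".jpg", ".gif", ".pdf", ".mpg"}


def classify_attachment(filename):
    """Return 'disguised', 'executable' or 'ok' for one attachment name."""
    # Windows drops trailing dots and spaces, so "a.vbs. " still runs as .vbs.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or "." + parts[-1] not in EXECUTABLE:
        return "ok"
    # Padding spaces before the real extension push it out of view.
    if len(parts) >= 3 and "." + parts[-2].strip() in DECOY:
        return "disguised"   # e.g. name.txt.vbs displayed as "name.txt"
    return "executable"


def scan_message(raw_bytes):
    """Parse a raw message; return [(filename, verdict)] for flagged attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            verdict = classify_attachment(name)
            if verdict != "ok":
                findings.append((name, verdict))
    return findings


def build_sample(subject, attachments):
    """Build a constructed test message with harmless placeholder payloads."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("see attachment")
    for name in attachments:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```
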

Web site defacements also spiked in the days leading up to war, according to F-Secure.

"We've seen a huge increase in the number of [Web site] defacements related to the Iraq crisis," Hyppönen said.

Web site defacements require hackers to compromise Web servers belonging to their targets, then replace the official Web page content with their own content, often inflammatory statements or political messages.

F-Secure recorded around 200 defacements in the 48 hours before hostilities began. On Friday, another 1000 sites were defaced, F-Secure said.

Many of the Web sites that were defaced belonged to U.S. and U.K. businesses or lesser-known branches of U.S. federal agencies.

The Web page for the U.S. National Center for Agricultural Utilization Research, part of the U.S. Department of Agriculture, and a Web-based e-mail portal belonging to the U.S. Navy were both defaced, as was the home page of Routeco PLC, a distributor of industrial automation and control products in the U.K.

Hundreds of defacements were attributed to Unix Security Guard (USG), a pro-Islamic hacking group, according to Hyppönen.

There were also incidents of seemingly "patriotic" hacking by supporters of the U.S.'s war on Iraq, Hyppönen said.

One defaced site, http://www.timeleader.com, displayed a message saying "Kill Saddam" alongside a more personal greeting from the culprit as late as Friday morning.

One security consultancy, mi2g of London, warned Friday of the possibility of combined digital and physical attacks in the coming weeks.

While clearly prompted by the hostilities in the Gulf, however, the hacking activity that has taken place so far does not appear to be coordinated or part of a larger master plan to disrupt the Internet, Hyppönen said.

"We haven't seen any proof of anything official or organized at all," Hyppönen said.

Missing also is a powerful new worm that was promised by a Malaysian virus writer known as "Melhacker" who was sympathetic with the cause of the al-Qaeda terrorist group.

In an interview with Computerworld magazine in November, Melhacker said that he had developed and tested a "three-in-one" worm code-named Scezda that combined features from the SirCam, Klez and Nimda worms. Scezda would be released if the U.S. went to war with Iraq, Melhacker said.

Instead, the war in Iraq has just given computer hackers another reason to do what they want to do anyway: hack computers.

"Right now the message is 'No War. Give peace a chance,' because that's what's in the news and on people's mind. When the war goes away, these people will keep on hacking but probably stop with the antiwar defacements," Hyppönen said.

The U.S. Department of Homeland Security (DHS) has not seen a dramatic increase in hacking activity linked to the war either, according to Commander David Wray, spokesman for the Directorate of Information Analysis and Infrastructure Protection (IAIP) within the DHS.

Still, Wray said that it is too early to know for sure whether the threat of larger cyber attacks linked to the war has passed.

"I don't think we're in a position yet to say that threat still isn't out there. Nobody is saying 'Let's call off the alarm. There's not much to worry about.' I think there are things to worry about," Wray said.

The DHS has made recommendations for both critical and cyber security as part of multiagency Operation Liberty Shield, and is working with various federal agencies to make sure that their information systems are protected, Wray said.

The new agency is asking organizations that own physical and information infrastructure to be more watchful for problems and to be willing to report what they see to appropriate government agencies, Wray said.

Copyright © 2003 IDG Communications, Inc.