Wednesday, November 07, 2007

Electronic Jihad v3.0 - What Cyber Jihad Isn't

It's intergalactic security statements like these that provoked me to do my most insightful research into the topic of what is cyber jihad, or what cyber jihad isn't. The news item on cyber jihadists coordinating a massive DDoS attack is a cyclical one, namely it reappears every quarter as it happened in August, and so I reviewed the tool, provided screenshots, and commented that while it's an aspirational initiative, with thankfully lame execution, it's not the coordinated DDoS attack executed in such way that should be feared, but cyber jihadists outsourcing the process. Despite that absolutely nothing has changed in respect to the way the program operates since v2.0, except that al-jinan.org changed to the now down al-jinan.net, the web is buzzing about the plans of wannabe cyber jihadists, the Al Ansar Hacking Team to be precise, to DDoS infidel sites on the 11th of November. Boo! Spooky - Al Qaeda cyber-jihad to begin Nov. 11; The e-Jihadists are coming, the e-Jihadists are coming!; Report: Al Qaeda to Launch Cyber-Attack on Nov. 11; Al-Qaeda Planning Cyber Attack?.


Key points :

- despite that the recommended DoS tool itself in the previous post is detected by almost all the anti virus vendors, in a people's information warfare situation, the participants will on purposely turn off their AVs to be able to use it

- the Electronic Jihad program is an example of poorly coded one, poorly in the sense of obtaining lists of the sites to be attacked from a single location, so you have a situation with 1000 wannabe cyber jihadists not being able to attack anyone in a coordinated manner given the host gets shut down

- the central update locations at the al-jinan.net domain are down, thank you Warintel, and so are the several others included, so you have a situation where forums and people start recommending the tool, they obtained it before the site was shut down, but couldn't get the targets to be attacked list

Time to assess the binary. The program archive's fingerprints as originally distributed :

File size: 358490 bytes
MD5: f38736dd16a5ef039dda940941bb2c0d
SHA1: 769157c6d3fe01aeade73a2de71e54e792047455

No AV detects this one.

E-Jihad.exe as the main binary
File size: 94208 bytes
MD5: caf858af42c3ec55be0e1cca7c86dde3
SHA1: f61fde991bfcc6096fa1278315cad95b1028cb4b

ClamAV - Flooder.VB-15
Panda - Suspicious file
Symantec - Hacktool.DoS

In a people's information warfare incident where the ones contributing bandwidth would on purposely shut down their AVs, does it really matter whether or not an perimeter defense solution detects it? It does from the perspective of wannabe cyber jihadists wanting to using their company's bandwidth for the purposely, an environment in which they are hopefully not being able to shut down the AV, thus forwarding the responsibility for the participation in the attack to their companies.

Al-jinan.org has been down since the Electronic Jihad Against Infidel Sites campaign became evident, the question is - where's the current DDoS campaign site? A mirror of the first campaign is available here - al-ansar.virtue.nu. Cached copy of al-jinan.net (202.71.104.200) is still available. Emails related to Al Ansar Hacking Group - the_crusaders_hell @ yahoo.com; the_crusaders_hell @ hotmail.com; al-ansar @ gooh.net Now the interesting part - where are Al-Jinan's new target synchronization URLs, and did they actually diversified them given that Al-Jinan.net is now down courtesy of what looks like Warintel's efforts? Partly. Here are the update URLs found within the binary :

al-jinan.net/ntarg.php?notdoing=yes
al-jinan.net/ntarg.php?howme=re
al-jinan.net/tlog.php?
al-jinan.net/tnewu.php?
arddra.host.sk/ntarg.php
jofpmuytrvcf.com/ntarg.php
jo-uf.net/ntarg.php

All are down, and jo-uf.net was among the domains used in the first version of the attack. If you think about it, even a wannabe botnet master will at least ensure the botnet's update locations are properly hardcoded within the malware. More details on jo-uf.net.

Let's discuss what cyber jihad isn't. Cyber jihad is anything but shutting down the critical infrastructure of a country in question, despite the potential for blockbuster movie scenario here. It's news stories like these, emphasizing on abusing the Internet medium for achieving their objectives in the form of recruitment, research, fund raising, propaganda, training, compared to wanting to shut it down. Logically, this is where all the investments go, because this is the most visible engagement point between a government and potential cyber terrorists - its critical infrastructure. I'm not saying don't invest in securing it, I'm just emphasizing on the fact that you should balance such spendings with the pragmatic reality which can be greatly described by using an analogy from the malware world, and how what used to be destructive viruses are now the types of malware interested in abusing your data, not destroying it.

The real threat does not come from wannabe cyber jihadists flooding a particular site in a coordinated manner, but from outsourcing the entire process to those who specialize in the service, or providing the infrastructure for it on demand. Now that's of course given they actually manage to keep up the update locations for longer than 24 hours, and achieve the mass effect of wannabe cyber jihadists using it all at once, the type of Dark Web Cyber Jihad trade-off.