In this post I'll provide actionable intelligence on the crowd-sourced DDoS campaign that was originally launched during the 2009 election in Iran, and discuss in depth the campaign itself, the actual tool, the list of targeted URLs and the MD5 of the malicious DDoS tool.
It appears that back in 2009 a tiny group of folks, including companies, organized an online spree to help and support Iran's activists and protestors with technologies and access to free service, which basically violates the law and should be considered a dangerous precedent in the context of assisting Iran-based activists and protestors. Therefore I've decided to take a deeper look inside the trend that took place internationally during the 2009 Iran election and offer practical, relevant technical and actionable intelligence on the actual infrastructure behind the campaign, including its participants.
Related domains and URLs known to have been involved in the campaign:
MD5: 25bc5507934756a836e574e9b43f8b3a - Detection rate
Sample official download location of the actual DDoS application:
https://sites.google.com/site/nedasites
Sample targeted URLs and domains list:
Something else that's also worth emphasizing in terms of the Iran 2009 election is that the U.K.'s GCHQ has also been busy attempting to track down protestors and activists, and has been working on an election-specific, GCHQ-owned URL shortening service which I managed to profile and expose here, including the following still active Twitter accounts and URLs known to have been involved in the GCHQ campaign to monitor and track down Iran 2009 election protesters and activists:
Stay tuned!