It all began in December 2009, when a group of hacktivists calling itself the “Iranian Cyber Army” defaced several popular websites around the globe, including Twitter and the Chinese search engine Baidu. The defacement pages carried messages in English against the US embargo on Iran, as well as a message in Persian stating “This is a warning”.
Fast forward to September 2010. The website of TechCrunch Europe, one of Europe’s most popular technology blogs, was hacked. The attackers planted a page that redirected the blog’s readers to a crime server, which then ran a script exploiting a vulnerability to silently install malware on the visitors’ machines (a classic drive-by download).
Much More than a Single Exploit
While investigating this incident, Seculert Research Lab found what appears to be a connection between the attack on TechCrunch Europe, many similar attacks worldwide, and the “Iranian Cyber Army” group. The crime server involved in these attacks did not run a script targeting a single vulnerability; it served a whole collection of exploits, i.e. an exploit kit.
Numerous exploit kits are sold in underground forums among cyber criminals. Competition in this crowded and lucrative market drives authors to give their kits sleek and sexy user interfaces, so the product is more attractive to potential customers. One such example is the administration panel of the Phoenix exploit kit, which displays a stylish animation of a flying phoenix (Figure 1).
Figure 1 – Phoenix Exploit’s Kit Administration Panel
During our research of the crime server involved in these attacks, we were able to uncover the exploit kit’s administration panel, as well as its statistics page. As can be seen in Figures 2 and 3, the graphical user interface of these pages is quite primitive, to say the least. This leads us to believe that this exploit kit was developed to be used only by one group, and it is not being sold on the open market to other cyber criminals.
Figure 2 – “Iranian Cyber Army” Exploit Kit Administration Panel
Figure 3 – “Iranian Cyber Army” Exploit Kit Statistics Page
Substantiating the Iranian Connection
If you look closely at the title of the administration panel (Figure 2), you will notice the email address “Iranian.firstname.lastname@example.org”. This same email address was used by the “Iranian Cyber Army” group on their defacement attack pages. The group also signed their name as an HTML comment within the statistics page source code (Figure 4).
Figure 4 – “Iranian Cyber Army” Exploit Kit Statistics Page Source Code
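The pivot described above (the same contact address in the panel title and on the defacement pages, the same signature in an HTML comment) is the kind of thing worth automating when you have a pile of captured pages. The following Python script is an added example, not Seculert’s own tooling: it parses each page, pulls email addresses out of the title, body text and HTML comments, and reports which artifacts recur across pages. The three pages, the address crew@example.org and the comment text are constructed placeholders, not the real artifacts from the investigation.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser

# Loose email matcher; good enough for pivoting on operator contact addresses.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


class ArtifactExtractor(HTMLParser):
    """Collects <title> text, visible body text and HTML comments from one page."""

    def __init__(self):
        super().__init__()
        self.title, self.text, self.comments = [], [], []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        (self.title if self._in_title else self.text).append(data)

    def handle_comment(self, data):
        # Normalise whitespace so differently spaced copies of a signature still match.
        self.comments.append(" ".join(data.split()))


def extract_artifacts(html):
    """Return the pivotable strings on a page: every email address found in the
    title, body text or comments, plus the full text of each HTML comment."""
    parser = ArtifactExtractor()
    parser.feed(html)
    parser.close()
    blob = " ".join(parser.title + parser.text + parser.comments)
    artifacts = set(EMAIL_RE.findall(blob))
    artifacts.update(c for c in parser.comments if c)
    return artifacts


def shared_artifacts(pages):
    """Map each artifact that occurs on two or more pages to the set of page names."""
    seen = defaultdict(set)
    for name, html in pages.items():
        for artifact in extract_artifacts(html):
            seen[artifact].add(name)
    return {a: names for a, names in seen.items() if len(names) > 1}


# Constructed stand-ins for the three kinds of page discussed in the post
# (defacement page, kit admin panel, kit statistics page).
PAGES = {
    "defacement": """<html><head><title>Hacked</title></head>
<body><h1>This is a warning</h1><p>contact: crew@example.org</p>
<!-- Iranian Cyber Army --></body></html>""",
    "admin_panel": """<html><head><title>Panel - crew@example.org</title></head>
<body><form><input name="login"></form></body></html>""",
    "stats_page": """<html><head><title>Stats</title></head>
<body><table><tr><td>confirmed loads</td><td>400000</td></tr></table>
<!--   Iranian   Cyber Army   --></body></html>""",
}

if __name__ == "__main__":
    for artifact, names in sorted(shared_artifacts(PAGES).items()):
        print(f"{artifact!r} links: {', '.join(sorted(names))}")
```

Run against real captures, the output is a list of strings that tie pages together; each hit still needs a human to judge whether it is a genuine operator artifact or a widely copied template string.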
Size Doesn’t Always Matter
According to the statistics page (Figure 3), there are currently over 400,000 “confirmed loads,” i.e., machines that were successfully exploited and infected with the malware. However, while tracking these numbers our research team noticed that the counter is reset from time to time, which means the actual number of infected machines is considerably larger than the counter shows. We also noticed that the number of loads per hour holds steady at around 14,000. As we were able to trace the use of this exploit kit back to August 2010, we can extrapolate, assuming that rate held throughout, the number of machines that may have been infected by this group of cyber criminals: 14,000 x 24hrs x 60days ~= 20 million infected machines!
Again, this is just a “guesstimate”, and we understand that size doesn’t always matter. What really matters here is what the “Iranian Cyber Army” can do with such power. For now, what they do is lease part of their botnet to other groups, which then install different types of malware (Bredolab, Gozi, Zeus and others) on these controlled machines.
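The counter arithmetic in the two paragraphs above, generalised into a small script (an added example, not Seculert’s tooling; the hourly samples are constructed, not real telemetry): it rebuilds the running total from a counter that is occasionally reset, derives the hourly rate from the observed window, and projects that rate over a number of days.

```python
# Constructed hourly samples of the "confirmed loads" counter: it climbs by
# 14,000 an hour, then drops at hour 3 when the operators reset it.
SAMPLES = [(0, 400_000), (1, 414_000), (2, 428_000), (3, 14_000), (4, 28_000), (5, 42_000)]


def cumulative_from_resetting_counter(samples):
    """Rebuild the true running total from (hour, counter) samples.

    A rise adds the delta; a drop is treated as a reset to zero followed by
    `value` new loads. Returns (total_loads, resets_seen). Assumes loads only
    ever increase between samples, so a drop can only mean a reset."""
    total, resets, prev = 0, 0, None
    for _, value in samples:
        if prev is None:
            total = value            # whatever the counter already held
        elif value >= prev:
            total += value - prev
        else:
            resets += 1
            total += value           # counter restarted from zero
        prev = value
    return total, resets


def loads_per_hour(samples):
    """Average new loads per hour over the sampled window, resets included."""
    elapsed = samples[-1][0] - samples[0][0]
    if elapsed <= 0:
        raise ValueError("need at least two samples spanning more than zero hours")
    total, _ = cumulative_from_resetting_counter(samples)
    return (total - samples[0][1]) / elapsed


def extrapolate(rate_per_hour, days):
    """Projected loads over `days` if the hourly rate held constant."""
    return rate_per_hour * 24 * days


if __name__ == "__main__":
    total, resets = cumulative_from_resetting_counter(SAMPLES)
    rate = loads_per_hour(SAMPLES)
    print(f"observed total: {total:,} loads across {resets} reset(s)")
    print(f"rate: {rate:,.0f}/hour -> {extrapolate(rate, 60):,.0f} over 60 days")
```

Note that a naive reading of the last sample (42,000) understates the total by more than an order of magnitude once a reset has happened; the projection also inherits every weakness of the “steady rate” assumption, which is why the figure above is a guesstimate rather than a count.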
Based on the timing of this latest wave of attacks, on the heels of the recent Stuxnet worm attack that allegedly targeted Iranian facilities, it appears reasonable to assume that the “Iranian Cyber Army” group has decided to move from simple defacement warnings to actual cybercrime activities.