Wednesday, November 07, 2007
Electronic Jihad v3.0 - What Cyber Jihad Isn't

It's intergalactic security statements like these <http://ddanchev.blogspot.com/2007/01/preventing-massive-al-qaeda-cyber.html> that provoked me to do my most insightful research into the topic of <http://ddanchev.blogspot.com/2007/08/analyses-of-cyber-jihadist-forums-and.html> what cyber jihad is, or <http://ddanchev.blogspot.com/2006/10/scada-security-incidents-and-critical.html> what cyber jihad isn't. The news item on cyber jihadists coordinating a massive DDoS attack is a cyclical one, namely it reappears every quarter, as it did in August, and so <http://ddanchev.blogspot.com/2007/08/cyber-jihadist-dos-tool.html> I reviewed the tool, provided screenshots, and commented that while it's an aspirational initiative, with thankfully lame execution, it's not a coordinated DDoS attack executed in such a way that it should be feared, but cyber jihadists outsourcing the process. Despite the fact that absolutely nothing has changed in the way the program operates since v2.0, except that al-jinan.org changed to the now-down al-jinan.net, the web is buzzing about the plans of wannabe cyber jihadists, the Al Ansar Hacking Team to be precise, to DDoS infidel sites on the 11th of November. Boo! Spooky:

- <http://www.scmagazine.com/uk/news/article/764556/website-al-qaeda-cyber-jihad-begin-nov-11/> Al Qaeda cyber-jihad to begin Nov. 11
- <http://weblog.infoworld.com/robertxcringely/archives/2007/11/cyber_terrorism.html> The e-Jihadists are coming, the e-Jihadists are coming!
- <http://www.foxnews.com/story/0,2933,307601,00.html> Report: Al Qaeda to Launch Cyber-Attack on Nov. 11
- <http://www.itbusinessedge.com/blogs/hdw/?p=1134> Al-Qaeda Planning Cyber Attack?
Key points:

- despite the fact that the recommended DoS tool itself in the previous post is detected by almost all the anti-virus vendors, in a <http://ddanchev.blogspot.com/2007/10/peoples-information-warfare-concept.html> people's information warfare situation the participants will purposely turn off their AVs to be able to use it
- the Electronic Jihad program is an example of a poorly coded one, poorly in the sense of obtaining the lists of sites to be attacked from a single location, so you have a situation with 1000 wannabe cyber jihadists not being able to attack anyone in a coordinated manner if the host gets shut down
- the central update locations at the al-jinan.net domain are down, <http://warintel.blogspot.com/2007/11/al-jinannet-is-back.html> thank you Warintel, and so are the several others included, so you have a situation where forums and people start recommending the tool, which they obtained before the site was shut down, but can't get the list of targets to be attacked

Time to assess the binary. The program archive's fingerprints as originally distributed:

File size: 358490 bytes
MD5: f38736dd16a5ef039dda940941bb2c0d
SHA1: 769157c6d3fe01aeade73a2de71e54e792047455

No AV detects this one.

E-Jihad.exe as the main binary:

File size: 94208 bytes
MD5: caf858af42c3ec55be0e1cca7c86dde3
SHA1: f61fde991bfcc6096fa1278315cad95b1028cb4b

ClamAV - Flooder.VB-15
Panda - Suspicious file
Symantec - Hacktool.DoS

In a <http://ddanchev.blogspot.com/2007/10/peoples-information-warfare-concept.html> people's information warfare incident where the ones contributing bandwidth would purposely shut down their AVs, does it really matter whether or not a perimeter defense solution detects it?
It does from the perspective of wannabe cyber jihadists wanting to use their company's bandwidth for the purpose, an environment in which they are hopefully not able to shut down the AV, thus forwarding the responsibility for participation in the attack to their companies. Al-jinan.org has been down since the Electronic Jihad Against Infidel Sites campaign became evident; the question is - where's the current DDoS campaign site? A mirror of the first campaign is available here - al-ansar.virtue.nu. A <http://72.14.209.104/search?hl=en&q=cache%3Awww.al-jinan.net> cached copy of al-jinan.net (202.71.104.200) is still available. Emails related to the Al Ansar Hacking Group: the_crusaders_hell @ yahoo.com; the_crusaders_hell @ hotmail.com; al-ansar @ gooh.net

Now the interesting part - where are Al-Jinan's new target synchronization URLs, and did they actually diversify them given that Al-Jinan.net is now down, courtesy of what looks like Warintel's efforts? Partly. Here are the update URLs found within the binary:

al-jinan.net/ntarg.php?notdoing=yes
al-jinan.net/ntarg.php?howme=re
al-jinan.net/tlog.php?
al-jinan.net/tnewu.php?
arddra.host.sk/ntarg.php
jofpmuytrvcf.com/ntarg.php
jo-uf.net/ntarg.php

All are down, and jo-uf.net was among the domains used in the first version of the attack. If you think about it, even a wannabe botnet master will at least ensure the botnet's update locations are properly hardcoded within the malware. More details on <http://terroronline.wordpress.com/2006/11/01/the-electronic-jihad-that-wasnt/> jo-uf.net.

Let's discuss what cyber jihad isn't. Cyber jihad is anything but shutting down the critical infrastructure of a country in question, despite the potential for a blockbuster movie scenario here.
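The triage the post walks through (fingerprint the sample, pull the hardcoded update URLs out of it, then decide whether your perimeter would see a client fetching them) can be scripted. The block below is an added example, not code from the post or from the E-Jihad tool. It assumes the client is a Visual Basic executable, as the Flooder.VB detection name suggests, so string literals are carved as UTF-16LE as well as ASCII; the SAMPLE bytes, the proxy log format and the host newmirror.example.net are constructed for the example, and only the seven URLs and the hostnames come from the post.

```python
"""Triage of an E-Jihad-style DoS client (added example, not the tool's or
the post's own code): fingerprint the sample, carve candidate update/target
list URLs out of its embedded strings, and hunt for those indicators in a
web-proxy log. SAMPLE and SAMPLE_LOG are constructed stand-ins, not the
real 94,208-byte E-Jihad.exe or any real log."""
import hashlib
import re
from typing import Dict, List

# Matches "host/path" with an optional scheme; the path may carry a query string.
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(/[\w./?=&%-]*)?", re.I)
# Strings like "E-Jihad.exe" or "MSVBVM60.DLL" look like hostnames to URL_RE;
# drop anything whose "TLD" is really a file extension.
FILE_EXTENSIONS = {"exe", "dll", "ocx", "vbp", "frm", "dat"}


def fingerprint(data: bytes) -> Dict[str, object]:
    """Size, MD5 and SHA1: the same three values the post reports per file."""
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def _strings(data: bytes, min_len: int = 6):
    """Printable runs in both ASCII and UTF-16LE. The latter matters because
    VB6 string literals are stored as UTF-16LE (assumption: the sample is a
    VB binary), so a plain `strings` run would miss every URL."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16-le")


def extract_urls(data: bytes) -> List[str]:
    """Candidate update/target-list URLs (scheme stripped, host lowercased), sorted."""
    found = set()
    for s in _strings(data):
        for m in URL_RE.finditer(s):
            host, path = m.group(1).lower(), m.group(2) or ""
            if host.rsplit(".", 1)[-1] in FILE_EXTENSIONS:
                continue
            found.add(host + path)
    return sorted(found)


def hunt_proxy_log(lines: List[str], urls: List[str]) -> List[Dict[str, str]]:
    """Flag log lines hitting a known host OR a known script path. Matching on
    the path alone is deliberate: the post notes the domain changed between
    v2.0 and v3.0 while the code did not, so /ntarg.php outlives al-jinan.net."""
    hosts = {u.partition("/")[0] for u in urls}
    paths = {"/" + u.partition("/")[2].split("?", 1)[0] for u in urls}
    hits = []
    for line in lines:
        parts = line.split()  # constructed format: timestamp client method url status
        if len(parts) < 5:
            continue
        client, url = parts[1], parts[3]
        m = re.match(r"https?://([^/]+)(/[^?]*)?", url, re.I)
        if not m:
            continue
        host, path = m.group(1).lower(), m.group(2) or "/"
        reasons = [r for r, ok in (("host", host in hosts), ("path", path in paths)) if ok]
        if reasons:
            hits.append({"client": client, "url": url, "reason": "+".join(reasons)})
    return hits


def _vb(s: str) -> bytes:
    """A string literal as it sits in a VB6 image: UTF-16LE, NUL-terminated."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for the binary: PE-ish filler plus the seven update
# URLs the post lists, stored as UTF-16LE like a VB6 executable would.
SAMPLE = (b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n"
          + b"\x00" * 16 + b"MSVBVM60.DLL\x00" + b"\x00" * 8
          + _vb("al-jinan.net/ntarg.php?notdoing=yes") + _vb("al-jinan.net/ntarg.php?howme=re")
          + _vb("al-jinan.net/tlog.php?") + _vb("al-jinan.net/tnewu.php?")
          + _vb("arddra.host.sk/ntarg.php") + _vb("jofpmuytrvcf.com/ntarg.php")
          + _vb("jo-uf.net/ntarg.php") + b"\x00" * 8 + b"E-Jihad.exe\x00")

# Constructed proxy log lines: one live hit, one unrelated request, one hit on
# a hypothetical replacement domain (path only), one on the bare domain.
SAMPLE_LOG = [
    "2007-11-07T10:15:02 10.0.0.23 GET http://al-jinan.net/ntarg.php?howme=re 200",
    "2007-11-07T10:15:09 10.0.0.23 GET http://www.example.com/index.php 200",
    "2007-11-07T10:16:41 10.0.0.41 GET http://newmirror.example.net/ntarg.php?howme=re 404",
    "2007-11-07T10:17:03 10.0.0.9 GET http://al-jinan.net/ 200",
]

if __name__ == "__main__":
    print(fingerprint(SAMPLE))
    urls = extract_urls(SAMPLE)
    print("\n".join(urls))
    for hit in hunt_proxy_log(SAMPLE_LOG, urls):
        print(hit)
```

Run against the real archive and E-Jihad.exe, `fingerprint` should reproduce the MD5/SHA1 values quoted above, and `extract_urls` is the check that the update locations really are hardcoded and not diversified; the path-only match in `hunt_proxy_log` is what keeps the detection useful after the next domain swap.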
It's <http://www.timesonline.co.uk/tol/news/uk/crime/article2821101.ece> news stories like these, emphasizing the abuse of the Internet medium for achieving their objectives in the form of recruitment, research, fund raising, propaganda and training, compared to wanting to shut it down. Logically, this is where all the investments go, because this is the most visible engagement point between a government and potential cyber terrorists - its critical infrastructure. I'm not saying don't invest in securing it, I'm just emphasizing the fact that you should balance such spending with the pragmatic reality, which can be well described by using an analogy from the malware world, and how what used to be destructive viruses are now the types of malware interested in abusing your data, not destroying it. The real threat does not come from wannabe cyber jihadists flooding a particular site in a coordinated manner, but from <http://ddanchev.blogspot.com/2007/10/botnet-on-demand-service.html> outsourcing the entire process to those who specialize in the service, or providing the infrastructure for it on demand. That's of course given they actually manage to keep up the update locations for longer than 24 hours and achieve the mass effect of wannabe cyber jihadists using it all at once, the type of <http://ddanchev.blogspot.com/2007/09/dark-web-and-cyber-jihad.html> Dark Web Cyber Jihad trade-off.

posted by Dancho Danchev @ <http://ddanchev.blogspot.com/2007/11/electronic-jihad-v30-what-cyber-jihad.html> Wednesday, November 07, 2007 <http://ddanchev.blogspot.com/>

--------------------------
Want to discuss this topic? Head on over to our discussion list, [EMAIL PROTECTED]
--------------------------
Brooks Isoldi, editor
[EMAIL PROTECTED]
http://www.intellnet.org

*** FAIR USE NOTICE. This message contains copyrighted material whose use has not been specifically authorized by the copyright owner. OSINT, as a part of The Intelligence Network, is making it available without profit to OSINT YahooGroups members who have expressed a prior interest in receiving the included information in their efforts to advance the understanding of intelligence and law enforcement organizations, their activities, methods, techniques, human rights, civil liberties, social justice and other intelligence related issues, for non-profit research and educational purposes only. We believe that this constitutes a 'fair use' of the copyrighted material as provided for in section 107 of the U.S. Copyright Law. If you wish to use this copyrighted material for purposes of your own that go beyond 'fair use,' you must obtain permission from the copyright owner. For more information go to: http://www.law.cornell.edu/uscode/17/107.shtml
