
CA Security Advisor Research Blog

Find out what our research team is saying about the latest security threats in the CA Security Advisor blog

E-jihad cyber attack is back: rumours or a serious threat?

by Rossano Ferraris

 

Are Bin Laden's cyber legions fighting back? It is hard to understand what goes on in cyber-criminal minds, but what is certain is that whenever we hear about e-jihad, security researchers need to keep their eyes wide open and investigate thoroughly, in order to be prepared for a possibly serious computer security breach.

 

According to a report by DEBKAfile, a cyber-jihad has been launched by Osama Bin Laden's warriors and the attack would be carried out with a software kit known as Electronic Jihad 3.0 on 11th November 2007.

 

When I heard this I began to do some research and found many different opinions about this information. Some say it is only a rumour and a possible hoax to frighten people on the net; others say we are facing a new threat created by cyber-terrorism to hit Western countries again.

 

It is true that hoaxes are commonplace nowadays, but it is also true that we have witnessed a number of DDoS attacks against important international websites in the past months.

 

Anyway, true or not, I decided to get a copy of the new kit, which is just an improved version of the previous e-jihad 2.0 released in July 2007.

 

Once I downloaded the e-jihad 3.0 tool I realized it is written in the Visual Basic programming language, and upon execution a popup window with Arabic characters came up. Unfortunately I am not comfortable with the Arabic language, but the process was easy to understand, since what the popup window asked for was a username and password. So I entered some information and the toolkit began to connect to a remote server which is, as of this writing, inaccessible (see below).

  

 

Index: 2
Protocol: TCP
Local Address: xxx.xxx.xx.xxx
Remote Address: 202.71.104.200
Local Port: 1035
Remote Port: 80
Local Host: (blank)
Remote Host: (blank)
Service Name: http
Packets: 8
Data Size: 1,614 Bytes
Total Size: 2,224 Bytes
Capture Time: 11/11/2007 2:21:38 PM:859

 

 

 

The tool uses al-jinan.net, hosted in Malaysia, as a central control server. As I said earlier, fortunately this server seems to be suspended. Looking at the strings of the toolkit, I noticed that e-jihad 3.0 is a hacking tool designed to be installed on a machine and used to connect to a list of websites to download a list of URLs in order to start a ping flood attack against them (see below).

 

 

     

For the DoS attacks, e-jihad 3.0 uses the command-line option ping -t, which continuously pings the target systems, flooding them.
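A defender-side sketch of how the behaviour described above could be spotted in endpoint telemetry (an added example, not code from the original post or from CA): it flags a parent process that launches continuous ping -t against several distinct targets, and any process that contacts the control server named in the post. The event layout, host names, tool.exe and the three-target threshold are assumptions, and the sample events are constructed.

```python
import csv, io
from collections import defaultdict

C2_INDICATORS = {"al-jinan.net", "202.71.104.200"}  # both named in the post
VALUE_SWITCHES = {"-n", "-l", "-i", "-v", "-r", "-s", "-j", "-k", "-w", "-c"}

# Constructed sample events (hypothetical layout, hosts and tool.exe), not real telemetry.
SAMPLE = """\
host,type,parent,detail
pc-07,proc,explorer.exe,ping -t 192.0.2.10
pc-12,proc,tool.exe,ping -t www.example.com
pc-12,proc,tool.exe,C:\\Windows\\System32\\ping.exe /t www.example.org
pc-12,proc,tool.exe,PING -T www.example.net
pc-12,net,tool.exe,202.71.104.200:80
pc-19,proc,cmd.exe,ping -n 4 192.0.2.20
pc-19,net,iexplore.exe,198.51.100.5:80
"""

def ping_t_target(cmdline):
    """Return the target of a continuous ping (ping -t), or None."""
    args = cmdline.split() or [""]
    exe = args[0].lower().replace("\\", "/").rsplit("/", 1)[-1]
    if exe not in ("ping", "ping.exe"):
        return None
    continuous, target, skip = False, None, False
    for arg in args[1:]:
        low = "-" + arg[1:].lower() if arg.startswith("/") else arg.lower()
        if skip:
            skip = False                 # this token is the previous switch's value
        elif low == "-t":
            continuous = True
        elif low in VALUE_SWITCHES:
            skip = True
        elif not low.startswith("-"):
            target = low
    return target if continuous else None

def analyse(text, min_targets=3):
    """Return ((host, parent) pairs fanning out ping -t, pairs contacting the C2)."""
    targets, c2 = defaultdict(set), set()
    for ev in csv.DictReader(io.StringIO(text)):
        key, target = (ev["host"], ev["parent"]), None
        if ev["type"] == "proc":
            target = ping_t_target(ev["detail"])
        elif ev["detail"].rsplit(":", 1)[0].lower() in C2_INDICATORS:
            c2.add(key)
        if target:
            targets[key].add(target)
    fan_out = sorted(k for k, v in targets.items() if len(v) >= min_targets)
    return fan_out, sorted(c2)
```

A single interactive ping -t from a user's shell stays below the threshold; the fan-out from one parent is what stands out.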

 

 

Because the URLs are not accessible, the analysis of the tool could not be completed, and we are not sure which websites were to be targeted. The tool can be configured to attack any website. I would suspect the most likely targets to be important commercial and government websites located in the USA and Europe.

 

 

Even though the toolkit seems to be harmless because ISPs have been informed in a timely fashion, it is always possible that a similar tool could work in the near future. We must not forget that we could all be affected if the infrastructure on which we rely is taken out. For this reason the use of good anti-malware products that detect DDoS tools and hacking tools will help reduce the risk.

 

At the moment very few anti-malware products detect the e-jihad tool. CA Anti-Spyware is able to find and remove it, and detects it as DDoS E-Jihad 3.0.

 


About Rossano Ferraris

Rossano Ferraris is located in Italy where he lives and works for the CA Anti-Spyware Research Team as a research engineer. He was one of the first employees of PestPatrol and has been working for CA since its acquisition.

 

At CA he has taken the worldwide responsibility for supporting the CA Anti-Spyware product family as a senior specialist engineer, where he has trained the CA Threat Support Team on spyware issues. His main interests include spyware research, phishing, exploits and potentially unwanted software falling within CA Anti-Spyware’s scope of detection.

 

Rossano is an active member of various well-known security forums and a member of ISSA. He is the author of many articles on security matters for Italian newspapers and magazines, and he is also the author of a book on the spyware phenomenon published in Italy. He holds a degree in Computer Science and is GREM certified.
 
 