Mass-mailer worm linked to cyber-jihadists

Posted by Aharon Etengoff

A mass-mailer worm that recently infected a number of US government and corporate computer systems has been tentatively linked to a cyber-Jihadist organization known as the "Brigades of Tariq ibn Ziyad."

According to Joe Stewart of SecureWorks, the Imsolk.A/Visal.A/VBMania variant (Here You Have Worm) - originally designated "Imsolk.A" - was first positively identified in August 2010.

"That attack was much smaller in scale and its possible origins were not investigated at the time," he explained.



Mass-mailer worm linked to cyber-jihadists"[However], studying clues in the second attack showed that it might have originated from a cyber-jihad organization called 'Brigades of Tariq ibn Ziyad,' whose founding member is known as 'iraq_resistance."

Stewart also noted the email "sender component" was written by an Arabic speaker and documented only in that language. 


"Windows-1256 is used in the email subroutines - this is the Arabic character set, [while] the first email worm attack in August [inserted] the e-mail address iraq_resistance@yahoo.com in the sender field.

"[In addition], the string iraq_resistance still appears in the binary code of the latest version of the worm - and the back-door component of the worm, BiFrost, tries to connect to a command-and-control server called 'tarekbinziad.no-ip.biz."



Stewart added that "iraq_resistance" is well known for actively recruiting cyber jihadists - with the stated goal of "penetrating US agencies" under the auspices of the American military.

"The author has now posted a YouTube video claiming credit for the worm. Although the YouTube user account he uses, 'iqziad,' is listed as being from Spain, it's pretty clear iraq_resistance is Libyan.  [For example], in January 2009, he posted a message detailing successes that the Brigades were having in penetrating (and destroying) computers belonging to US soldiers in Germany, Iraq and America," stated Stewart.

"And in [another] posting, he tells his cohorts that the hits to the counter from Libya were from his tests - apparently the group has been keeping records of computers they have infected with an unknown trojan (possibly Bifrost) using a stats page somewhere. He also says that 'the device which was destroyed in Egypt' was due to one of their own members who opened the malware on his own computer by mistake."