The "Iranian Cyber Army" Strikes Back
It all began in December 2009, when a group of hacktivists who call themselves the “Iranian Cyber Army” defaced several popular websites around the globe, including Twitter and the Chinese search engine Baidu. The defacement pages included messages in English against the US embargo on Iran, as well as a message in Persian that stated “This is a warning”.
Fast forward to September 2010. The website of TechCrunch Europe, one of Europe’s most popular technology blogs, got hacked. The attackers installed a page which redirected the blog’s readers to a crime server. The crime server then executed a script which exploited a vulnerability to silently install malware on the visitors’ machines.
Much More than a Single Exploit
While investigating this incident, Seculert Research Lab found what seems to be a connection between the attack against TechCrunch Europe, as well as many other similar worldwide attacks, and the “Iranian Cyber Army” group. The crime server involved in these attacks didn’t use a script to exploit only one vulnerability; it was actually using a collection of exploits – aka an exploit kit.
There are numerous different exploit kits being sold in underground forums among cyber criminals. Competition in this crowded and lucrative market is driving authors to create exploit kits with sleek and sexy user interfaces, so the product will be more attractive to potential customers. One such example is the administration panel of the Phoenix exploit kit, which displays a stylish animation of a flying phoenix (Figure 1).
Figure 1 – Phoenix Exploit’s Kit Administration Panel
During our research of the crime server involved in these attacks, we were able to uncover the exploit kit’s administration panel, as well as its statistics page. As can be seen in Figures 2 and 3, the graphical user interface of these pages is quite primitive, to say the least. This leads us to believe that this exploit kit was developed to be used only by one group, and it is not being sold on the open market to other cyber criminals.
Figure 2 – “Iranian Cyber Army” Exploit Kit Administration Panel
Figure 3 – “Iranian Cyber Army” Exploit Kit Statistics Page
Substantiating the Iranian Connection
If you look closely at the title of the administration panel (Figure 2), you will notice the email address “Iranian.cyber.army@gmail.com”. This same email address was used by the “Iranian Cyber Army” group on their defacement attack pages. The group also signed their name as an HTML comment within the statistics page source code (Figure 4).
Figure 4 – “Iranian Cyber Army” Exploit Kit Statistics Page Source Code
Size Doesn’t Always Matter
According to the statistics page (Figure 3), there are currently over 400,000 “confirmed loads,” i.e., machines that were successfully exploited and infected with the malware. However, while tracking these numbers our research team noticed that once in a while the counter got reset, which means that the actual number of infected machines should be much larger. We also noticed that the number of loads per hour is kept steady at around 14,000. As we were able to track the use of this exploit kit back to August 2010, we can now extrapolate the number of machines that potentially got infected by this group of cyber criminals: 14,000 x 24 hrs x 60 days ~= 20 million infected machines!
Again, this is just a “guestimate”, and we understand that size doesn’t always matter. What really matters here is what the “Iranian Cyber Army” can do with such power. For now, what they do is lease part of their botnet to other groups, which then install different types of malware (Bredolab, Gozi, Zeus and others) on these controlled machines.
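To make the counter tracking and the extrapolation above concrete, here is an added Python example (not code from Seculert or the original post) that sums a resetting “confirmed loads” counter from constructed hourly samples and reproduces the 14,000 x 24 x 60 estimate; the sample values and timestamps are assumptions.

```python
from datetime import datetime

# Constructed observations of the statistics page's "confirmed loads" counter,
# one per hour. The numbers are made up for illustration and are not the
# values Seculert reported; the drop in the fourth sample models a reset.
SAMPLES = [
    (datetime(2010, 10, 1, 0, 0), 400_000),
    (datetime(2010, 10, 1, 1, 0), 414_000),
    (datetime(2010, 10, 1, 2, 0), 428_000),
    (datetime(2010, 10, 1, 3, 0), 2_000),   # counter reset since last sample
    (datetime(2010, 10, 1, 4, 0), 16_000),
]


def cumulative_loads(samples):
    """Return (loads observed since the first sample, number of resets).

    A counter that only increases is summed by its increments. A drop between
    two samples is taken as a reset: the new value is added whole, but any
    loads between the previous sample and the reset were never seen, so the
    result is a lower bound (why the post says the real figure is larger).
    """
    total, resets, prev = 0, 0, None
    for _, value in samples:
        if prev is not None:
            if value >= prev:
                total += value - prev
            else:
                resets += 1
                total += value
        prev = value
    return total, resets


def loads_per_hour(samples):
    """Average load rate over the sampled window, corrected for resets."""
    total, _ = cumulative_loads(samples)
    hours = (samples[-1][0] - samples[0][0]).total_seconds() / 3600
    return total / hours


def extrapolate(per_hour, days):
    """The post's back-of-the-envelope estimate: rate x 24 h x days.

    This counts loads as the kit reports them; whether every load is a
    distinct machine is not something the counter alone can show.
    """
    return per_hour * 24 * days


if __name__ == "__main__":
    total, resets = cumulative_loads(SAMPLES)
    print(f"{total} loads across {resets} reset(s), "
          f"{loads_per_hour(SAMPLES):.0f}/hour")
    print(f"Post's estimate: {extrapolate(14_000, 60):,} loads")
```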
Based on the timing of this latest wave of attacks, on the heels of the recent Stuxnet worm attack that allegedly targeted Iranian facilities, it appears reasonable to assume that the “Iranian Cyber Army” group has decided to move from simple defacement warnings to actual cybercrime activities.
Timeline
Interesting analysis. Actually it’s a little difficult to identify where these attacks come from. The name “Iranian Cyber Army” may just be used as a fantasy name. What do you think?
This is so stupid, why would Iranians hack a site and sign in their names? That is completely against the hacking concept. My guess is that it is the Mossad (the Stuxnet inventors) who are trying to cover their tracks by trying to defame the Iranians.
I wonder just how up to date each department in Iran is kept by other departments… I wouldn’t be surprised at all if the Stuxnet worm infection of Iran’s nuclear facilities was in fact a product of the Iranian Cyber Army itself… If these sources are accurate and are in fact true, I would think it would be advantageous to the world to nip these camel jockeys in the bud and destroy their IT infrastructure; a slightly less dramatic counter offer to the previous Anonymous post. Maybe a new project for the world’s anxious-yet-idle hackers?
“This is so stupid, why would Iranians hack a site and sign in their names?”
Because that’s a pretty common practice when defacing websites (especially in the case of political hacks)? Whatever the background of the ICA (I also have my doubts), I don’t agree at all with your comment.
Really? 20 million? Did you ever think that counter might be counting the same bots over and over again? How could you know what the number is used for and how or why it’s being reset? Seriously, this is a flawed analysis.
A false flag operation by Mossad to cover their tracks after Stuxnet.
Other than the name, anything that actually points at who you are blaming?
Perhaps this is the new scapegoat for all new script kiddies.
Mossad is not behind Stuxnet, nor are they behind this Iranian Cyber Army. They didn’t have anything to do with 9/11 either. It’s all paranoid delusions in the minds of those with inferiority complexes and megalomaniacal tendencies.
No, this Iranian Cyber Army is clearly the work of someone sitting in their parents’ basement, possibly looking at porn and feeling ashamed about it. It is so blatantly obvious the ‘brainchild’ of a very immature individual that might possess some decent programming skills but also a seriously disturbed mind with delusions of grandeur, probably influenced by religious brainwashing.
Bad behaviors are always done anonymously! If they are bad tasks and bad jobs, the actor should keep itself anonymous….
Propaganda and Iran-o-phobia.
The authors might have figured it out in the meantime: the “administrator interface” is completely fake (a honeypot to keep security experts busy…). So all the conclusions from these numbers don’t mean anything. Check the TLLOD blog for details:
http://blog.tllod.com/2010/11/03/statistics-dont-lie-or-do-they/