The person responsible for the "Here you have" email worm, which wreaked havoc last week on businesses across the United States, may be part of a cyber-jihad group upset over American military presence in Iraq.
The malware author, who uses the handle "iraq_resistance," is believed to be part of the cyber-jihad organization "Brigades of Tariq ibn Ziyad," whose goal is to digitally infiltrate U.S. Army agencies, Joe Stewart, director of malware research at SecureWorks, a network security company, told SCMagazineUS.com on Monday.
Researchers concluded this after determining that a worm launched last month, but on a much smaller scale, was connected to the "Here you have" outbreak, Stewart said.
The binaries to both worms contained a reference to the "iraq_resitance" alias, he said. Further investigation on the internet revealed that that same codename was used to write a 2008 forum post that attempts to recruit people to join the cyber-jihad group.
In addition, the handle was connected to a website defacement, in which the hacker describes himself as Libyan, and other forum posts, including a 2009 message which states that the cyber-jihad group has been successful in installing trojans on computers belonging to U.S. soldiers in Germany, Iraq and here, according to a Monday blog post authored by Stewart.
However, it is not clear what specifically he was after in last week's attack, aside from publicity for his cause.
"He may not have known exactly what he was after, but decided to cast a wide net," Stewart said.
In a video posted to YouTube, a person claiming to be the worm's creator discussed what prompted the attack.
"My name is Iraq Resistance," the person says in a computer-generated voice. "What I wanted to say is that the United States doesn't have the right to invade our people and steal the oil under the name of nuclear weapons. Have you seen any there?"
The culprit later admits he could have caused more damage had he wanted to.
"I could smash all those infected computers, but I wouldn't," he says on the video. "And don't use the word 'terrorist' please. I hope that all people understand that I am not a negative person."
At its peak on Thursday evening, the worm represented more than 14 percent of global spam, according to statistics from Cisco. The outbreak mostly died out by the following day but not before companies such as NASA, the Florida Department of Transportation, ABC, Comcast, AIG, Disney and Proctor & Gamble were affected by the self-propagating malware.
The spam messages contained a link that appeared to lead to a PDF file but actually directed users to a malicious .SCR executable. If users clicked on the link, they were prompted to install the worm, which attempted to disable security software and, in the spirit of the worms that crippled businesses nearly a decade ago, sent a copy of itself to all email contacts belonging to the victim.
In addition, the malicious file also downloaded more damaging components, such as keyloggers and password-extraction tools, Stewart said. The author, however, chose not to commit more damage, such as deleting hard drives, which he likely would have been able to do.
The worm stopped spreading once the domains serving the malware were taken offline, Stewart said. However, it also could spread to network nodes via PsExec, a Microsoft tool to execute processes on remote Windows systems, if a privileged domain administrator logs in to a "Here you have"-infected PC.
Stewart said he wouldn't be surprised to see politically motivated copycats emerge.
"People should definitely pay attention to this," he said. "People don't realize that some of these things can easily evade [anti-virus] defenses. If you weren't expecting it [an email with a link or attachment], you should always ping them back and say, 'What is this?'"
