A hacker group responsible for defacement attacks against Twitter and Baidu now appears to be amassing a mighty botnet, according to security researchers.
The "Iranian Cyber Army" rose to infamy late last year when its members compromised Twitter's DNS records to redirect visitors to a page announcing that the popular microblogging site had been hacked. A few weeks later, the same band of hackers launched a similar attack against Baidu, the leading Chinese search engine.
But now the Cyber Army appears to be shifting to more malicious activity than simple defacements, researchers at Seculert, a cyberthreat management start-up, said in a Sunday blog post.
Last month, the European website of the TechCrunch blog was hacked to serve malware to visitors, and Seculert researchers now believe that the Cyber Army was responsible. After studying the crime server's components, researchers determined that the exploit kit being used is custom built and unique to only one hacker group. In addition, the email address used on the server's administration panel matched the one used on the Twitter and Baidu defacement pages.
Since the Iranian group shifted its operations to malware, its exploit has been installed on at least 400,000 machines, the post said, citing information from the crime server's statistics page. But that number may actually exceed 20 million.
"[W]hile tracking these numbers, our research team noticed that once in a while, the counter got reset, which means the actual number of infected machines should be much larger," the post said. "What really matters here is what the Iranian Cyber Army can do with such power."
Aviv Raff, CTO of Seculert, said he is not sure what the botnet's ultimate goal is.
"Currently, they are doing it for money," Raff told SCMagazineUS.com on Monday in an interview on instant messenger. "They lease part of the botnet to other cybercriminals, [who] then install other types of malware," such as Zeus.
Raff said he finds the timing of the botnet's rise interesting, especially in light of reports that the Stuxnet worm has predominantly been invading control systems belonging to Iran. As a result, the Cyber Army may soon use the botnet as a means for revenge.
"Now, with the Stuxnet discovery, it's probably a matter of time until they'll use it as part of their 'hacktivism' campaigns," Raff said.