Malware, Vulnerability Management

“Iranian Cyber Army” cons fellow crooks with honeypot

Maybe the "Iranian Cyber Army" hasn't created a botnet as potent as first believed and simply is trying to put one over on white hats and fellow criminals.

Last week, researchers at cyberthreat management start-up Seculert discovered that the gang previously best known for defacements against Twitter and Baidu had shifted its operations to infecting machines with malware to amass a botnet.

Citing information from the group's crime server statistics page, researchers estimated that the botnet consisted of at least 400,000, but perhaps as many as 20 million, compromised machines.

But one security company, The Last Line of Defense (TLLOD), is questioning the lofty projection and believes that the botnet purveyors actually are hosting a fictitious administrator console, designed as a honeypot to trip up white-hat researchers and attackers trying to learn about the group's operations.

Based on reconnaissance into a recent spam run that pushes Zeus-laden emails claiming to come from the U.S. Electronic Federal Tax Payment System (EFTPS), the cyber gang's exploit toolkit actually contains a control interface supplying bogus data, Thorsten Holz, a senior threat analyst at TLLOD, told SCMagazineUS.com in an email.

The goal of the interface, in fact, is not to provide valid data but to gain insight into the competition, TLLOD researcher Brett Stone-Gross said in a blog post Wednesday.

"Note that it's common for most exploit toolkits to contain an admin interface that manages exploits, payloads, and tracks exploit success rates,"  he wrote. "However, the EFTPS exploit toolkit contains a completely fake admin console. This admin interface acts as a 'hacker honeypot' that records detailed information about who attempted to access the admin console, as well as who attempted to hack into it."

Aviv Raff, co-founder and CTO of Seculert, said that if TLLOD is right, he and his team might have fallen for the trick.

"According to the information they [TLLOD] present, the numbers in the statistics page [do] seem to be fake," Raff told SCMagazineUS.com via instant messenger. "If this is indeed fake, it would be interesting to know the real numbers." 

Holz tossed one more possibility into the ring.

"I am not sure if the Iranian Cyber Army guys are actually from Iran," he said. "The backend had lots of Russian comments, and I think this is just another attempt to confuse researchers."

That would run counter to Raff's belief that the Iranian Cyber Army moved from defacements to malware possibly out of revenge, amid reports that the Stuxnet worm predominantly has been invading control systems belonging to Iran.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.