<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Warfare Monitor &#187; DDOS</title>
	<atom:link href="http://www.infowar-monitor.net/tag/ddos/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infowar-monitor.net</link>
	<description>Tracking Cyberpower</description>
	<lastBuildDate>Thu, 01 Dec 2011 16:11:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>South Korea botnet self-destructed after DDoS</title>
		<link>http://www.infowar-monitor.net/2011/07/south-korea-botnet-self-destructed-after-ddos/</link>
		<comments>http://www.infowar-monitor.net/2011/07/south-korea-botnet-self-destructed-after-ddos/#comments</comments>
		<pubDate>Wed, 06 Jul 2011 15:21:28 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Botnets]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[DDOS]]></category>
		<category><![CDATA[North Korea]]></category>
		<category><![CDATA[South Korea]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7809</guid>
		<description><![CDATA[<blockquote>
Source: <a href="http://www.zdnet.co.uk/news/security-threats/2011/07/07/mcafee-south-korea-botnet-self-destructed-after-ddos-40093345/" target="_blank">Tom Espiner</a>, ZDNet UK

The attack, which began on 4 March, 2011 and continued for 10 days, was launched from a network of compromised computers in South Korea. Once the attack ceased, the bots destroyed the host operating systems, forcing users to reinstall Windows.

"After the DDoS, the malware wiped the master boot record, creating extra problems for civilian users, wrecking the botnet and voluntarily destroying the infected machines' [operating systems]," McAfee researcher Georg Wicherski told ZDNet UK on Wednesday.

Botnets are normally preserved by their operators — the compromised computers can often be repurposed, and used to generate revenue.

While the aim of the attacks was simply to bludgeon South Korean military, banking and government websites, the methodology used was complex.



...

For full original article, see <a href="http://www.zdnet.co.uk/news/security-threats/2011/07/07/mcafee-south-korea-botnet-self-destructed-after-ddos-40093345/" target="_blank">here</a></blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.zdnet.co.uk/news/security-threats/2011/07/07/mcafee-south-korea-botnet-self-destructed-after-ddos-40093345/" target="_blank">Tom Espiner</a>, ZDNet UK</p>
<p>The attack, which began on 4 March, 2011 and continued for 10 days, was launched from a network of compromised computers in South Korea. Once the attack ceased, the bots destroyed the host operating systems, forcing users to reinstall Windows.</p>
<p>&#8220;After the DDoS, the malware wiped the master boot record, creating extra problems for civilian users, wrecking the botnet and voluntarily destroying the infected machines&#8217; [operating systems],&#8221; McAfee researcher Georg Wicherski told ZDNet UK on Wednesday.</p>
<p>Botnets are normally preserved by their operators — the compromised computers can often be repurposed, and used to generate revenue.</p>
<p>While the aim of the attacks was simply to bludgeon South Korean military, banking and government websites, the methodology used was complex.</p>
<p>The botnet command and control servers were arranged in multiple tiers according to a McAfee report (PDF) issued on Wednesday, while commands were sent to the bots in the form of encrypted binaries. A number of different encryption ciphers were used, including the US government standard AES, throughout the files.</p>
<p>&#8220;It&#8217;s not really necessary to use such a strong algorithm unless you want to delay analysis for as long as possible,&#8221; said Wicherski.</p>
<p>&#8230;</p>
<p>For full original article, see <a href="http://www.zdnet.co.uk/news/security-threats/2011/07/07/mcafee-south-korea-botnet-self-destructed-after-ddos-40093345/" target="_blank">here</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/07/south-korea-botnet-self-destructed-after-ddos/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber Attacks Against South Korea Were &#8216;War Drills&#8217; by the North</title>
		<link>http://www.infowar-monitor.net/2011/07/cyber-attacks-against-south-korea-were-war-drills-by-the-north/</link>
		<comments>http://www.infowar-monitor.net/2011/07/cyber-attacks-against-south-korea-were-war-drills-by-the-north/#comments</comments>
		<pubDate>Wed, 06 Jul 2011 14:31:54 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[DDOS]]></category>
		<category><![CDATA[North Korea]]></category>
		<category><![CDATA[South Korea]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7792</guid>
		<description><![CDATA[<blockquote>
Source: <a href="http://techland.time.com/2011/07/06/report-cyber-attacks-against-south-korea-were-war-drills-by-the-north/#ixzz1TsqOm1ua" target="_blank">Giles Turnbull</a>, Time

North Korea has been conducting "drills" for cyberwar against its southern neighbor using simple, but very effective denial-of-service attacks, according to security experts.
A team from McAfee looked into the attacks on South Korean internet networks in July 2009 and March this year, and concluded they were probably efforts by North Korea to test cyberwar weapons.
Those weapons are blunt and crude, but they work.

...


For full original article, see <a href="http://techland.time.com/2011/07/06/report-cyber-attacks-against-south-korea-were-war-drills-by-the-north/#ixzz1TsqOm1ua" target="_blank">here</a></blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://techland.time.com/2011/07/06/report-cyber-attacks-against-south-korea-were-war-drills-by-the-north/#ixzz1TsqOm1ua" target="_blank">Giles Turnbull</a>, Time</p>
<p>North Korea has been conducting &#8220;drills&#8221; for cyberwar against its southern neighbor using simple, but very effective denial-of-service attacks, according to security experts.</p>
<p>A team from McAfee looked into the attacks on South Korean internet networks in July 2009 and March this year, and concluded they were probably efforts by North Korea to test cyberwar weapons.<br />
Those weapons are blunt and crude, but they work.</p>
<p>First, the attackers built a botnet &#8211; an army of slave PCs &#8211; by luring people to download free stuff from a popular file sharing site. Lurking inside the downloaded files were trojan horses, designed to install code on the hapless PCs and tie them to the botnet.</p>
<p>Later, when the command came from above, every single machine in that network would flood certain South Korean websites with requests, effectively bringing them down. That&#8217;s what&#8217;s known as a distributed denial-of-service attack, or DDoS.</p>
<p>&#8230;</p>
<p>For full original article, see <a href="http://techland.time.com/2011/07/06/report-cyber-attacks-against-south-korea-were-war-drills-by-the-north/#ixzz1TsqOm1ua" target="_blank">here</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/07/cyber-attacks-against-south-korea-were-war-drills-by-the-north/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New group of hacktivists claim downing of MasterCard website</title>
		<link>http://www.infowar-monitor.net/2011/06/new-group-of-hacktivists-claim-downing-of-mastercard-website/</link>
		<comments>http://www.infowar-monitor.net/2011/06/new-group-of-hacktivists-claim-downing-of-mastercard-website/#comments</comments>
		<pubDate>Wed, 29 Jun 2011 17:09:56 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Breachfest 2011]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[DDOS]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7678</guid>
		<description><![CDATA[<blockquote>Source: <a href="http://www.infosecurity-us.com/view/19028/new-group-of-hacktivists-claim-downing-of-mastercard-website/" target="_blank">Infosecurity</a>

The AntiSec movement was one of the last public cause statements issued by the LulzSec hacktivist group before it disbanded over the weekend, Infosecurity notes.

MasterCard isn't commenting on the DDoS attack, but some news wire reports suggest that access to the site was intermittent in some areas of the world, notably the US and UK, for several hours yesterday.

According to the Softpedia news wire, a hacker using the name Ibom Hacktivist posted messages on the Twitter microblogging services yesterday, attributing the DDoS attacks to the WikiLeaks cause.

...

For full original article, see <a href="http://www.infosecurity-us.com/view/19028/new-group-of-hacktivists-claim-downing-of-mastercard-website/" target="_blank">here</a></blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.infosecurity-us.com/view/19028/new-group-of-hacktivists-claim-downing-of-mastercard-website/" target="_blank">Infosecurity</a></p>
<p>The AntiSec movement was one of the last public cause statements issued by the LulzSec hacktivist group before it disbanded over the weekend, Infosecurity notes.</p>
<p>MasterCard isn&#8217;t commenting on the DDoS attack, but some news wire reports suggest that access to the site was intermittent in some areas of the world, notably the US and UK, for several hours yesterday.</p>
<p>What is interesting, however, is that the site was accessible in some areas of Europe when it was apparently being DDoS-ed in the US and UK, suggesting that the IP route diversification that MasterCard said it was deploying following previous attacks may have worked.</p>
<p>According to the Softpedia news wire, a hacker using the name Ibom Hacktivist posted messages on the Twitter microblogging services yesterday, attributing the DDoS attacks to the WikiLeaks cause.</p>
<p>&#8230;</p>
<p>For full original article, see <a href="http://www.infosecurity-us.com/view/19028/new-group-of-hacktivists-claim-downing-of-mastercard-website/" target="_blank">here</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/06/new-group-of-hacktivists-claim-downing-of-mastercard-website/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Syrian Electronic Army: Disruptive Attacks and Hyped Targets</title>
		<link>http://www.infowar-monitor.net/2011/06/syrian-electronic-army-disruptive-attacks-and-hyped-targets/</link>
		<comments>http://www.infowar-monitor.net/2011/06/syrian-electronic-army-disruptive-attacks-and-hyped-targets/#comments</comments>
		<pubDate>Sat, 25 Jun 2011 16:40:04 +0000</pubDate>
		<dc:creator>Information Warfare Monitor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[DDOS]]></category>
		<category><![CDATA[Defacement]]></category>
		<category><![CDATA[MENA]]></category>
		<category><![CDATA[Syria]]></category>
		<category><![CDATA[Syrian Electronic Army]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7538</guid>
		<description><![CDATA[<blockquote>
In this report, the IWM continues to examine the Syrian Electronic Army's activities, their online targets, and the impact of their attacks.</blockquote>
]]></description>
			<content:encoded><![CDATA[<p><a href="#u1">See the latest Update</a></p>
<p><strong>Introduction</strong></p>
<p>In <a href="http://www.infowar-monitor.net/2011/05/7349/">The Emergence of Open and Organized Pro-Government Cyber Attacks in the Middle East: The Case of the Syrian Electronic Army</a>, the Information Warfare Monitor’s Helmi Noman started documenting the activities of the Syrian Electronic Army (SEA), which appears to be a case of an open and organized pro-government computer attack group that is actively targeting political opposition and Western websites. That report documented how Syria has become the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies.</p>
<p>In this report, the IWM continues to examine the SEA’s activities, their online targets, and the impact of their attacks.</p>
<p><strong>Overview</strong></p>
<p>On June 20, 2011, the president of Syria, Bashar al-Assad, stated his appreciation for the SEA’s efforts and described it as <a href="http://www.al-bab.com/arab/docs/syria/bashar_assad_speech_110620.htm">a real army in virtual reality</a> in a televised speech to the nation.  The <a href="http://www.syrian-es.com/2011-05-10-18-40-09/187-2011-06-20-14-35-44.html">SEA stated on its website</a> that it was honored by the mention in the Presidential speech but reiterated that it is not affiliated with any government entity.  Although we have no concrete evidence linking the SEA to the Syrian regime, the President&#8217;s statement, and the fact that the group is able to operate with impunity over Syrian networks, shows at least tacit support for their activities.</p>
<p>The SEA continues to claim responsibility for defacing or otherwise compromising scores of websites that it contends spread news hostile to the Syrian regime. After a 4-day countdown meant to build anticipation, the SEA announced the defacement of over 130 websites and has continued to release the URLs of more defaced pages every few days. Although we verified that most of the websites were indeed defaced, the vast majority of the affected pages were online businesses and blogs with no apparent political content.</p>
<p>The SEA has intensified its efforts to target Israeli websites based on claims that some of these sites contain content that is antagonistic to Syria and Palestine, and also supposedly as revenge on Facebook for continually disabling the SEA’s pages. The SEA did not provide details explaining why they perceive Facebook to be related to Israel. Although one of the targeted sites was associated with an Israeli member of Knesset, the majority had no political content. Many of these defaced sites share IP addresses, indicating that far fewer compromises actually occurred than what appears upon first glance.</p>
<p>The SEA has continued with the Facebook comment spamming campaigns we described in <a href="http://www.infowar-monitor.net/2011/05/7349/">our last report</a>. They also recently linked to a video that documents defacement of five Facebook pages of Syrian political opposition groups, changing the profile picture of each to the SEA logo.</p>
<p>The group and its affiliates continue to disseminate denial of service (DoS) software designed to target media organization websites. We have acquired and analyzed the software and found that it is designed to perform denial of service on the websites of Al Jazeera, BBC News, Syrian satellite broadcaster Orient TV, and Dubai-based al-Arabia TV. A group calling itself the “Syrian Hackers School” has a Facebook page that promotes the DoS tool, recruits members, and provides links to resources for learning how to compromise vulnerable websites.</p>
<p>The SEA has also started to infiltrate a number of Syrian political opposition Facebook pages and replace the original content with  SEA logos and post pro-regime messages.</p>
<p><strong>Syrian Electronic Army Attacks on Hyped Targets</strong></p>
<p>Following the SEA&#8217;s announcement of mass defacements we verified that most of the websites were indeed defaced at the time, some by the handle  “ArabAttack”, whose name has also appeared on previous SEA defacements, and others by “The Shadow”, whom we had not seen before. Other handles seen previously, such as “The Pr0”, “Saqer Syria”, “Sy Team” and “al3rab” did not appear in any of the new defacements  (See <a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-1.png">Figure 1</a>).</p>
<p>&nbsp;</p>
<p><img class="alignnone size-full wp-image-79" style="border: 1px solid #000000;" title="ioc" src="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-1.png" alt="cbc" width="625" height="174" /><br class="clear" /></p>
<ul> <em><a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-1.png">Figure 1</a>: Defaced sites by date and attacker.</em></ul>
<p>&nbsp;</p>
<p>The 122 domains the SEA claimed responsibility for attacking on June 4th resolve to only 15 unique IP addresses, which indicates that the high volume of sites was likely due to a few mass defacements achieved by exploiting a single vulnerability on a shared web server (See <a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-2.png">Figure 2</a>).</p>
<p>&nbsp;<br />
<img class="alignnone size-full wp-image-79" style="border: 1px solid #000000;" title="ioc" src="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-2.png" alt="cbc" width="625" height="441" /><br class="clear" /></p>
<ul> <em><a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-2.png">Figure 2</a>: Claimed defacements by IP and country, May 16 &#8211; June 19, 2011.</em></ul>
<p>&nbsp;</p>
<p>The first URL reported to be defaced by the SEA, http://o3touch.com, had an HTML tag inserted into it causing a redirect to http://justnulled.com/i/ind.htm, with a defacement image from ArabAttack claiming responsibility under the banner of the SEA. The SEA’s announcement stated that the compromise was committed as a protest against US interference in Syrian domestic affairs, and also mentioned Microsoft. However, the site in question is actually an Israel-based company that sells software for Windows Mobile phones. Both o3touch.com and justnulled.com resolve to the same IP address, suggesting that both sites may have been compromised through a single breach. On the other hand, we were also able to confirm that the redirect tag had been injected into a database table, whereas the target page would likely have needed to be uploaded directly to the site, indicating a possible second vulnerability.</p>
<p>The majority of the defaced sites were announced in the SEA’s three subsequent posts. Once again, these were almost all online business websites, and most of them had the Internet country code top-level domain (ccTLD) for the Netherlands (.nl). These defacements were claimed by The Shadow, who, like ArabAttack, explicitly mentioned the Syrian Electronic Army.</p>
<p>We verified that most of these websites were indeed defaced at the time, and also found that 95 of the sites had been previously defaced on May 13, 2011 by an entity calling itself Reza_0o0, associated with “Iranian Hackers.” (We cannot confirm if this entity is a single person or a group of attackers). Most of these websites still carried Reza_0o0’s defacement  in addition to the defacement text placed by the SEA. Unlike the SEA, which defaced the front page of each site, Reza_0o0 “tagged” the sites in a more subtle way, leaving a file named r.htm accessible at the root of each site. For example, the site at http://aaddejong.nl by default looked like <a href="http://ext.infowar-monitor.net/aaddejong.nl.html">Figure 3</a> (below), but Reza_0o0’s defacement text can still be accessed at http://aaddejong.nl/r.htm (See <a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-4.png">Figure 4</a>).</p>
<p>&nbsp;</p>
<p><iframe src="http://ext.infowar-monitor.net/aaddejong.nl.html" style="border: 0" width="590" height="400" frameborder="0" scrolling="yes"></iframe><br />
&nbsp;</p>
<ul> <em><a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-3.png">Figure 3</a>: IWM mirror of http://aaddejong.nl as defaced by the Syrian Electronic Army.</em></ul>
<p>&nbsp;</p>
<p><img class="alignnone size-full wp-image-79" style="border: 1px solid #000000;" title="ioc" src="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-4.png" alt="cbc" width="590" height="519" /><br class="clear" /></p>
<ul> <em><a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-4.png">Figure 4</a>: Screenshot of http://aaddejong.nl/r.htm as defaced by Reza_0o0.</em></ul>
<p>&nbsp;</p>
<p>Reza_0o0 reported and uploaded screenshots of the affected websites to zone-h.org, an online archive of defaced websites, on May 13, 2011. As of June 25, 2011 Reza_0o0 <a href="http://www.zone-h.org/archive/notifier=Reza_0o0">had reported a total of 945 defaced websites</a>, of which 773 were mass defacements, since December 11, 2010.</p>
<p>The fact that these pages were defaced by both an Iranian entity and the SEA may indicate some kind of collaboration between them. We will explore such connections in our ongoing research efforts. However, it is more likely that these were soft targets, chosen for the ease of breaching them. Both the SEA and Reza_0o0 left traces to external websites via &lt;img&gt; tag references &#8211; The Shadow left a link to the Arabic underground hacking forum http://www.aljyyosh.com, and Reza_0o0 linked to a now-missing image hosted on a server which contains an open directory of web hacking tools.</p>
<p><strong>Defacement Attacks on Israeli Websites</strong></p>
<p>In another of the June 4 SEA announcements the group claimed responsibility for compromising 6 websites that it described as <a href="http://www.syrian-es.com/index.php/2011-05-26-16-21-27/152--10-.html">top Israeli websites that spread poisonous [information] and instigate killing of our Palestinian brothers.</a></p>
<p>We confirmed that the websites were defaced, and found that none of the 6 targeted sites were news websites or carried content related to Syria or Palestine. The websites included an online shop, a plastic products company, and personal websites. The defacement text left on those websites read:</p>
<blockquote><p>“Hacked by Arab Attack under the Brigade of the Syrian Electronic Army to commemorate the Naksa Day.” (See <a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-5.png">Figure 5</a>).</p></blockquote>
<p>Naksa Day (day of setback) is the annual day of commemoration (June 5) for the Palestinian people of the displacement that followed Israel&#8217;s victory in the 1967 Six-Day War.</p>
<p>&nbsp;</p>
<p><img class="alignnone size-full wp-image-79" style="border: 1px solid #000000;" title="ioc" src="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-5.png" alt="cbc" width="590" height="447" /><br class="clear" /></p>
<ul> <em><a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-5.png">Figure 5</a>: Screenshot of an Israeli plastic products company defaced by the Syrian Electronic Army.</em></ul>
<p>&nbsp;</p>
<p>On June 7, 2011, the SEA announced it compromised more Israeli websites; <a href="http://www.syrian-es.com/index.php/2011-05-26-16-21-27/163-2011-06-07-19-03-59.html ">the website of the Israeli Member of Knesset</a> Arieh Eldad (http://www.arieheldad.com) and a <a href="http://www.syrian-es.com/index.php/2011-05-26-16-21-27/164-2011-06-07-19-47-04.html">tourism site</a> (http://soloisraele.com). The SEA said it deleted all content on the sites and claimed to target these Israeli websites “as a revenge from Facebook which keeps removing our pages” but did not explain what connection there was between Facebook and Israel. We verified that the website of the Member of Knesset was defaced with the following message:</p>
<blockquote><p>The Golan Heights, Shebaa Farms, Kfarshuba Hills and the entire Palestinian territory is a Syrian land taken from us by force and by force we&#8217;ll return and liberate it soon (See <a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-6.png">Figure 6</a>).</p></blockquote>
<p>&nbsp;</p>
<p><img class="alignnone size-full wp-image-79" style="border: 1px solid #000000;" title="ioc" src="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-6.png" alt="cbc" width="590" height="258" /><br class="clear" /></p>
<ul> <em><a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-6.png">Figure 6</a>: Screenshot of defaced website of Israeli Member of Knesset Arieh Eldad.</em></ul>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p>On June 12, 2011, the SEA claimed responsibility for compromising two more Israeli websites and said these targets were chosen as <a href="http://www.syrian-es.com/index.php/2011-05-26-16-21-27/173-2011-06-12-20-11-19.html">part of an operation to cleanse up the web from Israeli websites that promote hatred towards the Palestinian people</a>. We confirmed that the two websites were defaced and found that neither had political content. One of the sites is an online directory of lawyers in Israel (http://www.lawyerfinder.co.il), and the other is a blog about personal computers (http://www.pc-blog.co.il). The defacement text was the same as in <a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-6.png">Figure 6</a>.</p>
<p>On <a href="http://www.syrian-es.com/2011-05-26-16-21-27/178-2011-06-15-16-35-45.html">June 15, 2011</a>, the SEA defaced the website of the Center for Small Business in Israel (http://ismbc.co.il), and on <a href="http://www.syrian-es.com/2011-05-26-16-21-27/185-2011-06-19-19-00-18.html">June 19, 2011</a> the website of the Israel Chemical Society (http://www.chemistry.org.il).</p>
<p>We found that all of the targeted Israeli domains resolve to the same IP address: 109.73.160.8. This is the same address for two of the domains claimed by the SEA on June 4th (o3touch.com and justnulled.com), and at least one of the newer sites, soloisraele.com, was compromised via the same HTML redirect injection used against o3touch.com. However, other websites were defaced by a different method, possibly through the same vulnerability that gave the attacker access to justnulled.com. By using a reverse IP lookup  we were also able to find two more defaced sites that the SEA did not announce on their site.  In contrast with the strategy used for the Dutch domains on June 4, where they announced a large number of defacements at once, the SEA opted to deface and publicize these Israeli sites a few at a time, possibly  to maintain the hype surrounding their activities without having to find new vulnerable targets (See <a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-7.png">Figure 7</a>).</p>
<p>&nbsp;</p>
<p><img class="alignnone size-full wp-image-79" style="border: 1px solid #000000;" title="ioc" src="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-7.png" alt="cbc" width="590" height="564" /><br class="clear" /></p>
<ul> <em><a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-7.png">Figure 7</a>: IP addresses of confirmed defaced websites.</em></ul>
<p>&nbsp;</p>
<p><strong>Defacements by Affiliated groups </strong></p>
<p>In the last of their June 4 announcements, the SEA announced that other groups of Arab hackers targeted 10 websites it described as <a href="http://www.syrian-es.com/index.php/2011-05-26-16-21-27/153--10-.html">American and British news websites</a> as a contribution to the SEA. We verified that the websites were defaced and found that none appeared to be news websites. Rather, they were websites of private companies, blogs and forums based mostly in Brazil, and one in Thailand (listed below).</p>
<blockquote><p>http://vagood.com</p>
<p>http://rocco-huahin.com</p>
<p>http://ssfiberglass.co.th</p>
<p>http://ascendantjustice.com</p>
<p>http://ahoraesnoticia.com</p>
<p>http://folhadoconisud.com.br</p>
<p>http://chaos-na30.com</p>
<p>http://imoveisjc.com.br</p>
<p>http://tribusites.com.br</p></blockquote>
<p>The defacement text on these websites read:</p>
<blockquote><p><em>Hacked by<br />
Yemen Hackers<br />
Muslim Hackers<br />
Arab Hackers<br />
For Free Palestine</em></p></blockquote>
<p>The defacement page displayed the flags of Palestine, Syria, Egypt, Yemen, Lebanon, and a banner that read “Third Palestinian Intifada.” (See <a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-8.png">Figure 8</a> and <a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-9.png">Figure 9</a>).</p>
<p>&nbsp;</p>
<p><img class="alignnone size-full wp-image-79" style="border: 1px solid #000000;" title="ioc" src="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-8.png" alt="cbc" width="590" height="393" /><br class="clear" /></p>
<ul> <em><a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-8.png">Figure 8</a>: Screenshot of a defaced Thai website.</em></ul>
<p>&nbsp;</p>
<p><img class="alignnone size-full wp-image-79" style="border: 1px solid #000000;" title="ioc" src="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-9.png" alt="cbc" width="590" height="373" /><br class="clear" /></p>
<ul> <em><a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-9.png">Figure 9</a>: Screenshot of a defaced Brazilian website.</em></ul>
<p>&nbsp;</p>
<p><strong>Denial of Service and the Syrian Hackers School </strong></p>
<p>The Syrian Electronic Army and other pro-regime groups have started what constitutes a virtual academy to recruit and educate sympathizers on how to use Denial of Service (DoS) software and computer exploitation and infiltration techniques. Earlier this month, the group posted an announcement on Facebook seeking recruits who speak different languages, and provided an email address for interested individuals to send details and time of availability (See <a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-10.png">Figure 10</a>). </p>
<p>&nbsp;</p>
<p><img class="alignnone size-full wp-image-79" style="border: 1px solid #000000;" title="ioc" src="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-10.png" alt="cbc" width="506" height="313" /><br class="clear" /></p>
<ul> <em><a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-10.png">Figure 10</a>: Screenshot of the SEA Facebook announcement</em></ul>
<p>&nbsp;</p>
<p>We acquired the DoS software “Bunder Fucker 1.0” from the links available on the SEA’s Facebook pages. The software’s interface indicates that it was developed by a person known as Alex Izeld. The software is named after Bandar bin Sultan, a prince of the Saudi royal family who had served as the Kingdom’s ambassador to the USA. The interface displays an image of Bandar bin Sultan beside an image of a donkey (an insulting combination in Arabic culture) as a logo (See <a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-11.png">Figure 11</a>). Syrian local media have accused the <a href="http://www.albaathmedia.sy/index.php?option=com_content&amp;view=article&amp;id=32294:%D8%AA%D9%81%D8%A7%D8%B5%D9%8A%D9%84-%D8%AE%D8%B7%D8%A9-%D8%A8%D9%86%D8%AF%D8%B1-%D8%A8%D9%86-%D8%B3%D9%84%D8%B7%D8%A7%D9%86-%D9%84%D9%80-%D8%AA%D8%AF%D9%85%D9%8A%D8%B1-%D8%B3%D9%88%D8%B1%D9%8A%D8%A7&amp;catid=142:slide">Saudi prince of conspiring to destroy the country</a>.</p>
<p>&nbsp;</p>
<p><img class="alignnone size-full wp-image-79" style="border: 1px solid #000000;" title="ioc" src="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-11.png" alt="cbc" width="590" height="556" /><br class="clear" /></p>
<ul> <em><a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-1.png">Figure 11</a>: Screenshot of Facebook that distributes links to download the DoS software.</em></ul>
<p>&nbsp;</p>
<p>The software targets four news websites: Al Jazeera (www.aljazeera.net), BBC News (www.bbc.co.uk), Syrian satellite broadcaster Orient TV (www.orient-tv.net), and Dubai-based al-Arabia TV (www.alarabiya.net). The group claims the four websites were targeted because they spread biased and hostile information about the protests in Syria.</p>
<p>In an ironic twist, pro-revolution hackers have re-purposed the same software to target Syrian government and pro-regime websites. The alternative version was made available through opposition websites and a <a href="http://xacker.wordpress.com/2011/04/27/%D8%A8%D8%B1%D9%86%D8%A7%D9%85%D8%AC-%D8%A7%D9%84%D8%AC%D9%8A%D8%B4-%D8%A7%D9%84%D8%A7%D9%84%D9%83%D8%AA%D8%B1%D9%88%D9%86%D9%8A-%D8%A7%D9%84%D8%B3%D9%88%D8%B1%D9%8A-%D9%8A%D9%88%D8%AC%D9%87-%D8%B6/">blog containing pro-revolution content and information on computer exploitation and infiltration</a>. The targeted sites were the website of government General Organization of Radio and TV (rtv.gov.sy), Addounia TV station (addounia.tv), and Syrian news websites syriarose.com and syria-news.com (See <a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-12.png">Figure 12</a>).</p>
<p>&nbsp;</p>
<p><img class="alignnone size-full wp-image-79" style="border: 1px solid #000000;" title="ioc" src="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-12.png" alt="cbc" width="410" height="334" /><br class="clear" /></p>
<ul> <em><a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-12.png">Figure 12</a>: Version of the DoS tool modified by pro-revolution hackers.</em></ul>
<p>&nbsp;</p>
<p>Our analysis of the software reveals that it is a simple denial of service tool, meant to be used by many people at once as part of a manual distributed DoS attack. It is packed (compressed and obfuscated) using PECompact, which is relatively easy to unpack. The ease of unpacking the program may explain why it was re-purposed against pro-Syrian sites; once unpacked, only minor changes to text fields are necessary to turn it against its creator. These kinds of alterations are exactly what happened with the “Syrian Gov Pigs (PIMPED BY XACKER)” version of the tool: only text fields have been changed, and even the original pro-Syrian images remain.</p>
<p>The program allows users to select one of four targets, set the number of parallel execution threads and how many connections to make per thread, and then connects to that website repeatedly over TCP. The TCP connections are established and closed normally, which is unlike other DDoS tools that attempt to leave connections in half-open states. This full-connection attack is very simple and “loud”, and relies entirely on the number of simultaneous connections at any given time to overwhelm the target. While the attack is very basic and can be implemented very easily, it can still be effective when used by many people at the same time.</p>
<p>In addition, the SEA and its supportive groups direct sympathizers to various related resources, including websites that have already been compromised, and encourage them to practice their skills on the compromised websites. One of the Facebook pages that disseminates resources for computer exploitation and infiltration techniques belongs to a group calling themselves the <a href=" http://www.facebook.com/School.Hacker">Syrian Hackers School</a>. In the screenshot below (See <a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-13.png">Figure 13</a>), the page owner for the Syrian Hackers School posts a list of compromised websites and explains that the exploited shell is available for users to manipulate.</p>
<p>&nbsp;</p>
<p><img class="alignnone size-full wp-image-79" style="border: 1px solid #000000;" title="ioc" src="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-13.png" alt="cbc" width="590" height="284" /><br class="clear" /></p>
<ul> <em><a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-13.png">Figure 13</a>: Screenshot of Facebook page School Hacker publicizing a compromised website.</em></ul>
<p>&nbsp;</p>
<p>We examined the website and found that it had indeed been compromised and that it was available for, and vulnerable to, further exploitation (See <a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-14.png">Figure 14</a>). The technique used is known as SQL database injection, which exploits a security vulnerability occurring in the database layer of an application. This technique seems to be commonly used by the SEA and it is demonstrated in YouTube clips that document SEA attacks. Many of these video clips are posted on the <a href="http://www.youtube.com/user/syrianes1">group’s YouTube channel</a>.</p>
<p>&nbsp;</p>
<p><img class="alignnone size-full wp-image-79" style="border: 1px solid #000000;" title="ioc" src="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-15.png" alt="cbc" width="590" height="353" /><br class="clear" /></p>
<ul> <em><a href="http://www.infowar-monitor.net/wp-content/uploads/2011/06/Figure-15.png">Figure 14</a>: Screenshot of a compromised website publicized by the Syrian Hacker School Facebook page<br />
</em></ul>
<p><em> </em></p>
<p><strong>Compromising Opposition Facebook Pages<br />
</strong><br />
Starting on June 20, the SEA began to compromise and infiltrate opposition Facebook pages and replace their anti-regime logos with that of the SEA (see <a href="http://syrian-es.com/2011-05-26-16-21-27/190-2011-06-20-23-14-23.html">here</a> and <a href="http://syrian-es.com/2011-05-26-16-21-27/193--2262011.html">here</a>). Through access to these pages the SEA posted pro-regime messages and graphics, but the original titles of the pages remained intact. Seventeen pages were infiltrated as of June 23. One of the pro-revolution pages allegedly published the names of the regime informants in Damascus, and another page was dedicated to thanking Turkey&#8217;s Prime Minister Recep Tayyip Erdogan for “standing with the Syrian people.”</p>
<p>Anti-regime postings continued to appear in these pages and the number of each page’s fans has dropped significantly after the infiltration.</p>
<p>The SEA posted to its YouTube channel a video clip showing how it “attacked” the Facebook pages and how it replaced their logos with its own. At the time of publication, we are not able to conclusively determine how the compromise was technically implemented.</p>
<p><strong>Conclusion </strong></p>
<p>The Syrian Electronic Army’s recent activities are noteworthy for two reasons. First, the SEA re-defaced websites that were already defaced by an Iranian entity two weeks earlier. It is possible that the SEA has been able to exploit the same security vulnerabilities that the Iranian entity had exploited to re-deface these websites. However, it is also possible &#8212; though we assess it to be of low probability &#8212; that the two parties are working together and that the Iranian entity gave the Syrian group backdoor access to the affected websites. We do not have sufficient evidence to support either hypothesis at the time of writing.</p>
<p>Second, it is interesting that the SEA continues to deface websites that it describes as hostile and responsible for antagonistic content, when the websites are mostly online businesses or personal websites not related to Syrian politics or the politics of the region. The SEA may be seeking publicity by claiming political significance to otherwise non-political websites, and targeting these web sites because they are simply vulnerable opportunities.</p>
<p>On the other hand, the SEA’s actions, regardless of the target, raise questions about the legal responsibility and international consequences of activities that manipulate and disrupt online businesses and personal websites in foreign jurisdictions. Such questions are particularly noteworthy when the group has a public online presence on a national network, and with the apparent blessing of the country’s president, vows to continue to engage in computer network exploitation.</p>
<p>&nbsp;</p>
<p><a name="u1">Update June 25 2011</a></p>
<p>The SEA has claimed responsibility for attacking <a href="http://syrian-es.com/2011-05-26-16-21-27/198-2011-06-24-21-40-21.html">the website of the French embassy in Damascus on June 24, 2011</a> and <a href="http://www.syrian-es.com/2011-05-26-16-21-27/200%E2%80%9410-a-.html">10 Israeli websites on June 25, 2011</a>. </p>
<p>Users who try to access the news page of the French embassy in Damascus (http://www.ambafrance-sy.org/spip.php?rubrique112) are redirected to http://th3pro.pro/fr/ and shown a page with text in French and Arabic claiming the defacement attack was to protest the “negative stand of the French government on Syria” and its participation in the “conspiracy against Syria”. The message also states the attack was to protest the inaccurate report of French news channel France 24 <a href="http://www.guardian.co.uk/world/2011/jun/08/syrian-ambassador-france-denies-resignation">concerning the resignation of the Syrian Ambassador to France</a>. The defacement page includes photos of supposedly pro-regime demonstrations in Syria, and is signed by the two SEA-affiliated handles SaQeR SyRia and The PR0. </p>
<p>We also verified that the Israeli websites below were defaced by the SEA-affiliated handles SaQeR.SyRia and THe PR0. </p>
<blockquote><p>http://dealbekef.com/xn--8dbambabac0bzb0ax6ack.co.il/</p>
<p>http://סרטלצפייהישירה.co.il/</p>
<p>http://וילותלמסיבתרווקים.co.il/</p>
<p>http://dealbekef.com/xn--cebafbscrd.co.il/</p>
<p>http://סרטיםצפייהישירה.co.il/</p>
</blockquote>
<p>The defacement pages left on these sites read:</p>
<blockquote><p>We Are the Syrian People , We Love our President Bashar Al Assad and we are going to return our Jolan Back , our Missiles will be landing on each one of you if you ever think of attacking our beloved land SYRIA<br />
SaQeR.SyRia@Gmail.com
</p></blockquote>
<p>All of the affected websites are on the single IP 84.154.80.154 and hosted by a US-based server. None of these Israeli websites appear to contain political content. </p>
<p>The Information Warfare Monitor will continue to track and document SEA activities. </p>
<p><strong>About the Information Warfare Monitor </strong></p>
<p>The Information Warfare Monitor (IWM) is an advanced research activity tracking the emergence of cyberspace as a strategic domain. The IWM is a public-private venture between two Canadian institutions: the Citizen Lab at the Munk School of Global Affairs, University of Toronto and The SecDev Group, an operational consultancy based in Ottawa, Canada.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/06/syrian-electronic-army-disruptive-attacks-and-hyped-targets/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Breachfest 2011 Continues</title>
		<link>http://www.infowar-monitor.net/2011/06/breachfest-2011-continues/</link>
		<comments>http://www.infowar-monitor.net/2011/06/breachfest-2011-continues/#comments</comments>
		<pubDate>Thu, 23 Jun 2011 19:22:16 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Anonymous]]></category>
		<category><![CDATA[AntiSec]]></category>
		<category><![CDATA[Belarus]]></category>
		<category><![CDATA[Brazil]]></category>
		<category><![CDATA[Breachfest 2011]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[CIA]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[DDOS]]></category>
		<category><![CDATA[IMF]]></category>
		<category><![CDATA[lulzsec]]></category>
		<category><![CDATA[Vietnam]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7526</guid>
		<description><![CDATA[<blockquote>
The flood of news of breaches against high profile organizations that Ron Deibert has dubbed <a href="http://www.montrealgazette.com/technology/BreachFest+sound+funny+expert+says+digital+security+been+concern+years/4891469/story.html">Breachfest 2011</a> remains in <a href="http://news.cnet.com/8301-27080_3-20071830-245/keeping-up-with-the-hackers-chart/?tag=mncol;txt">full force</a>. <a href="http://www.reuters.com/article/2011/06/13/us-cybersecurity-usa-senate-idUSTRE75C5JI20110613">Last week, LulzSec broke into the Senate’s computer network </a>and released files while publicly stating, “We don’t like the U.S. government very much,” adding, “This is a small, just-for-kicks release of some internal data from Senate.gov—is this an act of war, gentlemen?”  The group also claimed responsibility for a distributed denial of service (DDoS) attack against the CIA’s public Web site and <a href="http://www.net-security.org/secworld.php?id=11181">released 62,000 email and password combinations from an unknown source</a>. </blockquote>]]></description>
			<content:encoded><![CDATA[<p><strong>Breachfest 2011 Continues</strong></p>
<p>The flood of news of breaches against high profile organizations that Ron Deibert has dubbed <a href="http://www.montrealgazette.com/technology/BreachFest+sound+funny+expert+says+digital+security+been+concern+years/4891469/story.html">Breachfest 2011</a> remains in <a href="http://news.cnet.com/8301-27080_3-20071830-245/keeping-up-with-the-hackers-chart/?tag=mncol;txt">full force</a>. <a href="http://www.reuters.com/article/2011/06/13/us-cybersecurity-usa-senate-idUSTRE75C5JI20110613">Last week, LulzSec broke into the U.S. Senate’s computer network </a>and released files while publicly stating, “We don’t like the U.S. government very much,” adding, “This is a small, just-for-kicks release of some internal data from Senate.gov—is this an act of war, gentlemen?”  The group also claimed responsibility for a distributed denial of service (DDoS) attack against the CIA’s public Web site and <a href="http://www.net-security.org/secworld.php?id=11181">released 62,000 email and password combinations from an unknown source</a>. </p>
<p><a href="http://www.theglobeandmail.com/news/technology/tech-news/hacking-group-says-they-do-it-for-the-lulz/article2065012/">Rafal Rohozinski contends</a> that the rise of political as opposed to profit-driven breaches is an indication of the “digital-native generation” flexing its muscles—expressing its political views and social values via online activism—that “hacking is a nascent form of politics”:</p>
<blockquote><p>“You’ve got this new generation of digital natives, generally people between the ages of 14 to 25, who have grown up with this technology. That generation is coming of age, so to speak, in terms of having political views, social values, and the way they’re starting to express that is through online activism.”
</p></blockquote>
<p>For instance, it is understood that LulzSec defaced the PBS website in reaction to <a href="http://blogs.forbes.com/parmyolson/2011/05/31/interview-with-pbs-hackers-we-did-it-for-lulz-and-justice/">the PBS documentary “WikiSecrets.”</a> A few weeks ago, <a href="http://www.google.com/hostednews/afp/article/ALeqM5iHE50JFXITTuzkoikIpZmdfnMhTw?docId=CNG.29ed03faa78e78ea49d3f4c5bce8dc44.741">Anonymous declared action against the IMF</a>, in protest against the austerity measures demanded by the country’s IMF bailout and amid calls from within the country for protests and a general strike on June 15th. On Monday, the two groups <a href="http://pastebin.com/9KyA0E5v">announced that they were going to join forces under the “AntiSec” banner under Operation Anti-Security</a> to expose and oppose security profiteers and government intervention in cyberspace, through tactics such as DDoS attacks and gathering and leaking classified information from banks, high profile establishments, and governments. <a href="http://www.theregister.co.uk/2011/06/21/soca_hacked/">On Monday, the group launched a DDoS attack against the British Serious Organized Crime Agency</a>, forcing it to take its site offline. </p>
<p>Last week, politically-motivated DDoS attacks were launched against <a href="http://www.president.gov.by/">the Web site of Belarusian President Alexander Lukashenko</a>—organizers of the mass DDoS action announced it as a protest against the President for “<a href="http://telegraf.by/2011/06/hackers-announced-about-explosion-of-belarusian-presidents-site.html">pissing away such a country</a>.” Meanwhile, the Syrian Electronic Army, apparently motivated by patriotic sentiments, continues to deface foreign Web sites. Last week, protests in Hanoi and Ho Chi Minh City over the China-Vietnam territorial dispute in the South China Sea <a href="http://www.bbc.co.uk/news/world-asia-pacific-13707921">spilled over into cyberspace</a> as hackers from both countries attacked and defaced each other’s national Web sites, including government portals. Yesterday, a <a href="http://news.smh.com.au/breaking-news-technology/cyber-attack-jams-brazilian-presidencys-website-20110623-1gfsl.html">Brazilian “unit” of LulzSec</a> launched cyber attacks on the Web site of the Brazilian Presidency, rendering the Web site inaccessible. It also launched an attack against the Web site of the oil company Petrobras, claiming, “Wake up Brazil! We no longer want to buy gas at 2.75 to 2.78 reals ($1.73 to $1.75) and export for half of that price!&#8221; </p>
<p>As <a href="http://online.wsj.com/article/SB10001424052702304665904576381973865291928.html">Ron Deibert has pointed out</a>, the culmination of recent online attacks—including the <a href="http://online.wsj.com/article/SB10001424052702304665904576381973865291928.html">high profile attacks on the IMF</a>—has had the effect of forcing people and governments to seriously start thinking about the lack of proper security in the Internet’s infrastructure. <a href="http://www.theglobeandmail.com/news/technology/business-technology/hacking-blitz-drives-cyberinsurance-demand/article2060510/">It has been reported that</a> companies are now taking out cyber insurance worth hundreds of millions of dollars, while cybersecurity companies are slated to be <a href="http://www.washingtonpost.com/national/major-internet-service-providers-cooperating-with-nsa-on-monitoring-traffic/2011/06/07/AG2dukXH_story.html">a key focal point on Wall Street</a>. Meanwhile, in the US, the National Security Agency is now <a href="http://www.washingtonpost.com/national/major-internet-service-providers-cooperating-with-nsa-on-monitoring-traffic/2011/06/07/AG2dukXH_story.html">actively working with Internet carriers</a> (AT&#038;T, Verizon and Century Link) to deploy new tools which will scan emails and online traffic in order to prevent cyberattacks against 15 defense firms, including the recently breached Lockheed Martin, and Northrop Grumman. As <a href="http://www.washingtonpost.com/national/major-internet-service-providers-cooperating-with-nsa-on-monitoring-traffic/2011/06/07/AG2dukXH_story.html">this Washington Post article points out</a>, the pilot program has been praised as an “elegant solution” to the ongoing problem of how to use the agency’s expertise while avoiding domestic government surveillance on private Internet traffic. </p>
<p>Nonetheless, <a href="http://www.cbc.ca/news/technology/story/2011/06/14/technology-hackers-breaches.html">Deibert remains concerned</a> that in attempting to manage online threats, governments may take the wrong approach—through building borders and asserting control by cracking down on anonymity and blocking access. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/06/breachfest-2011-continues/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Spanish police website knocked offline after hacking suspects arrested</title>
		<link>http://www.infowar-monitor.net/2011/06/spanish-police-website-knocked-offline-after-hacking-suspects-arrested/</link>
		<comments>http://www.infowar-monitor.net/2011/06/spanish-police-website-knocked-offline-after-hacking-suspects-arrested/#comments</comments>
		<pubDate>Mon, 13 Jun 2011 16:03:48 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Anonymous]]></category>
		<category><![CDATA[DDOS]]></category>
		<category><![CDATA[Spain]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7507</guid>
		<description><![CDATA[<blockquote>
Source: <a href="http://www.guardian.co.uk/world/2011/jun/13/spanish-police-website-arrests-hacking-suspects" target="_blank">Giles Tremlett</a>, The Guardian

Spain's main police website was knocked offline over the weekend in an apparent revenge attack following the arrest of three suspected leaders of the hacking group Anonymous.

Officers said the three detainees had been involved in attacks on the websites of Sony PlayStation, several banks, an electricity company and the governments of Egypt, Algeria, Libya, Iran, Chile, Colombia and New Zealand. A server allegedly used in the attacks was also seized during a raid on homes in Gijon, Barcelona, Valencia and Almeria.

Anonymous had also launched attacks on the Catalan regional police, a Spanish trade union and the country's electoral administration, police said.



...

For full original article, see <a href="http://www.guardian.co.uk/world/2011/jun/13/spanish-police-website-arrests-hacking-suspects" target="_blank">here</a></blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.guardian.co.uk/world/2011/jun/13/spanish-police-website-arrests-hacking-suspects" target="_blank">Giles Tremlett</a>, The Guardian</p>
<p>Spain&#8217;s main police website was knocked offline over the weekend in an apparent revenge attack following the arrest of three suspected leaders of the hacking group Anonymous.</p>
<p>Officers said the three detainees had been involved in attacks on the websites of Sony PlayStation, several banks, an electricity company and the governments of Egypt, Algeria, Libya, Iran, Chile, Colombia and New Zealand. A server allegedly used in the attacks was also seized during a raid on homes in Gijon, Barcelona, Valencia and Almeria.</p>
<p>Anonymous had also launched attacks on the Catalan regional police, a Spanish trade union and the country&#8217;s electoral administration, police said.</p>
<p>&#8230;</p>
<p>For full original article, see <a href="http://www.guardian.co.uk/world/2011/jun/13/spanish-police-website-arrests-hacking-suspects" target="_blank">here</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/06/spanish-police-website-knocked-offline-after-hacking-suspects-arrested/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Anonymous steals 10,000 Iranian government emails, plans DDoS attack</title>
		<link>http://www.infowar-monitor.net/2011/06/anonymous-steals-10000-iranian-government-emails-plans-ddos-attack/</link>
		<comments>http://www.infowar-monitor.net/2011/06/anonymous-steals-10000-iranian-government-emails-plans-ddos-attack/#comments</comments>
		<pubDate>Fri, 03 Jun 2011 22:11:30 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Anonymous]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[DDOS]]></category>
		<category><![CDATA[Iran]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7450</guid>
		<description><![CDATA[<blockquote>
Source: <a href="http://thenextweb.com/industry/2011/06/03/anonymous-steals-10000-iranian-government-emails-plans-ddos-attack/" target="_blank">Joe Falconer</a>, The Next Web
 
Anonymous has hacked into Iranian government servers and procured over 10,000 email messages from the Ministry of Foreign Affairs.

The Ministry’s website is still down as of this writing, and the servers are under Anonymous control. One of the Iranian members of Anonymous involved with the operation sent me a message from the compromised email servers as evidence that they were still under Anonymous control.

</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://thenextweb.com/industry/2011/06/03/anonymous-steals-10000-iranian-government-emails-plans-ddos-attack/" target="_blank">Joe Falconer</a>, The Next Web</p>
<p>Anonymous has hacked into Iranian government servers and procured over 10,000 email messages from the Ministry of Foreign Affairs.</p>
<p>The Ministry’s website is still down as of this writing, and the servers are under Anonymous control. One of the Iranian members of Anonymous involved with the operation sent me a message from the compromised email servers as evidence that they were still under Anonymous control.</p>
<p>While email addresses can be spoofed, the collection of 10,000 emails is a pretty good indication that they have no need for spoofing.</p>
<p>The email archive includes approvals and rejections for a variety of visas and passports, among other requests and correspondence.</p>
<p>“It’s near the election’s anniversary. We had to do something,” said one of the Iranian members of Anonymous from #OpIran.</p>
<p>He said they take down Iranian government servers on a regular basis for operation days, but that obviously retrieving information required a different approach to the group’s signature DDoS attack.</p>
<p>He also indicated an as-yet unannounced attack. “For the election’s anniversary, we have a complete DDoS attack day” planned, he said.</p>
<p>It’s not clear who the specific target of the day will be, but it will be part of the Iranian government.</p>
<p>“We don’t attack the media,” said my source, though he indicated that propaganda masquerading as news was fair game. For instance, this site publishes photographs of “rioters”, asking other citizens to identify them so the government can subject them to any of a number of horrific punishments.</p>
<p>If you need to get into Iran, now would be a good time to talk to Anonymous. “Are you sure you don’t want a visa?” was the last thing my source said to me.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/06/anonymous-steals-10000-iranian-government-emails-plans-ddos-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Amid Uprisings, Cyberattacks in Syria</title>
		<link>http://www.infowar-monitor.net/2011/05/amid-uprisings-cyberattacks-in-syria/</link>
		<comments>http://www.infowar-monitor.net/2011/05/amid-uprisings-cyberattacks-in-syria/#comments</comments>
		<pubDate>Fri, 06 May 2011 21:13:39 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[DDOS]]></category>
		<category><![CDATA[Syria]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7215</guid>
		<description><![CDATA[<blockquote> <strong>AMID UPRISINGS, CYBERATTACKS IN SYRIA
</strong>
Amid popular uprisings in Syria, Facebook users in the country logging into the secure HTTPS version of the social networking site are finding themselves to be the targets of an ongoing man-in-the-middle attack detected on various Internet service providers. </blockquote>]]></description>
			<content:encoded><![CDATA[<p>Amid popular uprisings in Syria, Facebook users in the country logging into the secure HTTPS version of the social networking site are finding themselves to be the targets of an ongoing man-in-the-middle attack detected on various Internet service providers. Although it is unclear who is behind the attack, <a href="https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook">the Electronic Frontier Foundation</a> links the attack to allegations that the Syrian Telecom Ministry, under the auspices of the Syrian government, is the perpetrator. It is suspected that the Ministry has replaced Facebook’s security certificate with a fake unsigned one. <a href="https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook">In this attack</a>, users’ browsers raise an SSL error on the Facebook Web site because the certificate is not trusted by the browser. Users may ignore the warning by clicking through it, and in doing so allow the attacker to access their Facebook account and to control and collect information. <a href="http://www.theregister.co.uk/2011/05/06/syria_fake_certificate_facebook_attack/">Some suspect</a> that this is a ruse by Syrian authorities to spy on activists using the site to coordinate protests.</p>
<p>The action is occurring amid cyberattacks being launched by pro-regime attackers. Last week, the OpenNet Initiative’s Helmi Noman reported that pro-regime Facebook pages (http://www.facebook.com/syria.e.s and http://www.facebook.com/syrian.electronic.soldiers, which have since been removed) have begun distributing DDoS software, encouraging followers to attack anti-regime Web sites.</p>
<p><a href="https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook">The EFF was able to track down a copy of the fake certificate used in the latest attack</a>, and below is a <a href="http://advocacy.globalvoicesonline.org/2011/05/05/did-syria-replace-facebooks-security-certificate-with-a-forged-one/print/">screenshot of the fake certificate from Global Voices</a>.</p>
<p><a rel="attachment wp-att-7216" href="http://www.infowar-monitor.net/2011/05/amid-uprisings-cyberattacks-in-syria/certificate/"><img class="alignleft size-full wp-image-7216" title="certificate" src="http://www.infowar-monitor.net/wp-content/uploads/2011/05/certificate.jpg" alt="" width="600" height="242" /></a></p>
<p><em> On the left is the fake certificate, and on the right is the original SSL certificate. </em></p>
<p>This type of attack has occurred during other tense moments in the region—for instance, <a href="http://www.theregister.co.uk/2011/01/25/tunisia_facebook_password_slurping/">during the protests in Tunisia this year when malicious code was injected into Tunisia’s Twitter, Facebook and Gmail to phish credentials from users. </a></p>
<p>A man-in-the-middle attack was used in last month’s Comodo breach, which we blogged about <a href="http://www.infowar-monitor.net/2011/03/6996/">here</a>, where Comodo’s European affiliate had issued nine fraudulent certificates to Mozilla, Global Trustee, Gmail, Google, Skype, Yahoo and Windows Live. In the case of Comodo, some suspected that it was a part of a larger state-sponsored plan to eavesdrop on encrypted communications. At the time, <a href="http://blogs.comodo.com/it-security/data-security/the-recent-ra-compromise/">Comodo stated that</a>, “It does not escape notice that the domains targeted would be of greatest use to a government attempting surveillance of Internet use by dissident groups. The attack comes at a time when many countries in Middle East and North Africa (MENA) region are facing popular protests and many commentators have identified the Internet and in particular social networking sites as a major organizing tool for the protests.” While some attributed the attack to state-sponsored agents, <a href="http://pastebin.com/74KXCaEZ">a lone Iranian hacker claimed responsibility.</a> <a href="http://www.scmagazineus.com/i-am-comodo-hacker-iranian-claims/article/199407/">However, the alleged attacker&#8217;s claims of acting independently from the state have been questioned.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/05/amid-uprisings-cyberattacks-in-syria/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ongoing Attacks on Human Rights Web sites and the Problem of Attribution</title>
		<link>http://www.infowar-monitor.net/2011/04/ongoing-attacks-on-human-rights-websites-and-the-problem-of-attribution/</link>
		<comments>http://www.infowar-monitor.net/2011/04/ongoing-attacks-on-human-rights-websites-and-the-problem-of-attribution/#comments</comments>
		<pubDate>Fri, 22 Apr 2011 20:28:22 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[DDOS]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[US]]></category>
		<category><![CDATA[Wikileaks]]></category>
		<category><![CDATA[Zero-day Attack]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7148</guid>
		<description><![CDATA[<strong>Ongoing Attacks on Human Rights Websites and the Problem of Attribution
</strong>
<blockquote>
A number of cyber attacks took place against human rights groups this week, including <a href="http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html">Armorize’s discovery</a> of a variant of a “drive-by-download” attack on Amnesty International’s Web site. As <a href="http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html">this Armorize blogpost explains</a>, “A drive-by download attack refers to the process of a user visiting an infected page and subsequently gets installed with malware, without his/her knowledge and without having him/her to click on or to agree to anything.” In the case of this week’s attack on Amnesty International, a “drive-by-cache attack” (term dubbed by Armorize) was launched. <a href="http://www.theregister.co.uk/2011/04/19/amnesty_drive_by_cache/">John Leyden of the Register explains</a> that in drive-by-caching, “malicious scripts are used to locate the malware which is already sitting in the browser's cache directory, and executing it. This so-called drive-by cache approach make attacks harder to detect because no attempt is made to download a file and write it to disk, a suspicious maneuver many security software packages are liable to detect.” (For a more eloquent and technical write-up of drive-by-caching see <a href="http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html">the Armorize blogpost</a>.)</blockquote>]]></description>
			<content:encoded><![CDATA[<p><strong>Ongoing Attacks on Human Rights Websites and the Problem of Attribution<br />
</strong></p>
<p>A number of cyber attacks took place against human rights groups this week, including <a href="http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html">Armorize’s discovery</a> of a variant of a “drive-by-download” attack on Amnesty International’s Web site. As <a href="http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html">this Armorize blogpost explains</a>, “A drive-by download attack refers to the process of a user visiting an infected page and subsequently gets installed with malware, without his/her knowledge and without having him/her to click on or to agree to anything.” In the case of this week’s attack on Amnesty International, a “drive-by-cache attack” (term dubbed by Armorize) was launched. <a href="http://www.theregister.co.uk/2011/04/19/amnesty_drive_by_cache/">John Leyden of the Register explains</a> that in drive-by-caching, “malicious scripts are used to locate the malware which is already sitting in the browser&#8217;s cache directory, and executing it. This so-called drive-by cache approach make attacks harder to detect because no attempt is made to download a file and write it to disk, a suspicious maneuver many security software packages are liable to detect.” (For a more eloquent and technical write-up of drive-by-caching see <a href="http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html">the Armorize blogpost</a>.)</p>
<p>What is interesting is that the compromise of Web sites belonging to human rights groups as vehicles to deliver 0day exploits to visitors continues a trend that the Infowar Monitor has been actively monitoring. For example, a similar attack on users occurred in November 2010 on Amnesty International’s Hong Kong site (see our past <a href="http://www.infowar-monitor.net/2010/11/nobel-peace-prize-amnesty-hk-and-malware/">Nobel Peace Prize, Amnesty HK and Malware</a> and <a href="http://www.infowar-monitor.net/2009/10/0day-civil-society-and-cyber-security/">“0day”: Civil Society and Cyber Security</a> blogposts on such attacks for more).</p>
<p>More generally, attacks launched on the Web sites of human rights groups (and independent Web sites) have become increasingly common. In fact, cyberspace saw two such attacks this week. First was <a href="http://www.theregister.co.uk/2011/04/19/scottish_news_site_ddos/">the DDoS attack launched against the Web site of the alternative news source, <em>Newsnet Scotland</em></a>, in the lead-up to the country’s elections; and second was the DDoS attack launched on Change.org’s Web site this week.</p>
<p>As a major online petitioning platform, Change.org has recently become known for hosting a major petition, signed by over 90,000, calling for the release of famous Chinese dissident Ai Weiwei. The DDoS attack on the site began on Monday and rendered the site inaccessible for a few hours. It has been reported that <a href="http://www.pcworld.com/businesscenter/article/225672/changeorg_victim_of_ddos_attack_from_china.html">the attack has been traced to servers in China</a> and <a href="http://blog.change.org/2011/04/chinese-hackers-attack-change-org-platform-in-reaction-to-ai-weiwei-campaign/">Change.org has begun reporting that the attacks were launched by Chinese hackers</a>.</p>
<p>The Chinese state is often believed to be behind attacks on human rights Web sites, as noted in our recent blog <a href="http://www.infowar-monitor.net/?p=6935">here</a>; however, attribution of cyberattacks is an ongoing problem and is difficult to make. For instance, although the attacks were traced to China, <a href="http://www.pcworld.com/businesscenter/article/225672/changeorg_victim_of_ddos_attack_from_china.html">it is possible</a> that the computers are controlled by attackers in another country. <a href="http://www.cio.com/article/679863/Verizon_Advanced_Persistant_Threat_is_Overblown?source=rss_news&#038;utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A+cio%2Ffeed%2Fsolutions%2F1375+%28CIO.com+-+News%29">In this CIO article</a>, Verizon points out that the recent introduction of the term “advanced persistent threat attack” (APT) (defined by Verizon as “sophisticated and highly targeted data exfiltration exercises conducted by state-sponsored agents”) has led many victims of security breaches to characterize attacks as APT, usually originating from China. Verizon argues that although “China is the source for most online attacks these days, no matter what the motivation,” it must be remembered that “the country has more than 400 million Internet users, and many of them are using computers that don’t have up-to-date patches or security software. Those PCs often get hacked and then used as stepping-stones for further attacks.” Verizon further stated that, “China is like the wild west of source IP addresses that can be taken over to stage attacks.” When an attack occurs “everybody looks at it and says, ‘Oh that’s the Chinese government.’”</p>
<p>The problem of state attribution was brought up once again this week when Canadian resident and Chinese dissident with protected person status, Maggie Wenzhuo Hou, <a href="http://www.ottawacitizen.com/technology/Dissident+warns+silent+cyber/4639304/story.html">stepped up to warn against a “silent cyber war” that was being launched by the Chinese government</a>. Hou stated that she was certain that the Chinese government was monitoring and blocking her communications. Some note that there is evidence that China is involved in spying on expatriates, and Hou’s own background certainly puts her in a vulnerable category. However, <a href="http://www.ottawacitizen.com/technology/Dissident+warns+silent+cyber/4639304/story.html">Ron Deibert, Director of the Citizen Lab, suggested</a> that such a case requires caution: “There are so many people who read about issues of espionage or information-based attacks and jump immediately to the extreme conclusion.”</p>
<p>Indeed, accusations of China’s involvement in cyber espionage are a <a href="http://thenewamerican.com/world-mainmenu-26/asia-mainmenu-33/7135--china-accelerates-cyber-attacks-espionage">regular fixture</a> in cyber news. Last week, <a href="http://www.theregister.co.uk/2011/04/18/byzantine_hades_cyber_espionage/">a leaked US diplomatic cable</a> revealed that US authorities had traced a series of breaches known as Byzantine Hades (in which private information was stolen from US agencies and the private sector) to a unit of China’s People’s Liberation Army.</p>
<p>Although attribution is difficult to make, attacks continue against the Web sites of human rights organizations and their supporters and employees. They are part of a continuing trend recently documented by the Berkman Center for Internet and Society in their 2010 report on <a href="http://cyber.law.harvard.edu/publications/2010/DDoS_Independent_Media_and_Human_Rights">Distributed Denial of Service Attacks Against Independent Media and Human Rights Sites</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/04/ongoing-attacks-on-human-rights-websites-and-the-problem-of-attribution/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Change.org Victim of DDoS Attack From China</title>
		<link>http://www.infowar-monitor.net/2011/04/change-org-victim-of-ddos-attack-from-china/</link>
		<comments>http://www.infowar-monitor.net/2011/04/change-org-victim-of-ddos-attack-from-china/#comments</comments>
		<pubDate>Tue, 19 Apr 2011 21:38:59 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[DDOS]]></category>
		<category><![CDATA[human rights]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7164</guid>
		<description><![CDATA[Source: <a href="http://www.theregister.co.uk/2011/04/19/scottish_news_site_ddos/" target="_blank">Michael Kan</a>, IDG News
<blockquote>
Change.org, an online petitioning platform, has come under an ongoing distributed denial of service (DDoS) attack originating from China after the site hosted a call urging Chinese authorities to release artist Ai Weiwei from custody.

The attacks, which started late Sunday, have nearly brought down the site, according to Change.org founder Ben Rattray.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.theregister.co.uk/2011/04/19/scottish_news_site_ddos/" target="_blank">Michael Kan</a>, IDG News</p>
<p>Change.org, an online petitioning platform, has come under an ongoing distributed denial of service (DDoS) attack originating from China after the site hosted a call urging Chinese authorities to release artist Ai Weiwei from custody.</p>
<p>The attacks, which started late Sunday, have nearly brought down the site, according to Change.org founder Ben Rattray.</p>
<p>DDoS attacks work by using hundreds or thousands of hacked computers to send traffic to a website, overwhelming it with data so it becomes inaccessible to normal users.</p>
<p>Change.org said the current attack originates from an expanding group of computers primarily based in China, and has yet to stop. This is the first time the site has been hit with a DDoS attack.</p>
<p>Change.org has been hosting an online petition calling for the release of Chinese artist Ai Weiwei, who is currently under arrest. The petition has attracted almost 100,000 people from 175 countries, making it one of Change.org&#8217;s most successful international campaigns, Rattray said.</p>
<p>&#8220;It&#8217;s pretty clear the attack is in response to the campaign,&#8221; he added. &#8220;It&#8217;s extraordinary that somebody in China with a high-level of technical sophistication can impact the ability for people around the world to organize.&#8221;</p>
<p>The online call coincided with demonstrations across the world this past Sunday, which also called for the artist&#8217;s release. Ai, who is also known for his activism, has been detained as part of a Chinese government crackdown on political dissidents in the country.</p>
<p>Authorities in the country have arrested other human rights activists and clamped down on the information flow, following previous online postings that began in February calling for a &#8220;Jasmine revolution&#8221; against the Chinese government.</p>
<p>Change.org is currently blocked in China. Internet censors in the country regularly block sites that are deemed too politically sensitive.</p>
<p>Despite the block, the computers involved in the DDoS attack are managing to find a way around the country&#8217;s national Internet firewall, said Rattray.</p>
<p>In the past, other sites have been the victims of cyber attacks coming from China. This March, blog publishing platform WordPress.com also reported being hit with a DDoS attack originating from China.</p>
<p>Chinese hackers have also allegedly launched cyber attacks to steal data from foreign energy companies, according to security vendor McAfee. In 2009, Google was also the victim of an attack originating from China that was aimed at accessing the Gmail accounts of human rights activists.</p>
<p>The Chinese government has previously responded to these reports by denying it is involved in any cyberattacks, adding that China has also been a victim of hacking attempts.</p>
<p>The true source of DDoS attacks is often unclear. Although Change.org has traced the current attack to servers in China, it is also possible the computers are under the control of hackers based in another country.</p>
<p>Change.org reports that both the FBI and U.S. State Department are looking into the DDoS attack.</p>
<p>&#8220;We won&#8217;t stop or take down anything because of this DDoS attack,&#8221; Rattray said. &#8220;We believe in the fundamental right of the people to organize around issues they care about it.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/04/change-org-victim-of-ddos-attack-from-china/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

