[ISN] War with Iraq will mean virus outbreak, hacker says

From: InfoSec News (isnat_private)
Date: Thu Nov 21 2002 - 07:18:51 PST

  • Next message: InfoSec News: "RE: [ISN] COMDEX: Panel: Accept the Net is vulnerable to attack"

    NOVEMBER 20, 2002
    A Malaysian virus writer who is sympathetic to the cause of the
    al-Qaeda terrorist group and Iraq and who has been connected to at
    least five other malicious code outbreaks is threatening to release a
    megavirus if the U.S. launches a military attack against Iraq.
    The virus writer, who goes by the handle Melhacker and is believed to
    have the real name of Vladimor Chamlkovic, is thought to have written
    or been involved in the development of the VBS.OsamaLaden@mm, Melhack,
    Kamil, BleBla.J and Nedal worms.
    However, in an exclusive interview today with Computerworld, Melhacker
    confirmed earlier reports by Chantilly, Va.-based iDefense Inc. that
    he has developed and tested a "three-in-one" megaworm code-named
    Scezda that combines features from the well-known SirCam, Klez and
    Nimda worms.
    "This is a real Internet computer worm," said Melhacker. "I will
    attack or launch this worm if America attacks Iraq." The worm has been
    ready and fully tested in his lab since August, he said. He also
    confirmed earlier intelligence reports that he has ties to both
    Russian hackers and Pakistani virus writers.
    Brian Kelly, president and CEO of iDefense, said that while Melhacker
    hasn't proved adept at seeding new worms in the wild, this worm could
    be difficult to stop. IDefense quietly warned its clients last week
    about the potential for such a worm to hit the Internet, saying that
    companies should move to a heightened state of alert and watch for
    suspicious Internet traffic and e-mails if Iraq is attacked.
    "If he were to be successful with this one, it could be very serious,"  
    said Kelly. "Although we are aware of his contacts with Russian and
    Palestinian code-authoring groups, we're not yet sure how strong those
    relationships are."
    Vincent Gullotto, vice president at McAfee Security's Avert, a
    division of Network Associates Inc., said the threat posed by Scezda
    is completely dependent on whether or not Melhacker is successful in
    getting it to propagate.
    "If he is, it could be very large," said Gullotto.
    But it's difficult to speculate because there have been many such
    viruses that have gone nowhere, he said. "Until we see the virus
    moving in the wild, we consider it to be a low risk," Gullotto said.
    Melhacker, who has also gone by the name Kamil, may have had some
    involvement in the September release of the BugBear mass-mailing
    network attack worm. According to iDefense, Melhacker has close ties
    to Nur Mohammad Kamil, who identifies himself as part of a group known
    as "A.Q.T.E. Al-Qaeda Network." Melhacker has also associated himself
    with the al-Qaeda network for a long period and has been an active
    Malaysian malicious coder threat for at least six years.
    At least one of these worms, the Nedal worm (the name is Laden spelled
    backward) contained encrypted code, according to analysis conducted by
    iDefense. When decrypted, the code was shown to contain numerous
    Arabic names of unknown significance, as well as references to
    In the case of the VBS.OsamaLaden@mm worm, the code leaves a message
    that references the Sept. 11 terrorist attacks and then attempts to
    shut down a user's system and delete all files in the Windows System
    The continuing development of malicious code from pro-Islamic and
    pro-al-Qaeda hackers, especially in Malaysia, is of great concern and
    one that needs to be closely watched, according to an intelligence
    bulletin released last week by iDefense.
    "While it might be true that al-Qaeda operatives are not well
    organized, skilled or equipped to mount a serious cyberoffensive, it
    is likely that al-Qaeda sympathizers will serve as surrogates in their
    cyberoffensive," said Kelly.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Nov 21 2002 - 10:17:36 PST