[ISN] India, Pakistan conflict enters computers

From: InfoSec News (isnat_private)
Date: Thu Jan 02 2003 - 22:29:26 PST

  • Next message: InfoSec News: "[ISN] Third World Conference on Information Security Education!"

    Forwarded from: William Knowles <wkat_private>
    By Anwar Iqbal
    United Press International
    From the Science & Technology Desk
    Published 1/2/2003 2:54 PM
    WASHINGTON, Jan. 2 (UPI) -- The India-Pakistan conflict has entered
    the cyber realm as hackers across the subcontinent have infected
    hundreds of thousands of computers in more than 100 countries on New
    Year's Day and the virus is spreading.
    South Asia's two nuclear rivals have been fighting each other since
    their independence from Britain in 1947. They have fought wars in the
    air, on the ground and in the sea. When the Internet arrived, it
    quickly became yet another arena of conflict.
    Last summer, when a terrorist attack on the Indian parliament brought
    more than a million troops to the border, Pakistani hackers attacked
    the official site of the Indian defense ministry. They inserted
    messages proclaiming independence for the Kashmir region, a Himalayan
    valley under dispute between India and Pakistan for 55 years.
    This was not the first hacking bout between the two rivals, however.  
    Both sides had engaged in this behavior previously.
    The latest virus attack has arrived with a warning for the Pakistani
    hackers: "Your days are over, now it is our turn to show that 'My
    India is great' ('Bharat mahan hai,' in Hindi)."
    The message continues: "Want peace and prosperity in India? Then
    (trash) corrupted politicians." It also warns politicians: "Talent and
    hard work should be respected. Self-styled (expletive) must be
    eliminated. No more (expletive) monopoly."
    The message includes an e-mail address -- qphat_private -- and a
    mailing address in New Delhi.
    Infected computers are automatically directed to an official Web site
    of the Pakistan government. Its virulent spread has enabled thousands
    of machines with the code to conduct a distributed denial-of-service
    attack aimed at the homepage of the Islamic Republic of Pakistan at
    On Tuesday, the virus forced one Pakistani official site,
    infopak.gov.pk, to suspend service.
    An earlier message also challenged G-Force, a group of Pakistani
    hackers, to match the "intelligence and expertise" of the Indian
    The G-Force hackers, who reportedly operate from Lahore, Pakistan, had
    claimed responsibility for attacking the official site of the Indian
    defense ministry in the summer.
    "Come & work with us" against "the G-Force-Pak shiites," the message
    urged Indian hackers.
    Also earlier this week, e-mail management firm MessageLabs gave the
    new virus, dubbed W32/Yaha.M, the No. 2 spot on the list of the most
    virulent computer viruses.
    The first copy of the virus was detected June 15 in an e-mail from
    Kuwait. Most copies now being stopped are coming from Egypt, Saudi
    Arabia and the United Kingdom.
    The e-mail messages, which are about 45-47 kilobytes in length, try to
    lure the receiver to download "sexy screensavers." Some messages offer
    "love partners" and chatting "opportunities" with members of the
    opposite sex.
    "Enjoy this friendship Screen Saver and Check your friends circle,"  
    the message says. "Send this screensaver to everyone you consider a
    FRIEND, even if it means sending it back to the person who sent it to
    you. If it comes back to you, then you'll know you have a circle of
    friends," it advises.
    Most of the senders have South Asian names. The early senders had
    female names such as Savera, Madhuri and Rekha that seem to have been
    borrowed from India's Bollywood movies.
    South Asian names still dominate but now the senders have both Muslim
    and Hindu names and some IP addresses can be traced to both sides of
    the India, Pakistan border.
    When a receiver opens an infected file, the virus quickly spreads
    through the system. A distributed denial-of-service attack floods a
    Web site with user requests, overwhelming the server and locking out
    site visitors.
    It enters Internet explorer and installs itself as the default
    homepage with addresses that lead to either hirosh.tk or hackers.com
    but it does not seem affect Netscape.
    Every time users click Internet Explorer, they are automatically led
    to one of the two sites. The default action can be suspended
    temporarily by going to the security setting and placing the two
    addresses in the restricted sites.
    Because a hacked system does not allow access to Internet options, a
    user can go there through pop-up ads that still appear in the Internet
    Explorer window.
    Although the two addresses reappear as the default home page every
    time a computer restarts, this temporary relief allows a user to
    download antivirus software.
    Yaha virus, which is also spelled Yahaa, is a mass mailer that sends
    itself to all e-mail addresses in the computer's Microsoft Windows
    Address Book, MSN Messenger List, Yahoo! Pager list, and ICQ list. It
    disables some anti-virus and firewall programs. All anti-virus
    programs currently have up-to-date definitions to protect against Yaha
    or Yahaa.
    Those who use Norton Anti-Virus tools can download removal
    instructions from sarc.com.
    If the worm has run already, the user first must reverse the change it
    effected. If the worm has not run:
    -- Configure Windows to show all files.
    -- Copy Regedit.exe to Regedit.com (in most cases).
    -- Edit the registry and reverse the change that the worm made.
    -- Update the virus definitions, run a full system scan, and delete
       all files that NAV detects as W32.Yahaa.E.
    Computer users without antivirus protection can go to bitdefender.com
    for a free removal tool.
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 09:13:15 PST