[ISN] Terrorist group claims responsibility for Slammer

From: InfoSec News (isnat_private)
Date: Wed Feb 05 2003 - 22:21:25 PST


    By Dan Verton

    A radical Islamic group that is on the State Department's list of
    designated terrorist organizations has claimed responsibility for the
    release of the Slammer worm late last month.

    In an exclusive exchange of e-mails with Computerworld spanning two
    weeks, Abu Mujahid, a spokesman for Harkat-ul-Mujahideen (HUM), a
    self-proclaimed radical Islamic jihadist organization, said the group
    released the Slammer worm as part of a "cyber jihad" aimed at creating
    fear and uncertainty on the Internet.

    U.S. intelligence officials allege that HUM, formerly known as
    Harkat-ul-Ansar, has ties to al-Qaeda and Ahmad Omar Sheikh, who was
    arrested for the January 2002 kidnapping and murder of Wall Street
    Journal reporter Daniel Pearl. The group operates primarily in
    Pakistan and the Kashmir region, but it has also run terrorist
    training camps in eastern Afghanistan, according to a U.S. Navy

    According to Mujahid, one of the worm's first instructions, a
    so-called "push" command, includes the number 42, which is the sum of
    the letters H, U and M if you add up the numbers that correspond to
    the point at which each one falls in the Roman alphabet. H is the
    eighth letter; U is the 21st; M is the 13th. When eight, 13 and 21 are
    added up, the total is 42.

    However, Internet security experts were quick to dismiss HUM's claims
    of purposely injecting a fingerprint into the code of Slammer as a way
    to claim credit.

    Pedram Amini, an analyst at iDefense, a security firm based in
    Chantilly, Va., said the size of the worm is such that there is very
    little room for any arbitrary fingerprints to have been included in
    the code. In addition, the push command referenced by Mujahid and the
    numbers that followed it are not something a coder could inject, but
    are instead something generated by the execution of the code, said

    "It is and has always been my opinion that the author of the worm
    cannot be identified [by studying the code]," said Amini. HUM's claim
    of injecting a fingerprint into the code "does not hold water," he
    said, noting that the code that went into the worm could have been
    downloaded from multiple locations on the Internet by anybody.

    For example, according to iDefense analysts, a Chinese hacker group
    called the Honker Union of China is known to have posted code similar
    to that of the Slammer worm on its Web site prior to the attack. In
    addition, proof-of-concept code released last August at the Black Hat
    hacker conference by researcher David Litchfield is also believed to
    have been used as a basis for the worm.

    Bill Murray, a spokesman for the U.S. Federal Bureau of
    Investigation's National Infrastructure Protection Center (NIPC),
    would not call members of HUM suspects, but he did say that an NIPC
    analyst has looked into the group in connection with the Slammer

    "Do not underestimate our abilities to create fear and chaos on the
    Internet, using programs we find and modify to our purposes," said
    Mujahid. "We do not need to attack the infrastructure to terrorize the
    Kufars," he said, referring to non-Muslims. "We use the Internet to
    spread misinformation and confusion."