[ISN] Worm linked to India-Pakistan cyber-spat

From: InfoSec News (isnat_private)
Date: Thu Mar 13 2003 - 00:53:19 PST

  • Next message: InfoSec News: "[ISN] Study Exposes WLAN Security Risks"

    13 Mar 2003 
    SAN FRANCISCO (Reuters) - Hackers claiming to be from India have 
    launched their latest strike in a cyber-spat with Pakistan by 
    unleashing a new variant of the "Yaha" Internet e-mail worm, 
    anti-virus firm Sophos says. 
    The worm, written by a group calling itself the Indian Snakes, does 
    not appear to be spreading or causing any damage, said Chris Wraight, 
    a technical consultant at U.K.-based Sophos. 
    The Yaha-Q worm, the latest in a string of Yaha worms released by 
    hackers from both countries since December, leaves a back-door on an 
    infected machine and sends itself to people listed in the e-mail 
    address book, Wraight said. 
    It also tries to disable anti-virus software and commands the computer 
    to launch a denial-of-service attack on five Pakistani Web sites, he 
    said. Such an attack is designed to shut down a Web site by sending so 
    many repeat requests to the Web server that it becomes overloaded. 
    The Pakistan Web sites it tries to attack are those of the main 
    government Web site, the government's Computer Bureau, a community 
    "portal" site, Internet service provider Comsats and the Karachi Stock 
    Exchange, according to Sophos. 
    Yaha-Q arrives in an e-mail attachment but also can spread via shared 
    network drives, such as at corporations. It tries to sneak past 
    firewalls and other security software to get onto Web servers 
    directly, Wraight said. 
    In addition to storing taunting messages against Pakistan on the 
    computer, it sends messages to Roger Thompson, technical director of 
    malicious code research at TruSecure in Herndon, Virginia, and to a 
    female virus writer known as "Gigabyte," Sophos said. 
    Gigabyte wrote a virus in January to counter an earlier version of 
    Yaha that was designed to attack her Web site. 
    "I do not plan on writing a new 'counter attack' or getting further 
    involved with these people in any way," she wrote in an e-mail. 
    Thompson said he has commented in the past that previous versions of 
    Yaha were politically motivated. 
    The worm is not spreading because it is being blocked by anti-virus 
    and other security software, and people are becoming more suspicious 
    of e-mail and not clicking on mysterious attachments, Wraight said. 
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Mar 13 2003 - 03:19:09 PST