New fear: ISIS killers use 'digital AK-47' malware to hunt victims

Malware has emerged from war-torn Syria targeting those protesting the rule of ISIS (ISIL, Islamic State, whatever the murderous humanity-hating fanatics are calling themselves these days). The trivial Windows spyware, analyzed by University of Toronto internet watchdog Citizen Lab, was sent out in a small number of emails …

Silver badge

Doesn't malware have to do something other than e-mail an IP address? There has to be a slew of programs that do this all the time that don't disclose this functionality upfront. Well, I think Adobe was doing it, so maybe it is malware.

2
1
Silver badge

That depends on the point of view

Not if you consider the AK47 wielded by a fanatic with strong aversion to shaving facial hair to be the actual payload.

4
0
Headmaster

It's still a trojan

Same with RATs... they have functional uses, but it all depends on how they were dropped and the intent they're used for.

0
0
Anonymous Coward

unlike an AK-47

This sort of attack can be turned back on its users fairly easily. Just flood the receiving mailboxes with a bunch of IP addresses for known ISIS hangouts and other pro-militant groups.

3
0
Silver badge

Not exactly the hardest stuff to sidestep, but I suppose it requires knowing it's there. Even using a virtual machine could defeat it, assuming you have the host provide NAT services for the guests. It wouldn't even be too difficult to run a virtual network that could provide a traceroute that takes them from Argentina to Zaire in the event they eventually think they are getting wise and look for that. Sure, you might not be able to properly resolve hampsterdance.com, but sometimes freedom from the zombie jihad has a price.

0
0

The malware probably queries a site like whatismyipaddress.com to get the public IP of the location it's connecting through - it would be incredibly stupid and not very dangerous if it only sent the system's own IP. This would explain why TOR and VPNs could defeat it.

0
0

The Received-From: SMTP header might show the public IP address of the NAT that the infected machine is connected to.

0
0
Silver badge
Paris Hilton

These guys are the biggest trolls on the planet

Even more infuriating than Team America. And frankly, I bet it is even against ISIS-enhanced Sharia Law to even know how to handle universal Turing machines. What do they think they are doing?

Can we have a bacon item now?

7
0
Silver badge

Re: These guys are the biggest trolls on the planet

I didn't put this in my post, because I didn't really read the article too closely :-/, but don't they already have targets in mind before sending them this random e-mail? You'd think that they'd already have a target in mind, so wouldn't the e-mail/malware be redundant? Otherwise, if they don't have a target in mind, wouldn't it almost literally be like shooting in the dark?

WTF ever. Amazingly, this "AdobeR1.exe" somehow gives malware a bad name. What makes the whole thing really sad for me is that they used "Adobe" in the filename, which might already be blocked by a shit ton of firewalls.

3
0

Re: already have a target in mind

According to the article they sort of do have targets in mind. Essentially "people who don't like us on the Internet who might be reasonably local" but who could be anywhere, really.

The idea of trying to get the IP address of these targets is to narrow down the possible places they could be in meatspace because they don't really know who they are or where they are beforehand.

0
0
Silver badge

Re: These guys are the biggest trolls on the planet

It is registered mainstream media launching wars and conflicts for puppet generals and the intellectually challenged and virtually inept and naive, Destroy All Monsters, although they be not alone in that venture.

And to imagine that they be called and/or think of themselves as the Elite and Powers That Be and a POTUS on a COTUS is definitely a massive delusion in a created illusion. And all that it takes with IT Command and Control and CyberSpace Savvy is the sharing of greater intelligence with those searching and appreciative of greater intelligence and virtual applications which realise practical presentation of future event scenarios.

0
0
Anonymous Coward

Re: What makes the whole thing really sad for me

Sad for you?

Isn't it a relief for you that this simplistic attempt wouldn't be likely to succeed?

0
0

Re: These guys are the biggest trolls on the planet

Agree agree agree. But - the un-ISIS-enhanced version of Sharia law wouldn't prohibit scientific knowledge, in fact I'm pretty sure scholars in the Islamic world were pretty great with science and maths, the first to systematize algebra, decimals, the decimal point, they preserved for us the works of the classical Greek and Roman canon (although I honestly don't know what they were thinking when they allowed Ovid's Ars Amoris to be transcribed...).

1
0
Anonymous Coward

Fake beard jihadi chic

That righteousness fuelled funster at the front of the pic looks like he's styled his beard on the stoning scene in 'Life of Brian'. No wonder they have to create an institutionally misogynist society to get laid.

10
0
Anonymous Coward

Re: Fake beard jihadi chic

Picture is an obvious fake, so no wonder it looks like the life of Brian. The beard, background and commando escort are photoshopped.

As far as the hairy bits, I am 100% with 17th-18th century Cossacks on how to deal with religious fanatics belonging to that particular persuasion. In the first instance they shaved everything on one side (top to bottom) and "released into the community". For what they did in the second instance you can see the history books. It did work, as they had a virtually zero re-offend rate.

2
0
Bronze badge
Unhappy

Re: Fake beard jihadi chic

Dear AC: yes they had a good anti-recidivism rate - because they also participated in the Jewish Pogroms. They weren't prejudiced, they just killed everybody.

1
0
Silver badge

Re: Fake beard jihadi chic

Fake!!! What are you saying? It's clear from the photo that what we've known all along is true. They carry M-16 type rifles instead of AKs because as we know AKs are so expensive and hard to get while M-16s are handed out like candy on Halloween. Wait, what?

1
0
Silver badge

Where does it get the IP address from?

If it gets it from the PC, wouldn't it be 10.0.0.24 or something like that? Surely each PC in an internet cafe doesn't have a routable IP? The US having hogged the bulk of the IPv4 addresses may end up saving lives....talk about random unintended consequences!

1
1
Anonymous Coward

Re: Where does it get the IP address from?

It's easy enough to get the WAN IP. I assume that's what the article actually means.

It's trivial to side-step (TOR, VPN, not running random crap, etc).

0
0
Jos

Re: Where does it get the IP address from?

Correct. For a detailed description on how the whole thing works:

https://citizenlab.org/2014/12/malware-attack-targeting-syrian-isis-critics/

For the IP address, in one of the steps it explains:

"Next, “rundl132.exe” performs an HTTP GET request to myexternalip.com and collects the external IP of the infected machine"

The result file they create is sent to an email address, so there goes an easy attempt to flood the b*stards with a list of a couple of blocks of class A addresses.

0
0
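Both the comment above speculating that the malware asks a "what is my IP" site and the Citizen Lab step quoted by Jos (an HTTP GET to myexternalip.com) point at the same network artefact, which is the easiest thing for a defender to watch for. The following is an added example, not code from Citizen Lab or from the thread: it scans a simplified, constructed Squid-style proxy log and reports which internal clients contacted public IP-lookup services. Only myexternalip.com comes from the thread; the other domains on the watchlist, the log format and the sample lines are assumptions made for this example.

```python
"""Flag internal hosts that query public "what is my IP" services.

Added example, not taken from the Citizen Lab report or the thread.
The watchlist, the log format and the sample lines are constructed.
"""
import re
from collections import defaultdict

# Domains whose only purpose is to echo back the caller's public IP.
# myexternalip.com is quoted in the thread; the others are assumed
# additions that a real watchlist would carry.
IP_LOOKUP_DOMAINS = {
    "myexternalip.com",
    "whatismyipaddress.com",
    "api.ipify.org",
    "icanhazip.com",
    "ifconfig.me",
}

# Constructed sample log (assumed format):
# <unix timestamp> <client ip> <method> <url> <http status>
SAMPLE_LOG = """\
1418745600.101 10.0.0.24 GET http://myexternalip.com/raw 200
1418745601.337 10.0.0.31 GET http://www.bbc.co.uk/news 200
1418745602.004 10.0.0.24 POST http://mail.example.net/send 200
1418745603.560 10.0.0.57 GET https://api.ipify.org/?format=json 200
1418745604.210 10.0.0.31 GET http://cdn.example.org/lib.js 304
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://(?P<host>[^/:?#]+)", re.I)


def host_of(url):
    """Return the lowercased hostname from an absolute URL, or None."""
    m = HOST_RE.match(url)
    return m.group("host").lower() if m else None


def parse_line(line):
    """Parse one log line into a dict; return None for lines that don't fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = host_of(rec["url"])
    return rec


def is_ip_lookup(host):
    """True if host is a watchlisted domain or a subdomain of one."""
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in IP_LOOKUP_DOMAINS)


def find_lookup_hosts(log_text):
    """Map each client IP to the IP-lookup hosts it contacted, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_ip_lookup(rec["host"]):
            hits[rec["client"]].append(rec["host"])
    return dict(hits)


if __name__ == "__main__":
    for client, hosts in find_lookup_hosts(SAMPLE_LOG).items():
        print(f"{client} queried IP-lookup service(s): {', '.join(hosts)}")
```

A single hit is a lead rather than a verdict, since some legitimate software also asks an external service for its public address; the point of the check is to give the analyst a short list of clients to correlate with what the same host did next, which in the Citizen Lab description is sending the collected file out by e-mail.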
Silver badge

.zip? Really?

I guess they have progressed from goat herding to MS-DOS 3.0

I'm quivering in my boots.

1
2
Silver badge

Darwin was heavily criticised for saying that man descended from apes.

The photo gives definite proof that he was right.

3
0

Return Fire!

Time we played them at their own game: release a regionalised version of Goat Simulator (ISIS edition perhaps?) combined with a payload of <insert government agency here> snooping software.

1
0
Anonymous Coward

Re: Return Fire!

Surely you mean Goatse simulator.

The sight of Goatse's gape would surely drive the morons wild with lust.

1
0
Silver badge

Opposition

This might be a crude attack, but it's aimed at opposition fighters, not techies. Possibly people with limited understanding of the internet and its risks.

And may well be stage one. With more sophisticated stuff to come.

2
0
Bronze badge
Meh

Weapon of choice

The pic shows two M-16 rifles. Not the AK-47 preferred by ISIS. And the guy at the front does not look as if he is happy to go to paradise.

0
0

Where does it send the IP addresses?

With a small amount of scripting, and perhaps an EC2 instance or two, we could of course send /every/ IPv4 address to these neanderthals' server. It's clear they hate all of us, so they perhaps need to know where we all live.

3
0
Silver badge

Re: Where does it send the IP addresses?

I can just see the ISIS hackers geolocating 127.0.0.1 and mounting an attack.

1
0

Heads up for Mr.Thompson

'largely controlled by the Free Syrian Army and Kurdish forces'

Indeed, there are Kurdish forces, but there is no 'Free Syrian Army'; they are all partying with IS or ISIL, Daesh, whatever you want to call it, or the weaker but similar groups.

I would request, as Reg policy, because it is not a rare given name for girls among more enlightened families in North Africa at least, that you please stop referring to this band of pigs as ISIS.

0
1
Anonymous Coward

Re: Heads up for Mr.Thompson

Given the problem some halfwits seem to have with the difference between paediatrician and paedophile, I'm half expecting a news report of some right wing nutter going postal in the British Museum's Egyptology section.

0
0

modernity

Seems the rejection of modernity is a pick and choose option in their philosophy

1
0
Silver badge

Re: modernity

It's not modernity they reject, it's modern civilisation. They seem to want the 14th century but with technology. They seem to have made very good use of the interwebs to get their foul messages across.

0
0
Bronze badge
Holmes

I say!

Citizen Lab has a rather nice ring to it! I'm not sure why? (nudge-nudge)

0
0


Biting the hand that feeds IT © 1998–2017