New fear: ISIS killers use 'digital AK-47' malware to hunt victims

Malware has emerged from war-torn Syria targeting those protesting the rule of ISIS (ISIL, Islamic State, whatever the murderous humanity-hating fanatics are calling themselves these days.) The trivial Windows spyware, analyzed by University of Toronto internet watchdog Citizen Lab, was sent out in a small number of emails …

  1. Anonymous Coward

    Doesn't malware have to do something other than e-mail an IP address? There has to be a slew of programs that do this all the time that don't disclose this functionality upfront. Well, I think Adobe was doing it, so maybe it is malware.

    1. Voland's right hand Silver badge

      That depends on the point of view

      Not if you consider the AK47 wielded by a fanatic with strong aversion to shaving facial hair to be the actual payload.

    2. Al_21

      It's still a trojan

      Same with RATs... Have functional uses, but it all depends on how they were dropped and the intent they're used for

      1. Anonymous Coward

        unlike an AK-47

        This sort of attack can be turned back on its users fairly easily. Just flood the receiving mailboxes with a bunch of IP addresses for known ISIS hangouts and other pro-militant groups.

  2. Eddy Ito

    Not exactly the hardest stuff to sidestep but I suppose it requires knowing it's there. Even using a virtual machine could defeat it assuming you have the host provide NAT services for the guests. It wouldn't even be too difficult to run a virtual network that could provide a traceroute that takes them from Argentina to Zaire in the event they eventually think they are getting wise and look for that. Sure, you might not be able to properly resolve hampsterdance.com but freedom from the zombie jihad sometimes has a price.

    1. fearnothing

      The malware probably queries a site like whatismyipaddress.com to get the public IP of the location it's connecting through - it would be incredibly stupid and not very dangerous if it only sent the system's own IP. This would explain why TOR and VPNs could defeat it.

    2. Colin Miller

      The Received-From: SMTP header might show the public IP address of the NAT that the infected machine is connected to.

  3. Destroy All Monsters Silver badge

    These guys are the biggest trolls on the planet

    Even more infuriating than Team America. And frankly, I bet it is even against ISIS-enhanced Sharia Law to even know handle universal turing machines. What do they think they are doing?

    Can we have a bacon item now?

    1. Anonymous Coward

      Re: These guys are the biggest trolls on the planet

      I didn't put this in my post, because I didn't really read the article too closely :-/, but don't they already have targets in mind before sending them this random e-mail? You'd think that they'd already have a target in mind, so wouldn't the e-mail/malware be redundant? Otherwise, if they don't have a target in mind, wouldn't it almost literally be like shooting in the dark?

      WTF ever. Amazingly, this "AdobeR1.exe" somehow gives malware a bad name. What makes the whole thing really sad for me is that they used "Adobe" in the filename, which might already be blocked by a shit ton of firewalls.

      1. Sir Sham Cad

        Re: already have a target in mind

        According to the article they sort of do have targets in mind. Essentially "people who don't like us on the Internet who might be reasonably local" but who could be anywhere, really.

        The idea of trying to get the IP address of these targets is to narrow down the possible places they could be in meatspace because they don't really know who they are or where they are beforehand.

      2. Anonymous Coward

        Re: What makes the whole thing really sad for me

        Sad for you?

        Isn't it a relief for you that this simplistic attempt wouldn't be likely to succeed?

    2. amanfromMars 1 Silver badge

      Re: These guys are the biggest trolls on the planet

      It is registered mainstream media launching wars and conflicts for puppet generals and the intellectually challenged and virtually inept and naive, Destroy All Monsters, although they be not alone in that venture.

      And to imagine that they be called and/or think of themselves as the Elite and Powers That Be and a POTUS on a COTUS is definitely a massive delusion in a created illusion. And all that it takes with IT Command and Control and CyberSpace Savvy is the sharing of greater intelligence with those searching and appreciative of greater intelligence and virtual applications which realise practical presentation of future event scenarios.

    3. Tapeador

      Re: These guys are the biggest trolls on the planet

      Agree agree agree. But - the un-ISIS-enhanced version of Sharia law wouldn't prohibit scientific knowledge, in fact I'm pretty sure scholars in the Islamic world were pretty great with science and maths, the first to systematize algebra, decimals, the decimal point, they preserved for us the works of the classical Greek and Roman canon (although I honestly don't know what they were thinking when they allowed Ovid's Ars Amoris to be transcribed...).

  4. Anonymous Coward

    Fake beard jihadi chic

    That righteousness fuelled funster at the front of the pic looks like he's styled his beard on the stoning scene in 'Life of Brian'. No wonder they have to create an institutionally misogynist society to get laid.

    1. Anonymous Coward

      Re: Fake beard jihadi chic

      Picture is an obvious fake, so no wonder it looks like the life of Brian. The beard, background and commando escort are photoshopped.

      As far as the hairy bits, I am 100% with 17th-18th century Cossacks on how to deal with religious fanatics belonging to that particular persuasion. In the first instance they shaved everything on one side (top to bottom) and "released into the community". For what they did in the second instance you can see the history books. It did work as they had a virtually zero re-offend rate.

      1. JCitizen

        Re: Fake beard jihadi chic

        Dear AC: yes they had a good anti-recidivism rate - because they also participated in the Jewish Pogroms. They weren't prejudiced, they just killed everybody.

      2. Eddy Ito

        Re: Fake beard jihadi chic

        Fake!!! What are you saying? It's clear from the photo that what we've known all along is true. They carry M-16 type rifles instead of AKs because as we know AKs are so expensive and hard to get while M-16s are handed out like candy on Halloween. Wait, what?

  5. Anonymous Coward

    Where does it get the IP address from?

    If it gets it from the PC, wouldn't it be 10.0.0.24 or something like that? Surely each PC in an internet cafe doesn't have a routable IP? The US having hogged the bulk of the IPv4 addresses may end up saving lives....talk about random unintended consequences!

    1. Anonymous Coward

      Re: Where does it get the IP address from?

      It's easy enough to get the WAN IP. I assume that's what the article actually means.

      It's trivial to side-step (TOR, VPN, not running random crap, etc).

      1. Jos

        Re: Where does it get the IP address from?

        Correct. For a detailed description on how the whole thing works:

        https://citizenlab.org/2014/12/malware-attack-targeting-syrian-isis-critics/

        For the IP address, in one of the steps it explains:

        "Next, “rundl132.exe” performs an HTTP GET request to myexternalip.com and collects the external IP of the infected machine"

        The result file they create is sent to an email address, so there goes an easy attempt to flood the b*stards with a list of a couple of blocks of class A addresses.
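From a defender's side, the behaviour quoted from the Citizen Lab write-up (an HTTP GET to an external-IP lookup service, then the result mailed out) is a usable detection pattern. The following is an added example, not Citizen Lab's or anyone else's code: it runs over a few constructed proxy/firewall log lines (the format and IPs are made up for the example; the lookup hostnames are the ones mentioned on this page) and flags internal hosts that query an external-IP service and then open an outbound SMTP connection within a short window.

```python
import re
from datetime import datetime, timedelta

# External-IP lookup services mentioned on this page; extend with others you see.
IP_LOOKUP_HOSTS = {"myexternalip.com", "whatismyipaddress.com"}
SMTP_PORTS = {25, 465, 587}
WINDOW = timedelta(minutes=10)

# Constructed sample log (not real data). Assumed line format:
# "<ISO timestamp> <src_ip> <dest_host_or_ip> <dest_port>"
SAMPLE_LOG = """\
2014-12-18T10:00:01 10.0.0.24 www.example.org 443
2014-12-18T10:02:15 10.0.0.24 myexternalip.com 80
2014-12-18T10:02:16 10.0.0.24 198.51.100.7 25
2014-12-18T10:05:00 10.0.0.31 whatismyipaddress.com 80
2014-12-18T10:30:00 10.0.0.31 198.51.100.7 25
2014-12-18T11:00:00 10.0.0.52 198.51.100.7 587
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse(log_text):
    """Yield (timestamp, src_ip, dest, port) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the job
        ts, src, dst, port = m.groups()
        yield datetime.fromisoformat(ts), src, dst.lower(), int(port)


def find_lookup_then_smtp(log_text, window=WINDOW):
    """Return (src_ip, lookup_time, smtp_time) for each host that queried an
    external-IP service and then opened outbound SMTP within `window`.
    Lines are assumed to be in chronological order."""
    last_lookup = {}  # src_ip -> time of its most recent external-IP lookup
    hits = []
    for ts, src, dst, port in parse(log_text):
        if dst in IP_LOOKUP_HOSTS:
            last_lookup[src] = ts
        elif port in SMTP_PORTS and src in last_lookup:
            if ts - last_lookup[src] <= window:
                hits.append((src, last_lookup[src], ts))
                del last_lookup[src]  # report each lookup at most once
    return hits
```

Legitimate VPN clients and curious users also hit these lookup sites, so treat a hit as a triage lead (check the process that made the request) rather than a verdict.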

  6. jake Silver badge

    .zip? Really?

    I guess they have progressed from goat herding to MS-DOS 3.0

    I'm quivering in my boots.

  7. gnasher729 Silver badge

    Darwin was heavily criticised for saying that man descended from the ape.

    The photo gives definite proof that he was right.

  8. Jaffire

    Return Fire!

    Time we played them at their own game: release a regionalised version of Goat Simulator (ISIS edition perhaps?) combined with a payload of <insert government agency here> snooping software.

    1. Anonymous Coward

      Re: Return Fire!

      Surely you mean Goatse simulator.

      The sight of Goatse's gape would surely drive the morons wild with lust.

  9. Terry 6 Silver badge

    Opposition

    This might be a crude attack, but it's aimed at opposition fighters, not techies. Possibly people with limited understanding of the internet and its risks.

    And may well be stage one. With more sophisticated stuff to come.

  10. harmjschoonhoven

    Weapon of choice

    The pic shows two M-16 rifles. Not the AK-47 preferred by ISIS. And the guy at the front does not look as if he is happy to go to paradise.

  11. Dodgy Dave

    Where does it send the IP addresses?

    With a small amount of scripting, and perhaps an EC2 instance or two, we could of course send /every/ IPv4 address to these neanderthals' server. It's clear they hate all of us, so they perhaps need to know where we all live.

    1. Paul Hovnanian Silver badge

      Re: Where does it send the IP addresses?

      I can just see the ISIS hackers geolocating 127.0.0.1 and mounting an attack.

  12. Bleu

    Heads up for Mr.Thompson

    'largely controlled by the Free Syrian Army and Kurdish forces'

    Indeed, there are Kurdish forces, but there is no 'Free Syrian Army', they are all partying with IS or ISIL, Daesh, whatever you want to call it, or the weaker but similar groups.

    I would request, as Reg policy, because it is not a rare given name for girls among more enlightened families in north africa at least, please stop referring to this band of pigs as ISIS.

    1. Anonymous Coward

      Re: Heads up for Mr.Thompson

      Given the problem some halfwits seem to have with the difference between paediatrician and paedophile, I'm half expecting a news report of some right wing nutter going postal in the British museum's Egyptology section.

  13. TheWeddingPhotographer

    modernity

    Seems the rejection of modernity is a pick and choose option in their philosophy

    1. Terry 6 Silver badge

      Re: modernity

      It's not modernity they reject, it's modern civilisation. They seem to want the 14thC but with technology. They seem to have made very good use of the interwebs to get their foul messages across.


  14. JCitizen

    I say!

    Citizen Lab has a rather nice ring to it! I'm not sure why? (nudge-nudge)
