« A Blackwater Security Sniper in Iraq
3rd Battalion, 1st Marines in Fallujah »

The Electronic Jihad (that wasn’t)

“The Electronic Jihad”

Islamists are making a concentrated effort to wield their influence and protect their interests in a number of ways. This may be by attacking websites who are presenting a message that they don’t agree with or by using their own websites to spread their special blend of intolerance and hatred.

In the first case the attacks typically consist of Distributed Denial of Service (DDoS) attacks or the defacement of the website under attack. The recent attacks on the Jawa Report and Aarons Rantblog are shining examples of this sort of attack in use. Zone-H, Jihad Watch and the Jamestown Foundation recently reported on an Islamist website that claims the following:

On the Electronic Jihad website, the moderator of the website claims that the site organizers do not belong to any specific Islamic group or sect, instead pointing out that they are fighting on behalf of all Muslims, united under one flag to defend Islam. The website domain, however, is registered to an “Ahmad Adel” who has an Iraq mailing address, although it is not clear whether this is a false name and address. The site itself appears to be hosted by Saudi Arabian company IBTEKARAT.com, based in Saida. Software companies and programmers will, eventually, figure out ways to counter the hacking programs used by Electronic Jihad, but it will only hold off the determined jihadis temporarily until they devise other methods to attack sites that they believe offend Islam.

The website in question “al-jinan.org” claims to be providing aspiring cyber-jihadis with DDoS tools and will then assist in identifying targets and co-ordinating attacks by it’s users. With that in mind I fired up a Sandbox and went and downloaded the tools in question for some “behavioral analysis” to see what was what.


Both Norman Sandbox and Virus Total found the tools in question to be free of malware so I loaded them up in a VMWare sandbox. The two programs are “e-Jihad 1.5″ (the actual DDoS tool) and “Jihad-Reminder” (snicker).


The “jihad-reminder” client idles on the Windows taskbar and promptly checks in with the command and control server. The client immediately begins receiving packets from a server at “62.236.34.97″ the IPWhois for this server has it in Helsinki, Finland.

route:          62.236.0.0/15
descr:          TDC Song Oy
origin:         AS3246
notify:         hostmaster@song.fi
mnt-by:         AS6793-MNT
changed:        jorma.mellin@teliafi.net 19980204
changed:        tm2427@songnet.fi 20020802
changed:        petteri.helin@songnetworks.fi 20021021
changed:        hostmaster@songnet.fi

The tool makes a “GET” request to “http://al-jinan.org/jhrm.php” and recieves data there. It also make a request to “jo-uf.net” who is registered to the following individual in the United Kingdom:

DOMAIN: JO-UF.NET

RSP: united-domains AG
URL: http://www.united-domains.de/

created-date: 2002-12-19
updated-date: 2006-09-15
registration-expiration-date: 2013-12-19

owner-contact: P-AYA234
owner-fname: Ahmad
owner-lname: Adel
owner-street: jannaah street
owner-city: esmaeiliya
owner-zip: 90018
owner-country: IQ
owner-phone: +964.972059870894
owner-email: serious.return@gmail.com

admin-contact: P-LRU22
admin-fname: Lycos
admin-lname: UK
admin-street: Ireland 52 Grosvenor Gardens
admin-city: London
admin-zip: SW1 0AU
admin-country: GB
admin-phone: +44.2078816500
admin-email: domains@webhosting.lycos.co.uk

tech-contact: P-LLE31
tech-fname: Lycos
tech-lname: Europe
tech-street: 79 rue de Monceau
tech-city: Paris
tech-zip: 75008
tech-country: FR
tech-phone: +33.156594508
tech-email: domains@webhosting.lycos.co.uk

billing-contact: P-LNE32
billing-fname: Lycos
billing-lname: Europe
billing-street: 79 rue de Monceau
billing-city: Paris
billing-zip: 75008
billing-country: FR

There’s not really much to say about the DDoS tool “e-Jihad 1.5″, it’s just a basic packet generator that sends ping requests, garbage packets and GET requests to the target. The website address that populates the DDoS client target field by default is that of “MECA” (www.meca-love4all.com) the Middle East Christian Association not a big surprise there.

In my opinion these “e-Jihad hack-tools” aren’t all they are cracked up to be, it has been my experience that the average script kiddie possesses more capable tools than this. Having these tools downloaded and installed probably helps the haji’s morale more than anything else.

As always, comments are welcome below.

This entry was posted on November 1, 2006 at 12:02 am and is filed under Counter Terror, Daily Rant . You can follow any responses to this entry through the RSS 2.0 feed You can leave a response, or trackback from your own site.

Leave a Reply