The Electronic Jihad (that wasn’t)
“The Electronic Jihad”
Islamists are making a concentrated effort to wield their influence and protect their interests in a number of ways. This may be by attacking websites that present a message they don’t agree with, or by using their own websites to spread their special blend of intolerance and hatred.
In the first case the attacks typically consist of Distributed Denial of Service (DDoS) attacks or the defacement of the website under attack. The recent attacks on the Jawa Report and Aarons Rantblog are shining examples of this sort of attack in use. Zone-H, Jihad Watch and the Jamestown Foundation recently reported on an Islamist website that claims the following:
On the Electronic Jihad website, the moderator of the website claims that the site organizers do not belong to any specific Islamic group or sect, instead pointing out that they are fighting on behalf of all Muslims, united under one flag to defend Islam. The website domain, however, is registered to an “Ahmad Adel” who has an Iraq mailing address, although it is not clear whether this is a false name and address. The site itself appears to be hosted by Saudi Arabian company IBTEKARAT.com, based in Saida. Software companies and programmers will, eventually, figure out ways to counter the hacking programs used by Electronic Jihad, but it will only hold off the determined jihadis temporarily until they devise other methods to attack sites that they believe offend Islam.
The website in question, “al-jinan.org”, claims to be providing aspiring cyber-jihadis with DDoS tools and will then assist in identifying targets and co-ordinating attacks by its users. With that in mind, I fired up a sandbox and went and downloaded the tools in question for some “behavioral analysis” to see what was what.
Both Norman Sandbox and VirusTotal found the tools in question to be free of malware, so I loaded them up in a VMware sandbox. The two programs are “e-Jihad 1.5” (the actual DDoS tool) and “Jihad-Reminder” (snicker).
The “jihad-reminder” client idles on the Windows taskbar and promptly checks in with the command and control server. The client immediately begins receiving packets from a server at “126.96.36.199”. The IPWhois for this server has it in Helsinki, Finland:
route: 188.8.131.52/15
descr: TDC Song Oy
origin: AS3246
notify: firstname.lastname@example.org
mnt-by: AS6793-MNT
changed: email@example.com 19980204
changed: firstname.lastname@example.org 20020802
changed: email@example.com 20021021
changed: firstname.lastname@example.org
The tool makes a “GET” request to “http://al-jinan.org/jhrm.php” and receives data there. It also makes a request to “jo-uf.net”, which is registered to the following individual in the United Kingdom:
DOMAIN: JO-UF.NET
RSP: united-domains AG
URL: http://www.united-domains.de/
created-date: 2002-12-19
updated-date: 2006-09-15
registration-expiration-date: 2013-12-19
owner-contact: P-AYA234
owner-fname: Ahmad
owner-lname: Adel
owner-street: jannaah street
owner-city: esmaeiliya
owner-zip: 90018
owner-country: IQ
owner-phone: +964.972059870894
owner-email: email@example.com
admin-contact: P-LRU22
admin-fname: Lycos
admin-lname: UK
admin-street: Ireland 52 Grosvenor Gardens
admin-city: London
admin-zip: SW1 0AU
admin-country: GB
admin-phone: +44.2078816500
admin-email: firstname.lastname@example.org
tech-contact: P-LLE31
tech-fname: Lycos
tech-lname: Europe
tech-street: 79 rue de Monceau
tech-city: Paris
tech-zip: 75008
tech-country: FR
tech-phone: +33.156594508
tech-email: email@example.com
billing-contact: P-LNE32
billing-fname: Lycos
billing-lname: Europe
billing-street: 79 rue de Monceau
billing-city: Paris
billing-zip: 75008
billing-country: FR
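For defenders who want to check whether any host on their network ran the client, the check-in behaviour described above can be hunted for in web proxy logs. The following is an added example, not code from the original post or from the tools it analyses; the log format, client addresses and timestamps are constructed, and only the two domains and the `/jhrm.php` path come from the post.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators taken from the post: the check-in URL and the second contacted domain.
INDICATOR_DOMAINS = {"al-jinan.org", "jo-uf.net"}
CHECKIN_PATH = "/jhrm.php"

# Constructed sample proxy log (assumed format: time client method url status).
SAMPLE_LOG = """\
2024-01-01T09:00:01Z 10.0.0.23 GET http://al-jinan.org/jhrm.php 200
2024-01-01T09:00:02Z 10.0.0.23 GET http://JO-UF.NET./ 200
2024-01-01T09:00:05Z 10.0.0.41 GET http://www.example.com/index.html 200
2024-01-01T09:05:01Z 10.0.0.23 GET http://www.al-jinan.org:80/jhrm.php?x=1 200
2024-01-01T09:06:00Z 10.0.0.57 GET http://notal-jinan.org.example.com/jhrm.php 200
malformed line
"""

def normalize_host(url):
    """Lower-case the host and drop port and trailing dot; None if unparsable."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None

def matches_indicator(host):
    """True for an indicator domain or a subdomain of it (match on a label boundary)."""
    return any(host == d or host.endswith("." + d) for d in INDICATOR_DOMAINS)

def find_hits(log_text):
    """Return {client_ip: [(timestamp, host, is_checkin), ...]} for matching requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not fit the assumed format
        ts, client, _method, url, _status = fields
        host = normalize_host(url)
        if host and matches_indicator(host):
            is_checkin = urlsplit(url).path == CHECKIN_PATH
            hits[client].append((ts, host, is_checkin))
    return dict(hits)

if __name__ == "__main__":
    for client, events in find_hits(SAMPLE_LOG).items():
        checkins = sum(1 for _, _, c in events if c)
        print(f"{client}: {len(events)} indicator requests, {checkins} check-ins")
```

Matching on a label boundary keeps look-alike hosts such as the constructed `notal-jinan.org.example.com` from producing false positives, while still catching subdomains, mixed case and explicit ports.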
There’s not really much to say about the DDoS tool “e-Jihad 1.5”; it’s just a basic packet generator that sends ping requests, garbage packets and GET requests to the target. The website address that populates the DDoS client target field by default is that of “MECA” (www.meca-love4all.com), the Middle East Christian Association. Not a big surprise there.
In my opinion these “e-Jihad hack-tools” aren’t all they are cracked up to be; it has been my experience that the average script kiddie possesses more capable tools than this. Having these tools downloaded and installed probably helps the haji’s morale more than anything else.
As always, comments are welcome below.