The enemy within
Written by Steve Dinneen Sunday, 10 February 2008 13:58

The more observant among you may have noticed the Brazen site was hacked a couple of days ago. The front page was replaced with a black screen bearing the slogan "Hacked By holocaust & BlackCAT!" - the exclamation mark presumably to demonstrate just how smug "holocaust" or "BlackCAT" were at gaining access to the world's finest web rag®.
Thankfully our resident tech wizard was able to restore usual service within a few hours and we're working on a security upgrade to stop it from happening again. But who were holocaust and BlackCAT and what significance did the Brazen site have to their evil plans?
A few Google searches reveal they are part of a network of (probably unrelated) hackers using a tweaked version of the Santy worm.
A worm is a self-replicating program that uses a network to send copies of itself to other victims. Unlike a virus it does not need to attach itself to an existing program.
The Santy worm, first released in 2004, was spread through Google adverts and targeted any site it came across whose phpBB software - used to host forums and blogs - had security lax enough for it to take over the page.
It displayed the message "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm," again showing the hacker's propensity to overuse punctuation. Within 24 hours of the worm's release an estimated 40,000 sites had been affected.
The hack on Brazen was an almost identical worm with an altered message - the equivalent of scrawling a tag over a bus stop - an outdated, simplistic and ultimately pretty harmless piece of vandalism.
But the same hackers have released newer generations of the worm which are more complex and, just as worrying, increasingly political in nature.
The most recent creation by holocaust, currently burrowing its way through Google, causes sites to display a graphic of the Turkish flag, images of soldiers and the slogan: "Our Martyrs Will Get The Hold Responsible..! We will your curse in internet yet again. Our war dont't [sic] stop 'till eliminate to all PKK PKK supporters and sympathizer (USA, EU) sites. Our answer take back with a very hard something for every teror [sic] action. Our any martyrs blood isn't be left over. We are swearing on honour and laurels.." The hacked sites even play the Turkish national anthem on a loop.
The PKK, or the Kurdistan Workers Party, is a militant Kurdish organization founded in the 1970s aiming to found an independent socialist Kurdish state in the area that comprises parts of south-eastern Turkey, north-eastern Iraq, north-eastern Syria and north-western Iran. The revolutionary Marxist PKK is listed as a terrorist organization by the United States, NATO and the European Union, among others. Other versions of holocaust's worm berate the Italian government for selling landmines to the PKK - and say their campaign of internet terror will not stop until Italy has ceased landmine production and apologised for its involvement.
Holocaust and BlackCAT are not the only politically motivated Turkish hackers - a whole community of geeks have risen to the political calling. In fact, the Turkish hacking community ranks among the biggest in the world, despite being in the shadow of its Russian and Brazilian counterparts. Most use similar tactics to holocaust - using basic programs that cause impacting but superficial damage. A hacker calling himself sari_seytan manipulates links and images within sites, changing text to display political messages ("hacked by sari_seytan and Peace For Ever Peace Crew Hack Team - Turkish Muslims Hacker").
While holocaust has infected around 5,000 sites, sari_seytan boasts over 35,000. KavaLye works in a similar way and has racked up almost 1,000 defaced sites - others include ENO7 TURKISH HACKER and GokTurk.
The IP addresses of the offending pages can usually be traced back to TurkTelecom and some sites are even taking the drastic step of blocking all users with IP addresses originating there.
The hackers even have their own YouTube postings, where they display screen-grabs of their victims (including Greek football team Panathinaikos), press cuttings of their activities and more images of soldiers and men in balaclavas - complete with the ubiquitous national anthem.
As the Santy worm and its ilk are no longer under the control of their creators once released, affected sites usually have no common link - Spanish estate agents, American neuroscience journals, British equestrian sites. However, there does seem to be an attempt to introduce a religious aspect at the source. Israel-based website Doing Zionism, a large-scale Google advertiser, is one of the sites the worm initially passed through - which, I suspect, was not merely a coincidence. The site has been known to feature ads on the Brazen page (despite our zealous dislike of all things God) - and it seems likely we were infected through this.
Most of the damage is entirely reversible, little more than an initial shock followed by a minor inconvenience, but it is likely the techniques deployed by these hackers will become increasingly sophisticated. This may not be the last we hear of holocaust and BlackCAT.



