SANS ISC: Iranian hacktivism - SANS Internet Storm Center


Iranian hacktivism

With the increase in violence in Iran following the recent election, it was only a matter of time before we saw some hacktivism. As in previous cases, people are again calling on supporters of one side or the other to attack certain web sites. Back in January we saw Israeli proponents asking people to run a special program that would attack Palestinian web sites (http://isc.sans.org/diary.html?storyid=5638). It turned out that this "special" program was actually a Trojan horse, so the people behind it obviously had a somewhat different agenda.

Regarding the current events in Iran, it is interesting to see proponents inviting people to support their cause over Twitter: they post instructions on how to launch DDoS attacks against Iranian sites as Twitter updates. Twitter has clearly become increasingly interesting to hacktivists because of its large user base.

So far I've seen two groups launching DDoS attacks against Iranian web sites; in both cases the attacks are technically very, very simple.

The first group created a special web page that supporters are asked to visit. The page is very simple: it creates 10 iframes, each pointing to a different site in Iran. The visitor can then set the interval at which the iframes are refreshed, and the browser will reload every site on the list shown below at that interval. This is a poor man's DDoS; what is interesting is that I've seen a very similar method used by the Cyber Jihad program last year.

iframes pointing to Iranian web sites

The second group uses a slightly more advanced approach. They created a .NET application called "Low Orbit Ion Cannon" (LOIC). It is a very simple HTTP and TCP/UDP flooder, as the screenshot below shows. All the user has to do is enter the target web site and/or IP address and click the Launch button, after which the tool starts the attack in the background.

LOIC
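Both attacks leave a distinctive footprint in the target's web server logs, which is what makes them simple to analyze and filter. The following Python script is an added example, not code from this diary, from the hacktivist page or from LOIC. It parses combined-format (Apache/nginx) access log lines and flags the two patterns described above: a browser reloading an iframe on a timer, which hits the target at a near-constant interval and, because the iframe lives inside a foreign page, carries that page as its Referer; and a plain HTTP flooder, which simply exceeds any reasonable per-source request rate. The hostnames, IP addresses and referer URL are placeholders, and the log lines are constructed inside the script rather than taken from a real server.

```python
"""Added example: flag the two flood patterns described above in combined-format
(Apache/nginx) access logs.  Not code from the diary, from the hacktivist page or
from LOIC.  Hostnames, addresses and the referer URL are placeholders."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
OWN_HOSTS = {"www.example.test"}  # assumed: the hostname(s) this log belongs to


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def referer_host(referer):
    """Hostname part of a Referer URL, or None for '-' and non-URL values."""
    m = re.match(r"https?://([^/]+)", referer)
    return m.group(1).lower() if m else None


def iframe_refresh_clients(entries, min_hits=5, max_jitter=0.5):
    """Detect browsers reloading us from an iframe on a timer.

    Each reload carries the hostile parent page as Referer, so group by
    (client, foreign referer) and flag pairs whose inter-request gaps are
    near-constant (std dev <= max_jitter seconds).  Returns {pair: mean gap}.
    """
    by_pair = defaultdict(list)
    for e in entries:
        host = referer_host(e["referer"])
        if host and host not in OWN_HOSTS:
            by_pair[(e["ip"], e["referer"])].append(e["ts"])
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if statistics.pstdev(gaps) <= max_jitter:
            flagged[pair] = round(statistics.mean(gaps), 1)
    return flagged


def http_flood_clients(entries, window=10, threshold=50):
    """Detect plain HTTP flooders: any source with >= threshold requests inside
    a sliding window of `window` seconds.  Returns {ip: peak requests in window}."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["ts"])
    span = timedelta(seconds=window)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > span:
                start += 1  # slide the window forward
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def analyze(lines):
    """Run both detectors over raw log lines; unparseable lines are skipped."""
    entries = [e for e in map(parse_line, lines) if e]
    return iframe_refresh_clients(entries), http_flood_clients(entries)


def build_sample_log():
    """Constructed sample traffic (not real log data): one browser sitting on the
    hostile iframe page, one LOIC-style flooder, one ordinary visitor."""
    t0 = datetime(2009, 6, 16, 12, 0, 0)
    fmt = '%s - - [%s] "GET %s HTTP/1.1" 200 512 "%s" "Mozilla/5.0"'

    def stamp(t):
        return t.strftime("%d/%b/%Y:%H:%M:%S +0000")

    lines = []
    for i in range(6):  # iframe reloaded every 3 s, Referer = hostile page
        lines.append(fmt % ("203.0.113.5", stamp(t0 + timedelta(seconds=3 * i)),
                            "/", "http://hostile.example.invalid/attack.html"))
    for i in range(60):  # 60 requests in under 4 s, no Referer at all
        lines.append(fmt % ("198.51.100.7", stamp(t0 + timedelta(milliseconds=66 * i)),
                            "/index.php", "-"))
    for sec, path in ((0, "/"), (17, "/news.html"), (61, "/about.html")):
        lines.append(fmt % ("192.0.2.9", stamp(t0 + timedelta(seconds=sec)),
                            path, "http://www.example.test/"))
    return lines


if __name__ == "__main__":
    refresh, flood = analyze(build_sample_log())
    for (ip, ref), period in refresh.items():
        print(f"iframe refresh: {ip} reloads every {period}s, parent page {ref}")
    for ip, peak in flood.items():
        print(f"http flood: {ip} sent {peak} requests inside a 10 s window")
```

The ordinary visitor is not flagged by either detector: its requests are irregular, few, and carry the site's own hostname as Referer. In practice the iframe detector is the more useful of the two, because the shared foreign Referer identifies the hostile page itself and lets you drop every request that carries it with a single rewrite or firewall rule, whereas the rate detector only gives you individual flooder addresses to block.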

The two attacks described show that hacktivism is still in its early days: both tools have some bugs and are relatively easy to analyze and mitigate (even though the authors of LOIC used Eziriz's .NET Reactor to protect the code).
We will of course keep an eye on developments and post additional diaries if anything interesting comes up.

--
Bojan

For what it's worth, LOIC has been around for a while; the Iranians didn't create it.
Anonymous