SANS ISC: Iranian hacktivism

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

With the increase of violence in Iran due to the recently held election, it was just a matter of time when we will see some hacktivism. Similarly to some previous cases, we are again seeing people calling supporters of one or the other side to attack certain web sites. Back in January we saw Israeli proponents asking people to run a special program that will attack Palestinian web sites (http://isc.sans.org/diary.html?storyid=5638). It turned out that this "special" program was actually a Trojan horse, so obviously people behind it had a little bit different agenda.

Regarding the current events in Iran, it was interesting to see that proponents are inviting people to support their case over Twitter – they posted instructions on how to launch DDoS attacks against some Iranian sites as Twitter updates. It's clear that Twitter became increasingly interesting to hacktivists due to a large user base.

So far I've seen two groups launching DDoS attacks against Iranian web sites – in both cases we are talking about technically very, very simple attacks.

The first group created a special web page that supporters should visit. This web page is very simple – it creates 10 iframes, each iframe pointing to a different site in Iran. The visitor can then change the frequency which will be used to refresh iframe status. The browser will then regularly refresh every single web site from the list attached below. This is a poor man's DDoS; what's interesting is that I've seen a very similar method used by the Cyber Jihad program last year.



The second group uses a bit more advanced approach. They created a .NET application called "Low Orbit Ion Canon". This is a very simple HTTP and TCP/UDP flooder, as you can see in the screenshot below. All the user has to do is enter the target web site and/or IP address and click on the Launch button after which the tool will start the attack in the background.



The two attacks described show that hacktivism is still in its early days – both applications have some errors and are relatively easy to mitigate and analyze (even after the authors of LOIC used EZIRIZ's .NET Reactor to protect the code).
We will keep an eye on the development of the situation, of course, and post additional diaries if there is something interesting.

--
Bojan