New fear: ISIS killers use 'digital AK-47' malware to hunt victims
New code built in-house targets innocents fending off deranged terrorists
Malware has emerged from war-torn Syria targeting those protesting the rule of ISIS (ISIL, Islamic State, whatever the murderous humanity-hating fanatics are calling themselves these days.)
The trivial Windows spyware, analyzed by University of Toronto internet watchdog Citizen Lab, was sent out in a small number of emails aimed squarely at members of the group Raqqah is being Slaughtered Silently (RSS) – which is holed up deep in ISIS-controlled territory and campaigning against the medieval terror bastards.
The booby-trapped emails purport to come from a Canadian expat group that wants to help the fight against ISIS. The messages ask the recipients to check over a report about the actions of the religious fanatics. Clicking on the URL leads to a file-sharing account with TempSend, and downloads an archive called slideshow.zip.
While the zipped folder does contain a few maps, it also holds some simple but dangerous spyware called AdobeR1.exe: when run, it emails the infected system's public IP address to its masters. There's no backdoor or other sort of remote access – the computer simply emails out its network address whenever it boots up.
Just getting the IP address may not sound like much, but it could be useful information in the hands of a determined killer, and may narrow down the location of a target, if not pinpoint it using geolocation.
Syria's internet access is so fractured and scarce that mapping IP addresses to particular locations isn't impossible: imagine a person regularly using a cafe for web access; if ISIS can map the cafe's network address to its physical location, it will know exactly where that person is when he or she switches on their laptop.
(This is assuming the target hasn't heard of Tor or VPNs. Of course, if the IP address leads to the wrong place, kicking down a door and slaughtering everyone inside is just a Monday morning jolly for ISIS, anyway.)
In areas of the bloodstained country still run by the Assad regime, internet access is provided by the state telco, which of course has its own IP address block. So a machine running the spyware with a network address in that range could well be within those Assad-held sectors.
In the north of the country, largely controlled by the Free Syrian Army and Kurdish forces, internet access is almost exclusively provided via commercial satellite internet, which again has its own IP range.
And someone with the right skills could use the leaked public IP addresses to prod a victim's machine for software vulnerabilities to exploit, leading to a full system compromise and, ultimately, death.
'It definitely looks like it has been developed internally'
This malware is pretty basic and buggy, we're told. Citizen Lab senior security analyst Seth Hardy told The Register that the code only sends out the initial IP discovered, and doesn't update itself, which the analysis team think is down to bad coding. The emails it sends out also don’t use any encryption.
On the balance of probabilities, Citizen Lab thinks it's highly likely the malware involved has been developed by ISIS. The Syrian government has its own spyware that installs a backdoor and opens link back to government agents so they can remotely control the infected PC.
The other possibility is that the code has been purchased from one of many unscrupulous outfits that sell malware to the highest bidder, often quite legally. But the new sample doesn't look like it came from one of these cyber-merchants.
"It's not even close to commercial samples," Hardy said. "It definitely looks like it has been developed internally."
The spyware has now been fingerprinted and the signatures published for antivirus products to use, so hopefully security software companies will be able to block further infections. But Hardy said it would be "trivial" to tweak the code to evade detection again.
It's possible the code is the work of British hacker Junaid Hussain, who was sentenced to a six-month stretch behind bars in 2012 for infiltrating the email account of an aide to Tony Blair, and flooding the UK's national anti-terrorism hotline with spoof calls.
Hussain has since skipped bail and fled Blighty. According to various tweets he is now operating in ISIS-controlled territory and may be using his computer skills to create malware, as he did in his earlier hacking attacks.
"We can't say for certain where this malware came from, but based on what we're seeing in the Lab the entry costs and expertise needed for these kinds of attacks is falling drastically" John Scott-Railton, coauthor of the Citizen Lab study, told The Register.
"Malware like this is becoming the digital equivalent of the AK-47; it's cheap, easy to use, and can be very dangerous when it's used by militant groups looking to find their enemies." ®