Anti Virus Softwares

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Friday, 18 December 2009

Who is the "Iranian Cyber Army"? Twitter DNS Redirect

Posted on 06:16 by Unknown
(Update: 12JAN10 - Iranian Cyber Army Returns -- Target: Baidu.com )

#1 Search on Google in the past hour: "Iranian Cyber Army"
#2 Search on Google in the past hour: "Twitter hacked"

What do these things have to do with each other?

A formerly unknown group, the Iranian Cyber Army, was able to redirect the DNS for Twitter, causing all visitors to be temporarily redirected to another IP address, not belonging to Twitter, and sharing the message from the Iranian Cyber Army that they are cooler hackers than you.

Since we do actually track website defacers at UAB, and since we've never heard of the Iranian Cyber Army, we thought we would take a quick peek in our favorite Iranian hacker rooms to see who was boasting of their conquest.

First we found "vhdmsm" sharing details of the attack in the Iranian Hacker Forum, Ashiyane Digital Security.

They quote the defacement:

========================

Iranian Cyber Army

THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY

iRANiAN.CYBER.ARMY@GMAIL.COM

U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don't, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To....

NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?

WE PUSH THEM IN EMBARGO LIST

Take Care

=====================
and post links to the Twitter Blog entry about the attack, and a CNET news story.

But there is no indication they were themselves involved.

We're going to need some more evidence. Perhaps someone should be talking to the folks at BlueHost this morning.

See for yourself?


A little twiddling with various DNS Caching systems, and we were able to find the IP address to which traffic had been redirected:

66.147.244.182

There are some interesting domains there, including:

http://mowjcamp.net/

That site is interesting, because its on Bluehost, in the United States.

which currently shows content made from these graphic files (I've moved them to a more permanent location...just in case):










In my opinion, it looks like that server was compromised via WordPress vulnerabilities, but that is just an educated guess based on content at this time. So, it looks like the hacker first hacked one of the sites on the Bluehost box, other mowjcamp.org, wpcrowd.com, or coventryri.com, then redirected all the twitter traffic to that IP by changing the Nameserver entries for Twitter to point away from their normal Google-provided IP addresses to 66.147.242.88 instead.

Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • From Russia, With Love . . . new Postcard spam spies on your PC
    Isn't it nice to have friends who send you postcards? The UAB Spam Data Mine is especially fortunate in that way. Beginning the evenin...
  • Happy New Year! Here's a Virus! (New Year's Postcard malware)
    I've been busy this week looking at the various defacements (see ComputerWorld , and ABC News ) and other cyber attacks (see yesterday...
  • ACH Spammer switches to Shortened URLs
    For many weeks now the spammers behind one particular malware family have been fighting a running battle to keep their malware-hosting domai...
  • Tempting Photo Attachments Lead to Fake AV
    One of today's largest malicious spam campaigns continued an occasional theme we've been seeing for a few weeks. A subject line, fo...
  • Indictments reveal $77 Million in Illegal Pill Sales
    Congratulations to the Daytona Beach FBI, US Attorney Robert O'Neill, and their colleagues at IRS and FDA. The Daytona Beach News report...
  • Most Dangerous Cities for Cyber Crime?
    Symantec Riskiest Cybercrime Cities Symantec released a study today in conjunction with Sperling's Best Places today. According to thei...
  • Morocco based "Team Evil" reroutes prominent Israeli websites
    After more than 10,000 websites being defaced in protest of Israeli actions in Gaza, Morrocco-based defacement team "Team Evil" ha...
  • Minipost: Google v. Pacific WebWorks
    I blogged recently about the "Google Jobs" scammers who were abusing Twitter, Blogspot, Google Reader, and spaces.live.com by crea...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • WIRED: November Jargon Watch & Forensics?
    One of my NASA buddies (hi, Lisa!) dropped by last week for coffee and to catch up on the world of information management. When I introduce...

Categories

  • Blogs
  • Calendar
  • china
  • Communities
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • Drivers
  • email
  • Excel 2007
  • facebook
  • fake av
  • Features
  • Firewall
  • Gadgets
  • gumblar
  • Hardware
  • Hotmail
  • IE7
  • Internet Explorer 7
  • koobface
  • law enforcement
  • malware
  • Microsoft
  • Outlook
  • pharmaceuticals
  • phishing
  • PowerPoint 2007
  • public policy
  • Ready Boost
  • ReadyBoost
  • Security
  • Sidebar
  • Software
  • spam
  • Tutorials
  • twitter
  • twitter malware
  • USB
  • Virtual PC
  • Vista
  • waledac
  • Wallpaper
  • Websites
  • Windows
  • Windows Live
  • Windows Vista
  • Word 2007
  • zbot

Blog Archive

  • ►  2013 (17)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ►  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ►  January (7)
  • ▼  2009 (93)
    • ▼  December (12)
      • New Year's Waledac Card
      • 2009 Year in Review
      • A donde se va Avalanche? BBVA! y United Bankers ...
      • Some updates . . . Visa/Zeus and Google Jobs
      • Who is the "Iranian Cyber Army"? Twitter DNS Redi...
      • China changes registration rules - will spam chang...
      • Ongoing VISA scam drop Zeus Zbot
      • Minipost: Google v. Pacific WebWorks
      • Yet Another Facebook spam - New Zeus / Zbot threat
      • Webmasters Targeted by CPANEL phish
      • Minipost: CDC Version of Zeus?
      • Google Jobs Scam: Read the Fine Print
    • ►  November (11)
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (7)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ►  2008 (109)
    • ►  December (7)
    • ►  November (17)
    • ►  October (12)
    • ►  September (10)
    • ►  August (23)
    • ►  July (14)
    • ►  June (3)
    • ►  May (8)
    • ►  April (6)
    • ►  March (2)
    • ►  February (3)
    • ►  January (4)
  • ►  2007 (37)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  April (2)
    • ►  March (2)
    • ►  February (2)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile