Approximately 24 hours ago, the Iranian opposition coordinated an ongoing cyber attack that has successfully managed to disrupt access to major pro-Ahmadinejad Iranian web sites, including the President's homepage which continues returning a "The maximum number of user reached, Server is too busy, please try again later..." message.
Through a combination of DIY (do it yourself) denial of service attack tools (DDoS), multiple iFrame loading scripts, public web page "refresher" tool, and a much more effective PHP script, the participants have already prompted some of the major Iranian outlets to switch to "lite" versions of their sites in an attempt to mitigate the attack.
Let's assess this very latest example of people's information warfare concept, find out which sites remain affected, and discuss the attack tools used:
The campaign appears to have been organized through Twitter, which despite public reports that the site has been banned in Iran, appears to be still accessible through a a persistent supply of proxy servers on behalf of the opposition.
Moreover, the ongoing distributed denial of service attacks, are using techniques which greatly resemble those used in last year's Russia vs Georgia cyber attack, and the ones Chinese hacktivists used back in 2008 in order to temporarily shut down CNN, with a single exception - there's no indication of a botnet involvement in the present attack.
Instead, the attack relies on the so called people's information warfare concept, which is the self-mobilization of individuals, or their recruitment based on political/nationalistic sentiments by a third-party, for conducting various hacktivism activities such as web site defacements, or launching distributed denial of service attacks.
The following are some of the sites that are currently under attack, remain totally unresponsive, or return "server is too busy" error messages:
- Ahmadinejad.ir - Mahmoud Ahmadinejad's Official Blog - under attack
- Leader.ir - Office of the Supreme Leader, Sayyid Ali Khamenei - under attack
- President.ir - Presidency of The Islamic Republic - under attack
- Farsnnews.com - Fars News Agency - under attack
- Irib.ir - Islamic Republic of Iran Broadcasting - under attack
- Kayhannews.ir - News Portal - "Service Unavailable"
- Irna.ir - Islamic Republic News Agency - "service unavailable"
- Mfa.gov.ir - Ministry of foreign affairs , Islamic Republic of Iran - under attack
- Moi.ir - Ministry of Interior - under attack
- Police.ir - National Police - under attack
- Justice.ir - Ministry of Justice - under attack
- Presstv.ir - Iranian Press TV - "server is too busy"
Chatter from the hacktivists' trenches send over Twitter, or web forums during the past 24 hours:
- "Overload Iran's propaganda websites--we can do it together!" - "we can suspend IRIB propaganda! just click & keep it refreshing!" - "Take part in disabling the iranian propeganda leave on as long as possible" - "Our efforts are working!!! RT @NewIRAN: Leader.ir; President.ir; FarsNews.com all now appear to be down" - "Iran needs your help. Help us flood Iran Govt sites khamenei.ir is one of our targets. Go to PageReboot.com and set @ 2 secs" - "we are currently flooding Iran Government websites - we have successfully taken down numerous sites already" - "Great news! PressTV.ir has been shut down thanks to our efforts!" - "IRIB, RESALAT, Kayhan, FarsNews, President.ir, and Leader.ir all brought down. Please help keep them down." - "president.ir is down!!!" - "SPREAD: tool for denial of service web attack. run on president.ir and irib.ir" - "I'm reaping at 200kb/sec baby." - "sweeeeeet, Farsnews is finally down! keep it up guys. I have 5 browsers open using Page Reboot." - "Let's continue the attack. They have a very efficient server compared to other sites, but we successfully killed it many times already. Try to reload your application." - "It's down again. I can't view it from NZ. Keep at it people." - "I'm going to set up a massive solo attack on Resalat using 8 virtual machines on 8 CPUs while I go to bed. I understand it'll be hard to make it go down but I'm going to try." - "done. I am also using couple of virtual M. Lets see if we can bring it down." - "HAHAHAHAHAHAHAHAHA!!!! RESALAT DOWN!!!!!!!!!! THAT WAS F*CKING BRUTAL!!!"
Among the first web-based denial of service attack used, is a tool called "Page Rebooter" which is basically allowing everyone to set an interval for refreshing a particular page, in this case it's 1 second. Pre-defined links to the targeted sites were then distributed across Twitter and the Web, through messages link the following :
"Please spread word about a cyber effort to exert pressure on the paramilitary in Iran. They have launched denial of service attacks on US websites that are run by live bloggers feeding us up to the minute information about what is going on in Iran on the ground. To fight back, open these two URLs in as many tabs/windows as possible and simply leave your computer running overnight! We must show solidarity with them in their quest for freedom! The 2nd link targets PressTV, the mouthpiece of Ahmadinejad and Khamenei."
The second stage of the campaign consisted in the distribution of a multiple iFrame loading script which was automatically refreshing farsnews.com; irna.ir and rajanews.com, the results of which you can see in the attached screenshot. The script has since changed its location and is advertised under a new domain.
The third stage included a combined attack, this time including DIY (do-it-yourself) denial of service tools (DDoS), which despite their primitive nature are indeed causing server overload for their targets. Each of the tools is distributed with a simple manual, including links to large images at the targeted web sites, one which the software using proxies will attempt to obtain automatically.
- Go through related hacktivism posts: Chinese hackers deface the Russian Consulate in Shanghai; Georgia President's web site under DDoS attack from Russian hackers; Thousands of Israeli web sites under attack; Pro-Serbian hacktivists attacking Albanian web sites; Hundreds of Dutch web sites hacked by Islamic hackers; 300 Lithuanian sites hacked by Russian hackers; Chinese hackers deface the Russian Consulate in Shanghai; China detains web site defacer spreading earthquake rumors
The tools themselves, BWRaeper.exe (detected as Worm.AutoIt.AA); PingFlooder.exe (flagged as banker malware); Server_Attack_By-_C-4.exe (Riskware.ServerAttack.F) and SupportIran.php, have already been picked up by antivirus vendors.
The following are the instructions found in the StopAhmadinejadOnline package, consisting of BWRaeper.exe and PingFlooder.exe :
"New hacking/DoS attack tool. Please learn and use: This is an online war 1. Please download 2. Extract it into a folder on your desktop and click on BWRaeper 3. Then click on Raep That's all.
FarsNews, AN's website, KHamenei's Website, IRIB and many other sites can be brought down with this technique. This is an online war. Don't let them win. They filter information, we will too. There's more of us. EDIT: Please add the following URLs to your list of URLs after you've completed the steps above. To do this, open the file "urls.txt" and paste the following line in it. Once you've added this URL, Run BWRaeper again
irna.ir/Images/uiImages.gif resalat-news.com/Pic/6729000.jpg resalat-news.com/image/Heder.jpg resalat-news.com/Pic/6729.gif resalat-news.com/Pic/6729011.jpg resalat-news.com/Pic/6729021.jpg"
"I also found another DOS file to attack. just another option. 1. dl this zip file from here and unzip it on ur desktop: 2. take IP address of IR sites(Farsnews.com, irna.ir, president.ir, rajanews.com) from here: http://www.selfseo.com/find_ip_address_of_a_website.php 3. insert the IP address in "Server Address" section and press Attack. 4. let it run and it'll attack all of their servers"
The last tool is a basic PHP script targeting those running a server that supports PHP in order to use it - "Want to help DDoS attack Iran gov't? Have a server that runs PHP? Use this script!".
SupportIran.php has also been released as an improved version to the multiple iFrame loader, and is currently used in the attack as well, having the following sites pre-defined to attack simultaneously - khamenei.ir; presstv.ir; irna.ir; president.ir; mfa.gov.ir; moi.ir; police.ir; justice.ir; live.irib.ir.
There have already been speculations that the magnitude of these local attacks -- Iranian users targeting Iranian web sites -- is contributing to the "strange changes in Iranian traffic transit" reported during the last couple of days.
The attacks are ongoing, updates will be posted as soon as they emerge.
An update to the ongoing DDoS attacks has been posted.