Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites

Summary: Approximately 24 hours ago, the Iranian opposition coordinated an ongoing cyber attack that has successfully managed to disrupt access to major pro-Ahmadinejad Iranian web sites, including the President's homepage which continues returning a "The maximum number of user  reached, Server is too busy, please try again later..." message.

Through a combination of DIY (do it yourself) denial of service attack tools (DDoS), multiple iFrame loading scripts, a public web page "refresher" tool, and a much more effective PHP script, the participants have already prompted some of the major Iranian outlets to switch to "lite" versions of their sites in an attempt to mitigate the attack.

Let's assess this very latest example of the people's information warfare concept, find out which sites remain affected, and discuss the attack tools used:

The campaign appears to have been organized through Twitter which, despite public reports that the site has been banned in Iran, appears to still be accessible through a persistent supply of proxy servers provided on behalf of the opposition.

Moreover, the ongoing distributed denial of service attacks use techniques which greatly resemble those used in last year's Russia vs. Georgia cyber attack, and the ones Chinese hacktivists used back in 2008 to temporarily shut down CNN, with a single exception: there is no indication of botnet involvement in the present attack.

Instead, the attack relies on the so-called people's information warfare concept, which is the self-mobilization of individuals, or their recruitment by a third party based on political/nationalistic sentiments, for conducting various hacktivism activities such as web site defacements or launching distributed denial of service attacks.

The following are some of the sites that are currently under attack, remain totally unresponsive, or return "server is too busy" error messages:

  • Ahmadinejad.ir - Mahmoud Ahmadinejad's Official Blog - under attack
  • Leader.ir - Office of the Supreme Leader, Sayyid Ali Khamenei - under attack
  • President.ir - Presidency of The Islamic Republic - under attack
  • Farsnews.com - Fars News Agency - under attack
  • Irib.ir - Islamic Republic of Iran Broadcasting - under attack
  • Kayhannews.ir - News Portal - "Service Unavailable"
  • Irna.ir - Islamic Republic News Agency - "service unavailable"
  • Mfa.gov.ir - Ministry of Foreign Affairs, Islamic Republic of Iran - under attack
  • Moi.ir - Ministry of Interior - under attack
  • Police.ir - National Police - under attack
  • Justice.ir - Ministry of Justice - under attack
  • Presstv.ir - Iranian Press TV - "server is too busy"

Chatter from the hacktivists' trenches sent over Twitter or web forums during the past 24 hours:

  • "Overload Iran's propaganda websites--we can do it together!"
  • "we can suspend IRIB propaganda! just click & keep it refreshing!"
  • "Take part in disabling the iranian propaganda leave on as long as possible"
  • "Our efforts are working!!! RT @NewIRAN: Leader.ir; President.ir; FarsNews.com all now appear to be down"
  • "Iran needs your help. Help us flood Iran Govt sites khamenei.ir is one of our targets. Go to PageReboot.com and set @ 2 secs"
  • "we are currently flooding Iran Government websites - we have successfully taken down numerous sites already"
  • "Great news! PressTV.ir has been shut down thanks to our efforts!"
  • "IRIB, RESALAT, Kayhan, FarsNews, President.ir, and Leader.ir all brought down. Please help keep them down."
  • "president.ir is down!!!"
  • "SPREAD: tool for denial of service web attack. run on president.ir and irib.ir"
  • "I'm reaping at 200kb/sec baby."
  • "sweeeeeet, Farsnews is finally down! keep it up guys. I have 5 browsers open using Page Reboot."
  • "Let's continue the attack. They have a very efficient server compared to other sites, but we successfully killed it many times already. Try to reload your application."
  • "It's down again. I can't view it from NZ. Keep at it people."
  • "I'm going to set up a massive solo attack on Resalat using 8 virtual machines on 8 CPUs while I go to bed. I understand it'll be hard to make it go down but I'm going to try."
  • "done. I am also using couple of virtual M. Lets see if we can bring it down."
  • "HAHAHAHAHAHAHAHAHA!!!! RESALAT DOWN!!!!!!!!!! THAT WAS F*CKING BRUTAL!!!"

Among the first web-based denial of service tools used is "Page Rebooter", which basically allows anyone to set an interval for refreshing a particular page, in this case 1 second. Pre-defined links to the targeted sites were then distributed across Twitter and the Web, through messages like the following:

"Please spread word about a cyber effort to exert pressure on the paramilitary in Iran. They have launched denial of service attacks on US websites that are run by live bloggers feeding us up to the minute information about what is going on in Iran on the ground. To fight back, open these two URLs in as many tabs/windows as possible and simply leave your computer running overnight! We must show solidarity with them in their quest for freedom! The 2nd link targets PressTV, the mouthpiece of Ahmadinejad and Khamenei."

The second stage of the campaign consisted of the distribution of a multiple iFrame loading script which automatically refreshed farsnews.com, irna.ir and rajanews.com; the results can be seen in the attached screenshot. The script has since changed its location and is advertised under a new domain.

The third stage included a combined attack, this time including DIY (do-it-yourself) denial of service tools (DDoS) which, despite their primitive nature, are indeed causing server overload for their targets. Each of the tools is distributed with a simple manual, including links to large images on the targeted web sites, which the software will attempt to fetch automatically through proxies.

The tools themselves, BWRaeper.exe (detected as Worm.AutoIt.AA); PingFlooder.exe (flagged as banker malware); Server_Attack_By-_C-4.exe (Riskware.ServerAttack.F) and SupportIran.php, have already been picked up by antivirus vendors.

The following are the instructions found in the StopAhmadinejadOnline package, consisting of BWRaeper.exe and PingFlooder.exe:

"New hacking/DoS attack tool. Please learn and use: This is an online war 1. Please download 2. Extract it into a folder on your desktop and click on BWRaeper 3. Then click on Raep That's all.

FarsNews, AN's website, KHamenei's Website, IRIB and many other sites can be brought down with this technique. This is an online war. Don't let them win. They filter information, we will too. There's more of us. EDIT: Please add the following URLs to your list of URLs after you've completed the steps above. To do this, open the file "urls.txt" and paste the following line in it. Once you've added this URL, Run BWRaeper again

irna.ir/Images/uiImages.gif resalat-news.com/Pic/6729000.jpg resalat-news.com/image/Heder.jpg resalat-news.com/Pic/6729.gif resalat-news.com/Pic/6729011.jpg resalat-news.com/Pic/6729021.jpg"

The manual within Server_Attack_By-_C-4.exe entices users to participate in the attack, in the following way:

"I also found another DOS file to attack. just another option. 1. dl this zip file from here and unzip it on ur desktop: 2. take IP address of IR sites(Farsnews.com, irna.ir, president.ir, rajanews.com) from here: http://www.selfseo.com/find_ip_address_of_a_website.php 3. insert the IP address in "Server Address" section and press Attack. 4. let it run and it'll attack all of their servers"

The last tool is a basic PHP script aimed at participants who run a server that supports PHP: "Want to help DDoS attack Iran gov't? Have a server that runs PHP? Use this script!".

SupportIran.php has also been released as an improved version of the multiple iFrame loader and is currently used in the attack as well, with the following sites pre-defined to be attacked simultaneously: khamenei.ir; presstv.ir; irna.ir; president.ir; mfa.gov.ir; moi.ir; police.ir; justice.ir; live.irib.ir.
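The page-refresher stage and the iFrame-loader stages described above (Page Rebooter, the multiple iFrame loading script and SupportIran.php) leave a recognisable footprint in a web server's access log: the same client requesting the same URL every second or two, and bursts of requests whose Referer header points to a third-party page that embeds the target in frames. The following Python snippet is an added example for site operators, not code from the original post or from any of the tools it describes; it parses combined-format access log lines (all sample lines, IP addresses and hostnames below are constructed placeholders, and the combined log format is an assumption about how the affected servers log) and flags both patterns, which is the kind of check an operator would run before deciding on rate limiting or the "lite" fallback mentioned above.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Apache/nginx "combined" log format. Assumption: the targeted servers
# log in this format. Every line in SAMPLE_LOG is constructed sample
# data using documentation-range IPs and placeholder hostnames.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = """\
203.0.113.10 - - [18/Jun/2009:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Jun/2009:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Jun/2009:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Jun/2009:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Jun/2009:10:00:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Jun/2009:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Jun/2009:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "http://loader.example/" "Mozilla/5.0"
198.51.100.7 - - [18/Jun/2009:10:00:04 +0000] "GET / HTTP/1.1" 200 5120 "http://loader.example/" "Mozilla/5.0"
192.0.2.33 - - [18/Jun/2009:10:00:00 +0000] "GET /news/1.html HTTP/1.1" 200 8000 "http://www.example.ir/" "Mozilla/5.0"
192.0.2.33 - - [18/Jun/2009:10:00:30 +0000] "GET /news/2.html HTTP/1.1" 200 8100 "http://www.example.ir/news/1.html" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
        entries.append(entry)
    return entries


def find_refresh_floods(entries, window_s=10, min_hits=5):
    """Return {(ip, path): peak_hits} for clients that requested the same URL
    at least min_hits times inside any window_s-second sliding window.
    A browser left on a 1-2 second auto-refresh shows up here; normal
    browsing of distinct pages does not."""
    by_key = defaultdict(list)
    for e in entries:
        by_key[(e["ip"], e["path"])].append(e["ts"])
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # shrink the window from the left until it spans <= window_s seconds
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            hits = end - start + 1
            if hits >= min_hits:
                flagged[key] = max(flagged.get(key, 0), hits)
    return flagged


def find_foreign_referers(entries, own_hosts):
    """Count requests whose Referer host is not one of the site's own hostnames.
    A page that embeds the target in auto-refreshing iframes produces many
    hits carrying the embedding page's URL as Referer, so a sudden cluster
    of one unknown Referer host is worth a look."""
    counts = defaultdict(int)
    for e in entries:
        ref = e["referer"]
        if not ref or ref == "-":
            continue
        host = urlparse(ref).hostname or ""
        if host not in own_hosts:
            counts[host] += 1
    return dict(counts)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("refresh floods:", find_refresh_floods(log))
    print("foreign referers:", find_foreign_referers(log, {"www.example.ir"}))
```

Thresholds such as five hits in ten seconds are deliberately loose for a news site; an operator would tune them against a quiet day's logs, and treat a foreign-Referer cluster as a lead to inspect rather than an automatic block, since legitimate sites also link in.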

There has already been speculation that the magnitude of these local attacks (Iranian users targeting Iranian web sites) is contributing to the "strange changes in Iranian traffic transit" reported during the last couple of days.

The attacks are ongoing; updates will be posted as soon as they emerge.

An update to the ongoing DDoS attacks has been posted.

Topics: Security, Browser, Servers, Social Enterprise

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

13 comments
  • LOL.. this will not change a dictator's hold on a country.

    when will you people learn.

    BTW: nothing new about DDoS attacks. Easy to create and complete.

    The only question here is: How long can they sustain it and will the US gov assist? (since we don't like him). Wonder if the Israelis are helping?
    Been_Done_Before
    • Tell me about it

      I've been laughing my head off the past few days as the media has
      reported on the Iranian elections. As if they actually meant anything. The
      naivete of liberals would be even funnier if they didn't have so much
      power.

      BTW, latest news report: Government troops have fired on protesters.
      Liberals are shocked. Conservatives are saying, well, duh, it's a
      dictatorship.
      frgough
  • RE: Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites

    Looks like the CIA has been very busy with another "Color Revolution"... and the sheeple are buying it!

    Good luck.... looks like they're running a bit scared these days;-)

    quijibo69
  • Think this won't change anything? You're dead wrong.

    I can't believe that people who read ZDNet are actually so pessimistic about the potential of technology to change the world. Sure, it won't dethrone Ahmadinejad if a bunch of people use page-refreshers or Twitter, but it can set the stage for whatever WILL topple dictators like him. There has never been anything in place that is comparable to what we are seeing now in terms of the mobilization of technology. This is a sign of things to come. Just imagine what it would've been like without the internet in Iran this year and then tell me that this won't change anything.
    eric@...
  • On the "information" we are being fed on this: take w/ grain of salt

    How can we be sure this whole thing is not exactly like the mainstream media's lapdog reporting of "WMDs" in Iraq?
    After the unforgivable simple reprinting, with no research, of White House press statements dressed up as 'facts' as to what led up to Iraq in the corporate mainstream media, I've learned to dig deeper. Don't trust 'em. All this seems just a little TOO orchestrated.
    A newer version of "IRAQ has WMDs - we SWEAR it!!!" tailor-made for IRAN, later found to be lies, staged, etc.
    Remember the huge crowd that "helped" topple Saddam's statue (thanks to a US tank), later found to be bussed in from Kuwait, amongst all the other lies.
    Do you want to see more of our soldiers killed based solely on the manipulation of the 'news' reporting?
    Even PBS fell for it.
    Just take all this with a grain of salt; as The Who sang, "We won't get fooled again".
    gennx30
  • RE: Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites

    I am doing my part and joining them, let's help them.
    The least we can do is to help them from here, what do we have to lose even if it is not true?
    They are risking their lives, let's lend them a hand against the dictators.
    zaad
  • The least we can do is to help them from here, what do we have to loose eve

    Let's help them
    zaad
  • RE: Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites

    I commend these groups of individuals for taking the initiative to band together for a global cause. If you think about it rationally, this would be one of the first, or perhaps, the first publicised protest in the virtual world of online communications.

    I too concur that anyone thinking this will have little to no effect should start thinking about eating those words. A gigantic proportion of people worldwide are connected to the internet constantly. Governments, particularly communication and information departments, rely solely on this resource for a great degree of their daily activities. Imagine if the US President could not communicate with the entire east coast? It may be laughable but the fact remains that a simple DDoS attack in conjunction with a well programmed script could easily achieve this within a period of hours, and easily evade discovery for hours more.

    I must confess that I have implemented such DDoS & self-spreading attacks in a secure lab. The inability of OS dependent virus scanners, "lazy software", and "unaware" users in conjunction with basic everyday security being overlooked could result in a catastrophe of global proportions, seeing everything computer or "information-exchanging" dependent fail, and continually fail.

    Kudos to the groups responsible, you should be commended, not ridiculed.
    azmodii(FiNIte)
    • Never underestimate propaganda

      Limiting the propaganda that can be spread also limits negative emotional effects on the protesters. Remember, Hitler was the king of propaganda, and if not for his lack of good sense in the Nazis' war planning & overreaching goals, the world might well be a different place now. In the past history was written by the victor; now we have blogging, Wikipedia & YouTube.
      PCLinuxOS(user)
  • RE: Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites

    Let the opposition know that the U.S. is behind them!
    supertms@...
  • RE: Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites

    If the majority of Iranians are for the current regime, that is what makes a democracy. If the election is believed fraudulent, and yet the majority accept the candidate, that still shows the majority want the candidate, and it legitimizes the election. Stupidity is what keeps the protestors going. If the minority think it was not fair, keep the nation together; there is the next election. But the minority are likely too stupid to do that.
    0099wrestler
  • RE: Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites

    Great !!! thanks for sharing this information with us!
    seslisohbet (http://www.yuregininsesi.com) seslichat (http://www.yuregininsesi.com)
    birumut
  • RE: Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites

    Great !!! thanks for sharing this information with us!
    chat (http://www.huzurchat.net) mirc (http://www.iyimirc.net) mirc (http://www.chatmirc2.com)
    hovarda06