Pro-Iraq Hacker Threatens Virus Outbreak

A Malaysian virus writer who is sympathetic to the cause of the al Qaeda terrorist group and Iraq, and who has been connected to at least five other malicious code outbreaks, is threatening to release a megavirus if the United States launches a military attack against Iraq.

The virus writer, who goes by the handle Melhacker and whose real name is believed to be Vladimor Chamlkovic, is thought to have written or been involved in the development of the VBS.OsamaLaden@mm, Melhack, Kamil, BleBla.J, and Nedal worms.

However, in an exclusive interview Wednesday with Computerworld, Melhacker confirmed earlier reports by IDefense that he has developed and tested a "three-in-one" megaworm code-named Scezda that combines features from the well-known SirCam, Klez, and Nimda worms.

"This is a real Internet computer worm," said Melhacker. "I will attack or launch this worm if America attacks Iraq." The worm has been ready and fully tested in his lab since August, he said. He also confirmed earlier intelligence reports that he has ties to both Russian hackers and Pakistani virus writers.

Caution Urged

Brian Kelly, president and chief executive of IDefense, said that while Melhacker hasn't proved adept at seeding new worms in the wild, this worm could be difficult to stop. IDefense quietly warned its clients last week about the potential for such a worm to hit the Internet, saying that companies should move to a heightened state of alert and watch for suspicious Internet traffic and e-mail if Iraq is attacked.

"If he were to be successful with this one, it could be very serious," said Kelly. "Although we are aware of his contacts with Russian and Palestinian code-authoring groups, we're not yet sure how strong those relationships are."

Vincent Gullotto, vice president at McAfee Security's Avert, a division of Network Associates, said the threat posed by Scezda is completely dependent on whether Melhacker is successful in getting it to propagate.

"If he is, it could be very large," said Gullotto.

But it's difficult to speculate, because there have been many such viruses that have gone nowhere, he said. "Until we see the virus moving in the wild, we consider it to be a low risk," Gullotto said.

Short Track Record

Melhacker, who has also gone by the name Kamil, may have had some involvement in the September release of the BugBear mass-mailing network attack worm. According to IDefense, Melhacker has close ties to Nur Mohammad Kamil, who identifies himself as part of a group known as "A.Q.T.E. Al-Qaeda Network." Melhacker has also associated himself with the al Qaeda network for a long period and has been an active Malaysian malicious coder threat for at least six years.

At least one of these worms, the Nedal worm (the name is Laden spelled backward) contained encrypted code, according to analysis conducted by IDefense. When decrypted, the code was shown to contain numerous Arabic names of unknown significance, as well as references to al Qaeda.

In the case of the VBS.OsamaLaden@mm worm, the code leaves a message that references the September 11 terrorist attacks and then attempts to shut down a user's system and delete all files in the Windows System directory.

The continuing development of malicious code from pro-Islamic and pro-al-Qaeda hackers, especially in Malaysia, is of great concern and one that needs to be closely watched, according to an intelligence bulletin released last week by IDefense.

"While it might be true that al Qaeda operatives are not well organized, skilled, or equipped to mount a serious cyberoffensive, it is likely that al Qaeda sympathizers will serve as surrogates in their cyberoffensive," said Kelly.