Iraqi Hostilities Go Online

War in Iraq is prompting a rash of protest hacking on the Internet, with new war-themed viruses and Web page defacements directed at U.S., U.K. and Australian interests. But the devastating new worms and viruses predicted by some have so far failed to materialize.

Unquestionably, the hostilities in Iraq have had ripple effects on the Internet, according to Mikko Hyppönen, manager of antivirus research at security vendor F-Secure.

Iraqi Worms

Two new worms were discovered in the past two weeks with Iraq themes.

One, named Prune, arrives in e-mail messages with the subject "US Government Material - Iraq Crisis." An attachment named UN_Interview.txt.vbs launches the Visual Basic Script worm, which spreads copies of itself using e-mail, Internet Relay Chat (IRC), and network sharing, according to F-Secure.

A second worm, Ganda, arrives in messages with a variety of subjects and messages, many of them linked to the tensions over Iraq, such as "Spy Pics," purporting to contain pictures from U.S. satellites, and "G.W. Bush animation." Users are prompted to click on a Windows screen saver file attachment, launching the virus.

Web site defacements spiked in the days leading up to war, according to F-Secure.

"We've seen a huge increase in the number of (Web site) defacements related to the Iraq crisis," Hyppönen said.

The defacements involved hackers compromising the targeted Web servers, then replacing the official Web page content with their own material--often inflammatory statements or political messages.

F-Secure recorded around 200 defacements in the 48 hours before hostilities began. On Friday, another 1000 sites were defaced, F-Secure said.

Many of the Web sites that were defaced belonged to U.S. and U.K. businesses or lesser-known branches of U.S. federal agencies.

Digital Vandals

Defaced Web pages include one for the U.S. National Center for Agricultural Utilization Research, part of the U.S. Department of Agriculture, and a Web-based e-mail portal belonging to the U.S. Navy. Also vandalized was the home page of Routeco, a distributor of industrial automation and control products in the U.K.

Hundreds of defacements were attributed to Unix Security Guard (USG), a pro-Islamic hacking group, according to Hyppönen.

Also reported are incidents of seemingly "patriotic" hacking by supporters of the U.S.'s war on Iraq, Hyppönen said.

One defaced site, Timeleader.com, displayed a message saying "Kill Saddam" alongside a more personal greeting from the culprit as late as Friday afternoon.

London security consultancy mi2g warned Friday of possible combined digital and physical attacks in the coming weeks.

However, while clearly prompted by the hostilities in the Gulf, the hacking activity that has taken place so far does not appear to be coordinated or part of a larger master plan to disrupt the Internet, Hyppönen said.

"We haven't seen any proof of anything official or organized at all," Hyppönen said.

Where's Scezda?

Also missing is a powerful new worm promised by a Malaysian virus writer known as "Melhacker" who is sympathetic with the cause of the al-Qaeda terrorist group.

Melhacker told Computerworld that he had developed and tested a "three-in-one" worm code-named Scezda that combined features from the SirCam, Klez, and Nimda worms. Melhacker said he would release Scezda if the U.S. went to war with Iraq.

Instead, the war in Iraq has just given computer hackers another reason to do what they want to do any way: hack computers.

"Right now, the message is 'No War. Give peace a chance,' because that's what's in the news and on people's mind. When the war goes away, these people will keep on hacking but probably stop with the antiwar defacements," Hyppönen said.

Cyber Activity Eyed

The Department of Homeland Security has not seen a dramatic increase in hacking activity linked to the war, according to Commander David Wray, spokesperson for Directorate of Information Analysis and Infrastructure Protection.

Still, Wray says it is too early to know whether the threat of larger cyber attacks linked to the war has passed.

"I don't think we're in a position yet to say that threat still isn't out there. Nobody is saying 'Let's call off the alarm. There's not much to worry about.' I think there are things to worry about," Wray said.

The department recommends action for both critical and cyber security as part of multiagency Operation Liberty Shield. It is working with various federal agencies to make sure their information systems are protected, Wray said.

The new agency is asking organizations who own physical and information infrastructure to be more watchful for problems and to be willing to report what they see to appropriate government agencies, Wray said.