Me and Iraq Resistance -- a conversation with a worm author

It wasn't that long ago that we thought cybercrime was all about the money. The bad guys, we were told, wanted to keep a low profile so they could keep running their scams and racking up big bucks. The age of the attention-seeking hacker was over.



Well, not quite. On Sept. 9 the "Here you have" worm started spreading, and many antivirus researchers immediately felt like they were getting a blast from the past. Even the worm's subject line, "Here you have," was lifted from the Anna Kournikova virus. And as with past old-school outbreaks, "Here you have's" author is happy for whatever publicity he can get to promote his criticism of the U.S. war in Iraq and a planned public burning of the Koran -- which seems to have inspired the worm in the first place. He's posted a YouTube video, and he seems happy to answer emails sent to his Yahoo address.



Here's what he's told me over the past few weeks. Most of these e-mails were sent just after the worm was released. I've tried to make all the timestamps here Pacific time, but if you look at when my messages were timestamped on his computer, it appears as though he is emailing me from UTC+3. This is not the time zone of Libya, where he is thought to be based, but that could be misdirection. Or it could place him in any country that uses Arabia Standard Time -- Iraq, Saudi Arabia, or even eastern Africa. Though his English is not good, the e-mails give you a peek into the mind of what may be a new breed of jihadi hacker.



09/10/2010 11:55 AM



Hi there,

I'm a US reporter working on a story.

Just wondering if you were behind this worm

http://www.symantec.com/security_response/writeup.jsp?docid=2010-082013-3322-99&tabid=2

and the "Here you have" outbreak from yesterday?

Bob



> > From: Never Defeat <iraq_resistance@yahoo.com>

> > To: <robert_mcmillan@idg.com>

> > Date: 09/10/2010 11:09 PM

> > Subject: Re: Press inquiry -- Iraq resistance

> >

> > So?



09/11/2010 07:47 AM



Hey, thanks for getting back to me.

So I wrote a story about this yesterday, saying that there are things that linked Iraq Resistance to these two worms.

http://www.computerworld.com/s/article/9184718/Cyber_jihad_group_linked_to_Here_you_have_worm

Are you saying that you were behind both incidents? It wasn't clear whether or not that was true, or whether someone just wanted to make it seem that way.

Could you tell me anything about yourself and why you released this worm? It turned out that this latest one was pretty disruptive. Any thoughts on that? Do you plan to release more? Is there another way of reaching you if this Yahoo address stops working?



Regards,



Bob



> From: Never Defeat <iraq_resistance@yahoo.com>

> To: <robert_mcmillan@idg.com>

> Date: 09/11/2010 10:58 AM

> Subject: Re: Press inquiry -- Iraq resistance

>

> Hi Mr Robert,

>

> what i wanted to say is that u.s doesn't have the right to invade

> our people and steal the oil under the name of nuclear weapons..

> have you seen any there??! ,bad war game,second that the christian

> Terry Jones what he tried to do at the same day this worm spread is

> not even fare, i know that not all christians are similar and how

> you decide i am terrorst and he is not terrorist because he effected

> all muslims.

>

> I think America come on, be fare.

>

> i am even worried about my saftey, and in such unfare world i am

> terrorist because of a computer virus and mr terry jones is not!

> where is your freedom which must end when it reachs another person

> freedom!!! as you say you modern,educated people!!

>

> i don't think that there is another one and really i don't like

> smashing and even there were no computer smashed  as you know from

> the analysis report, i could smash all those infected but i wouldn't

> and don't use the word terrorst please.

> i hope all people undestand that i am not negative person!

> thanks for publishing.



09/11/2010 11:52 AM

Hi,



Thanks for writing me back. I am interested in learning your side of the story, but I still don't understand why you released this worm.  Could you explain your motivation a little further?



In particular, with the worm released this week, there were back-door access and credential-stealing components. What were you hoping to achieve with that? What are your thoughts on the results you achieved?



Bob



> From: Never Defeat <iraq_resistance@yahoo.com>

> To: <robert_mcmillan@idg.com>

> Date: 09/11/2010 12:40 PM

> Subject: Re: Press inquiry -- Iraq resistance

>

> I gave you just the information you need as general information,

> having such things like backdoor is just a plus for what maybe i

> need later, the creation of this is just a tool to reach my voice to

> people maybe.. or maybe otherthings.I think this information is

> enough for you and having more looks like investigation and i don't

> see my self that criminal.

>

> i can even meet you but what you published show i am terrorist

> hacker..listen i am not terrorist and i didn't destroyed any of that

> computers and i don't think they lost anything.

> because i know what i made.. actually i didn't expect that level of spread.



09/11/2010 04:21 PM

I didn't use the word "terrorist" in my story.



I'm just trying to understand *why* you released these worms. That's the part I still don't get.



Bob



> From: Never Defeat <iraq_resistance@yahoo.com>

> To: <robert_mcmillan@idg.com>

> Date: 09/12/2010 12:50 PM

> Subject: Re: Press inquiry -- Iraq resistance

>

> Hi,

>

> I left a record on youtube. just write  "Here You Have" Virus  in

> youtube search.

>

> Bye.



09/12/2010 12:54 PM

This video?



http://www.youtube.com/watch?v=IkMifFGqt78



Bob



09/12/2010 03:44 PM

Hey so I'm going to write a story on this.



The youtube profile lists your location as Spain? Is that correct?

