Internet Security Systems - AlertCon(TM)

Jihad 3.0 Analysis

Posted by Mark Yason and Chris Valasek on November 09, 2007 at 3:47 PM EST.

Description:

Overall, Jihad 3.0 is a very minor threat: all it does is generate ping floods (ICMP echo requests), which are easy to block with both IPS technology and firewall rules. Note also that a single instance of ping.exe -t sends on the order of one echo request per second, so whatever volume the tool achieves comes from the number of participants rather than from any one host (the tool's own notes tell users to run several copies at once).
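As an added example (not part of the original ISS analysis), the following Python shows the detection logic a flow monitor or IPS would need for this tool's traffic. It assumes per-packet ICMP records in a constructed "timestamp src dst icmp_type payload_len" format; the addresses, timestamps and the 1000-byte payload size are constructed sample data, since the post does not give the actual sizes behind Weak, Medium and Strong.

```python
"""
Added example, not from the original ISS post: network-side detection of the
coordinated ping flood this client produces.  Assumes per-packet ICMP records
(constructed below as "timestamp src dst icmp_type payload_len" lines); the
addresses and the 1000-byte payload are sample values, since the post does not
give the sizes behind Weak/Medium/Strong.
"""
from collections import defaultdict

# Constructed records: three participants pinging one target with the same
# non-default payload size, plus one host doing an ordinary 32-byte ping.
SAMPLE_RECORDS = """\
1194624000 203.0.113.5 198.51.100.10 8 1000
1194624000 203.0.113.6 198.51.100.10 8 1000
1194624000 192.0.2.77 198.51.100.10 8 32
1194624001 203.0.113.5 198.51.100.10 8 1000
1194624001 203.0.113.6 198.51.100.10 8 1000
1194624001 203.0.113.7 198.51.100.10 8 1000
1194624002 203.0.113.5 198.51.100.10 8 1000
1194624002 203.0.113.6 198.51.100.10 8 1000
1194624002 203.0.113.7 198.51.100.10 8 1000
1194624002 192.0.2.77 198.51.100.10 0 32
"""

ECHO_REQUEST = 8
WINDOWS_DEFAULT_PAYLOAD = 32   # ping.exe payload size when -l is not given


def parse_records(text):
    """Parse 'ts src dst icmp_type payload_len' lines into tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, icmp_type, plen = line.split()
            records.append((int(ts), src, dst, int(icmp_type), int(plen)))
    return records


def per_source_rates(records):
    """Echo requests per second for each source over the span it was seen."""
    first, last, count = {}, {}, defaultdict(int)
    for ts, src, _, icmp_type, _ in records:
        if icmp_type != ECHO_REQUEST:
            continue
        first[src] = min(first.get(src, ts), ts)
        last[src] = max(last.get(src, ts), ts)
        count[src] += 1
    return {src: count[src] / (last[src] - first[src] + 1) for src in count}


def find_coordinated_pings(records, window=60, min_sources=3):
    """
    Flag (dst, payload_len) pairs that receive echo requests from at least
    min_sources distinct sources within window seconds.

    A per-source rate limit alone misses this tool: one "ping -t" instance
    sends about one request per second, which looks like normal use.  The
    signature is many sources, one target, one identical non-default payload
    size; the size is learned from the traffic rather than hard-coded.
    """
    by_key = defaultdict(list)            # (dst, payload_len) -> [(ts, src)]
    for ts, src, dst, icmp_type, plen in records:
        if icmp_type == ECHO_REQUEST and plen != WINDOWS_DEFAULT_PAYLOAD:
            by_key[(dst, plen)].append((ts, src))

    alerts = []
    for (dst, plen), events in by_key.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            sources = {src for ts, src in events[i:] if ts - start <= window}
            if len(sources) >= min_sources:
                alerts.append({"dst": dst, "payload_len": plen,
                               "sources": sorted(sources),
                               "requests": len(events)})
                break                      # one alert per (dst, size) pair
    return alerts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("per-source rates:", per_source_rates(recs))
    for alert in find_coordinated_pings(recs):
        print("coordinated ping flood:", alert)
```

Blocking is the easy part (drop or rate-limit inbound echo requests at the edge); the value of the correlation is in attributing the participating sources, none of which a plain per-source threshold would ever flag on its own.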

Remember, this client application has to be downloaded, installed, and run manually. This is NOT malware that is dropped on a machine.

  • The client tries to authenticate against http://al-jinan.net/tlog.php (THIS DOMAIN IS ACTIVE, even though the web page says it is not).
  • If it cannot authenticate, it offers to register a new username/password (also sending the user name of the person who invited you).
  • Once authenticated with http://al-jinan.net, the server sends the client a list of target URLs.
  • The client creates a batch file that executes "ping.exe -t -l <payload_size> <host>".
    The payload size is probably determined by one of the three radio buttons on the DoS form: Weak, Medium, Strong.
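As an added example (not from the original post), here is a host-side check for the command line described above, ping.exe -t -l <payload_size> <host> launched from a generated batch file. The process-event log format, the batch file name and the paths are constructed for the example; the post itself names only e-Jihad.exe and the ping command.

```python
"""
Added example, not from the original ISS post: flag process-creation events
that match the e-Jihad client's behaviour, a generated batch file running
"ping.exe -t -l <payload_size> <host>" (continuous ping, fixed payload size).
The log line format, batch file name and paths below are constructed.
"""
import re

# Constructed sample events: "parent -> image: command line".
SAMPLE_EVENTS = """\
explorer.exe -> e-Jihad.exe: "C:\\Program Files\\e-Jihad\\e-Jihad.exe"
e-Jihad.exe -> cmd.exe: cmd.exe /c "C:\\Temp\\ejihad.bat"
cmd.exe -> ping.exe: ping.exe -t -l 1000 www.example.com
svchost.exe -> ping.exe: ping.exe -n 4 10.0.0.1
cmd.exe -> ping.exe: ping -t 10.0.0.2
"""

EVENT_RE = re.compile(r"^(?P<parent>\S+) -> (?P<image>\S+): (?P<cmdline>.*)$")

# Windows ping.exe switches that consume the following token as a value.
VALUE_SWITCHES = {"-n", "-l", "-i", "-v", "-w", "-s", "-j", "-k", "-r"}


def parse_ping_cmdline(cmdline):
    """Return (switches, payload_size, target) for a Windows ping command line."""
    tokens = cmdline.split()[1:]           # drop the image name itself
    switches, size, target = set(), None, None
    i = 0
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok.startswith("-"):
            switches.add(tok)
            if tok in VALUE_SWITCHES and i + 1 < len(tokens):
                if tok == "-l" and tokens[i + 1].isdigit():
                    size = int(tokens[i + 1])
                i += 1                     # skip the switch's value
        else:
            target = tokens[i]             # the bare token is the host
        i += 1
    return switches, size, target


def flag_ejihad_pings(events_text):
    """
    Return one finding per ping launch that carries both -t (ping until
    stopped) and -l <size> (explicit payload size), the combination the
    client's batch file uses.  A plain "ping -t host" or a bounded
    "ping -n 4 host" is ordinary troubleshooting and is not reported.
    """
    findings = []
    for line in events_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        if m.group("image").lower() not in ("ping.exe", "ping"):
            continue
        switches, size, target = parse_ping_cmdline(m.group("cmdline"))
        if "-t" in switches and size is not None:
            findings.append({
                "parent": m.group("parent"),
                "target": target,
                "payload_size": size,
                # cmd.exe as parent is consistent with the generated batch file
                "from_batch": m.group("parent").lower() == "cmd.exe",
            })
    return findings


if __name__ == "__main__":
    for finding in flag_ejihad_pings(SAMPLE_EVENTS):
        print(finding)
```

On a real host you would feed this from whatever records process creation with parent and command line; the interesting enrichment is the parent chain (e-Jihad.exe, then cmd.exe, then ping.exe), which the example carries only as the immediate parent.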

Analysis of the User Interface: 

Login Form

Title: Login to the heavens

Button Left : Registration

Button Right: Entry

Label Upper: Username

Label Below: Password

Long Text: Note: if you have forgotten your password, contact the administration to recover it. (The original is a rough machine translation; "Russell" in it is a mistranslation of the Arabic word for "contact/message".)

Connection: http://al-jinan.net/tlog.php

New User Form

Title: Registration username

Button: Registration

Bottom Text:

Will add 24 points to the name of the user who invited you

Check the site for details

Label 1st Line: Username

Label 2nd Line: Password

Label 3rd Line: Confirm password

Label 4th Line: You were invited by

DoS Form

Title: The electronic Jihad

Text in 1st Text Box: The target is updated automatically

Label in 1st Text Box: Goal (i.e. the target site)

Label in 2nd Text Box: Service provider (a proxy; see the notes below)

Label in 3rd Text Box: Success

Label in 4th Text Box: Failed

Left Button: Your number

Right Button: Attack

Option Label: Attack speed:

Option 1: Weak

Option 2: Medium

Option 3: Strong

Long Text (rough machine translation of the Arabic, lightly cleaned up):

Important notes:
1 - All you need to do is select a speed and press the Attack button; one point per hour of participation in the attack is recorded.
2 - Use a service provider (proxy) if the site is blocked by your Internet service.
3 - If no successes are shown, the site is down or blocked. The number of failures is the number of attacks the site did not respond to.
4 - Run the program several times if you have a fast Internet connection.
5 - The service provider is entered as proxy:port.
6 - For any additional information, see the explanation of the program on the site.

Behavior:

Installer Program:
e-jihad30.exe (an Inno Setup installer; the unins000.* files below are its standard uninstaller)

Installed Files:
MSWINSCK.OCX (the Microsoft Winsock ActiveX control used by Visual Basic 6 applications for TCP/IP, presumably the component behind the HTTP traffic to al-jinan.net)
e-Jihad.exe
unins000.dat
unins000.exe

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.