Me and Iraq Resistance -- a conversation with a worm author

It wasn't that long ago that we thought that cybercrime was all about the money. The bad guys, we were told, wanted to keep a low profile so they could keep running their scams and racking up big bucks. The age of the attention-seeking hacker was over.

Well, not quite. On Sept. 9 the "Here you have" worm started spreading, and many antivirus researchers immediately felt like they were getting a blast from the past. Even the worm's subject line, "Here you have," was lifted from the Anna Kournikova virus. And as with past old-school outbreaks, the author of "Here you have" is happy for whatever publicity he can get to promote his criticism of the U.S. war in Iraq and a planned public burning of the Koran -- which seems to have inspired the worm in the first place. He's posted a YouTube video, and he seems happy to answer emails sent to his Yahoo address.

Here's what he's told me over the past few weeks. Most of these e-mails were sent just after the worm was released. I've tried to make the timestamps here all in Pacific time, but if you look at when my messages were timestamped on his computer, it appears as though he is emailing me from UTC +3. This is not the time zone in Libya, where he is thought to be based, but that could be misdirection. Or it could place him in any country that uses Arabia Standard Time -- Iraq, Saudi Arabia, or even eastern Africa. Though his English is not good, these e-mails give you a peek into the mind of what may be a new breed of Jihadi hacker.

09/10/2010 11:55 AM

Hi there,

I'm a US reporter working on a story.

Just wondering if you were behind this worm

http://www.symantec.com/security_response/writeup.jsp?docid=2010-082013-3322-99&tabid=2

and the "Here you have" outbreak from yesterday?

Bob

> > From: Never Defeat <iraq_resistance@yahoo.com>

> > To: <robert_mcmillan@idg.com>

> > Date: 09/10/2010 11:09 PM

> > Subject: Re: Press inquiry -- Iraq resistance

> >

> > So?

09/11/2010 07:47 AM

Hey, thanks for getting back to me.

So I wrote a story about this yesterday, saying that there are things that linked Iraq Resistance to these two worms.

http://www.computerworld.com/s/article/9184718/Cyber_jihad_group_linked_to_Here_you_have_worm

Are you saying that you were behind both incidents? It wasn't clear whether or not that was true, or whether someone just wanted to make it seem that way?

Could you tell me anything about yourself and why you released this worm? It turned out that this latest one was pretty disruptive. Any thoughts on that? Do you plan to release more? Is there another way of reaching you if this Yahoo address stops working?

Regards,

Bob

> From: Never Defeat <iraq_resistance@yahoo.com>

> To: <robert_mcmillan@idg.com>

> Date: 09/11/2010 10:58 AM

> Subject: Re: Press inquiry -- Iraq resistance

>

> Hi Mr Robert,

>

> what i wanted to say is that u.s doesn't have the right to invade

> our people and steal the oil under the name of nuclear weapons..

> have you seen any there??! ,bad war game,second that the christian

> Terry Jones what he tried to do at the same day this worm spread is

> not even fare, i know that not all christians are similar and how

> you decide i am terrorst and he is not terrorist because he effected

> all muslims.

>

> I think America come on, be fare.

>

> i am even worried about my saftey, and in such unfare world i am

> terrorist because of a computer virus and mr terry jones is not!

> where is your freedom which must end when it reachs another person

> freedom!!! as you say you modern,educated people!!

>

> i don't think that there is another one and really i don't like

> smashing and even there were no computer smashed  as you know from

> the analysis report, i could smash all those infected but i wouldn't

> and don't use the word terrorst please.

> i hope all people undestand that i am not negative person!

> thanks for publishing.

09/11/2010 11:52 AM

Hi,

Thanks for writing me back. I am interested in learning your side of the story, but I still don't understand why you released this worm.  Could you explain your motivation a little further?

In particular, with the worm released this week, there were back door access and credential stealing components. What were you hoping to achieve with that? What are your thoughts on the results you achieved?

Bob

> From: Never Defeat <iraq_resistance@yahoo.com>

> To: <robert_mcmillan@idg.com>

> Date: 09/11/2010 12:40 PM

> Subject: Re: Press inquiry -- Iraq resistance

>

> I gave you just the information you need as general information,

> having such things like backdoor is just a plus for what maybe i

> need later, the creation of this is just a tool to reach my voice to

> people maybe.. or maybe otherthings.I think this information is

> enough for you and having more looks like investigation and i don't

> see my self that criminal.

>

> i can even meet you but what you published show i am terrorist

> hacker..listen i am not terrorist and i didn't destroyed any of that

> computers and i don't think they lost anything.

> because i know what i made.. actually i didn't expect that level of spread.

09/11/2010 04:21 PM

I didn't use the word "terrorist" in my story.

I'm just trying to understand *why* you released these worms. That's the part I still don't get.

Bob

> From: Never Defeat <iraq_resistance@yahoo.com>

> To: <robert_mcmillan@idg.com>

> Date: 09/12/2010 12:50 PM

> Subject: Re: Press inquiry -- Iraq resistance

>

> Hi,

>

> I left a record on youtube. just write  "Here You Have" Virus  in

> youtube search.

>

> Bye.

09/12/2010 12:54 PM

This video?

http://www.youtube.com/watch?v=IkMifFGqt78

Bob

09/12/2010 03:44 PM

Hey so I'm going to write a story on this.

The youtube profile lists your location as Spain? Is that correct?

Is there any more information you can tell me about yourself?  Your name, what you do for a living, how old you are, or why you released this worm? It's still not 100 percent clear to me.

Thank you again for taking the time to write me.

Bob

> From: Never Defeat <iraq_resistance@yahoo.com>

> To: <robert_mcmillan@idg.com>

> Date: 09/12/2010 08:18 PM

> Subject: Re: Press inquiry -- Iraq resistance

>

> hehehe are you going to find a job seriously for me or what? how

> come i tell you this information that maybe lead me to face a legel

> action?, i am worried even to record with my voice..what you think

> about that?

09/12/2010 08:29 PM

Hey I have to ask those questions. I'm not surprised you don't want to tell me. My story is up now, so your YouTube video should be getting some more hits.

http://www.computerworld.com/s/article/9184818/Anti_US_hacker_takes_credit_for_Here_you_have_worm

For what it's worth, every American I know thinks that book-burning is idiotic. But it's a big country.

Bob

Never Defeat <iraq_resistance@yahoo.com> wrote on 09/13/2010 07:00:54 PM:

> From: Never Defeat <iraq_resistance@yahoo.com>

> To: <robert_mcmillan@idg.com>

> Date: 09/13/2010 07:01 PM

> Subject: Re: Press inquiry -- Iraq resistance

>

> i sent this to eWeek on request as well.

>

> Hi,

>

> first thing that all said i am terrorist hacker and this might be

> big problem if i faced a legel action, i am not terrorist and not

> bad person,i am very modest and educated,not closed mind,yes i

> created the virus and the responsibility on mr terry jones not on

> me,how you think about just your self and don't respect more than

> 1.5 billion moslims around the world?

> don't say this is freedom,cause freedom ends when it  reachs another

> person freedom.

> yes i did that video and i hope the people understand i am not

> criminal, i didn't destroy any of their computers,and they knew i

> could do that.

> other thing i heared panda sent information about me to spainish

> police, what i did until they do that and do a terrorism propaganda

> against me!

> at the end i am good and positive person not devil.

>

> thanks for publish

09/13/2010 09:23 PM

Hey,

Thanks for the update. I see the story is getting picked up by quite a few publications. Are you really worried about the Spanish police?

Please feel free to drop me a line anytime.

Bob

Never Defeat <iraq_resistance@yahoo.com> wrote on 09/14/2010 11:53:14 AM:

> From: Never Defeat <iraq_resistance@yahoo.com>

> To: <robert_mcmillan@idg.com>

> Date: 09/14/2010 11:54 AM

> Subject: Re: Press inquiry -- Iraq resistance

>

> Ofcourse,if you was me you don't worry? Thanks

09/14/2010 02:20 PM

Depends on whether I lived in Spain or not. :-)

09/22/2010 02:47 PM

Hey It looks from your IP address that you're based in the UK. Is that correct?

Bob

> From: Never Defeat <iraq_resistance@yahoo.com>

> To: <robert_mcmillan@idg.com>

> Date: 09/23/2010 06:48 AM

> Subject: Re: Press inquiry -- Iraq resistance

>

> Hi,

>

> it looks like you're still working on the same issue.

>

> Do you have any information about this for me?

>

> I can appear from wherever i want, so its hard to know where am I.

> you must know that hackers can use lots of proxies or hacked

> computers to send messages from and i don't need to say what I do.

>

> however I'll let you know some good information in the good time.

>

> Keep in Touch, Bye.
