Daily cyber threats and internet security news: network security, online safety and latest security alerts
June 16th, 2009

Iranian Opposition Launches Organized Cyber Attack Against Government Sites

The Iranian opposition coordinated a cyber attack yesterday that has successfully managed to disrupt access to major pro-Ahmadinejad Iranian web sites, including the President’s homepage which continues returning a “The maximum number of user reached, Server is too busy, please try again later…” message.

Through a combination of DIY (do-it-yourself) denial of service (DDoS) attack tools, multiple iFrame loading scripts, a public web page “refresher” tool, and a much more effective PHP script, the participants have already prompted some of the major Iranian outlets to switch to “lite” versions of their sites in an attempt to mitigate the attack.

The campaign appears to have been organized through Twitter, which, despite public reports that the site has been banned in Iran, appears to still be accessible through a persistent supply of proxy servers on behalf of the opposition.

Moreover, the ongoing distributed denial of service attacks are using techniques which greatly resemble those used in last year’s Russia vs Georgia cyber attack, and the ones Chinese hacktivists used back in 2008 in order to temporarily shut down CNN, with a single exception – there’s no indication of botnet involvement in the present attack.

Instead, the attack relies on the so-called people’s information warfare concept, which is the self-mobilization of individuals, or their recruitment by a third party based on political/nationalistic sentiments, for conducting various hacktivism activities such as web site defacements or launching distributed denial of service attacks.

The following are some of the sites that are currently under attack, remain totally unresponsive, or return “server is too busy” error messages:

  • Mahmoud Ahmadinejad’s Official Blog – under attack
  • Office of the Supreme Leader, Sayyid Ali Khamenei – under attack
  • Presidency of The Islamic Republic – under attack
  • Fars News Agency – under attack
  • Islamic Republic of Iran Broadcasting – under attack
  • News Portal – “Service Unavailable”
  • Islamic Republic News Agency – “service unavailable”
  • Ministry of Foreign Affairs, Islamic Republic of Iran – under attack
  • Ministry of Interior – under attack
  • National Police – under attack
  • Ministry of Justice – under attack
  • Iranian Press TV – “server is too busy”

Among the first web-based denial of service tools used is “Page Rebooter”, which basically allows anyone to set an interval for refreshing a particular page; in this case it’s 1 second. Pre-defined links to the targeted sites were then distributed across Twitter and the Web, through messages like the following:

“Please spread word about a cyber effort to exert pressure on the paramilitary in Iran. They have launched denial of service attacks on US websites that are run by live bloggers feeding us up to the minute information about what is going on in Iran on the ground. To fight back, open these two URLs in as many tabs/windows as possible and simply leave your computer running overnight! We must show solidarity with them in their quest for freedom! The 2nd link targets PressTV, the mouthpiece of Ahmadinejad and Khamenei.”

The second stage of the campaign consisted in the distribution of a multiple iFrame loading script which was automatically refreshing, and The script has since changed its location and is advertised under a new domain.
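From the defending server's side, a page "refresher" set to a 1-second interval shows up in the access log as one client re-requesting the same URL at a near-constant gap. The following is an added example, not part of the original article: it assumes logs in Apache/nginx "combined" format, and the sample lines, IP addresses (documentation ranges) and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

def _line(ip, hhmmss, path):
    # Builds one constructed "combined" format log line.
    return (f'{ip} - - [16/Jun/2009:{hhmmss} +0000] '
            f'"GET {path} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')

# Constructed sample: one fixed-interval refresher, one irregular repeat
# visitor, and one ordinary browsing session.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", f"10:00:{s:02d}", "/index.html") for s in range(6)]
    + [_line("192.0.2.5", t, "/index.html")
       for t in ("10:00:03", "10:00:41", "10:02:10", "10:05:00", "10:09:30")]
    + [_line("203.0.113.20", t, p)
       for t, p in (("10:00:01", "/"), ("10:00:09", "/news"), ("10:01:15", "/about"))]
)

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" \d{3} \S+'
)

def find_fixed_interval_clients(log_text, min_hits=5, max_interval=2.0,
                                max_jitter=0.5):
    """Return (ip, path, hits, mean_gap_seconds) for clients that request the
    same path repeatedly at a short, near-constant interval."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[(m["ip"], m["path"])].append(ts)

    flagged = []
    for (ip, path), times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # A human reload pattern is slow or irregular; a refresher is neither.
        if mean(gaps) <= max_interval and pstdev(gaps) <= max_jitter:
            flagged.append((ip, path, len(times), round(mean(gaps), 2)))
    return sorted(flagged)

if __name__ == "__main__":
    for row in find_fixed_interval_clients(SAMPLE_LOG):
        print(row)
```

Grouping by source IP undercounts participants who reach the site through shared or rotating proxies, so a per-URL request rate compared against a normal baseline is a useful second signal.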

The third stage included a combined attack, this time including DIY (do-it-yourself) denial of service (DDoS) tools, which despite their primitive nature are indeed causing server overload for their targets. Each of the tools is distributed with a simple manual, including links to large images at the targeted web sites, which the software, using proxies, will attempt to obtain automatically.

The tools themselves, BWRaeper.exe (detected as Worm.AutoIt.AA); PingFlooder.exe (flagged as banker malware); Server_Attack_By-_C-4.exe (Riskware.ServerAttack.F) and SupportIran.php, have already been picked up by antivirus vendors. The last tool is a basic PHP script aimed at participants who run a server that supports PHP, which is required in order to use it.

SupportIran.php has also been released as an improved version of the multiple iFrame loader, and is currently used in the attack as well, with a set of sites pre-defined to attack simultaneously.

There has already been speculation that the magnitude of these local attacks – Iranian users targeting Iranian web sites – is contributing to the “strange changes in Iranian traffic transit” reported during the last couple of days. The attacks are still ongoing.

Credit: Security Blogs
