Terrorist group claims responsibility for Slammer worm

By Dan Verton, Computerworld, 5 Feb 2003

A radical Islamic group that is on the U.S. State Department's list of designated terrorist organizations has claimed responsibility for the release of the Slammer worm late last month (see story).

In an exclusive exchange of e-mails with Computerworld spanning two weeks, Abu Mujahid, a spokesman for Harkat-ul-Mujahideen (HUM), a self-proclaimed radical Islamic jihadist organization, said the group released the Slammer worm as part of a "cyber jihad" aimed at creating fear and uncertainty on the Internet.

U.S. intelligence officials allege that HUM, formerly known as Harkat-ul-Ansar, has ties to al-Qaeda and Ahmad Omar Sheikh, who was arrested for the January 2002 kidnapping and murder of Wall Street Journal reporter Daniel Pearl. The group operates primarily in Pakistan and the Kashmir region, but it has also run terrorist training camps in eastern Afghanistan, according to a U.S. Navy profile.

According to Mujahid, one of the worm's first instructions, a so-called "push" command, includes the number 42, which is the sum of the letters H, U and M if you add up the numbers that correspond to the point at which each one falls in the Roman alphabet. H is the eighth letter; U is the 21st; M is the 13th. When eight, 13 and 21 are added up, the total is 42.

However, Internet security experts were quick to dismiss HUM's claims of purposely injecting a fingerprint into the code of Slammer as a way to claim credit.

Pedram Amini, an analyst at iDefense Inc., a security firm based in Chantilly, Va., said the size of the worm is such that there is very little room for any arbitrary fingerprints to have been included in the code. In addition, the push command referenced by Mujahid and the numbers that followed it are not something a coder could inject, but are instead something generated by the execution of the code, said Amini.

"It is and has always been my opinion that the author of the worm cannot be identified [by studying the code]," said Amini. HUM's claim of injecting a fingerprint into the code "does not hold water," he said, noting that the code that went into the worm could have been downloaded from multiple locations on the Internet by anybody.

For example, according to iDefense analysts, a Chinese hacker group called the Honker Union of China is known to have posted code similar to that of the Slammer worm on its Web site prior to the attack. In addition, proof-of-concept code released last August at the Black Hat hacker conference by researcher David Litchfield is also believed to have been used as a basis for the worm (see story).

Bill Murray, a spokesman for the FBI's National Infrastructure Protection Center (NIPC), would not call members of HUM suspects, but he did say that an NIPC analyst has looked into the group in connection with the Slammer investigation.

"Do not underestimate our abilities to create fear and chaos on the Internet, using programs we find and modify to our purposes," said Mujahid. "We do not need to attack the infrastructure to terrorize the Kufars," he said, referring to non-Muslims. "We use the Internet to spread misinformation and confusion."