NEWS FROM THE LAB - Wednesday, December 8, 2004

Virus attacking websites of the Chechen rebels
Posted by Mikko @ 21:25 GMT

We have a small number of reports of a virus known as Maslan.

This worm can spread using LSASS and DCOM exploits, as well as through a mass-mailer that sends emails looking like this:

  From: Maria.Smith@hotmail.com (varies)
  To: (random address)
  Subject: 123
  Hello Bob
  Best regards,
  Maria        Maria.Smith@hotmail.com
  Attachment: PlayGirls2.exe

Interestingly, this virus launches a distributed denial-of-service attack against several websites operated by the Chechen rebels.

Chechen rebels have been fighting the Russian army for over a decade. They are best known for two recent sieges against civilians: one in a Moscow theater and one in a school in Beslan.

Chechen rebels have been operating several different websites for years. One of these sites is kavkazcenter.com, which has been a source of much recent controversy. This site has been a target of several network attacks (some of them reportedly originating from the IP range owned by the Russian Federal Security Service, FSB). The site has been closed down and kicked out of several countries, including Russia, Lithuania, Estonia and Finland. Right now it's operating in Sweden.

Maslan launches the attack against these domains: