The official Web site of the government of Pakistan is apparently the
victim of a politically motivated attack launched by the latest version of
an Internet worm.
Virus experts said the Yaha.E worm, first identified on June 15, contains a
payload designed in part to disrupt the home page of the Islamic Republic
of Pakistan with a rudimentary denial of service attack.
Attempts to reach the site, located at www.pak.gov.pk, were unsuccessful
According to an analysis of
Yaha.E by F-Secure Corporation, Yaha causes an infected computer to make
repeated connection attempts to the Pakistan government site. "If the worm
is widespread, this can cause a DoS (Denial of Service) attack on that
webserver," said the analysis.
The last high-profile worm to include a denial-of-service component was
Code Red, which was designed to flood the White House site using infected
Web servers running Microsoft's IIS software.
The MessageLabs virus information service currently rates Yaha.E the second
most prevalent virus after Klez.H. The managed e-mail security service said
it has blocked over 7,000 Yaha.E infections in the past 24 hours.
Yaha is a mass-mailing worm carried in an infected e-mail attachment. It
arrives with a message containing widely varying subject lines and body
contents. The code is designed to propagate itself to all e-mail addresses
in the victim's Microsoft Windows Address Book, MSN Messenger List, Yahoo
Pager list, and ICQ list. According to an analysis by Trend Micro, Yaha.E contains code that
attempts to terminate anti-virus and firewall software.
Roger Thompson, malicious code expert for ICSA Labs, said the worm creates
a text file on the victim's computer that says Yaha.E was the work of
"sNAkeeYes,c0Bra." The file exhorts Indian hackers and virus writers to
"c0me & w0Rk wITh uS" against "tHE GFORCE-pAK shites" -- a reference to the
Pakistani hacker group G-Force Pakistan.
Thompson said the worm's denial of service attack "is more like a boa
constrictor than a cobra strike" because it slowly overwhelms the target
site as more systems become infected with the worm.
As such, Yaha differs from most denial of service attacks, which are
suddenly launched by an attacker. "Someone has a bunch of zombies and
presses the 'Go' button," said Thompson.
Officials at Comsats Internet Services, which hosts the Pakistan government
site, were not immediately available for comment. By Brian McWilliams