Yaha Worm Takes Out Pakistan Government's Site

Virus uses victim computers as denial-of-service agents, and tries to recruit Indian hackers into a cross-border cyber war

The official Web site of the government of Pakistan is apparently the victim of a politically motivated attack launched by the latest version of an Internet worm.

Virus experts said the Yaha.E worm, first identified on June 15, contains a payload designed in part to disrupt the home page of the Islamic Republic of Pakistan with a rudimentary denial of service attack.

Attempts to reach the site, located at www.pak.gov.pk, were unsuccessful Wednesday.

According to an analysis of Yaha.E by F-Secure Corporation, Yaha causes an infected computer to make repeated connection attempts to the Pakistan government site. "If the worm is widespread, this can cause a DoS (Denial of Service) attack on that webserver," said the analysis.

The last high-profile worm to include a denial-of-service component was Code Red, which was designed to flood the White House site using infected Web servers running Microsoft's IIS software.

The MessageLabs virus information service currently rates Yaha.E the second most prevalent virus after Klez.H. The managed e-mail security service said it has blocked over 7,000 Yaha.E infections in the past 24 hours.

Yaha is a mass-mailing worm carried in an infected e-mail attachment. It arrives with a message containing widely varying subject lines and body contents. The code is designed to propagate itself to all e-mail addresses in the victim's Microsoft Windows Address Book, MSN Messenger List, Yahoo Pager list, and ICQ list. According to an analysis by Trend Micro, Yaha.E contains code that attempts to terminate anti-virus and firewall software.

Roger Thompson, malicious code expert for ICSA Labs, said the worm creates a text file on the victim's computer that says Yaha.E was the work of "sNAkeeYes,c0Bra." The file exhorts Indian hackers and virus writers to "c0me & w0Rk wITh uS" against "tHE GFORCE-pAK shites" -- a reference to the Pakistani hacker group G-Force Pakistan.

Thompson said the worm's denial of service attack "is more like a boa constrictor than a cobra strike" because it slowly overwhelms the target site as more systems become infected with the worm.

As such, Yaha differs from most denial of service attacks, which are suddenly launched by an attacker. "Someone has a bunch of zombies and presses the 'Go' button," said Thompson.

Officials at Comsats Internet Services, which hosts the Pakistan government site, were not immediately available for comment.

By Brian McWilliams

Before it's here, it's on the Bloomberg Terminal.