Iranian Cyber Army providing botnet for rent

It appears the group of cyber attackers who recently went after Twitter and Baidu are running a for-rent botnet.

Research by Seculert has found that the group, known as the Iranian Cyber Army, which crashed both Twitter and Baidu by tampering with DNS (Domain Name System) records so that users were redirected to another website, may also be running a botnet. Seculert found a page where people can rent the botnet – simply by detailing what they’d like to attack.

We recently revealed just how DDoS attacks and botnets are the security elephant in the room and mentioned there are tons of rental services out there, if you know where to look. Whitehall and the White House have both been exploring the options of vying for control over large botnets. A source told TechEye: “Defence agents don’t just want to know how to neutralise a threat, but how to gain access to and control the world’s largest botnets to point at who they need to.”

The botnet allegedly supplied by the Iranian Cyber Army allows users to provide the number of machines they want to infect and their region. They then provide a dodgy download URL, and the group does the malware installation for them.

The Iranian Cyber Army is believed to be behind the botnet because the administration panel showed the same e-mail address which was displayed after the defacements of Twitter and Baidu. A page displaying statistics on the number of infected machines also showed the group’s name in its HTML source code, according to Seculert. It said it had found an e-mail address that linked the botnet to earlier attacks claimed by the Iranian Cyber Army.

The statistics page showed that as many as 14,000 PCs were being infected per hour.

The botnet has also been used to distribute some of the more notorious malware around, including Zeus, which can be used to hack into online banking, and the data-stealing Trojans Gozi and Carberp.

Seculert said it was able to see the administration panel as it was left unprotected. The company has since notified the provider where the page is hosted.