The Yaha Q is the latest salvo in the Indo-Pak conflict in cyberspace
The war between the two nations has been going on since 1947. Replace the bullets with bytes and the guns with worms and viruses, and what you have is an extension of the ongoing conflict, fought between Pakistani and Indian virus writers and hackers.
This time round, the rivalry is being kept alive by Yaha Q (a variant of the Yaha worm), purportedly written by a group of hackers who call themselves Indian Snakes. According to anti-virus firm Sophos, quoted in this BBC report, the worm has been attacking sites in Pakistan, especially government sites, the Karachi Stock Exchange and ISPs.
This is what email management firm Message Labs says on their site: "Although not strictly politically motivated in their actions, ostensibly this strain of the Yaha virus is yet another attempt by the 'Indian Snakes' hacking group to disrupt the online activities of a number of key Pakistani websites." They also have detailed statistics, graphs and general information on the worm.
An earlier version of the worm appeared in January affecting computers in over 100 countries. Other Yaha variants have been around on the Net for over a year and are listed by anti-virus company Symantec.
There have been frequent instances of Indian and Pakistani hackers defacing sites and Project India Cracked has recorded many such cases over the years.
Last summer, when terrorists attacked Parliament, Pakistani hackers attacked the official site of the Indian defence ministry and inserted messages proclaiming independence for Kashmir. The worm's embedded message challenges G-Force, a group of Pakistani hackers, to match the 'intelligence and expertise' of Indian hackers. The group reportedly operates from Lahore.
Ethical hacker Ankit Fadia, in this Express report, says that about 40-50 Indian sites are defaced by Pakistani cyber criminals every month. Fadia has submitted a 25-page white paper to the government on the topic.
Yaha is a mass-mailing worm that arrives as an email attachment. The subject line and message text vary, but the code is designed to send itself to every email address it can harvest from the victim's machine: the Windows Address Book, the MSN Messenger and ICQ contact lists and Yahoo! Pager. It is also known to disable some anti-virus and firewall programs.
Yaha Q, which was spotted last week by anti-virus firm Sophos, attempts to launch a denial-of-service attack against five Pakistani sites. When a recipient opens the infected attachment, the worm installs itself on the system. It then floods the targeted site with requests, overwhelming the server and locking out legitimate visitors. If the user is unlucky, it also changes the Internet Explorer default home page to an Indian Snakes page, so that every time the user opens Internet Explorer they are taken to that site.
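The flood described above is what a web server operator sees from the other end: a handful of infected hosts each sending far more requests per second than any person would. As an added example (not code from the article, from Sophos or from the worm itself), the script below parses Apache/NCSA common-format access log lines and flags any client whose request count within a short sliding window crosses a threshold. The log lines, IP addresses and timestamps are constructed for illustration and are not indicators from Yaha Q; the window and threshold values are assumptions to be tuned per site.

```python
"""Flag HTTP-flood sources in web server access logs.

Added example, not part of the original article or any vendor's code. The
log lines produced by sample_log() are constructed; the IP addresses and
timestamps are placeholders, not indicators taken from the Yaha Q worm.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/NCSA common log format: client ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, request) for a common-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req")


def flood_sources(lines, window_seconds=10, threshold=20):
    """Return {ip: peak_count} for clients whose request count in any
    sliding window of `window_seconds` seconds reaches `threshold`.

    A sliding window is used rather than a flat per-client total so that a
    client that is merely busy over a long session is not flagged, while a
    burst of requests from one source (the flood pattern) is.
    """
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # tolerate malformed lines instead of aborting
        ip, ts, _ = parsed
        per_ip[ip].append(ts)

    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until it is within range of ts
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def sample_log():
    """Constructed access log (hypothetical addresses and times):
    192.0.2.10 bursts 30 requests within 3 seconds, while 198.51.100.7
    makes 25 requests spread 12 seconds apart over 5 minutes."""
    lines = []
    for i in range(30):
        lines.append(
            f'192.0.2.10 - - [01/Jan/2003:10:00:{i // 10:02d} +0500] '
            f'"GET / HTTP/1.0" 200 {1024 + i}'
        )
    for i in range(25):
        lines.append(
            f'198.51.100.7 - - [01/Jan/2003:10:{i // 5:02d}:{(i % 5) * 12:02d} +0500] '
            f'"GET /index.html HTTP/1.1" 200 5120'
        )
    lines.append("this line is deliberately malformed")
    return lines


if __name__ == "__main__":
    for ip, count in flood_sources(sample_log()).items():
        print(f"possible flood source {ip}: {count} requests in a 10s window")
```

On the constructed log only the bursting client is reported; the steady client never exceeds one request per ten-second window. In production the thresholds would be set from observed baseline traffic, and the output would feed a firewall rule or rate limiter rather than a print statement.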
Last week's infections also resulted in the creation of a randomly named text file, placed in the Windows folder, that glorifies virus writers and asks others to join the Indian Snakes gang. According to Sophos, the worm carries out one of four operations when executed on a Wednesday.
The worm does not infect a system until the attachment is opened. F-Secure offers a disinfection tool called YahaTool. Removal instructions and removal tools are available from Network Associates and Symantec.
The Yaha Q worm is not perceived as a big threat. This report says that security experts dismissed the suggestion that ordinary PC users have become pawns in the hackers' online power struggle. Graham Cluley, senior technology consultant at Sophos, says in this Inquirer report that the cyber-warfare slant has been overplayed and dismisses the virus as the "work of mischievous kids".
-- Yaha worm takes out Pakistani Web site
-- DialogNow discussion thread
-- Rediff Special: War in Cyberspace