Ahmadenijad Blog Contains A Little Surprise For Israeli Readers Using Windows and Internet Explorer

by Caitlyn Martin


Iranian President Mahmoud Ahmadenijad now has his very own blog. That's fine. The content is entirely what you might expect, with one notable exception. Several Israeli bloggers, including Yael K.'s Step By Step, which I read regularly, report that if you access the Ahmadenijad blog from an Israeli IP address the site sends you a little gift: a cyberattack in the form of a virus or trojan (reports vary) designed to exploit an Internet Explorer vulnerability.

To quote Yael:
Does Iran now use the Internet to harass Israeli citizens? To take advantage of the increasing Iranian-Israeli dialog online?

In a word: yep. The attack is smart enough to mostly ignore IP addresses from anywhere other than Israel, though it has also been reported to have triggered from Spain.
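The claim that a site serves different content depending on the visitor's IP address is something an analyst can check without trusting any single report: fetch the same page from several vantage points and compare the code-loading elements each fetch received. The script below is an added example, not code from the original post or from anyone involved in the story; it runs offline on constructed HTML captures embedded inline (the real site's markup is not reproduced here), and the vantage names and the placeholder URL are assumptions.

```python
import hashlib
from html.parser import HTMLParser

# Elements that load or execute code; a page that serves extra ones to some
# visitors only is the pattern the reports above describe.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}


class ActiveContentExtractor(HTMLParser):
    """Collect (tag, locator) pairs for elements that load or run code."""

    def __init__(self):
        super().__init__()
        self.items = []
        self._inline = None  # buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:
            return
        a = {k: (v or "") for k, v in attrs}
        locator = a.get("src") or a.get("data") or a.get("code")
        if tag == "script" and not locator:
            self._inline = []  # inline script: fingerprint its body instead
        else:
            self.items.append((tag, locator or ""))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode()
            digest = hashlib.sha256(body).hexdigest()[:12]
            self.items.append(("script", "inline:" + digest))
            self._inline = None


def active_content(html):
    """Return the set of active elements found in one captured response."""
    parser = ActiveContentExtractor()
    parser.feed(html)
    parser.close()
    return frozenset(parser.items)


def compare_captures(captures):
    """Map each vantage name to the active elements that not every vantage received."""
    per_vantage = {name: active_content(html) for name, html in captures.items()}
    if not per_vantage:
        return {}
    common = frozenset.intersection(*per_vantage.values())
    return {name: sorted(items - common) for name, items in per_vantage.items()}


def differing_vantages(captures):
    """Names of vantages whose active content departs from what all vantages share."""
    return sorted(name for name, extra in compare_captures(captures).items() if extra)


# Constructed sample captures: the same URL fetched from three locations.
# Made up for illustration; not the markup of any real site.
SHARED = (
    '<html><body><h1>Blog</h1><script src="/js/menu.js"></script>'
    '<script>var lang = "fa";</script><p>Post text</p>'
)
CAPTURES = {
    "vantage-A": SHARED + "</body></html>",
    "vantage-B": SHARED + "</body></html>",
    "vantage-C": SHARED
    + '<iframe src="http://placeholder.invalid/x.html" width="0" height="0"></iframe>'
    + "</body></html>",
}

if __name__ == "__main__":
    for name, extra in compare_captures(CAPTURES).items():
        print(name, "extra active content:", extra or "none")
    print("vantages that differ:", differing_vantages(CAPTURES))
```

A difference between vantage points shows only that the server varies the page by client origin; whether the extra element is malicious still has to be established by examining what it loads. Inline scripts are compared by a hash of their body so that a one-character change in an otherwise identical script is reported rather than missed.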

My one little piece of advice for friends and readers in Israel: Ehad Linux, an Israeli Linux distribution based on Mandriva 2006, is really quite easy to install and use. (Yes, I plan to write a review.) Those of us who run Linux have been blissfully immune to all the security nonsense which routinely plagues Windows users. Indeed, security has been one of the issues which has helped propel Linux adoption in corporate and government data centers in recent years.

No, installing Linux is not a security panacea. You still need to patch regularly and become educated about keeping your system secure. It is, however, a very good start.

49 Comments

Daragaard
2006-08-15 03:32:25
in Windows you can use Firefox and avoid most of those attacks.
or Opera.
Caitlyn Martin
2006-08-15 08:44:42
Daragaard: What you say is true only for attacks targeting IE vulnerabilities such as the one used on the blog in question. These are certainly not the only vulnerabilities Windows users face.


Microsoft has always had a rather cavalier attitude towards security and honestly appeared to be pretty clueless when it came to security in general until Server 2003 came out. In general a UNIX/Linux environment, if configured properly and kept updated, will offer superior security to Windows. For the desktop user life is just plain easier from a security standpoint running a modern, user friendly Linux distribution.

Cyrus Farivar
2006-08-15 11:16:41
http://www.theregister.co.uk/2006/08/15/iran_pres_weblog_alert_flap/
interested observer
2006-08-15 11:40:15
they could also disable most features in msie's restricted zone, i.e., download files + active/direct x + all scripting; add "ahmadenijad.ir" to said zone.


doolittle
2006-08-15 12:10:09
Hey don't forget VMware's player and the browser appliance ;)
roncorvus
2006-08-15 12:31:10
For Yael to say President "A" is harassing Israeli citizens logging onto his website is like Billo Reilly claiming a call-in caller to his radio show was harassing Billo by mentioning Keith Olbermann's name.


Besides, it's the least he could do for Israel.

tom
2006-08-15 12:59:17
Couldn't you confirm this, perhaps, before spreading a rumor?
Yubby
2006-08-15 15:25:59
You forgot Apple. Although they get a spanking once in a while they are nice and secure.
hihhih
2006-08-15 18:29:18
So Ahmadenijad is a criminal. It does not change anything if you are a president or not. If your purpose is to send viruses and make attacks like that then you are a CRIMINAL. It's also quite ridiculous that a president does something like that. Maybe Iranians understand the word president a bit differently to the rest of the world.
Ash T
2006-08-15 18:48:07
I'm surprised you post such unconfirmed rumours and innuendo as fact. Did you check this out yourself or are you relying on the gospel spoken by your Israeli friend? And I'm amazed at some of the posters, who believe your unsubstantiated stories as the truth and start tirades against someone. Is this what Americans have fallen to? Shame on you!
Search Engine WEB
2006-08-15 19:26:48
Is it possible that this was done without his knowledge?


What would be the benefit to him in ordering this?

Caitlyn Martin
2006-08-15 21:38:21
For those of you who think this is false, let's go through this one step at a time:


1. The Register article headline claims it's false but the actual text of the article says no such thing:

"The most likely explanation is that there is some scripting on the site that, although not malicious, triggers an alert from Symantec's firewall software," said Carole Theriault, senior security consultant at UK-based net security firm Sophos.


"It is possible that malicious content has once been on the site, but has since been removed. It is also theoretically possible, though very unlikely in our opinion, that the malicious content targeted visitors from an Israeli address," she added.


So, it could have been there and been removed from the site or else hidden in code she can't find from the U.K. Not a convincing defense, is it?


2. Most of my family is in Israel, including one information security expert, so I did check it out.


So, for Tom and Ash T., yep, the code was there. Is it still there? Nope. Was this real? Yep. Was it removed once it spread across the blogosphere? Yep.


Please don't assume I'm an idiot and that I don't check things before posting. The only one who should be ashamed is Mr. Ahmadenijad's webmaster, and perhaps Ash T. for making unfounded assumptions. FWIW, I doubt the madman of Iran is computer savvy enough to have done it for himself.

Caitlyn Martin
2006-08-15 21:43:13
Yubby: I agree that MacOS (really FreeBSD with a very nice proprietary Apple GUI) does security well. How is their support and software for Hebrew? Without knowing that I can't make such a recommendation.


Can I recommend Ehad Linux based on first hand experience? Yep. I'm writing this from a system currently running Ehad Classic 2. I have upgraded Firefox to 1.5.0.6 (Hebrew version) but have my locale and language settings currently set to U.S. and American English. Ehad is nothing more than a very nicely localized, somewhat stripped down version of Mandriva 2006 with everything the Hebrew language user needs.

Ivan Pope
2006-08-16 00:43:38
Caitlyn, you use this quote to back up your story: '"The most likely explanation is that there is some scripting on the site that, although not malicious, triggers an alert from Symantec's firewall software," said Carole Theriault, senior security consultant at UK-based net security firm Sophos.


"It is possible that malicious content has once been on the site, but has since been removed. It is also theoretically possible, though very unlikely in our opinion, that the malicious content targeted visitors from an Israeli address," she added.'


Well, let's go through the quote: 1. the most likely explanation is non-malicious scripting triggering an alert 2. possible that there was malicious content but it has been removed 3. very unlikely that it was targeting Israeli IPs.
Does this back up your story? Hardly. Most likely it was some scripting that was not malicious and not targeting Israeli IPs. Small possibility of malicious content that has been removed. Your choice of quote hardly justifies your story.

michesm1th
2006-08-16 01:12:34
Now I see. Ahmadinejad is not a criminal but rather an overzealous linux activist. Clearly he's focusing on Israelis because their history of communal living makes them more receptive to being early adopters of any open source operating system. He's a smart one, that Mahmoud.
Dave F
2006-08-16 05:32:38
It would affect Spain because Spain was part of the Caliphate and they want it back.
Space Ear
2006-08-16 08:30:11
Ok - so let me point out that neither Apple, Linux or any other "alternative" o/s is actually more secure than MS offerings!


In fact because Windows is so good, it is very popular, because it is popular it gets more attention from hackers. No one is going to take over the world sending trojans to the few linux and apple machines that exist in the world as they don't have enough combined resource to do much, so they don't bother.


Reality is that due to the amount of attention from hackers and writers of viruses MS has to be more secure because more of the flaws are pointed out quicker and resolved!


I put it to you lot, that you were all unpopular at school and so relate to the geeky lesser "alternatives" and hate the captain of the football team / most popular kid in class! MS probably hates you as much as you hate them!

Caitlyn Martin
2006-08-16 09:29:55
Ivan Pope: I use the quote to show that The Register doesn't know what happened and that their flat-out headline that the story was false is unjustified, not to back up the original story. I use the fact that I independently verified the story to back it up. Sorry, it was real.


Space Ear: No security expert worth their salt (including me) would agree with you. More popular does not equate to more secure. The reason Linux has captured between 35-40% of the server market (depending on whose numbers you believe) is in part about cost but it is very largely about security, particularly in the ISP and government sectors, both of which I have worked in.


Dave F.: It would affect Spain because they got their IP address blocks wrong, plain and simple. Another alternative is that the person in Spain who reported this got a false positive on some software as has undoubtedly happened in some cases.


Do some Islamic extremists want to conquer Spain? Yep, and the rest of the world as well. Does Mahmoud Ahmadenijad seem to fit in this group based on his writings and speeches? Yep.


The point, in case some missed it, is that you miss out on all sorts of interesting security nonsense by moving away from Microsoft. For many of us the gain outweighs the effort. Of course I was also pointing out a rather silly and easily avoided cyberattack being used by Iran.

Ben Houston
2006-08-16 10:28:21
This is just rumor and it sounds very implausible unless one is of the paranoid persuasion. The source for this is also someone that isn't that technically adept.
John S.
2006-08-16 11:26:08
Such propaganda - are people really that naive to believe everything they read?
Caitlyn Martin
2006-08-16 15:50:39
John, Ben: If you don't believe it it's "unlikely" or "propaganda". Hmmm.... Sounds like "don't confuse me with the facts" to me. As I said I had this checked independently by someone I consider both expert and honest. Why is it so hard to believe considering Iran's attitude towards Israel?
Frank Lee
2006-08-16 16:58:15
"Why is it so hard to believe considering Iran's attitude towards Israel?"


Because of Isreal's attitude towards Iran.

Caitlyn Martin
2006-08-16 17:41:17
Frank wins the ridiculous comment of the day award. First, it's Israel, not "Isreal". Second, what attitude is that? I don't know of any country that wouldn't be upset if another country proclaimed a desire to wipe it off the map and was building nuclear weapons to do just that. Finally, what does that have to do with malicious code? Malicious code that was widely reported? Malicious code that was independently verified?
John Graham
2006-08-16 19:09:56
I am an experienced web developer and web server systems administrator, and so far I cannot find anything on the ahmadinejad.ir website that could be malicious. I tried to access it through a family member in Israel's computer, yet still the same.


Could you please double-check that the site is malicious? If it is not and you said it is for some other reason then that is not good journalism. Also, it is possible to check what the source of the website contained on a particular date through various web archiving systems.


Just reading over your comments, the only comment I have is that journalists are meant to be impartial, that's completely impartial.

Raj Bala
2006-08-16 20:59:09
There appears to be some doubt as to the validity of the statements regarding Israel being targeted by the blog with malware.
Caitlyn Martin
2006-08-16 22:35:30
John:


First, the malicious code was removed by the 15th. It's not there anymore. That is why you can't find it. It's amazing what a little negative publicity can do, isn't it? As you probably know this story was widely circulated through the blogosphere and even some media outlets. That might just have had something to do with the code disappearing, don't you think?


Second, I don't claim to be a journalist.


Third, find me one, just one, impartial journalist. You can't. They don't exist. Look at all the charges of bias against everyone from Fox News to the BBC. Look at all the charges of fauxtography surrounding the recent violence in Lebanon and Israel. Impartiality in journalism is a myth.


Fourth, I stand by this story. It is entirely accurate and has been independently verified. Whether you believe it or not is your problem, not mine.

Behzad - CS Student
2006-08-17 00:52:32
I'm living in Iran. People, let me honestly tell you that those people who designed Ahmadi-nezhad's website are not knowledgeable enough to create such viruses or whatever you call it.


Caitlyn Martin! Why do you think that Iran is making nuclear weapons? Iran is a member of NPT, Israel is not. Understand? Everyone knows that Israel has nuclear and biological weapons.


CIA, G.W.Bush, and many people like you said IRAQ has nuclear weapons. I'm just tired to see such stupidity again around the globe.

Space Ear
2006-08-17 02:40:07
Caitlyn,


If you were a "security expert" (self proclaimed) then you would realise that linux is as insecure as the next o/s. The point that I was making (and you seem to have missed) is that the reason for fewer attacks on alternatives to MS is simply due to the lack of people actually trying to hack these systems and not because it is flawless - no "security expert" worth their salt would not agree that any o/s is safe (especially open source). Take off your geek blinkers, stop talking to strangers on Ham radio, wake up and smell the coffee!


I am not saying more popular = more secure I am saying more popular = a bigger target.


Where did you get your stats from? Your own personal server collection? I think your stats are about as believable as the whole malware propaganda that kicked off this blog.


Perhaps you should read some facts?
http://www.microsoft.com/windowsserver/facts/analyses/default.mspx


"Windows servers recover approximately 30 percent faster from security attacks than Linux servers"


survey respondents found "a 100 percent improvement in Microsoft's security in the past 12 months."


You think open source is safe? Just interested to know!

Space Ear
2006-08-17 02:46:30
Correction:


no "security expert" worth their salt would agree that any o/s is safe (especially open source).


I typed faster than i was thinking!

Curley Wurley
2006-08-17 04:06:46
Time out people!!


There are benefits to having an open source OS, because the OS is open source means anyone can view the code and therefore the code benefits from all the programmers out there looking at it and fixing its issues. Microsoft is a commercial entity, which means they need to make changes through some sort of change control. Change controls take time. MS do fix their bugs.


The reason why unix is used more and more in server deployments is due largely to cost and configurability. Again because there are more programmers globally than there are working for Microsoft. This means unix deployments can be customised for individual applications. That is why it is used by so many governments and ISPs.


Any security 'expert' will tell you that you only install the services you need - this is what makes a system secure, not having services running that can be taken advantage of. MS windows installs a lot of stuff you don't need so I will consider on this point that unix is 'more secure' because you can configure what you want and leave out what you don't. This does not mean that, if you know what you are doing, you can not remove the stuff you don't want from Windows.


Here is an idea people: Base your opinions on what you have done, what you have tested and what you have broken/hacked. Stop repeating what you have read on some blog, newsgroup or whatever. Learn that not everything you read on the internet is true.

Space Ear
2006-08-17 04:15:58
Another benefit to open source would be that as anyone can see the code anyone can find exploits easily and find a way to use them!
Marina
2006-08-17 09:47:49
Iranian President site has been recently cracked by Russian blogger:


http://leordn.blogspot.com/2006/08/blog-post_16.html

Caitlyn Martin
2006-08-17 10:58:12
Curley gets it right.


Regarding Space Ear, I probably shouldn't feed the troll, but...


1. My credentials as a security analyst include time with Lockheed-Martin and Red Hat. I make most of my money now doing security consulting. I wrote the first whitepaper on NSA Security Enhanced Linux for the federal agency I supported while with Lockheed. Would you like a list of my certifications as well?


2. The idea that one OS isn't inherently more secure than another is nonsense. How long did NetBSD go without a single CERT advisory? It was over five years, wasn't it? Was that due to lack of popularity? No, it was due to the fact that NetBSD was designed, first and foremost, to be a secure OS. All UNIX derivatives and Linux started in life as network/server operating systems and were built with security in mind. Windows, originally a GUI for DOS, was not. Microsoft has been playing catch-up in the security field for years and its monolithic OS design and insistence on supporting large volumes of legacy code render Windows nearly impossible to secure properly.


3. What is the Windows equivalent to NSA Security Enhanced Linux? Oh wait, there isn't one. SeL is included in the Linux kernel which is included in every current Linux distribution. The security tools offered by Linux are simply not matched by Microsoft. SeL is even enabled by default out of the box on Red Hat/Fedora systems. Red Hat holds 91% of the U.S. Linux server market. SuSe/Novell, which is #1 in Europe, and Turbolinux, the #1 player in Asia, also include SeL. Oh, and please don't embarrass yourself by claiming that the U.S. National Security Agency doesn't know security.


4. The popularity argument is bogus. The combined market share of Linux and UNIX servers has exceeded the Microsoft share in the server room since 2000. Note that I am quoting Tim O'Reilly here. The lowest number I could find for Linux server market share is the number claimed by IDC of 28.3% in 2004, and even they see a 37.6% number by 2008. Gartner, for example, quotes much higher numbers. That doesn't include UNIX at all. Adding commercial UNIX and Apple (which is based on FreeBSD) even IDC has Microsoft behind Linux/UNIX. I should also point out that the current Novell NetWare release is based on a Linux kernel as well so they really should be added in too.


Further, these are sales numbers, i.e.: how many servers shipped with Linux installed vs. Windows, Solaris, etc... Since Linux can be, and often is, freely downloaded many smaller businesses convert Windows or NetWare servers to Linux, meaning that actual server room penetration (percentage of servers in use) is even higher.


Finally, visit the Netcraft website and plug in the URLs of all the largest, heavy traffic websites. The percentage running Windows is truly tiny. Google, for example, is a large Linux cluster. Yahoo! runs on FreeBSD. CNN runs on Linux. Need I go on? These are the primary targets for crackers and hijackers, not your underpowered little home PC.


I've been working in the corporate IT world for 26+ years. So.. Space Ear, other than Microsoft sales literature, which is what you quoted, what facts do you have to back up your claim that Windows is inherently as secure as Linux? Who is wearing the blinders here?

Franck Lee
2006-08-17 11:33:43

Thanks for the award yesterday ;)
The only point I was making was, that no matter who started it, now both countries and their citizens are not on the best of terms and I can't trust what an Iranian or their family members say about Israel, and vice versa.
And to answer your question "what does that have to do with malicious code?"
Simply put anything relating to the President of Iran (especially when Israelis are involved) is a political issue and should be viewed through such a lens.



ants
2006-08-17 13:56:19
It is quite clear that Caitlyn may be somewhat at home in security, but politically she is just another dumbass. Peddling such utter nonsense is counterproductive. Your credibility will not go up with this. Most of the commentators here do not believe this ****, it's time to own up that this is false. And your clear attitude against Ahmadinejad does not help you very much.
ants
2006-08-17 14:05:50
And by the way, you should read Yael K. weblog again to get some grip on things.
Let's be clear, you probably didn't read it in the first place. It says clearly, it triggered an alert when she clicked on links on the left, which btw. go to the khamenei.ir website, and which btw. is quite old.
Caitlyn Martin
2006-08-17 15:27:01
Calling me names really gives ants credibility, doesn't it?


First, I made clear that while I first read about this on Yael's blog (and yes, I read it in great detail), that wasn't my sole source. Yael is not technically savvy as others have pointed out and that would not have been good enough for me.


Sorry, this isn't false. I'd like those who claim it is, and throw in an ad hominem attack or two, to show even one shred of evidence to prove the code wasn't there. Clue: you haven't because you can't.


Don't believe it? Fine with me. You think President Ahmadinejad is a great guy and you agree with him? That's fine with me too.

ants
2006-08-18 05:21:13
What I think of Ahmadinejad is besides the point, nor is my credibility or lack thereof important here. The point is: owning up your mistake would give you some credibility back.


And the important thing is: nobody believes it, neither TheReg, Symantec or any other, quote:


We believe what happened was that an IPS (Intrusion Prevention System) signature in Norton Personal Firewall triggered an alert on the www.khamenei.ir website due to HTML code on that page that must be present to exploit the MS IE DragDrop Embed Code vulnerability. Upon investigation, it appears that while the code in this case is harmless, its presence was suspicious enough to trigger an alert. Additionally, this issue is not limited to Israel, as we were able to reproduce the issue ourselves.


The facts are plain: this khamenei.ir site uses shitty html code, which triggered an alert and that's all. btw. Have you ever heard of Occam's razor?

Caitlyn Martin
2006-08-18 09:41:43
I can't own up to a mistake I didn't make. Clearly "nobody believes this" isn't true as it was widely reported. Once again, the malicious code was removed. What you describe is what is on the page now. Get over it. Repeating nonsense doesn't make it true.
Dar
2006-08-18 13:55:32
Can you post the code you copied from the site before it was deleted? I'd like to take a look at it and make my own determination.
Caitlyn Martin
2006-08-18 16:57:36
Dar: If you read the article and thread I'm not the one who verified this or copied code from the site. I will ask, however, if the code in question was saved off and if I can have and publish a copy. Fair enough?
Dar
2006-08-18 20:40:52
Appreciate it. I just don't believe everything I read on the internet and there has been such a fuss about this with conflicting stories I would like to see for myself.
johnx
2006-08-20 13:59:25
We at Symantec Security Response have investigated this issue thoroughly and can find no indication of malicious code being present on that nor on the www.ahmadinejad.ir landing page that triggered the alert.


We believe what happened was that an IPS (Intrusion Prevention System) signature in Norton Personal Firewall triggered an alert on the www.khamenei.ir website due to HTML code on that page that must be present to exploit the MS IE DragDrop Embed Code vulnerability.


Upon investigation, it appears that while the code in this case is harmless, its presence was suspicious enough to trigger an alert. Additionally, this issue is not limited to Israel, as we were able to reproduce the issue ourselves.


We have taken steps to modify the IPS signature which was causing this alert to appear and the updates will be available shortly. In the meantime, we recommend that all users ensure that their software, such as browsers and operating systems, is fully patched and their security software up to date with the latest updates and definitions.


We see in others what we know to be true within ourselves.

Percy
2006-08-21 04:09:18
I'm sure the iranian president is not doing this on purpose. There must be more to this than meets the eye. And as far as linux is concerned, its definitely safer but less user friendly. One really needs to know a lot before installing it. Windows is very comfortable to use.
Percy
Caitlyn Martin
2006-08-22 21:48:56
I've deleted the comments dealing with an identity theft issue I'm fighting through. The accusations made described real events--just not events I had anything to do with. Law enforcement is involved and I am certain that it will all get sorted out eventually after much pain for me.


Folks: in the U.S. people are innocent until proven guilty but thanks to the internet all sorts of false things about the innocent can be published.


Rule 1: All off topic comments to my blog postings will be deleted without further ado.


2006-08-22 22:52:34
The "attack" as described is technically possible (as is the subsequent removal of the malevolent code).


History shows us that the occurrence of such an attack is totally plausible.


So technically and historically there is no reason to doubt the reports of this claimed "attack".

kevin
2006-08-23 18:18:01
christ almighty, i'm from ireland and alphabetically right between israel and iran, will it mess my computer up?
kevin
2006-08-23 18:34:22
victory to the resistance! the leb half destroyed, signing the quick ceasefire (proxy), undisclosed dead, couldn't have too much heavy stuff left, no more than a few days, noticeable by the last volley, israel looks weak but for me it was another israeli victory, but as usual they lost the propaganda war again. gotta learn it's a television war.
Caitlyn Martin
2006-08-23 23:21:08
Kevin: Attacks like this one (and no, I didn't review the code myself) usually work by IP address. Alphabetical order of country names makes no difference whatsoever. I could argue your analysis of the political and military situation in the Middle East but that sort of political discussion really doesn't fit on this blog. There are other forums for that.


Percy: Nobody has said that President Ahmadenijad ordered the code to be written or even was personally aware of it. An overzealous web programmer is all it takes. In any case I doubt anyone will ever know the genesis of this except those involved.


Also, Linux is no more difficult to use than Windows. You are comfortable with Windows because it's what you're used to. People whom I've helped migrate over have been up and running comfortably in no time at all. You really don't need to "know a lot" to run Linux. Installation of an OS, *ANY* OS including Windows, is another matter.