Intel Intelligencer: Bin Laden-Related Links Warning

Posted on 2 May 2011 by


We were going to run with an entirely different direction this morning but last night’s announcement of the death of Usama bin Laden took the relevance away from what we had on the plate. Today we have some looks at what happened from various points of view, with the prevailing ones being that Pakistan must have been heavily involved with the operations, after we look at the malware angle:

The first order of business is to make sure that law enforcement agencies understand that many of the websites and links about the killing of bin Laden and especially to photographs and insider details are likely to be malware-related – attacks began last night as the news broke and are continuing, as are search engine results poisoning attacks – which create pages that lead to malicious code in response to searches on the subject.

SecurityWeek’s Mike Lennon writes of the dangers of bin Laden-related information links leading to malicious code sites; Steve Ragan of The Tech Herald wrote this morning,

… as was the case with the Royal Wedding, the criminals are moving to target the secondary keywords first. Later, they will use these secondary terms to boost results related to the main search. In this case it’s “Osama Bin Laden Dead”.

The malicious sites that appear the most in the search results are pushing Rogue anti-Virus applications. This junk software will leave a system sluggish, and in some cases completely useless. Variants of this type of fake software will promote it as a system optimization tool, such as a registry cleaner. In either case, the infected system is brought to its knees by a loss of function and a flood of fake warnings.

On, Kaspersky Lab expert Fabio Assolini posted examples of search engine poisoning this morning, while the McGrew Security Blog ran a piece entitled Fake Bin Laden Death Pics/Videos Probably on the Way. Over at Imperva, their team put up some specifics of an SEO attack on their security blog,complete with screenshots and video. And to highlight just how entrenched social media have become in the newsscape of all our lives, CNET is reporting that news of the US operation and the death of bin Laden hit first on Twitter, and thence to traditional media outlets. Paul Duckin at the Sophos NakedSecurity Blog says that most of the links out there will likely be legitimate, but  especially to watch out for shortened links, such as those from (that we here at PLI use).

And the first large-scale example of this came later in the day; as Graham Cluley wrote on the Sophos NakedSecurity blog, an Osama Bin Laden death video scam was spreading virally on Facebook by day’s end. The FBI’s Internet Crime Complaint Center ran a warning on 3 May about all the same stuff we put here.

All this is serious business for law enforcement, as it is a likelihood that many in law enforcement are going to be seeking information today and into this week – we recommend that analysts issue warnings where appropriate to inform officers and commanders of the dangers that lurk. In fact, we’d think that creating a list for internal dissemination within your agencies might be a great idea, so that you can issue links to pre-vetted pages you know to be real.

Some interesting links on the intel side of things come courtesy of Team Cymru’s Dragon Newsbytes service, including this one from The Guardian (“Osama bin Laden: it took years to find him but just minutes to kill him“) and to another piece in Osama Bin Laden’s Compound Already Mapped on Google).


UPDATE: According to SANS, the wave of malware has been lower than expected. One wag on Twitter suggested that we “wait ten years” before seeing it at full effectiveness. The Register’s John Leyden reports on an Usama-themed banking Trojan, and the attack on the website of the blogger who first Tweeted about the raid (while not understanding that it was a SEAL raid against UBL).


In terms of reading material on the actual operation and its results, in addition to all the usual media outlets, we’d recommend looking at the intelligence press. STRATFOR is somewhat cautious about its proclamations (by the way, even if you’re not a subscriber to STRATFOR – which you should be, if you possibly can be – you can get access to these articles free in exchange for your email address), pointing out that Pakistani intelligence officials were leaking to US media that their assets were involved in the death of bin Laden well before Obama’s announcement. STRATFOR raises the high tensions in US-Pakistani relations since the Raymond Davis Affair.

These relations are themselves precisely why the people over at KGS Nightwatch are more direct in their analysis that the Pakistanis not only participated in the leadup to the raid, but indeed may have been responsible for it, because, as they say,

The conclusion is inescapable that the Pakistan Army protected bin Laden and recently decided to give him up, rather than sacrifice the Army’s relationship with the US. The terms are not known as yet, but there certainly is a trade in which bin Laden was sacrificed. The trade might involve an end to US drone attacks across the border, which humiliate the Pakistan Army, or a new coordination regime for drone attacks into Pakistan.

That’s a point of view shared by The Telegraph in the UK, which states that documents obtained by WikiLeaks show that the Pakistani security services tipped off bin Laden whenever US troops approached, and that Pakistan’s Inter-Services Intelligence Directorate (ISID) also smuggled al-Qaeda terrorists through airport security to help them avoid capture.

Finally, an interesting take on this is available over at in a piece entitles, The Secret Team That Killed bin Laden.