Tuesday, July 29, 2008

FBI & Facebook: Storm Worm gets it all wrong!

The newest version of Storm is out again . . . this time making claims about the FBI and Facebook.

The virus-laden website looks like this:

The subjects of the spam email messages, according to UAB's Spam Data mine, include:

F.B.I. agents patrol Facebook
F.B.I. busts alleged Facebook
F.B.I. Facebook Records
F.B.I. Looks Into Facebook
F.B.I. may strike Facebook
F.B.I. on the Hunt for Facebook users
F.B.I. tries to fight Facebook
F.B.I. wants instant access to Facebook
F.B.I. Watching Hezbollah in Facebook
F.B.I. Watching Possible Terrorists on Facebook
F.B.I. watching us
F.B.I. watching you
Facebook Coming Under F.B.I. Scrutiny
Facebook Coming Under FBI Scrutiny
Facebook's F.B.I. ties
Facebook's FBI ties
FBI bypasses Facebook to nail you
FBI can watch our conversation through Facebook
FBI Facebook Crime Survey
FBI Facebook Records
FBI Looks Into Facebook
FBI may strike Facebook
FBI on the Hunt for Facebook users
FBI tries to fight Facebook
FBI wants instant access to Facebook
FBI Watching Hezbollah in Facebook
FBI Watching Possible Terrorists on Facebook
Get Facebook's F.B.I. Files
Get Facebook's FBI Files
The F.B.I. has a new way of tracking Facebook

Although the earliest versions of the spam pointed to websites by their domain name, including:



The most recent versions used an IP address instead, such as addresses on:

Comcast (Chicago)
Earthlink
Charter Cable
WideOpenWest (Naperville, Illinois)
AT&T (Atlanta)
AT&T (Chicago)
Charter Cable
AT&T (Chicago)
Comcast (Savannah, GA)
AT&T (Texas)
Comcast (Michigan)
Road Runner
AT&T (Kalamazoo, Michigan)
Comcast (Minnesota)
Windstream (Little Rock, Arkansas)
Rock Hill Telephone Company (Rock Hill, SC)
Butler-Bremer Mutual Telephone (netINS, Inc)

As with most emerging viruses, coverage for this malware in the anti-virus community is quite pathetic at the moment. They will certainly catch up soon, but the current scan at VirusTotal revealed only SIX of Thirty-Three AV products could detect this virus. Detection was not present for any of the leading AV products, including McAfee, Symantec, and Trend Micro. Microsoft also fails to detect at this time.

To Understand the War on Terror: Read This

The handful of you who follow my annual book list know that in addition to my science fiction and haiku poetry diet, I read books on world politics, terrorism, and the intelligence community. I don't normally talk about them here, but this week I read a book that I believe would be a Must Read.

Ronald Kessler's book, The Terrorist Watch: Inside the Desperate Race To Stop the Next Attack could not have been written by anyone other than the columnist of The Washington Insider. As a long-time member of the FBI Fan Club, I was surprised by the things Kessler revealed that I simply didn't know about the Bureau and the War on Terror. Especially after his crucifixion of former FBI Director Louis Freeh (1993-2001) in his book "The Bureau: The Secret History of the FBI", I really hadn't imagined what a good friend of the Bureau Kessler could be.

Kessler takes a few current FBI Myths and jumps straight to the source, asking for, and getting, unprecedented access, including interviews in their own environment. Willie Hulon, then the Executive Assistant Director of the FBI's National Security Branch; Art Cummings, then the Deputy Director of the National Counterterrorism Center (he has since taken Willie's old job); FBI Director Robert Mueller; CIA Director Michael Hayden; and White House advisor on counterterrorism Fran Townsend are just some of the highlights of his Who's Who in Counter Terrorism tour.

Myth: The CIA and FBI don't share information

Response: Kessler gives us a guided tour of the National CounterTerrorism Center (NCTC), spending a great deal of time on the layout of the 10,000 square-foot operations center which has the FBI's Counterterrorism Division watch center on one end, and the CIA's Counterterrorism Center's watch center on the other end. No walls separate the entire workspace, and Kessler explains in detail how the analysts from sixteen different intelligence agencies interact in the space, and share information to keep the "mother of all databases", the Terrorist Information Datamart Environment, up to date and synchronized with what is known by each of the intelligence agencies. In a chapter called "Dr. Strangelove", Kessler walks us through what happens in the daily "SVTCs" - the all agency briefings that are run from the NCTC at 8 AM, 3 PM, and 1 AM, seven days a week.

One of the biggest challenges to understand, and one that still receives a great deal of criticism, is how the FBI can go about being both an Intelligence Agency and a Law Enforcement Agency.

Kessler illustrates "the old thinking" vs. "the new thinking" this way . . . (quoting Art Cummings):

The director [Mueller] said, 'We've got this new mission. It's a prevention mission.'

Pre-9/11, the first consideration was, I got an indictment in my pocket . . . slap it down on the table, pick the guy up, throw him on an airplane...put him in jail and you go, 'Okay, I've done a great job today.'

Through interviews with Philip Mudd, Art Cummings, Pat D'Amuro, and others, Kessler makes it clear that that is no longer the situation. Now the first concern, when the suspect has a possible terrorism connection, is intelligence gathering. The Bureau's unique approach to extracting intelligence, whether it be in months-long "friendly interrogations", through human surveillance teams, or through "technical collection", is explained to a level rarely seen in a public work.

While it's clear Kessler is in the Fan Club with me, he doesn't skirt around the challenges. He addresses FISA, National Security Letters, the Computer Incompetency of the Bureau (Sentinel and Virtual Case File), whether we'd be better off with an MI5-style agency, Gitmo, and the various media feeding frenzies.

Most books about the Intelligence Community and the War on Terror focus on government screw-ups, incompetencies, and secret agendas and have as their mission the undermining of the public's confidence in our government. It was refreshing to read Kessler's "insider look" offering an alternative view into these issues, and I hope others will join me in checking out this book.

Saturday, July 26, 2008

Top News in Spam = Old News

First, I wanted to say that I am appalled and saddened by the news that Eddie Davidson, the escaped convict who was serving time for spam, has killed his wife and three-year-old child before committing suicide. Many of these spammers and cyber criminals are sick sociopaths who believe they are beyond the law, but it's still sad news whenever innocent lives are taken. My prayers are with the family as they grieve.

For yet another day, the Top News in spam is Old News. The "News Headline" or "Video.exe" spammers continue to dominate our inboxes.

More than 90 compromised webservers have been used in this newest attack, which uses more than 90 new email subjects to trick the public into infecting themselves.

Each website contains the files:


The file 00.html contains an encoded block of Javascript code which, when decoded, reveals the hostile code downloader.

First the subjects:

"I Won't Raise Taxes," Says Schwarzenegger, "except For The Indians."
50 Cent sues Taco Bell
Apple nosedives on Jobs' death
Arnold Says im Gay Too!
Arnold Schwarzenegger to make movie
Astronauts Pose With The U.S. Snoopy
B52 bomber crashed in Hawaii
Batman is gay. Watch the proof.
Battle Of The Butts, J Lo V Britney Spears
Beijing Olympics cancelled
Bin Laden driver denies al Qaeda links
Black Panthers Sue White Guys For Stealing Copyrighted Gesture
Blair: Im Not Gay, Thats Just My Accent
Brave Suicide Bomber Survives Blast!
Britney and Justin are together again
Britney Clothed Photo Fury
Bush Accidentally Starts The War On Iran
Bush To Reporters: Fuck The Constitution
Bush 'Troubled' by Gay Marriages. Declares San Francisco Part of 'Axis of Evil'
Buy stocks now to make money
Cambodia declares war on foreigners
Cell phone use increases cancer
Clubs refuse to release players for Olympics
Courtney Love Vows To Wear Clothes
Earthquake in Japan kills millions
Ebay Lists Another Cheese Sandwich
Fat Chinese Man Kills And Eats Brother Because He Was Hungry
Ferguson fears Chelsea
Four Horsemen Of The Apocalypse Unveil New Alert System
French Have More Sex In Surveys Than Any Other Country
Gay Marriage Could Be Profitable
Gay Men Perceive Each Other As Homophobic
How to avoid paying credit cards
How To Break Up With Your Girl, Then Get Some Bootie Time!
Hurricane Dolly damages infrastructure
I Liked The Part When The French Got Their Asses Busted - G.W. Bush
Insider tips to these stocks
IT departments lauded for selling data
Join our weekly poker tournaments
Kidney stealing ring busted
Man gets pole stuck in handcuffs
McCain diagnosed with pancreatic cancer
McCain's health suspect
My Scrotum Is Getting Really Huge These Days
New betting tips for new season
New National Anthem Proposed By Bush
Obama bribes voters
Obama diagnosed with brain tumor
Obama engages rappers in election aid
Obama Is Anorexic Over-Exerciser
Obama withdraws support for Israel
Obama's mistress speaks up
Oil prices fall sharply
Osama caught sodomizing lieutenants
Osama Seen Dining At The Paris Ritz
Osama trains goats for tactical bombing
Pamela and Britney are lesbian lovers
Pamela Anderson To Sell Her Clothes; Announcement Causes Nationwide Frenzy
Please Baby, Give Me Another Chance
Possible Spam : Shocking Video Shows Spongebob And Gay Sex!
Prada gives fake bags to charity
Release Of The Nancy Pelosi Sex Dvd Causes Mass Erectile Dysfunction In Us
Richard Nixon Speaks From The Grave!
Right To Own Guns Upheld
Sarah Jessica Parker Arrested For Gross Negligee
School Board Adopts Gay-Ass Uniform Policy
Schwarzenegger reduces minimum wages
Scientists Create Prosthetic Brain
Shocking Video Shows Spongebob And Gay Sex!
South Korea goes to war over dead tourist
Spongebob Denies Reports That Hes Gay
Steve Jobs down with cancer
Steve Jobs to resign from Apple
Stock Markets Close As Global Earth World Planet International Buys All Shares
Studies show Americans love complaining
Studies show Europeans hate Asians
Studies show female bosses love flirting
Stupid millionaire gives huge tips
Stupid woman buys iPhone for 5000
Switzerland To Be Devoured By Black Hole
Terrorist bombs Philippines killing 30
Texans Do The Unthinkable
Theodore Roosevelt Was A Gay Man
Tiger Woods Will Call Next Son Monkey
Tupac Shakur Speaks Out From Beyond The Grave: "Stop Releasing My Stanky Old Songs"
WalMart declares bankruptcy
Woman chokes after swallowing Tiffany diamond
Woman found with bottle in vagina
Your tickets have been confirmed

If you are in control of any of the hacked webservers, we would like very much to speak with you regarding the method of compromise. We are hearing that the servers are being compromised through FTP sessions, with a real FTP password being used. Are these brute forces? Have they "sniffed" the FTP password (which, we should remember, should never be used, as it is sent across the Internet unencrypted!), or have they "keylogged" the FTP passwords from the users' machines? We need to know!

We have looked up the "WHOIS" information on all of these domains and sent an email to each webmaster, asking for more details about their attack, and informing them of the bad content on their servers so they can get it cleaned up.

Sadly, many of these domains either do not have WHOIS information, or have expired email addresses, so even when we TRY to contact the webmaster, we are unable to do so without poring over their websites looking for contact information. If the WHOIS data were properly implemented, a simple program could inform all of these webmasters.

My favorite WHOIS data was for the domains beatmung-sachsen.eu, cmeedilizia.eu, and deliriuslaspalmas.com, which gave as the Administrative Contact:

This domain exists, but because the European Registry of Internet Domain Names (EURid) is, in our view, run by incompetent administrators who failed to properly manage the server, you cannot view the domain registration data unless you visit their Web site, www.whois.eu

Like the authors of that WHOIS data, I am not spending my time visiting the page.


Wednesday, July 23, 2008

Two Spammers Doing Time and One That Got Away

Just a short update before I head to the airplane . . .

The big news in the spam world this week has been the sentencing of Robert Soloway. It's actually been the big news for a couple of weeks, with some great stories like CIO Magazine's "Soloway Case Reveals Big Business Behind Spam".

Last Friday I sat in my office with a 41-page Sentencing Memo from Soloway's Defense Attorney, and told my students, "This is not going to go well."

Honestly I read the document from Richard Troberman, Attorney at Law, with some skepticism, assuming that a lawyer for a spammer may not be the most altruistic person, but many of the claims were shocking.

Troberman claimed that "90% of the claimed losses" in the case came from 12 individuals, and then proceeded to SMASH their credibility. Claims such as:

Marcia Branum, who calculated that Soloway had cost her $369,500, which she arrived at by saying his spam cost her "80 hours per week times nine months at $30.00 per hour", with the rest of the claim being comprised of the fact that Soloway had caused "actual loss of potential in the first year alone of over $1,000,000.00", which is what she lost by not being able to enter into an online business with a friend in California and a "3rd cousin in Ohio who are literally making millions" because she was spending 80 hours a week dealing with Soloway spam.

or Tamra Burgess, who calculated that Soloway had cost her $328,000, based on the fact that she spent "18 hours per day, at $50.00 per hour, for 365 days responding to spam". Troberman points out that when she complained about Soloway to the Better Business Bureau, she says "I haven't lost any money".

Ronald Carter estimated his losses at $250,000. He must have received quite a bit of spam from Soloway!

Matthew Hexter claimed a loss of $48,149, which was because he had been "guaranteed a 400% increase in sales" by buying Soloway's spamming products, and had not actually seen that increase.

Eduardo Vanci says he lost $48,740 due to a four week interruption of service. Troberman points out that would mean Vanci normally earns $588,880 per year.

Troberman proceeds through his 41 pages, sometimes admitting fault, sometimes bashing witnesses who were "quite simply, not credible", and by the time I finished the document, I told my students, "He'll still get time, but not nearly enough. If this is really what the State brought against him, they need to do their homework better next time, if Troberman is telling the truth."

The sentencing is in. Instead of the requested Nine Years, Soloway will serve 47 months. Seattle PI broke the story with 'Spam King' gets nearly four years in prison.

On July 15th there was another spammer sentenced. I mentioned Adam Vitale in my blog back in November (And Now Some Good News), when his partner Todd Moeller was sentenced to 27 months in prison. Vitale now receives his own 30 months in prison for spamming AOL.

As an example of how little evidence we really need in court - this case focused on a SINGLE WEEK of email messages sent to AOL subscribers by "Trill" and "Batch1". During that week, back in August of 2005, the "g00dfellas", as the duo called themselves, sent 1.2 million emails to subscribers of AOL.

That's it? Well, not quite. But that's the majority of it.

And the one that got away?

(photo from: Daily Camera.)

"Fast Eddie", the 35-year-old Edward Davidson from Louisville, Kentucky, was sentenced to 21 months at a minimum security federal prison camp. He began his email marketing company in 2002, and became involved in "Pump and Dump" spam in 2005. Eddie was also ordered to pay $714,139 in restitution.

Apparently "Fast Eddie" didn't like prison, so while serving on a work crew on Monday, July 21st, he walked away. The U.S. Marshals Service has now taken over the search.

The Denver FBI has a press release regarding his escape on their site.

Fast Eddie, if you are reading this, you might like to know about the US Marshals Fugitive Safe Surrender Program.

Thinking of the US Marshals reminds me of the USA Series about the Witness Protection Program, In Plain Sight, which I link to here for no apparent reason. Haha!

Tuesday, July 22, 2008

Amero to Replace Dollar? Could Storm Worm Be Right?

According to the newest version of the Storm Worm, the Amero is about to replace the dollar:

The U.S. Government began to realize the plan to replace the Dollar with the "Amero", the new currency of the North American Currency Union. Canada, the United States of America and Mexico have resolved to unit in order to resist the Worldwide Financial Crysis. You can become acquainted with the plan of the implementation of Amero, just click on the icon under this text.

Spam received July 21st and July 22nd by the UAB Spam Data Mine used subjects like these to advertise websites hosting the new malware:

Amero - the secret currency
Amero arrives
Amero currency Union is now the reality
Amero is not a myth
AMERO to replace Dollar
Bye bye dollar, hello amero
Collapse of the Dollar
Death of the U.S. Dollar
Dollar is replacing by Amero
Dollar is replacing by new currency
Fall of the Dollar, beginning of AMERO
No dollars anymore
North American Union is the reality now
One Currency for Canada, U.S and Mexico - The Amero
Say Goodbye to the Dollar
The Amero is here
The Dollar disappeared
The new currency is coming
Welcome the Amero
You can forget about Dollars

According to Virus Total only 14 of 33 anti-virus products detected the new malware.

AntiVir, Avast, GData, Kaspersky, and WebWasher called it Zhelatin. (Worm/Zhelatin.zi, Win32: Zhelatin-DIO, Email-Worm.Win32.Zhelatin.afa)

AVG, McAfee, Microsoft, and NOD32 called it Nuwar (I-Worm/Nuwar.V, W32/Nuwar@MM, Backdoor:Win32/Nuwar.gen!D, "a variant of Win32/Nuwar.DF")

BitDefender named it "Trojan.Peed.JPS" while Sophos called it "Mal/Dorf-O" and Symantec called it "Trojan.Peacomm.D"

The file we reviewed was 91137 bytes, with MD5 of 2a9c2cefd361e950fbfe58f0df6981ca.
Our copy was retrieved from, on Buckeye Cablevision.

News Headlines Still Out of Control

We reviewed 66 websites which were found in email messages which made reference to today's News Headline Infection file, "/viewmovie.html".

Forty-one of the domains were live at the time of this review.

Not all of those actually had the virus live on them though . . .

Those which did download a file "codecinst.exe" after telling the visitor they are missing the proper codec to view the video file.

My McAfee Anti-Virus doesn't currently detect this file as being a virus, however many others do, including Norton, which strangely calls it "Trojan.Pandex".

The websites which were hacked in order to host the infection files include:


As many as 21 of these domains were hosted on a single IP address,, which is actually on the "DadaNet" hosting provider in Italy. (We've sent them a notice with the 23 domain names, including 2 others on

97 different Spam subjects were used by this campaign (or group of campaigns) in the past 48 hours.

"brainstorming" To Be Banned Under Equality And Diversity Rules
[audio] Catholic Church Condemns Metrosexuality
[audio] Church Group Offers Homosexual New Life In Closet
[audio] Mccain Vows To Withdraw All Troops From The U.S.
[video] Bush Tours America To Survey Damage Caused By His Disastrous Presidency
[video] Hulk Smashed
2008 Presidential Election Results Leaked
Al Qaeda Reports Declining Revenues in Fiscal '08
All Baseball Players May Be Indicted For Steroid Abuse
Angeline Jolie Pregnancy. 'it Was All A Hoax!'
Army Relent On Shooting Live Pigs In Training Exercise - Will Shoot Illegal Immigrants Instead
Arnold Says im Gay Too!
Barack Obama Caught In A Time Warp
Bearded Lady Gives Birth
Blair:Im Not Gay, Thats Just My Accent
Boy 4, pulls off sister's ear
Boy pokes fork into sister's eye
Brave Suicide Bomber Survives Blast!
Bush Down to 8 Friends on Myspace
Bush Sells Louisiana Back to the French
Bush 'Troubled by Gay Marriages. Declares San Francisco Part of 'Axis of Evil'
Cindy Mccain Talks About Her Boobs
Cristiano Ronaldo Disses Paris Hilton "um Louro Mudo Feio!"
Existince of Poor People A Surprise, Says Bush
Gay Bishop Was A Wrestling Pro
Gay Marriage Could Be Profitable
Gay Men Perceive Each Other As Homophobic
Gays Banned From Owning Pets In New York
George W Bush Slams Tony Blair
God Accepts Responsability for Hurricane Katrina
God Destroys Boise For Not Being Gay Enough
Gus Hiddink Heads for Gulag
Hillary Clinton Gets Night Job
Home Office To Deport Anyone with Iq Below 100
Horse gets swallowed by snake
Horse kicks Harrison Ford in stomach
Horse kicks Ralph Lauren in stomach
Horse wins owner $17m
Horses breaks riders skull in freak attack
Ican To Shut Down Email Services World Wide
JFK long-lost heir found
JFK memoirs reveal affair
JFK memoirs reveal illegitimate son
Kids leave robbery victim dead
Kids rob elderly, police open fire
Madonnas Former Home Destroyed By Jesus
Man breaks arm in horror fall
Man loses eye in fight
Martian Soil Fantastic For Growing Weed Says Nasa
Mccain - Iran Has Weapons of Mass Destruction
Mccain And Bush To Dance In Puppet Show
Mccain Says Unsure If Obama A Secret Hippopotamus
McDonald's Happy Meals In San Francisco To Include Gay Marriage License
Michael Jackson is hermaphrodite. Watch the video.
Microsoft's AntiSpyware Tool Removes Internet Explorer
NASA to use Space Shuttles to Kill Birds
nazi Toddlers Ruined My Birthday
Obama Captures Osama
Obama Is Anorexic Over-Exerciser;
Obama is gay. Watch the Proof.
Old Man Dies Inside Paris Hilton
One Hot White Chick Injured in Tsunami Disaster
Pamela Anderson Shouts, "i'm Gonna Remarry My One And Only True Love Tommy!"
Paris Hilton Charges For Pussy
Paris Hilton Infested With Cockroaches
Paris Hilton Initially Denies Having Inverted Nipples
Paris Hilton Is Going To Jail
Paris Hilton Lectures on Dickens And Dostoevsky
Paris Hilton To Operate New Atom Smasher
Paris Hilton Tosses Dwarf On The Street
Paris Hilton Wins Pulitzer Prize
Pepsi sues Coke for $892mn
Police open fire on elderly in Iowa
PopeWatch: Fox News Personally Confirms the Pope's Death
President Bush's iPod: The Complete Playlist
Prominent Male Hooker Forced To Step Down After Sex With Sleazy Evangelist
Raw footage of snake swallowing horse
Release Of The Nancy Pelosi Sex Dvd Causes Mass Erectile Dysfunction In Us
Right To Own Guns Upheld
Ronald Reagan Prime Suspect In Bank Robbery
Sarah Jessica Parker Arrested For Gross Negligee
Sarkozy Carla Bruni Sex Film Shocker At Windsor Castle
School Board Adopts Gay-Ass Uniform Policy
Shocking Video Shows Spongebob And Gay Sex!
Snake caught swallowing horse
Spongebob Denies Reports That Hes Gay
Stock Markets Close As Global Earth World Planet International Buys All Shares
Switzerland To Be Devoured By Black Hole
Teenage Girl obviously Having Affair With Bat
The Meat Wars: Jessica Simpson's Shirt Tees-Off Pam Anderson
Theodore Roosevelt Was A Gay Man
Tiger Woods Will Call Next Son Monkey
Ufos Sighted Over Uk
Unemployed To Be Used For Soup
White Male Workers Banned In Britain
Woman loses foot in shock attack
Woman loses nose after dog attack

Thursday, July 17, 2008

Russian Cybercrooks, CoreFlood, and the Amazing Joe Stewart

If the Anti-Virus world was run like the Chess world, we would all know Joe Stewart from SecureWorks as an International GrandMaster of Malware Analysis. One of the advantages of being an International GrandMaster of Malware Analysis is that you get to shine spotlights on really bad stuff -- and people listen! I'm talking about Stewart's excellent article in yesterday's USA Today on the Coreflood Gang. Before I returned home to find a copy of the article clipped and lying by my recliner by my dutiful paper-reading mother-in-law, I had several queries about "the Coreflood Gang", and I didn't know they even existed. Coreflood was a word from distant memory, dealing with pre-Windows XP machines for me. In fact the first searches I did took me to articles such as this 2003 Redmondmag article where Chris Belthoff from Sophos explains how the virus works. With a little digging we are able to see that the Coreflood Gang is Stewart's name for the group who is applying this virus from "ancient history" in Internet years to a new purpose and with a much higher payback. Other common names for the virus were Corefloo and AFCore.

The article, which seems a rehash of the Robert McMillan IDG article (here from InfoWorld): Trojan lurks, waiting to steal admin passwords, from July 2nd, is a much-needed escalation from the technical press to the general public. Unfortunately it rings an alarm bell without giving any of the necessary details to know what to do about the possibility of your own machines being infected.

It lays out a situation where Stewart was able to come into possession of a cache of data which was harvested by the trojan he has dubbed Coreflood. The server contained MORE THAN 500 GIGABYTES of stolen data in compressed form, showing evidence of 378,758 unique Coreflood infections inside thousands of organizations.

The chart that accompanies the article discusses single organizations, including hospitals, hotel chains, universities, and school districts, which had many hundreds of infections located at a single organization. The worst example was a school district where more than 31,000 computers had been infected with this trojan.

As the PC World article made clear, the reason this type of infection is possible is because of a program called "PsExec", which is a SysInternals program currently distributed by Microsoft. The purpose of PsExec is to allow a Windows Domain Administrator to perform remote administrative tasks on machines throughout their network. The thing which has made the CoreFlood trojan, first disclosed in 2001, suddenly newsworthy is its use of this tool. As Stewart explains in his Technical Analysis of Coreflood/AFCore, infected hosts lie in wait on their networks, waiting for a Domain Level Administrator to log in to the box. When the trojan detects that it has Domain Administrator privileges, it then uses its copy of PsExec to perform a remote installation on all of the other hosts where that Domain Administrator account has control. A single infected computer can then become an entire network of infected computers in a matter of minutes!
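A defender-side check for the spread pattern described above, added here as an example that is not from the article, from Stewart's analysis, or from any AV vendor: it reads a constructed CSV export of Event ID 7045 ("a service was installed") records gathered from many hosts and flags an account whose PSEXESVC service installs land on many distinct hosts within a few minutes, which is what a Domain Administrator logon on an infected box would produce. The CSV layout, host names, account names and timestamps are assumptions; PSEXESVC is the service name PsExec registers on the target.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample (not real telemetry): System-log Event 7045 records from
# several hosts, flattened to: time, host, event_id, service_name, image_path,
# account. da-jsmith's six installs in ~60 s are the Coreflood-style burst;
# helpdesk1's two installs hours apart are ordinary admin use.
SAMPLE_LOG = r"""2008-07-10 09:11:40,WS-0412,7045,PSEXESVC,%SystemRoot%\PSEXESVC.exe,CORP\da-jsmith
2008-07-10 09:11:52,WS-0418,7045,PSEXESVC,%SystemRoot%\PSEXESVC.exe,CORP\da-jsmith
2008-07-10 09:12:03,WS-0421,7045,PSEXESVC,%SystemRoot%\PSEXESVC.exe,CORP\da-jsmith
2008-07-10 09:12:15,WS-0433,7045,PSEXESVC,%SystemRoot%\PSEXESVC.exe,CORP\da-jsmith
2008-07-10 09:12:30,WS-0440,7045,PSEXESVC,%SystemRoot%\PSEXESVC.exe,CORP\da-jsmith
2008-07-10 09:12:44,LAB-007,7045,PSEXESVC,%SystemRoot%\PSEXESVC.exe,CORP\da-jsmith
2008-07-10 08:02:10,WS-0101,7045,PSEXESVC,%SystemRoot%\PSEXESVC.exe,CORP\helpdesk1
2008-07-10 10:45:00,WS-0102,7045,PSEXESVC,%SystemRoot%\PSEXESVC.exe,CORP\helpdesk1
2008-07-10 09:12:00,WS-0412,7045,Spooler,%SystemRoot%\System32\spoolsv.exe,NT AUTHORITY\SYSTEM
"""


def parse_events(text):
    """Parse the assumed CSV export, keeping only Event ID 7045 rows."""
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) != 6 or row[2] != "7045":
            continue
        ts, host, _, service, image, account = row
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host,
            "service": service,
            "image": image,
            "account": account,
        })
    return events


def psexec_bursts(events, window=timedelta(minutes=5), min_hosts=5):
    """Return one alert per account whose PSEXESVC installs reached at least
    min_hosts distinct hosts inside any sliding window of the given length.
    A legitimate admin touching a couple of boxes over a day never trips it."""
    by_account = defaultdict(list)
    for e in events:
        if e["service"].upper() == "PSEXESVC":
            by_account[e["account"]].append(e)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            end = start["time"] + window
            hosts = {e["host"] for e in evs[i:] if e["time"] <= end}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "account": account,
                    "first_seen": start["time"],
                    "hosts": sorted(hosts),
                })
                break  # one alert per account is enough to start triage
    return alerts


if __name__ == "__main__":
    for alert in psexec_bursts(parse_events(SAMPLE_LOG)):
        print("%s pushed PSEXESVC to %d hosts starting %s: %s" % (
            alert["account"], len(alert["hosts"]), alert["first_seen"],
            ", ".join(alert["hosts"])))
```

The same grouping works on 7045 records pulled from a SIEM; the account that triggers the alert is the Domain Administrator credential the infected host was waiting for, and its hosts list is the first containment scope.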

Once infected, the computer becomes part of a very professional and elaborate botnet control system, which uses an SQL Database to sift, sort, and manage all of the data which it has stolen from keyloggers and files on its infected machines. In this way the controllers of Coreflood can make simple queries to their central database of stolen data such as, "Show me a bank account on Bank XYZ, where the balance is greater than $100,000!"

As I'm sure interest will be high in this virus after the story, I thought I would give some more hints on finding the AV program articles about it. (Since googling on CoreFlood will give you 2,000 blog articles on Joe's article!)

McAfee has been following malware called CoreFlood since at least October of 2001. As recently as July 3, 2008 they mention Coreflood and the fact that a tool called JailBreak is often installed on the same computer, which is used to export items from the Windows Certificate Store. The file "sstore2K.exe" should be searched for if you are looking for recent CoreFlood infections. Their main article, which they call "CoreFlood.dr" was "recently updated to Low-Profile due to media attention", they say, referring to a PCWorld article from July 2nd on the trojan.

Symantec, like McAfee until last week, has considered Coreflood to be a "Risk Level 1: Very Low" according to their Main Coreflood article. They rate its number of infections as being "More than 1000" at a number of sites "More than 10", in the article which was posted in 2002, with updates as recently as June 20, 2008. They describe the trojan as being "primarily designed to conduct Denial of Service (DoS) attacks", which was certainly what everyone believed until Stewart's revelation.

Symantec also has a detection for webpages that try to infect visitors with Coreflood, which has been the main path of infection since at least 2003, when the exploit described in Microsoft Security Bulletin MS03-032 was used to do "drive-by" attacks on webpage visitors.

A search at Sophos finds a 2003 article on CoreFloo-C, where it describes the earlier IRC-controlled trojan, as well as a 2004 article on CoreFloo-D. They make it all the way through the alphabet several times with this one, with Afcore AJ being in August 2004. The current version seems to be named "CoreFlo", such as Troj/CoreFlo-P in January 2007, which they alias as "Backdoor.Win32.Afcore.cm", CoreFlood.dll, and Backdoor.Coreflood.

Speaking of going through the alphabet, F-Secure has enough versions of "Backdoor.Win32.Afcore" that they were on version "di", according to the July 13th version of their anti-virus signatures. Here's a description from Version Q, in 2003, which seems to be the last time this virus deserved its own article.

Good luck, Virus Hunters! I hope this article will help you move from "concerned" to "informed"!


Wednesday, July 16, 2008

22 More Romanians meet The Long Arm of the Law

How Long is the Long Arm of the Law? It's at least long enough to reach from eBay headquarters to Romania. In another example of the successful international cooperation between the FBI and Romanian cyber officials, 22 more Romanians have been arrested for Internet Fraud Crimes.

The first English language story that I've seen was on Romanian Authorities Arrest 24 Suspects in Internet Frauds.

A Romanian story with today's date has more details, for those who speak Romanian:

Romanian story here: În afacerea Malware, 21 de persoane arestate. The Romanian story mentions that some of the electronic commerce sites targeted by the group included e-Bay, Equine.com, and Craigslist.com. Along with computer equipment and equipment to make false identities, the police seized mobile phones, SIM cards, and funds in Lei (Romanian currency), Euros, British Pounds, and US Dollars.

The arrests were made in the Romanian cities of Bucharest, Ramnicu Valcea, Sibiu, Alexandria, Dragasani, and Hunedoara. The leader of the group, Romeo Chiţă, was arrested in an apartment home belonging to a Romanian elected official, Dumitru Puzdrea. Puzdrea denied knowing anything about Chiţă's illegal activities.

One news crew was on site to see some of the hackers arrested. Here's a video taken in Râmnicu Vâlcea from yesterday afternoon. Watch to the end to see hackers in handcuffs. The accompanying Romanian News Story is getting commented on heavily - 57 comments already by this posting. Very educational. It seems the "F" word is the same in English as it is in Romanian.

Three un-named Romanian Hackers from Ramnicu Valcea:

I'll post more information as it becomes available, but congratulations to the FBI, to the Brigada Specială de Intervenţie a Jandarmeriei, and to DIICOT (the Romanian organized crime and anti-terrorism squad).

Monday, July 07, 2008

Nuwar Looks for News Readers?

What news headlines would make you click an email link, even though you KNOW you aren't supposed to do that? The authors of the newest round of Nuwar, which may or may not be the same "storm" worm that we've seen two rounds of already this month, think they know.

Based on a review of this afternoon's "infect you through news headlines", the virus authors believe you want to know about Obama, McCain, Angelina Jolie, and the new Batman movie.

The spam for malware-infection "PornTube" sites is really out of control lately.

The current trend is to hack into someone's site, leave an "r.html" file there, and then send spam with totally unrelated subjects which, when clicked on, will open very offensive porn images and also try to infect the visitor by sending them to a secret website through an "iFrame". (The iFrame redirection site, digitaltreath.info, is now down and will hopefully stay down, after nearly a month of hosting badness.)
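The post describes the injected iframe but not how a site owner would find one on their own pages. Here is an added example (my code, not the blog's or any vendor's) that scans a page for iframes pointing off-site that are hidden or sized to a pixel or two, which is the shape an injected redirect usually takes. The HTML, the site host and the redirect host name are constructed placeholders for illustration, not indicators from the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an injected "r.html" style page. The redirect host is a
# placeholder (assumption), not the host named in the post.
SAMPLE_RHTML = """
<html><body>
<img src="/images/pic1.jpg">
<iframe src="http://redirect-host.example/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
<a href="/video.exe">Click here to watch</a>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collects every <iframe> start tag together with its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values of 3px or less, the usual size of a hidden frame."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 3


def suspicious_iframes(html, site_host):
    """Return findings for iframes that load from another host AND are hidden or tiny.

    site_host is the hostname the page was fetched from; a relative or same-host
    src is not counted as off-site.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host
        off_site = host != site_host
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = "visibility:hidden" in style or "display:none" in style
        tiny = _is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height"))
        if off_site and (hidden or tiny):
            findings.append({"src": src, "host": host, "hidden": hidden, "tiny": tiny})
    return findings


if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_RHTML, "hacked-site.example"):
        print("suspicious iframe ->", f["host"], "(hidden=%s, tiny=%s)" % (f["hidden"], f["tiny"]))
```

A large visible off-site iframe (an embedded video player, say) is deliberately not flagged; the point is the combination of off-site source and concealment, which is what an injected redirect needs and a legitimate embed does not.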

The malware which is present on each site is a file called "video.exe", which at least several AV products (AVG, McAfee, Microsoft, Trend) are calling "Nuwar", aka Storm.

Symantec calls it "Trojan.Erotpics", while several others call it "Exchanger" (AhnLab, BitDefender, ClamAV, Fortinet, VBA).

eSafe, F-Prot, Panda haven't weighed in yet -- VirusTotal shows 22 of 33 detections right now.

The template seems to be: pick a random subject, pick a random body line, and pick a random website. The choices I've seen today include:


  • Actors required Sign up now
  • Angelina jolie shock pregnancy discovery
  • Angelina Jolie suffers miscarriage
  • Apple files for bankruptcy
  • Are you getting enough
  • Beyonce breaks up with Jay Z
  • Blast in Pakistan
  • Brad Pitt confesses to betrayal
  • China fires missle in Taiwan's direction
  • Christopher Nolan's Knight vision
  • Clinton withdraws support for Obama
  • Eminem found dead in disco toilet
  • Fantastic year for spanish athletes
  • Federer crashes out
  • Fight for your benefits and rights
  • Heath Ledger never saw the Dark Knight
  • Hurricane hits Caribbean islands
  • India plans attack on terrorists
  • Join our talent hunt contest
  • Latest gossips on celebrities
  • Madonna admits to extra marital affair
  • McCain suffers heart attack
  • McCain withdraws from presidential race
  • McCaine vows to remain celibate
  • Memorabilia for heroes only
  • Miley cyrus naked photos expose
  • Obtain your degree in six months
  • Oil falls below $100 a barrel
  • Party scenes with American idols
  • Retire a millionaire
  • Search for singing talents
  • Spielberg found dead in freak accident
  • Take a look only if you are worth it
  • The Mummy 3 movie bankrupt, release delayed


  • A-rod admits to previous secret gay fetish
  • Asian girls mass Org partying
  • Barack Obama has been exposed to lack patriotism and shows loss of support from the masses
  • Can you take on two hot girls
  • Check out your popularity polls among colleagues
  • Elton John’s new lover
  • European girls group Org scenes
  • FBI surveillance team reveals trade secrets
  • French hospital in the south of France has admitted Hollywood actress Angelina Jolie
  • Fully online Master's degrees available at accessible prices
  • Gays in U.S military
  • Gun ban threatens to destroy obama's campaign
  • J Lo secret marriage threatens to destroy current marriage
  • John McCain gathers support from lackeys in Iraq and Afghanistan towards his election campaign
  • Kobe Bryant traded to Toronto in latest blockbuster trade
  • Late and great Ledger in running for posthumous Oscar award
  • Lindsay lohan drugged out at own birthday party
  • Madonna split finalized, Guy Ritchie in tears
  • ndia vows to find the masterminds behind the suicide attack that have killed entire embassy staff in Afghanistan
  • Obama belittles McCain's ability to be a presidential candidate contender at his age
  • Obama openly supports abortion and gay rights in bid to win more support from the masses
  • Oprah Winfrey announces wedding plans
  • Paris Hilton in new naked pictures romp at 4th of july party
  • Places to go for secret rendezvous
  • Pregnant Angelina Jolie asked the media to leave her alone while she waits to give birth to twins
  • President Bush latest political guffaw
  • Rating of stolen car for 2007
  • Republican John McCain admits he has no ideas how to jump start the economy and that the Democrat's stimulus plan is the way to go
  • Senator McCain found unconscious in toilet
  • Start your own business and make more money
  • The sky is the limit for Christian Bale as he returns for a second attempt at taming Gotham City
  • This week top travel destination
  • Videos of your neighbors making things
  • Videos on sports celebs and their flings
  • Wesley Clark snubs McCain's service as forgettable in July 4 tribute to the nation
  • Your colleagues are earning more than you

Note, all of these sites may contain legitimate business on other pages, but these "r.html" pages have been placed on these domains by a hacker. We aren't saying these sites are guilty of anything other than having bad security.

There seem to be at least two "active" sets of templates (so, you would never see "Angelina Jolie" subjects with the "Kobe Bryant" body, because they are in different template sets, as an example.)
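The claim that there are two separate template sets can be checked from the data itself: if a subject and a body ever appear in the same message they belong to the same set, and chaining those links partitions the lines. The following is an added example of that check, not the blog's own tooling. Subjects and bodies are taken from the lists above, but which pairs co-occur is assumed for illustration, since the post does not show individual messages.

```python
from collections import defaultdict

# Constructed sample of (subject, body) pairs, as a spam data mine might record
# them. Which subject was seen with which body is an assumption for illustration.
OBSERVED_PAIRS = [
    ("Angelina Jolie suffers miscarriage", "Elton John's new lover"),
    ("McCain suffers heart attack", "Elton John's new lover"),
    ("McCain suffers heart attack", "Oprah Winfrey announces wedding plans"),
    ("Brad Pitt confesses to betrayal", "Oprah Winfrey announces wedding plans"),
    ("Federer crashes out", "Kobe Bryant traded to Toronto in latest blockbuster trade"),
    ("Apple files for bankruptcy", "Kobe Bryant traded to Toronto in latest blockbuster trade"),
    ("Apple files for bankruptcy", "Gays in U.S military"),
]


def infer_template_sets(pairs):
    """Partition subjects and bodies into template sets.

    Two lines are in the same set if they are linked by any chain of observed
    co-occurrences (union-find over a bipartite subject/body graph). Returns the
    sets as lists of ("subject", text) / ("body", text) nodes, largest first.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for subject, body in pairs:
        union(("subject", subject), ("body", body))

    groups = defaultdict(set)
    for node in list(parent):
        groups[find(node)].add(node)
    return sorted(groups.values(), key=len, reverse=True)


def same_template_set(sets, subject, body):
    """True if the subject and body could legitimately come from one template."""
    for s in sets:
        if ("subject", subject) in s:
            return ("body", body) in s
    return False


if __name__ == "__main__":
    sets = infer_template_sets(OBSERVED_PAIRS)
    print("template sets found:", len(sets))
    for i, s in enumerate(sets, 1):
        subjects = sorted(t for kind, t in s if kind == "subject")
        print("set %d: %d subjects, %d bodies" % (i, len(subjects), len(s) - len(subjects)))
```

Once the sets are known, a new message whose subject and body fall in different sets is either a third template or a mis-parse, which is exactly the kind of anomaly worth a second look.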

So, news readers, beware . . .

Thursday, July 03, 2008

Storm Worm Salutes Our Nation on the 4th!

I had just left for my holiday weekend when one of our UAB Computer & Information Sciences students called to let me know he thought he had a new Storm version on his hands.

He had received an email wishing him a happy Fourth of July, followed by an IP address, which he recognized as a traditional Storm-style email.

I ran a quick check in the UAB Spam Data Mine, and here is what we had so far (the oldest of these is around 90 minutes ago, so we'll have a fuller picture tomorrow I'm sure.)

Amazing firework 2008
America the Beautiful
American Independence Day
Bright and joyful Fourth of July
Celebrate Independence
Celebrating Fourth of July
Celebrating the Glory of our Nation
Celebrating the spirit of our Country
Celebrations have already begun
Fabulous Independence Day firework
God bless America
Happy Birthday, America!
Happy Independence Day
Happy Independence Day!!
Independence Day firework broke all records *
Spectacular fireworks show
Stars and Strips forever
The best of 4th of July Salute
Time for Fireworks
Wish your friends a happy Independence Day

Amazing Independence Day show
America the Beautiful
Celebrating the Glory of our Nation
God bless America
Sparkling Celebration of Independence Day
Stars and Strips forever
Super 4th!
The best firework you've ever seen

IP Addresses

The website, which seems to invite visitors to play a fireworks video, actually downloads the Storm malware in the form of an executable called "fireworks.exe".

Detection is fairly good already, with 16 of 28 AV engines detecting at VirusTotal.com, each using one of the various well-known names for Storm:

Sophos = "Troj/Dorf-BP"

AVG = I-Worm/Nuwar.U
McAfee = W32/Nuwar@MM
Microsoft = Backdoor:Win32/Nuwar.gen!D
NOD32v2 = Win32/Nuwar.DC

Symantec = Trojan.Peacomm.D

BitDefender = Trojan.Peed.JLV

VirusBuster = Trojan.Tibs.AMZ

AntiVir = WORM/Zhelatin.Gen
GData = Email-Worm.Win32.Zhelatin.add
Kaspersky = Email-Worm.Win32.Zhelatin.add
Webwasher = Worm.Zhelatin.Gen
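Twelve vendors, six different family names, one piece of malware. Here is an added example (not the blog's code, and not VirusTotal's) that folds vendor labels down to a family token and counts how many engines agree the sample is Storm. The alias set is exactly the one the post lists (Nuwar, Peacomm, Peed, Tibs, Zhelatin, Dorf); the prefix/suffix-stripping rule is a heuristic assumed here; the labels are the ones quoted above, embedded as constructed input.

```python
import re
from collections import Counter

# The vendor labels listed above for fireworks.exe, embedded here as input.
VT_LABELS = """
Sophos = Troj/Dorf-BP
AVG = I-Worm/Nuwar.U
McAfee = W32/Nuwar@MM
Microsoft = Backdoor:Win32/Nuwar.gen!D
NOD32v2 = Win32/Nuwar.DC
Symantec = Trojan.Peacomm.D
BitDefender = Trojan.Peed.JLV
VirusBuster = Trojan.Tibs.AMZ
AntiVir = WORM/Zhelatin.Gen
GData = Email-Worm.Win32.Zhelatin.add
Kaspersky = Email-Worm.Win32.Zhelatin.add
Webwasher = Worm.Zhelatin.Gen
"""

# Family names that, per the post, all refer to Storm.
STORM_ALIASES = {"nuwar", "peacomm", "peed", "tibs", "zhelatin", "dorf"}

# Type, platform and qualifier tokens that carry no family information.
# This list is an assumption; real-world normalizers keep a much longer one.
GENERIC_TOKENS = {"troj", "trojan", "worm", "email", "backdoor",
                  "win32", "w32", "gen", "generic", "mm"}


def family_token(label):
    """Pull the family name out of a vendor label.

    Splits on the separators vendors use (. / : @ ! -), drops type/platform
    prefixes and short variant suffixes, and returns the first token left.
    Heuristic: the first alphabetic token of 3+ letters that is not generic.
    """
    for tok in re.split(r"[./:@!\-\s]+", label):
        low = tok.lower()
        if len(low) >= 3 and low.isalpha() and low not in GENERIC_TOKENS:
            return low
    return None


def parse_vt_lines(text):
    """Parse 'Vendor = Label' lines into a {vendor: label} dict."""
    results = {}
    for line in text.strip().splitlines():
        vendor, _, label = line.partition("=")
        if vendor.strip():
            results[vendor.strip()] = label.strip().strip('"')
    return results


def storm_consensus(text, total_engines):
    """Summarize how many engines name the sample as a known Storm alias."""
    labels = parse_vt_lines(text)
    families = {vendor: family_token(label) for vendor, label in labels.items()}
    storm_vendors = sorted(v for v, f in families.items() if f in STORM_ALIASES)
    return {
        "listed": len(labels),
        "storm": len(storm_vendors),
        "storm_vendors": storm_vendors,
        "ratio": "%d/%d" % (len(storm_vendors), total_engines),
        "families": Counter(families.values()),
    }


if __name__ == "__main__":
    summary = storm_consensus(VT_LABELS, 28)
    print("Storm detections:", summary["ratio"])
    for fam, n in summary["families"].most_common():
        print("  %-9s %d" % (fam, n))
```

The family counts are the useful output: four engines say Nuwar, four say Zhelatin, and the rest are singletons, which is why a detection ratio alone tells you little about whether vendors agree on what a sample is.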

Because this is a holiday weekend, there may be quite a few people who don't get blocking in place right away.

Best of luck to you all, and to those who are fortunate enough to live in the United States of America, Happy Independence Day!

Wednesday, July 02, 2008

7-11 ATM Hackers (?) - More details

More details are now available about a trio of hackers who were indicted back in March on charges of stealing more than $5M from customers of ATMs. In a July 1st USA Today story few facts were revealed, but it was enough to spin the story back up in the media. I'm getting enough questions about it that I thought I would try to summarize what we know.

Kevin Poulsen had many details, including an affidavit by FBI cyber-crime agent Albert Murray and an affidavit by Ari Baranoff, a US Secret Service Electronic Crimes Task Force agent working in the Eastern District of New York, in his June 28th WIRED Blog.

Baranoff deposed Olena Rakushchynets, the wife of the primary suspect, Yuriy Rakushchynets, who was arrested February 28, 2008 in their Brooklyn residence.

The search warrant against their residence had revealed that Yuriy participated in several Internet carding forums, and had purchased information used to encode blank ATM cards, which he then used to withdraw cash from ATMs. In February 2008 alone, he withdrew approximately $750,000, and on September 30, 2007 and October 1, 2007, he took out $100,000 in that 48-hour period. They also found $800,000 in cash ($690,000 in bags in their bedroom closet), a $34,000 Mercedes, and, from the pocketbook of Olena, 51 $20 bills in sequential order. Olena also had $99,000 in three separate safe deposit boxes, and had made more than $50,000 in deposits to the Ukrainian National Federal Credit Union. (See WIRED's copy of the affidavit.)

Yuriy, elsewhere called "Ryabinin", a 32-year-old Ukrainian immigrant, Ivan Biltse, elsewhere called "Belyayev", 30, and Angelina Kitaeva, were all named in the indictment, which covered activities from October 2007 to March 4, 2008. They were charged with "Conspiracy to Commit Access Device Fraud", and that they

unlawfully, willfully, and knowingly, and with intent to defraud, in an offense affecting interstate commerce, did effect and attempt to effect transactions, with one and more access devices issued to another person and persons, to receive payment and other things of value during a one-year period the aggregate value of which is equal to or greater than $1,000.

The indictment states forfeiture claims on $2,000,000 in property, including the $800,000 seized from Yuriy on February 29, 2008 and an additional $800,000 seized from Ivan on March 4, 2008. (See WIRED's copy of the indictment.)

Ivan Biltse, of Bensonhurst, New York, was originally arraigned on March 6, 2008 after being picked up for stealing $9,624 in 12 withdrawals from a Washington Mutual Bank ATM in Bay Ridge back on October 1. According to the New York Daily News, Ivan and Yuriy (who lived in Kensington) were cousins. (See Two Brooklyn Men ripped off $5M from ATMs around globe.)

The case actually started much earlier than that, when back on October 3, 2007, according to the FBI affidavit, First Bank notified the St. Louis Secret Service office that four "iWire" Prepaid Card accounts had been compromised. On just the dates September 30 and October 1, 2007, these four accounts were used to attempt more than 9,000 withdrawals from ATMs around the world, resulting in a loss of approximately $5 Million.

First Bank provided a list of withdrawal attempts, and several hundred of them came from banks in Brooklyn, including the Washington Mutual location that we already mentioned. Transaction and surveillance video pulled from several ATMs and nearby cameras showed:

a Caucasian male making withdrawals at the times and ATM terminals indicated in the First Bank Withdrawal Information for the Compromised Accounts. In the ATM video, this male is wearing a dark blue or black baseball cap emblazoned with the words "Top Gun" and a star and wings symbol, as well as a tan-colored sweatshirt or jacket with a dark blue or black front panel and dark blue or black trim at the zipper and collar.

Separately, on February 1, 2008, Citibank informed the FBI that a Citibank server(*) that processes ATM withdrawals at 7-11 convenience stores had been breached. A fraud alert system was established to flag all uses of these accounts, and the Citibank Withdrawal Information was used in a similar method. Surveillance video was pulled for many of these transactions, and some of them, including some on February 20, 2008 at the Citibank branch at 502 86th Street in Brooklyn, were made by the same individual, wearing the same "Top Gun" hat and sweatshirt as in the October withdrawals.

(Poulsen mentions that Citibank denies a breach. The USA Today article points out that the ATMs in question were not operated by Citibank, but by two other companies, Houston-based Cardtronics, and Brookfield, Wisconsin-based Fiserv. At this point, I don't think anyone has revealed what server was actually breached.)

This individual was quickly identified as Yuriy Ryabinin / Rakushchynets, and was found to have made $750,000 in fraudulent ATM withdrawals just in the month of February. How? Investigators searched Carding forums for individuals who were trading in First Bank or Citibank ATM information. One of these individuals was listing an ICQ number for contact. The ICQ had been registered earlier by "Yuri" a "29 years old male from brooklyn, USA".

A search for the same ICQ number showed that it belonged to a ham radio operator who signed his posts in Ham Radio websites with the same ICQ number. Some of those posts included photographs of Yuri in Dayton at a convention, wearing the same sweatshirt as the individual in the Washington Mutual and Citibank ATM surveillance videos.

A further search on the Ham Radio call sign that he used in these forums found that the FCC had sent him a letter, mentioning his call sign, regarding some minor administrative violations. The letter was addressed to "Mr. Yuriy Ryabinin, 679 Coney Island Avenue 2, Brooklyn, NY 11218".

A public records search found a Florida driver's license in that name, with a matching photograph. Ryabinin also had a Michigan driver's license under the name "Yuriy Rakushchynets".

Very Nice Work, Special Agent Albert Murray.

It will be interesting to see how much of the rest of the initial $5M in First Bank transactions can be identified.

You know I had to Google around a bit and find his call sign, right?

Yuriy Rakushchynets also had a hotmail account -- n2tta@hotmail.com, which he used to post a query looking for a job "within 2 hours drive of Brooklyn, NY". I have no idea what a "CQ-Contest" is, but Yuri was very active in them apparently, listed as a "fulltime operator" for events like the "CQWW SSB Soapbox", and other places giving his name and his call sign in things like:

Yuri, N2TTA, will be active as NP2/N2TTA between February 12-19th. His activity will include the ARRL DX CW Contest (February 16-17th) as NP2S and as a Single-Op/All-Band entry. Yuri informs OPDX that he will be active on CW and SSB on all bands including 30/17/12 meters.

Yeah, I guess with a couple mill of other people's money, you can buy some nice radios, eh, Yuri?

Tuesday, July 01, 2008

July Storm Worm gives us some Love

The authors of the Storm Worm must have had some good success with their "love theme" for last month's Storm Propagation Spam, because they have decided to repeat the theme today.

Right about midnight the UAB Spam Data Mine began to receive spam messages for the new Storm Worm.

After being directed to a website that looks like this:

we followed the links on the site to receive some fresh malware. How fresh was it? The executables, which were named "winner.exe" and "mylove.exe" depending on whether you follow the banner ad or the text link, were uploaded to VirusTotal where we found these results:

At our initial scan, of 33 different AV engines, only FOUR of them knew this was a virus, and only two could label it correctly. (Currently we are up to EIGHT AV products properly identifying this as storm. My university machine, which runs McAfee Anti-Virus, does not detect it with a fresh signature update.)

We have seen a wide variety of subject lines in the spam so far . . .

All I need is You
Always on my mind
Can't forget You
Can't stay away from you
Crazy in love
Crazy in love with you
Deep in my heart
Deeply in love with you
Fallen for you
For you...Sweetheart!
Hate that I love you
Here in my heart
Hold you close
I give my heart to you
I knew I Loved You
I'll never stope loving you
I'll Never Find Someone Like You
I'll Still Love You More
I Love Being In Love With You
I love you so much!
In your arms
Just you and me
Lost In Love
Lost In Your Eyes
Love me tender, love me true
Lovin' You
Lucky to have you
Madly in love
Miss you with all my heart
Missing you
My heart belongs to you
My heart to yours
My heart was stolen
Not the same without you
Only Wanna Be With You
Somebody loves you
Stand by my side
Together forever
We belong together
With all my love
With you by mi side
You are always on my mind
You are in my heart
You are my world
You are the ONE
You feel up my senses
You have touched my heart
You make my world beautiful
You make my world special

The domain names which have been used so far are:


(Yes, we actually have spam samples for every one of these domains. For most we have MANY samples. That's what the Spam Data Mine does!)

All of these domains seem to be registered with Chinese Registrar "www.bizcn.com".

They use the following nameservers (each carrying an ns# prefix, i.e. ns, ns1, ns2, etc.):


and their own domain (ns1.wholoveguide.com, etc.)

The latter nameserver, verynicebank.com, was also used during the Beijing Earthquake version of the Storm worm, described by F-Secure. It served as the nameserver for "grupogaleria.cn", which was used in the attack described by F-Secure in their blog on June 19th. It also served as the nameserver for "nationwide2u.cn", although we are not yet sure of the purpose of that domain name.
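The pivot made here (one nameserver operator shared between this campaign and the earthquake campaign) is mechanical enough to script. This is an added example, not the blog's code: it collapses ns, ns1, ns2 ... hostnames to the domain that operates them, inverts domain-to-nameserver records, and lists which other domains hang off the same operator. The record set is constructed for illustration from the domains the post names plus an unrelated placeholder; the post's actual nameserver lists are not reproduced.

```python
import re
from collections import defaultdict

# Constructed domain -> nameserver records. The four campaign names come from
# the post; which nameservers each one actually carried is an assumption, and
# unrelated-shop.example is a placeholder to show a non-match.
NS_RECORDS = {
    "wholoveguide.com": ["ns1.wholoveguide.com", "ns2.wholoveguide.com", "ns1.verynicebank.com"],
    "grupogaleria.cn": ["ns1.verynicebank.com", "ns2.verynicebank.com"],
    "nationwide2u.cn": ["ns.verynicebank.com"],
    "unrelated-shop.example": ["ns1.hosting-provider.example", "ns2.hosting-provider.example"],
}


def ns_parent(nameserver):
    """Collapse ns, ns1, ns2 ... hostnames to the domain operating them.

    Only a leading 'ns' label with an optional number is stripped, so a
    nameserver like dns.example.net is left alone.
    """
    return re.sub(r"^ns\d*\.", "", nameserver.lower().rstrip("."))


def nameserver_index(records):
    """Invert the records: nameserver operator -> set of domains using it."""
    index = defaultdict(set)
    for domain, servers in records.items():
        for ns in servers:
            index[ns_parent(ns)].add(domain)
    return index


def shared_infrastructure(records, min_domains=2):
    """Nameserver operators used by at least min_domains distinct domains."""
    index = nameserver_index(records)
    return {ns: sorted(doms) for ns, doms in index.items() if len(doms) >= min_domains}


def pivot(records, known_bad):
    """Domains that share a nameserver operator with any known-bad domain.

    A domain that serves as its own nameserver (ns1.wholoveguide.com for
    wholoveguide.com) is not a link to anyone else, so it is skipped.
    """
    index = nameserver_index(records)
    linked = set()
    for domain in known_bad:
        for ns in records.get(domain, []):
            parent = ns_parent(ns)
            if parent != domain:
                linked |= index[parent]
    return sorted(linked - set(known_bad))


if __name__ == "__main__":
    for operator, domains in shared_infrastructure(NS_RECORDS).items():
        print("%s serves: %s" % (operator, ", ".join(domains)))
    print("pivot from grupogaleria.cn:", pivot(NS_RECORDS, ["grupogaleria.cn"]))
```

Shared nameservers are a lead, not proof: a big hosting provider's ns1/ns2 will show up under thousands of innocent domains, so in practice you would first drop operators above some domain count before reading the output as a campaign link.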

We are actively seeking termination of the last few domains now (most are already down).