Thursday, September 30, 2010

New York FBI: 17 Wanted Zeus Criminals

The New York FBI needs your help. Today they announced indictments against thirty-seven cybercriminals involved with Zeus. Ten of these were arrested earlier; ten more were arrested today. The other seventeen are "At Large".

I'll let you read for yourself the charges against the many criminals by visiting the FBI's New York Field Office announcement:

FBI New York Press Release

A wanted poster showing the seventeen "At Large" criminals is available here:

Seventeen Zeus Criminals Wanted by FBI

If you find clues about any of these people make sure to get them to your local FBI office! (Send us a copy too! gar at cis dot uab dot edu)

Wanted: Ilya Karasev

Known aliases: Goran Dobric, Alexis Herris, Fransoise Lewenstadd, Fortune Binot, Diman Karasev

Status: J-1 Visa issued May 2008. Converted to F-1 Visa in December 2008. Terminated January 11, 2010


April 13, 2010 - presented a Belgian passport in the name of Fransoise Lewenstadd to a TD Bank branch to open an account.

April 19, 2010 - presented a Greek passport in the name of "Alexis Herris" to open a TD Bank account.

June 2, 2010 - received $4,200 in stolen funds into the TD Bank Herris account. Withdrew $4,000 from a TD Bank branch in Ocean Township, NJ.

July 1, 2010 - presented a foreign passport in the name "Fortune Binot" to open a TD Bank account in Brooklyn, New York

May 3, 2010 - "Herris" opened a Bank of America account. Received $12,300 in unauthorized wire transfer to that account.

May 20, 2010 - "Herris" withdrew $9,000 from the Neptune, NJ branch. Made two debit card purchases totaling $3,581.40 at a convenience store in Jersey City, NJ. (That's a lot of Doritos!!!)

Several more BOA withdrawals are known from a Bank of America "Fortune Binot" account, made in Little Silver, Little Eatontown, and Red Bank, New Jersey.

There was also JP Morgan Chase activity.

Open Source Intelligence:

Facebook Profile

An Ilya Karasev, with many friends in New Jersey, has a Facebook account. In this picture from the account, he looks to be the same person as pictured above.

Other photos on his site include Ilya riding a bus and standing in front of the Applebee's in Times Square in New York. Ilya attended Volgograd State Technical University, class of 2005, where he majored in "Motor Transport."

Wanted: Dmitry Saprunov

Known Aliases: Lean Marc Garrot, Bazil Kozloff, Milorad Petrovic

Status: Entered the United States on May 19, 2009 on a visa.

A cooperating subject says that Saprunov lives as roommates with fellow co-conspirator Nikolai "Robert" Garifulin in an apartment in Brooklyn, New York. The subject says they recently accessed a safety deposit box, probably at Wachovia Bank. Garifulin recently traveled to Russia to "pay the hackers", carrying $150,000 in cash concealed in his luggage.


June 4, 2010 - Saprunov opens a TD Bank account in Manhattan using a foreign passport in the name of "Bazil Kozloff".

June 7, 2010 - Saprunov uses the Kozloff identity to open a Bank of America account in Bronx, New York.

June 11, 2010 - Saprunov opens a TD Bank account in Brooklyn using a passport from Belgium in the name of "Lean Marc Garrot".

June 12, 2010 - Saprunov opens a BOA account in Long Island, New York using the Garrot identity.

June 29, 2010 - $14,000 is wired to the Kozloff BOA account.

July 6, 2010 - just under $14,000 is wired to the Garrot BOA account.

July 6, 2010 - "Garrot" withdraws $13,9450 in four transactions, one from a teller and three from ATMs, in Bradley Beach, New Jersey.

Open Source Intelligence:

Facebook Profile:

(From the Facebook album "AVE" (possibly the Avenue New York club?) by Sergey Palychev. Also pictured: Alejandro Martinez, Elizaveta Osadchikh, Anastasia Yudintseva, Natalya Vassilyeva.)

(Interesting note: Ildar Mukhamedov is a friend of both Saprunov and Karasev on Facebook, and they are friends of each other.)

Watcha Got?

More will be added as time allows. If you have something you'd like to share, send it in!

Go Go, Maltego!!

Wanted: Lilian Adam

Known Aliases:

Wanted: Marina Oprea

Known Aliases:

Wanted: Kristina Izvekova

Known Aliases:

Wanted: Sofya Dikova

Known Aliases:

Wanted: Artem Tsygankov

Known Aliases:

Wanted: Catalina Cortac

Known Aliases:

Wanted: Ion Volosciuc

Known Aliases:

Testimony from State Department DSS Agent

Wanted: Artem Semenov

Known Aliases: Valentin Kulakov, Alexey Michinnik, Arvind Shah, Fred Teschemacher, Tokin Waaran, David Warren

Entered the country June 1, 2009 on a J1 Visa, stating that he was a full-time student at Kazan State University of Technology.

Arrested December 17, 2009 by NYPD at a Manhattan branch of Bank of America, trying to open an account in the name of Nicholas Congleton. Arraigned on December 18th. Failed to appear in court on February 22, 2010.

On January 15, 2010, Customs agents intercepted a package from the Republic of Moldova, destined for Artem, that contained new passports for him. The passports were from the Federal Republic of Yugoslavia and were issued in the names of Petar Stojanovic and Victor Rajkov.

A cooperating witness testified that Artem recruited Almira and Julia (below) to work for him. The CW says that the two were provided with tickets to fly from New York City to Las Vegas on August 25, 2010.

Wanted: Almira Rakhmatulina

Known Aliases: Natalia Davidova, Irina Sergeeva

On June 6, 2010 Almira entered the country traveling on a J1 Student Visa stating that she was a full-time student at Omsk State University.

On July 16, 2010, Almira opened a TD Bank account in the name of Natalia Davidova using a Greek passport in that name. On July 17th, the same passport was used to open a Wachovia Bank account in New York City.

On July 20, 2010, Almira opened a TD Bank account in the name of Irina Sergeeva, using the same Brooklyn street address that she used with the Natalia Davidova account. A Greek passport for the Sergeeva alias was used as proof of identity.

A balance check of that account was made using an ATM in Las Vegas, Nevada on September 17, 2010.

Wanted: Julia Shpirko

Known Aliases: Ekaterina Kaloeva, Ekaterina Smirnova

On June 6, 2010, Shpirko entered the country traveling on a J1 Student Visa stating that she was a full-time student at Omsk State University.

On or about July 20, 2010, Shpirko opened a TD Bank account in Manhattan in the name of Ekaterina Smirnova.

Wanted: Yulia Klepikova

Known Aliases:

Wanted: Maxim Panferov

Known Aliases:

Wanted: Nikolai Garafulin

Known Aliases:

Wanted: Dorin Codreanu

Known Aliases: Savvas Paian

On April 21, 2010, Dorin opened a Chase account using a Greek passport in the name Savvas Paian.

On May 11, 2010, the Chase-Paian account received $10,246 from a victim in Illinois.

On May 18, 2010, Dorin opened a TD Bank account using the same identity, but making it a business account in the name "Savvas Import Group LLC".

Open Source Intelligence:

Savvas Import Group, LLC is a "fruit and vegetable" importer using the address "1612 Kings Highway Apartment 48, Brooklyn, NY 11229-1210", according to Manta, which lists their phone number as 347.530.9785.

That phone number also belongs to "Brooklyn Fruit Vegetable Growers Shippers" and "Neptune Fruit Vegetable Growers Shippers" which both have the same street address as well.

On June 3, 2010, the

Wanted: Stanislav Rastorguev

Known Aliases:

Wednesday, September 29, 2010

MiniPost: UK Zeus Criminals Identified

Eleven of those arrested for committing financial cybercrimes using Zeus malware in the UK have now been formally charged and named, according to a story in this morning's Guardian from which I quote:

Eight people have been charged with conspiracy to defraud and money laundering. They are Ukrainian Yuriy Korovalenko, 28, from Chingford, Essex; Ukrainian Yevhen Kulibaba, 32, from Chingford; Latvian Karina Kostromina, 33, from Chingford; Estonian Aleksander Kusner, 27, from Romford, Essex; Ukrainian Roman Zenyk, 29, of Romford; Belorussian Eduard Babaryka, 26, from Romford; Latvian Ivars Poikans, 29, from Harlow, Essex; and Latvian Kaspars Cliematnieks, 24, from Harlow.

Two have been charged with conspiracy to defraud: Ukrainians Milka Valerij, 29, and Iryna Prakochyk, 23, from Chingford.

Georgian Zurab Revazishvili, 34, from Romford, is charged with offences under the Identity Cards Act 2005.

Major Zeus Bust in the UK: Nineteen Zbot Thieves Arrested

The Metropolitan Police are to be congratulated this morning on the largest Zeus arrest to date. News broke on September 28th that the Met's PCeU (Police Central e-crime Unit) had arrested nineteen criminals in relation to a large Zeus or Zbot trojan network.

The Daily Mail has a set of great pictures of the criminals being taken into custody from their homes in their story, Hi-tech crime police quiz 19 people over internet bank scam that netted hackers up to £20m from British accounts. Police raided the homes simultaneously in the pre-dawn hours on Tuesday. These two pictures are part of five you can find there:

In case you don't travel much, £20 million is a lot of money. That's roughly $31 million USD. The criminals were stealing "about two million pounds per month". For comparison, the FBI released second quarter bank theft numbers last week. From April 1 to June 31 there were 1,135 bank robberies and eleven bank burglaries in the United States, which earned criminals only $8 million USD, or £5 million.

In other words, this one Zeus gang stole more money in three months than ALL TRADITIONAL BANK ROBBERIES in the United States during the same length of time.

Although many folks haven't heard of the PCeU, their Mission Statement is:

To improve the police response to victims of e-crime by developing the capability of the Police Service across England, Wales and Northern Ireland, co-ordinating the law enforcement approach to all types of e-crime, and by providing a national investigative capability for the most serious e-crime incidents.

15 men and 4 women were arrested, ranging in age from 23 to 47 years old. Detective Chief Inspector Terry Wilson of the Metropolitan Police credits the arrests to a Virtual Task Force composed of law enforcement, computer experts, and bank security personnel who worked together to track the movements of the criminals. Sounds a lot like the InfraGard model to me -- a public-private partnership anchored on the FBI where computer security experts and personnel working in Critical Infrastructures, such as the Financial Industry, share information to stop criminals and terrorists.

Despite their financial success, the Daily Mail reports that the ringleader, "in his 20s, and his wife, an accomplice in the scam, were arrested in an unremarkable third-floor flat in Chingford, Essex."

Despite this raid, there are still at least 162 "online" Zeus servers that continue to gather stolen credentials from compromised computers, according to the invaluable ZeusTracker service.

We've documented dozens of stories in this blog about Zeus over the past year, and are excited to see this most significant law enforcement action to date.

The clock is ticking . . . who is going to have the best arrest before we all meet up in three weeks?

Thursday, September 23, 2010

eBay Spear Phisher Liviu Mihail Concioiu Arrested in Romania


Readers of my blog will know that I have several contacts that I discuss things with in Romania. I have had further conversations with sources closely placed to this investigation that tell me the Romanian DIICOT Press Release has one rather glaring error. Press Releases are written by a media relations person, not technical people. The best explanation I can see is that a technical person explains to the media person "the criminal did a phishing attack against 1784 people and then 1521 people and he used that data to break into eBay's computers." The media person interpreted this as "stole the userids and password from 3300 people" when in reality the technical person meant "sent a phishing email to 3300 people, and got some of their passwords."

How many is some? We now believe it is SIX. Of the 3300 people sent a phishing email that imitated a VPN system used by eBay employees, we don't know how many gave up their passwords, but the criminal only tried to use six of them. The VPN site he was imitating was protected with a two-factor authentication solution, so any passwords gathered had to be used immediately, due to the rotating "SecurID"-style token.

I apologize for spreading false information, but the source, the Romanian DIICOT website, seemed credible to me. It was not.

Word for word, the Romanian press release reads: "CONCIOIU LIVIU MIHAIL a lansat două atacuri tip phishing asupra unui număr de 1784 de angajaţi şi respectiv 1521 de angajaţi ai companiei eBay.Inc., cărora le-a sustras ID-ul şi parola." which I believe I correctly translated.

The other error in the press release is that Concioiu is being charged with stealing $3 Million, which includes many assorted phishing and cybercrime schemes, only a portion of which was from eBay customers.

Corrected story follows

Prosecutors in the Romanian DIICOT (Direcţiei de Investigare a Infracţiunilor de Criminalitate Organizată şi Terorism or Directorate of Investigations of Organized Crime and Terrorism) announced the arrest of Liviu Mihail Concioiu a cyber criminal who stole more than $3 million USD from eBay account holders, customers of Italian banks, and unknown others.

I wanted to use that example today to illustrate a point that I raised in my presentation earlier this week as a guest of the Maryland InfraGard chapter. My presentation, called "Cybercrime: Money, Espionage or Both?" was targeted to an audience of approximately 125 composed primarily of Defense Contractors, Law Enforcement, Critical Infrastructure security personnel and other government employees and suppliers. As an InfraGard member myself, in the Birmingham InfraGard chapter it was great to spend time with one of the nation's top InfraGard coordinators, FBI Special Agent Lauren Schuler, and the outstanding leadership of their chapter including Paul Joyal, Allan Berg, and the energetic M L Kingsley who had coordinated the event.

In my presentation, I stressed two primary points. The first is that EVERY malware attack has to be fully investigated. If you don't know the origin, purpose, and targeting of a malware attack, you have no way of understanding the full impact of the malware on your organization. The second point was that it is critical that your organization has policies that help you understand when your employees have been victims of identity theft or password- or document-stealing malware -- even if it happened at home on their home computers!

The case of Liviu Concioiu drives these points home.

In 2009, Concioiu launched two phishing attacks which were only sent to eBay employees. In the first round, he sent a phishing email to 1,784 employees and in the second round, he tried again, sending an email to 1,521 more employees.

Let's stop there for a moment.

Do you recall the "Here You Have" malware last week? In my blog post about that event (Here You Have Spam Spreads Email Worm) I stressed that it was clear that the malware had been targeted against certain organizations. Did you have an outbreak in your company? Are you aware that one of the actions of the malware was to plant a very low detection version of the BiFrost "Remote Administration Trojan" on the infected computers? If the only action your organization took was to remove the "Here You Have" malware, they aren't finished yet. It's important to understand whether you were a target or collateral damage for the attacker, and of course it's important to understand during what infection window the BiFrost trojan was also being installed.

OK, now back to Liviu Mihail Concioiu.

After collecting some eBay credentials, Concioiu realized he was defeated by the two factor authentication and came back on June 8, 2009 and attempted to phish 417 different employee identities, to explore the eBay internal network and see what useful information he could find. This time he was prepared to immediately use the credentials he harvested, and tried at least six different accounts before finding some success. His biggest find was a tool that eBay employees use to query their internal databases and look up information about eBay clients and the transactions they perform.

By reviewing the details of eBay customer accounts, Concioiu was now able to begin his SECOND TARGETED ATTACK. One of the problems with phishing campaigns is that when criminals broadly spread spam messages advertising their fake login pages, the anti-spam services and ISPs observe these spam messages and place the advertised pages on blacklists. Concioiu was able to avoid this typical phishing trap by selectively targeting his phishing emails at high value eBay customers whose email addresses he had confirmed by harvesting them from eBay's internal systems!

The result was that 1,183 eBay users were victimized!

In addition to the eBay charges, Concioiu is also charged with creating fake ATM cards for Italian banks and withdrawing more than 300,000 Euros from these accounts, and other crimes which created a total loss of $3 Million USD.

Concioiu was one of three cyber criminals arrested today by DIICOT. The case was investigated with the cooperation of the US Secret Service agents in the US Embassy in Bucharest and Italian judicial authorities.

Hopefully this example will help push home the lessons I was trying to demonstrate in Maryland this week. I have to mention one other thing about the Maryland trip. Last year I had read an autobiography of General Oleg Kalugin, the top counter-intelligence officer of the KGB. He was the first presenter at the Maryland event, and I got to have dinner with General Kalugin the evening before. He spoke about his experiences recruiting Americans, and then in my follow-up presentation I attempted to show how cyber tools make those efforts even easier today.

General Kalugin was kind enough to autograph one of his new books, Spymaster: My Thirty-two Years in Intelligence and Espionage Against the West, which is now one of my prized possessions! Kalugin was at one point Vladimir Putin's boss in the KGB, but later became one of the most outspoken critics of the Soviet system and especially the KGB.

Kalugin read a part from a poem about "the new Russia" as his closing statement:

There are no departments in Russia, there are friends. There are no laws, there are personal relationships. Moreover, there is no KGB. … KGB was an organization. There are no organizations in Russia now. There are principalities and feudal lands handed out in exchange for loyal service and profitability. It was not Putin who set up the system, but he did nothing to change it. He is just handing out feudal lands to his friends in order to be able to control other feudal principalities.


(I'm not sure of the origin, but I found the quote online here: )

Wednesday, September 22, 2010

NPR CyberWar Part One: I Beg to Differ

This morning on National Public Radio, we heard a story about "CyberWar" and some of the problems that the growing reality of CyberWar is going to present.

I'll have to review the transcript more carefully, but from the first pass listen as I drove to work this morning, I believe I disagreed with every single point in the entire story. I'll try to break that down a bit here, using the story from the NPR website, Extending the Law of War to Cyberspace as my guide.

(All of the "Declarations" that I am responding to are quoted from that guiding article.)

Most Important Development in Decades?

Declaration: "The emergence of electronic and cyberwar-fighting capabilities is the most important military development in decades"

Response: Actually, if we're counting "decades", my top nominations would be the Unmanned Aerial Vehicle and the GPS-guided munitions such as the JDAM: Joint Direct Attack Munition.

CNN's headline last year, How robot drones revolutionized the face of warfare, was one I agree with, as was more fully explained in P.W. Singer's Wired for War: The Robotics Revolution and Conflict in the 21st Century.

The biggest benefit of the UAVs is of course that they protect our soldiers from harm, while allowing missions that would never have been completed before, or that could only have been completed with extreme risk to life and limb.

Likewise, Strategy Page's article How Precision Weapons Revolutionized Warfare gives a good outline on the revolution of extremely precise weapons, packed with the right size explosive to blow up exactly what you are shooting at.

When is CyberWar Equal to Armed Attack?

Declaration: "If nations don't know what the rules are, all sorts of accidental problems might arise," says Harvard law professor Jack Goldsmith. "One nation might do something that another nation takes to be an act of war, even when the first nation did not intend it to be an act of war."

Response: There is no agreed-upon definition of "Use of Force" between nations even for non-cyber incidents. This came out in the answer to a question that was put to General Keith Alexander, who now commands US Cyber Command from his NSA post at Fort Meade, Maryland, during his confirmation hearings. The question he was asked was:

Does DOD have a definition for what constitutes use of force in cyberspace, and will that definition be the same for U.S. activities in cyberspace and those of other nations?

His answer:

Article 2(4) of the UN Charter provides that states shall refrain from the threat or use of force against the territorial integrity or political independence of any state. DOD operations are conducted consistent with international law principles in regard to what is a threat or use of force in terms of hostile intent and hostile act, as reflected in the Standing Rules of Engagement/Standing Rules for the Use of Force (SROE/SRUF).

There is no international consensus on a precise definition of a use of force, in or out of cyberspace. Consequently, individual nations may assert different definitions, and may apply different thresholds for what constitutes a use of force. Thus, whether in the cyber or any other domain, there is always a potential disagreement among nations considering what may amount to a threat or use of force.

My point is not so much to disagree with the NPR statement here as to point out that it is EXACTLY the same problem we have in every other kind of warfare. Cyber isn't special in this regard. Was the downing of a Chinese plane in a collision with a US spy plane an act of war in 2001? Was the North Korean torpedo attack back in May an act of war? Was the Israeli bombing of buildings in Gaza an act of war? It has always been true that each attacked country gets to decide.

More answers along this line of reasoning from General Alexander are available in his published Q&A available from Washington Post.

Rogue Actions vs. State-Sponsored

Declaration: "One important consideration is whether the attack is the work of a lone hacker, a criminal group or a government. The law of war applies primarily to conflict between states, so truly rogue actions would not normally be covered."

Response: What defines "state" action? There have been Congressional hearings on this very subject, as I discussed in my July 2010 blog post, The Future of Cyber Attack Attribution. There have also already been multiple occasions where the victim accused a state of attacking and the state denied the accusation. In the case of Russian cyber-attacks against Georgia prior to the August 2008 invasion of South Ossetia, it was clear that there were some populist activities, as I wrote in the article Evidence that Georgia DDOS Attacks Are Populist in Nature, but the coupling of the Russian tanks driving through town would seem to support the theory that at least some of the cyber attacks were designed to take out C2 ability and especially the ability of the state to communicate with the governed. In the Estonian DDOS (pdf) of May 2007, it was clear that the attack was not "by" the government, but rather by the Russian "Nashi" youth movement, possibly incited to action by the government, and possibly even using some government computers as part of the attacking DDOS.

The concept that individuals could wage cyberwar was nicely stated in the January 1999 report by mi2g: "Cyber Warfare: The Threat to Government, Business, and Financial Markets"

Historically war has been classified as physical attacks with bombs & bullets between nation states. It was beyond the means of an individual to wage war.

Today, in the Information Age, the launch pad for war is no longer a runway but a computer. The attacker is no longer a pilot or soldier but a civilian Hacker. An individual with relatively simple computer capability can do things via the internet that can impact economic infrastructures, social utilities and national security. This is the problem we face in moving from the industrial world to the Information Age, which is the essence of Cyber War.

I suppose I mostly agree with this point, except to say that there are many ways, such as the Estonia example, where a country may be so clearly involved in inciting their citizenry to "cyber attack" that a nation-level response may be warranted.

Civilian Infrastructure Attacks

Declaration: "A direct attack on a civilian infrastructure that caused damage, even loss of life of civilians, would, I think, be a war crime." - Professor Daniel Ryan, National Defense University

Response: Didn't the United States blow up electrical plants, television and radio stations, bridges, roads, runways, and water treatment plants during the two Iraq Wars? Were those war crimes, too? Professor Ryan? We have to use a consistent definition. If it's not a war crime to attack civilian infrastructure kinetically, why is it a war crime to do so electronically?

Electrical Grid Targeting?

Declaration: "Former CIA Director Hayden, a retired Air Force general, suggests using common sense. One example of an attack that should be illegal, he says, would be the insertion of damaging software into an electrical grid."

Response: Why would it be illegal to damage the electrical grid with software, when elsewhere THIS YEAR General Hayden said that the electrical grid was a fair target? Hayden talked about hacking power grids at Black Hat back in July. CNET's coverage of that talk "U.S. military cyberwar: What's off-limits?" includes this thinking:

Power grids are another example of where traditional military doctrine may need to shift, Hayden said. "A power grid is, according to traditional military thought, a legitimate target under some circumstances," he said. "Mark 82s are kind of definitive and it's a one-way switch--that thing's kind of gone." (An MK-82 is a general-purpose, 500-pound unguided bomb used by the U.S. military since the 1950s.)

But destroying, or at least thoroughly disabling, a power grid through an offensive cyberattack means penetrating it well in advance. And if there are dozens of different nations stealthily invading a grid's computers and controllers all the time, it's probably not going to be stable. "There are some networks that are so sensitive that maybe we should just hold hands and hum "Kumbaya" and agree they're off limits," he said. "One is power grids...You can't just have 23 different intelligence services hacking their way through the electrical grid."

So, it's OK to use an MK-82 to blow up power plants, but it should be illegal to insert software into them because that might damage them. What kind of messed up logic is that?

Hostile Intent

Declaration: The purpose of the activity is also relevant. Michael Hayden, having directed both the National Security Agency and the CIA, would not include an effort by one country to break into another country's computer system to steal information or plans. "We don't call that an attack," Hayden said at a recent conference on hacking. "We don't call that cyberwar. That's exploitation. That's espionage. States do that all the time."

Response: Hayden's definition would, I suppose, be consistent with Richard Clarke's definition in his new book CyberWar: The Next Threat to National Security and What to Do About It. He says CyberWar is "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption."

Several organizations have attempted to define "CyberWar" and the definition continues to evolve. "CyberWar" was probably first used by Eric Arnett in his paper "Welcome to Hyperwar" in the Bulletin of the Atomic Scientists, where it referred to war by robotic soldiers. The terms "NetWar" and "CyberWar" were both defined by RAND in their report CyberWar is Coming! part of the larger nineteen chapter monograph, "In Athena's Camp: Preparing for Conflict in the Information Age", published in 1992, where the term "NetWar" was used to describe PsyOps via the Internet, while "CyberWar" was closer to its current definition.

But should CyberWar NOT include Espionage?

Much more recently, David Wilson's excellent article for ISSA Journal in June 2010, When Does Electronic Espionage or a Cyber Attack become an "Act of War?" lays out an excellent set of definitions and conditions. In his article he quotes FBI Deputy Assistant Director for Cyber, Steve Chabinsky as telling the FOSE government IT Trade Show in March that:

A top FBI official warned today that many cyber-adversaries of the U.S. have the ability to access virtually any computer system, posing a risk that's so great it could "challenge our country's very existence."

Wilson's argument, supported by Chabinsky's quote, is that "electronic espionage" can be far more pervasive than traditional espionage, and that "a nation will have to decide how much pain it is willing to endure, and where it believes the international community's tolerance lies, assuming they care, before retaliating against electronic attacks or invasions to its networks."

I totally agree with Mr. Wilson. The placement of the line in the sand may be somewhat arbitrary, but it's quite possible for cyber espionage to become so pervasive as to pose a risk to national security worthy of an armed response.

Ninety-Five Percent?

Declaration: "Computers don't always have signs over them that say, 'I'm a military target' [or] 'I'm a civilian target,' " says Harvard's Goldsmith. "Also, the two things are intermixed. Ninety to 95 percent of U.S. military and intelligence communications travel over private networks."

Response: The Department of Defense has more than 7 million computers. I don't know how the Army works, but I know the Navy Marine Corps Intranet was at one time the largest private intranet on the entire planet. The US Army has maintained a stand-alone intranet since at least 2001, and has repeatedly had headlines about it being the largest stand-alone network in the world. Soldiers don't call down an airstrike and then update their Facebook pages and do a little online banking, as the statement seems to imply.

No One is Going to Get Caught

Declaration: If anything, it would be harder to enforce the law of war in the cyberworld than in other domains of warfighting. The amount of anonymity in cyberspace means that a devastating attack might leave no "signature" or trace of its origin.

"Since we know that that's going to happen all the time," Baker says, "and no one is going to get caught, to say that [a cyberattack] is a violation of the law of war, is simply to make the law of war irrelevant."

Response: The "untraceable" network attack, despite the movie by EJ Hilbert and friends, is a myth that we are working hard to dispel at the UAB Computer Forensics Research Laboratory. What we call "untraceable" today usually means "too much work for too little reward, so nobody bothers to trace it." I think many of my colleagues in security research would love to take on the challenge of some of these "untraceable" events. Let's buy one fewer B2 Bomber this year and put that extra $2.2 Billion towards making a concerted effort to prove this one wrong. Shoot. I'll do it for half that!

For more interesting reading on CyberWar, I strongly recommend:

Congressional Research Service Report: Information Operations and Cyberwar: Capabilities and Related Policy Issues

Twitter Hack: From "Harmless" Exploration to Criminal Action

If you blinked you missed it. I blinked yesterday. I was playing Planes Trains and Automobiles in Maryland and only heard about "the Twitter Worm" when the media contacted me for my comment late in the day. It made some fascinating reading this morning, and should be an important reminder about the dangers of cross-site scripting, or XSS.

Cross Site Scripting has been a known technique since at least 1999, when Georgi Guninski and David Ross warned Microsoft about the technique, leading to the January 25, 2000 meeting with CERT described in the Syngress book XSS Attacks: Cross Site Scripting Exploits and Defense. If you really want to understand Cross Site Scripting, in addition to that book you'll want to keep tabs on the XSS Cheat Sheet maintained by Robert Hansen (@RSnake), who, along with Jeremiah Grossman (@JeremiahG), is one of the leading experts in this space.

The underlying discovery behind all of the Twitter mischief yesterday was that when a URL was followed by an "@" sign, whatever followed the @ sign would also be interpreted as part of the URL. The primary use of this yesterday was to show that a URL, even a short and unresolvable URL such as "", could be followed with an "onmouseover=" attribute, which would execute whatever JavaScript followed when a Twitter reader moved their mouse over that URL.

Yesterday, Japanese Twitter explorer Masato Kinugawa said he had reported a Cross Site Scripting bug to Twitter on August 14th, but no one did anything to fix it. In his posting, he provided a link to an article explaining his demonstration, in which he could change the color of Twitter posts or pop up "Alert" messages to demonstrate the flaw. In that post, he linked to a "Social Programming" post by Matt Sanford on GitHub that demonstrated the flaw.

Matt's post suggested a long list of tests that a Twitter-client author would want to put in place to make sure that tweets passed to their client were not exploitable via Cross-Site Scripting, as well as many "fixes" that could help when a user accidentally made an error posting a URL that would cause too much of the text to be interpreted as a URL.
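As an added example (not Twitter's code and not from the original post), here is a toy linkifier that reproduces the class of bug described above, next to a hardened version that stops the URL match at a quote, validates the URL, and escapes every span of text before it becomes HTML. The host a.invalid and alert(1) are placeholders.

```javascript
// VULNERABLE: \S+ swallows everything up to the next space, including the '@'
// and the quote after it, and the template drops that straight into the href
// attribute, so the quote ends the attribute value and the rest of the "URL"
// becomes new attributes on the <a> tag.
function linkifyVulnerable(tweet) {
  return tweet.replace(/https?:\/\/\S+/g, (url) => `<a href="${url}">${url}</a>`);
}

// Escape the characters that can break out of HTML text or a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render one link: parse the candidate with the WHATWG URL parser, allow only
// http(s), and escape the serialised URL on its way into the attribute.
function renderLink(candidate) {
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch (e) {
    return escapeHtml(candidate);            // not a URL at all: plain text
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return escapeHtml(candidate);
  return `<a href="${escapeHtml(parsed.href)}">${escapeHtml(candidate)}</a>`;
}

// HARDENED: the URL match stops at any quote or angle bracket, and every span of
// the tweet, URL or not, is escaped before it is concatenated into HTML.
function linkifySafe(tweet) {
  const urlRe = /https?:\/\/[^\s<>"']+/g;
  let html = '';
  let last = 0;
  let m;
  while ((m = urlRe.exec(tweet)) !== null) {
    html += escapeHtml(tweet.slice(last, m.index)) + renderLink(m[0]);
    last = m.index + m[0].length;
  }
  return html + escapeHtml(tweet.slice(last));
}

// Detector for the symptom: an "on..." attribute that starts right after a
// closing quote inside an <a> tag, i.e. a handler the renderer never wrote.
const INJECTED_HANDLER = /<a\b[^>]*["']on\w+\s*=/i;

// Constructed tweet text with the shape of the one described in the post.
const SAMPLE_TWEET = 'see http://a.invalid/@"onmouseover="alert(1)"/ now';
```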

Only two hours ago (9 AM US Central Time, 22SEP2010), Kinugawa posted again, this time in English, a warning:

"There is still XSS on Twitter. I have already reported about 2 month ago. I never disclose this until fixed, but Twitter should fix asap."

Reading through Kinugawamasato's posts really is a great tutorial for understanding how the Twitter bug came about. I'm happy to report that my Firefox NoScript plug-in worked to block all of these things, dutifully reporting "Possible Cross-Site Scripting" alerts when I looked at Kinugawa's posted links.

While Twitter already killed Kinugawa's original "@rainbowtwtr" account, Kinugawa had actually created a backup account as well, where his August 14th demonstration is still available to be seen:

Kinugawa strikes me as a reasonable "full disclosure" researcher who is working with the "good guys" to find ways to protect against XSS. Unfortunately, as often happens to the Full Disclosure crowd, as soon as his revelations were made public, others pounced on them to do "more evil" things.

One example: using this technique of passing JavaScript to Twitter, another user learned how to create a worm, in which every person who fell for the "onmouseover" exploit would propagate the message themselves.

JudoFyr claims to be the first to turn the "onmouseover" into a Twitter worm, using this technique:

The val(this.innerHTML);$('.status-update-form').submit() was his key to resending the message back to Twitter.

Others then took the "still intending to be innocent" worm, and hooked it up to spread malicious links. One example of the latter used an encoding technique to push a particularly popular URL which may have been tweeted a few hundred thousand times yesterday:




People kept looking at that URL and saying, "I don't get it! How is 'u002f' a website?"

It's not; it's a Unicode-escaped "/", which has the ASCII value 2F. So this code really called the URL shortening service "" and asked for the URL with the shortcut "fl9A7". That URL was the shortcut for the site:

which caused visitors to repost a Twitter status that propagated the Twitter message. That page, in turn, pulled JavaScript code from:

which forwarded visitors to a Japanese porn website on "".

FlashBack Moment

Some of you will probably have had the same reaction to this worm as I did -- a Flashback to the Samy MySpace Worm. In that worm, Samy Kamkar spread a worm that caused any MySpace member who saw his code in a browser to make Samy their "friend" and then post a link to all of their friends' MySpace pages, declaring "Samy Is My Hero" and containing the malicious code.

Samy was sentenced on January 31, 2007 - convicted as a felon for violation of Penal Code section 502(c)(8) and placed on three years probation and ordered to serve 90 days of community service.

Samy's timeline and other events related to the worm are retold on the page I'm Popular. Apparently the goal of the worm was to find pictures of random hot girls to look at. That page contains a screen shot Samy took showing that he had 919,664 friends at that time.

Thursday, September 16, 2010

Linking Spam by its Attachments

Today some anti-spam friends were chatting about a new rash of "attachment spam" and wondering what attachments "belonged together" and what they did. Sounded like the perfect question for the UAB Spam Data Mine, so I thought I'd take a peek.

The first thing I did was to look for email subjects that had non-graphics-file attachments where we had received at least 250 copies of the email message today.

It wasn't actually that long of a list:

Subject | Attachment
Apartment for rent | Application to rent.html
B street financial information - part 1 | B St.Package 1.html
Church of Body Modification | Church of Body Modification.html
Cops kill active shooter at Johns Hopkins Hospital | Hospital violence on the rise, agency warns.html
Daniel Covington die | Daniel Covington.html
details | Shadow Ranch Marketing
Employment letter for visa application | jun wang letter.html
Evite invitation from (Random Name) | Evite invitation.html
Evite invitation from (Random Name) | Evite
Facebook password has been |
find a copy of the letter | copy of the letter.html
FW:September financials and newsletter | September 2010.html
Invoice for Floor Replacement | Invoice-Stockton.html
Invoice Payment Confirmation | Invoice Payment Confirmation.html
Jackie Evancho and Sarah Brightman | Jackie Evancho and Sarah Brightman.html
 | League proposal.html
Marketing Package.html | Marketing Package.html
NFL Picks Week 2 | NFL Picks Week 2.html
Order confirmation for order #(Random number) | invoice.html
Shipping Notification | Shipping Notification.html
You've got a fax | eFAX(RandomNumber)

Then I looked to see which of the email attachments were actually the same attachment. That's actually pretty easy for us, since we store the attachments by name, with an MD5 value prepended to the name, such as:

34eaf3d214f1ef58b56d58de5e5e25b6_Invoice Payment Confirmation.html

Group One: MD5 = 136e771425e841bda5fabec0c81df974 -

For the Attachment with an MD5 value of:


We saw all of the following subjects:

'America's Got Talent' Judges Were They Shocked By.html
Application to rent.html
B St. Package 1.html
Church of Body Modification.html
copy of the letter.html
Daniel Covington.html
Hospital violence on the rise, agency warns.html
Jackie Evancho and Sarah Brightman.html
jun wang letter.html
NFL Picks Week 2.html
September 2010.html

So, it would be pretty safe to assume those were all "the same."

That attachment is a block of JavaScript that starts by doing a document.write of the following block of ASCII letters, "unescaped":


Which is some Javascript code that looks like this:

hp_ok=true;
function hp_d01(s){
  if(!hp_ok)return;
  var o="",ar=new Array(),os="",ic=0;
  for(i=0;i<s.length;i++){          // walk the encoded string one code unit at a time
    c=s.charCodeAt(i);
    if(c<128)c=c^2;                 // every ASCII code unit is XORed with 2
    os+=String.fromCharCode(c);     // and appended to the output buffer

and some more stuff I won't list here . . .
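Added example (not the spammer's script and not the page's own code): a static unfolding of the encoding layers this post describes, covering both the "\u002f" trick from the Twitter worm above and the unescape()/hp_d01 layers of this attachment, so the payload can be read without executing it. Samples are constructed and example.invalid stands in for the real hosts.

```javascript
// Resolve the escapes a JS engine would resolve inside a string literal:
// \uXXXX, \xXX, \n, \t and the backslash-quoted forms (\" \' \\ \/).
function resolveJsEscapes(literal) {
  return literal.replace(/\\(u([0-9a-fA-F]{4})|x([0-9a-fA-F]{2})|.)/g, (all, body, u, x) => {
    if (u) return String.fromCharCode(parseInt(u, 16));
    if (x) return String.fromCharCode(parseInt(x, 16));
    if (body === 'n') return '\n';
    if (body === 't') return '\t';
    return body;                       // \" \' \\ \/ and the like: the character itself
  });
}

// The classic unescape() alphabet: %uXXXX for a UTF-16 code unit, %XX for a byte.
function jsUnescape(s) {
  return s
    .replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// What hp_d01 does to its argument before document.write: every code unit below
// 128 is XORed with 2, the rest pass through. XOR with a constant is its own
// inverse, so one function both encodes and decodes ("http://" <-> "jvvr8--").
function hpD01Transform(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    let c = s.charCodeAt(i);
    if (c < 128) c ^= 2;
    out += String.fromCharCode(c);
  }
  return out;
}

// Literal string arguments of every call fnName("...") or fnName('...') in a
// script, with backslash escapes already resolved.
function literalArgsOf(fnName, script) {
  const re = new RegExp(fnName + String.raw`\s*\(\s*(["'])((?:\\.|(?!\1)[^\\])*)\1\s*\)`, 'g');
  const args = [];
  let m;
  while ((m = re.exec(script)) !== null) args.push(resolveJsEscapes(m[2]));
  return args;
}

// Peel the attachment: each unescape("...") argument is decoded into script
// text, and each hp_d01("...") call found in that text is XOR-decoded.
// Returns every recovered string, outermost first.
function unfoldAttachmentScript(script) {
  const recovered = [];
  for (const stage of literalArgsOf('unescape', script)) {
    const decoded = jsUnescape(stage);
    recovered.push(decoded);
    for (const arg of literalArgsOf('hp_d01', decoded)) recovered.push(hpD01Transform(arg));
  }
  return recovered;
}

// Constructed sample in the shape of the attachment: document.write(unescape(...))
// whose payload is a <script> calling hp_d01 on an XOR-2 encoded URL.
const SAMPLE_ATTACHMENT =
  'document.write(unescape("%3Cscript%3Ehp_d01%28%22jvvr8--gzcorng%2Ckltcnkf-%22%29%3C%2Fscript%3E"));';

// Constructed sample of the worm's URL trick: "/" written as \u002f inside a literal.
const SAMPLE_WORM_URL = 'http:\\u002f\\u002fexample.invalid\\u002ffl9A7';
```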

All of that mess ends up doing this:

First, you go to this webpage: on the IP address

That page told my browser:


Then did a "Meta Refresh" which sent me to: on

while at the same time loading an IFRAME which took me here: on IP address

That site dropped a 15kb file on my machine.

The IP also hosts the sites:

"" is a free domain provider that the criminals are abusing like crazy right now.

Other domain names located on include:

All of those except "" use Yahoo nameservers.

Group Two: MD5 = 34eaf3d214f1ef58b56d58de5e5e25b6 -

For MD5:


We saw all of the following subjects:
Evite invitation.html
Invoice Payment Confirmation.html
Shipping Notification.html

This group's attachment is also a BASE64-encoded HTML file.

If a user simply clicks the attachment, it SEEMS to take us to a Canadian Pharmacy website of the GlavMed variety:

But unfortunately, a deeper analysis of the code shows it takes the long way around. First the site sends us to: on IP address in Latvia

Then it sends us on to "" on in China's Guangdong province.

The ZIP Files: Group One -

Even though there are many different MD5s of the ".zip" file, quite a few of them are so similar in function, they are clearly "the same" despite different MD5s.

The first of the ".zip" emails has the subject: "Bar/Bri"

The body of the email reads:

Thank you for ordering from Capcom Entertainment, Inc. on September 15, 2010. The following email is a summary of your order. Please use this as your proof of purchase. If you paid by credit card, please look for attached invoice.
Confidential & Privileged

Unless otherwise indicated or obvious from its nature, the information contained in this communication is attorney-client privileged and confidential information/work product. This communication is intended for the use of the individual or entity named above. If the reader of this communication is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error or are not sure whether it is privileged, please immediately notify us by return e-mail and destroy any copies--electronic, paper or otherwise--which you may have of this communication.

Attachment: used the MD5:

25 of 43 detection at VirusTotal - mostly called "FraudLoad" or "ZBot".

When we launched this malware, it connected to several servers in rapid order:


and downloaded a 471kb file from That file was my FakeAV present. It was stored in my current user's "Local Settings\Temp" directory as "dfrgsnapnt.exe".

VirusTotal FakeAV Report (20 of 43 detects)

A backup version was also running as "wscvc32.exe" from the same location.

The second ".zip" email had the Subject "details" and contained this email body:


As with all bank owned assets there is a strong desire to sell. The Lender is anticipating a sale before year end and they have encouraged us to bring them qualified offers to purchase.

I will contact you shortly to discuss in detail.



Shadow Ranch Marketing used the MD5:


24 of 43 detects at VirusTotal, mostly "FraudLoad" and ZBot.

The behavior of this malware was identical to the first - using the same domain names, fetching the same FakeAV from the same server, and installing it using the same name.

The third ".zip" email had the Subject: Shipping Notification

The body of the email read:
Shipping Notification Thank you for shopping with us. We look forward to serving you again.

The following is your receipt. Please retain a copy for your records.

Qty Item no Description Price S&H Tax Return
1 FC864-2038B Msg Drma7303 White 650.99 6.95 3.37 ____

Merchandise total 650.99
Shipping and handling 6.95
Tax on mdse 6.75% 3.37
Invoice total 706.31

Welcome to the convenience of shopping JCPenney Catalog

Shipping used the MD5s:

218adbd9f6abb8f0b7fd73765e62d005 behaved just like the first two entries on this list, in that it began by visiting,,,,, and downloaded the same Fake AV from the same location.

The first has 24 of 43 detects at VirusTotal, mostly Fraudload, FakeAV, and ZBot.

The second has 26 of 43 detects at VirusTotal, mostly ZBot.

The fourth ".zip" email had the subject:

The body of the email was very simple, with a Random Name in the body that matched the "From" name:
============================================================ Jed Keller used the MD5s:


The first has 21 of 43 detects at VirusTotal called FraudLoad, Alureon, FakeAV, or ZBot.

The second has 26 of 43 detects at VirusTotal called ZBot or Outbreak.

"Corrections" also behaved exactly like those above, dropping a FakeAV after contacting and the others.

The ZIP Files: Group 2 =

The sixth ".zip" email uses the subject: Facebook password has been changed

The body of the email contains:
Dear user of facebook.

Because of the measures taken to provide safety to our clients, your password has been changed.

Important Message!
You can find your new password in attached document.

Thank you.
Facebook Team.

Attachment: used the MD5:

This one is ESPECIALLY TRICKY, because the filename is hidden from the user! The email contains this code:

Content-Type: application/zip;
Content-Transfer-Encoding: base64
Content-Disposition: attachment;

Which makes the attachment, which is actually called "" show up as a ".jpg" file, like this:

22 of 42 detects at VirusTotal mostly called BredoLab or Sasfis.
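An added example, not from the post: a check that flags an attachment whose declared MIME type and advertised file name disagree, which is the general shape of the trick just described. The real names were stripped from the page, so the header block in the code is constructed and its file names are hypothetical.

```javascript
// Extensions a given declared type should legitimately carry (small, illustrative table).
const TYPE_EXTENSIONS = {
  'application/zip': ['zip'],
  'application/pdf': ['pdf'],
  'image/jpeg': ['jpg', 'jpeg'],
};

// Parse a header block into { 'header-name': { value, params } }, joining folded
// continuation lines first (CRLF followed by whitespace). Semicolons inside
// quoted parameter values are not handled; this is a triage check, not a MIME parser.
function parseMimeHeaders(raw) {
  const headers = {};
  for (const line of raw.replace(/\r?\n[ \t]+/g, ' ').split(/\r?\n/)) {
    const m = /^([\w-]+):\s*(.*)$/.exec(line);
    if (!m) continue;
    const [value, ...paramParts] = m[2].split(';');
    const params = {};
    for (const part of paramParts) {
      const pm = /^\s*([\w*-]+)\s*=\s*("?)(.*?)\2\s*$/.exec(part);
      if (pm) params[pm[1].toLowerCase()] = pm[3];
    }
    headers[m[1].toLowerCase()] = { value: value.trim().toLowerCase(), params };
  }
  return headers;
}

// Extension as a mail client would show it: the text after the last dot,
// ignoring trailing whitespace.
function extensionOf(name) {
  const m = /\.([A-Za-z0-9]+)\s*$/.exec(name);
  return m ? m[1].toLowerCase() : '';
}

// Findings about one attachment's headers; an empty list means nothing looked off.
function attachmentFindings(raw) {
  const h = parseMimeHeaders(raw);
  const ct = h['content-type'] || { value: '', params: {} };
  const cd = h['content-disposition'] || { value: '', params: {} };
  const names = [ct.params.name, cd.params.filename].filter((n) => n !== undefined);
  const findings = [];
  for (const n of names) {
    // Runs of whitespace inside a name can push a second extension out of view.
    if (/\s/.test(n.trim())) findings.push(`whitespace inside name "${n}"`);
  }
  const exts = [...new Set(names.map(extensionOf))];
  if (exts.length > 1) findings.push(`name and filename extensions disagree: ${exts.join(' vs ')}`);
  const allowed = TYPE_EXTENSIONS[ct.value];
  for (const e of exts) {
    if (allowed && !allowed.includes(e)) findings.push(`declared ${ct.value} but name ends in .${e}`);
  }
  return findings;
}

// Constructed sample modelled on the header lines quoted above; file names are placeholders.
const SUSPICIOUS_HEADERS = [
  'Content-Type: application/zip;',
  '\tname="New_password.jpg"',
  'Content-Transfer-Encoding: base64',
  'Content-Disposition: attachment;',
  '\tfilename="New_password.zip"',
].join('\r\n');

// Constructed sample of a consistent attachment for comparison.
const BENIGN_HEADERS = [
  'Content-Type: application/pdf;',
  '\tname="invoice.pdf"',
  'Content-Transfer-Encoding: base64',
  'Content-Disposition: attachment;',
  '\tfilename="invoice.pdf"',
].join('\r\n');
```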

Launching "New_password" generated lots of quick webtraffic, starting with connections to "" on IP, from which I did this get:


I have no idea what that means, but it feels familiar -- for instance, compare with the URL Dancho talked about back in May with some iTunes spam.

It also fetched from the unlikely named machine:

which has the IP address

Then we downloaded the file "/milk/dogpod.exe" from

I also did a crazy long fetch that began with "/get2.php?c=ALOVLEKD" from the host

When I did fetches like that, I downloaded "7.tmp" and "8.tmp" which VirusTotal calls bad:

The VirusTotal report for 7.tmp showed it had not been submitted before; it was mostly called "Kazy" or "Oficla", with 17 of 43 detections.
18 of 43 detections for 8.tmp.
It also fetched from "" before loading some BBC News.

The last ".zip" email has the subject line You've got a fax

The body has a nice graphic and reads "The Fax message is attached to this email!"

The attachment has random numbers in the name, such as "":

eFAX(randomnumbers) used the MD5:

19 of 39 detects at VirusTotal mostly called ZBot, Oficla, or Sasfis.

When we launched this file, which was 22kb in size, it connected to "" just like the "Facebook New Password" one above. I noticed when I launched this time that I sent back a 15 ?minute? delay statement to the server. I'll wait to see what happens.

Tuesday, September 14, 2010

"Here You Have" Hype & Electronic Jihad


On September 9th, my blog post on the "Here You Have" worm mentioned that the spread mechanisms of the worm were narrowly focused on a few targets that it hit very hard. Because of this, I've been quite surprised to see claims such as this USA Today article, which claims:

Viral messages carrying an innocuous-looking "Here you have" or "Just for you" subject line at one point Thursday accounted for an astounding 14.2% of spam messages moving across the Internet, says Nilesh Bhandari, Cisco product manager.

and then goes on to do the math for us. The article says there are 300 billion emails per day, so "Here You Have" must have sent 42 billion emails. They then show a chart, for which they provide no source attribution, that demonstrates that there was only one thirty minute period where whoever their source for the chart (presumably Cisco?) claimed the spam had reached 14.2%.

If we assume briefly that there really are 300 billion emails per day, a back-of-the-envelope calculation from this chart would indicate that there were actually closer to 8 billion, rather than 42 billion, emails sent by "Here You Have". (You can clearly see in USA Today's own chart that in most time periods of the day the percentage was closer to "0%" than to "14%".) 14.2% occurred in only one 30-minute sample, which, if we assume an equal distribution of the 300 billion across the day, would mean 887 million emails in that thirty-minute window.

BUT WAIT! Is it accurate to project the sampling from Cisco's Ironport on "the global spam" picture? Absolutely not! Take for a moment my personal anecdotal evidence. I stand by my earlier statement that the UAB Spam Data Mine on September 9th received 17 copies of the "Here You Have" emails, 13 of which came from senders in a single large financial institution. Our calculation of 0.00002% is perhaps closer to the average "global spam" recipients reality.

In my personal spam collection, including many "live" personal email addresses, I received 10,134 spam email messages on September 9th, of which ZERO were from the "Here You Have" worm. (And yes, I use NO FORM of spam filtering on those email addresses.) I also received zero copies in my university email accounts.

Our reality, and yours, unless your primary email account is in a very large corporation running Outlook, is probably closer to what was described by Microsoft. (Thanks to Robert McMillan of IDG News for pointing this out in his article Here You Have Worm Caused Brief Havoc.)

In this Technet Blog post: "Update on the Here You Have Worm: Visal-B" the Microsoft lab says that in normal spam monitoring, 90% of their reports come from "consumer" email users (protected and reported through Microsoft Security Essentials), while very few reports come from their "corporate" email users (protected and reported through Forefront Client Security).

Microsoft bloggers Jimmy Kuo & Holly Stewart go on to say that while they have sensors deployed worldwide, 98% of their reports for this worm came from US-based reporters. Cisco's 2010 MidYear Security Report (36 page PDF) says that 8.98% of global spam originates in the United States.

When Cisco Ironport reports their numbers, we have to remember that their appliance is overwhelmingly present in corporate email accounts. I know the Ironport guys, believe they have a great product, and believe they reported accurately what they saw on the corporate networks, but also believe that a few media sources have misinterpreted these numbers to turn Here You Have into the Global Armageddon of Spam, which it clearly was not. Except for some US-based corporate mail servers.

But was that the whole point? To learn more we need to identify some "patient zero" spam recipients: who was THE FIRST PERSON at ABC, NASA, Google, JP Morgan Chase, etc., to receive the spam? Once we learn more about who is behind the attack, it looks like targeting "big corporations" may have been the whole point of the worm!

Electronic Jihad

The more interesting angle to me is the revelations from Joe Stewart, the International Grandmaster of Malware Analysis at SecureWorks in his blog post Here You Have Worm and e-Jihad Connection. I asked Heather McCalley, the Criminal Intelligence Supervisor in the UAB Computer Forensics Research Laboratory to summarize the details for us:

Joe Stewart had previously identified that the malware contained the string "iraq_resistance" and that a previous version of the same malware used the email address "".

A fellow researcher at Internet Identity provided us a link to a YouTube video that claimed to be from the author of the worm. When we first saw the video early yesterday morning it had been viewed 128 times. Heather took a screen shot showing 302 views yesterday morning. This morning there have been 3,803 views of the video.

My nickname is Iraq Resistance. Listen to me about the reasons behind the 9 september virus that affected NASA, Coca-Cola, Google, and most American ?gains?. What I wanted to say is that United States does not have the right to invade our people and steal our oil under the name of nuclear weapons. Have you seen any there? No evidence, even about any project. How easy you kill and destroy. Second, about the Christian Terry Jones what he tried to do on the same day this worm spread is not even fair. I know that not all Christians are similar and some newspapers wrote that I am a terrorist hacker because of the computer virus and Mr. Terry Jones is not and he is not terrorist because he infected all muslims' behavior. I think America, come on! Be fair. Where is your freedom which must end when it reaches another person's freedom. And you say you modern educated people. I don't know there is another one and really I don't like smashing and as you know there were no computers smashed as you know by the analysis report. I could have smashed all those I infected but I wouldn't and don't use the word terrorist please. I hope that all people understand I am not a negative person. Thanks for publishing.

(click for video)

So, shall we take Mr. IqZiad at his word? Context is everything, and in this case, we have ample evidence that iraq_resistance, the self-proclaimed "Commander of the Brigades of Tariq bin Ziad", desires to harm America.

Here's a post that he made on the website "" where he has been active since 2006 using the username "iraq_resistance":

The Tariq bin Ziyad virus storms America
Peace be upon you
The commander of the Tariq bin Ziyad Brigades launched a virus attack on American companies on Thursday. It infected an enormous number of computers, which forced the companies to shut down their mail servers until they could get the problem under control.
Comcast shut down some of its servers, as did Google, Coca-Cola and NASA, within a span of two hours on the evening of Thursday, 9-9-2010.
Here is a report from Microsoft
And here is a report from the British Daily Mail

The commander of the Tariq bin Ziyad Brigades has sworn to continue the attack at a later time in retaliation for their campaign against Islam.
Please spread this achievement and pray for the Tariq bin Ziyad Brigades' success and protection.

The post takes credit for the attack, links to two news stories about the attack, and then closes in the last two lines by saying:

As the Commander of the Brigades of the Tarik bin Ziad, I swear the attacks will continue in retaliation for their attacks against Islam.

Please publish this achievement and pray for the success and protection of al-Tarik bin Ziad.

Well, Mr. IQZiad, I've published your achievement, but I am certainly praying for a different outcome than the one you request.

The user iraq_resistance has been a member of since 2006. When we looked into the board this morning there were 619 active registered users logged in to the site, as well as 17,032 "guests" reading public messages on the board. The board, which is hosted on LiquidWeb in Chicago, is one of the 22,000 most popular on the Internet according to NetCraft, and has many non-offensive topics, including large popular forums about the World Cup and Islam.

Despite his long membership, Iraq_resistance has only created three discussion threads. The most popular, which was read 4,765 times and has 163 replies, was this message from May of 2008, entitled "مطلوب شباب للمشاركة في حملة الجهاد الالكتروني", which translates as: "Wanted: Young people to participate in Electronic Jihad".

Peace be upon you, my brothers.
A group has been established under the name of the Tariq bin Ziyad Brigades, and the goal of this group is to break into American computers belonging to the US Army.
Increasing our numbers is needed so that we can be more effective, so we set out the conditions for joining this electronic jihad group:

1 - The member's goal must be electronic jihad, and he must swear that he will not use what he learns with the group against any other target.

2 - Sincerity in the work and respect for the group's members; once the group expands, seniority and the most active members will earn leadership rank over sub-groups of the main group.

3 - Meetings and chat will take place on Yahoo Messenger and MSN.

4 - For any problems with members or leaders, the door is open to complain to the general commander of the Brigades.

5 - The mujahid's skill level is not important, because he will learn with the group; the method is not difficult and it is truly effective.

6 - Follow the advice of the general commander and devote the work fully to God.

7 - Set aside grudges between group members; the spirit of competition is to be directed against the enemy, not against the brothers.

8 - The oath not to use what he learns against any other target outside the group will be taken over the microphone and heard by the general commander.

We ask God to grant us success and guide our steps, and yours, and we hope the brothers will respond and join this blessed opportunity.
We also thank the forum administration for the opportunity to announce the campaign and the call for membership; you will be kept informed of the results as they come, God willing.
To join, please add the Yahoo ID


Waiting for the mujahideen; your add requests will be accepted.
Your brother, the general commander of the Tariq bin Ziyad Brigades

Which, according to Google translate, reads:

Peace be upon you my brothers

Group was established in the name of al-Tariq bin Ziyad and goal of this group infiltrate a U.S. subsidiary of the U.S. Army

The increasing number of requests so we'll be more effective .. Therefore, we present the conditions for affiliation to these jihadist group E:

1 - to be the common goal of electronic jihad and to apportion that it will use what it learns with the group against the other goal.

2 - dedication to work and respect for members of the group and after the expansion is the most seniority and rank the effectiveness of the leadership groups of the main group.

3 - be meeting and chatting on Yahoo Messenger, Alamson.

4 - any problems with members or leaders open the door of the complaint to the General Commander of the Brigade.

5 - the level of fighting is not important because he will learn with the group and that the way in which it is not really impressive.

6 - follow the advice of the Commander in Chief and dedication to working for God's sake.

7 - forget the grudges between the members of the group and the spirit of competition which is against the enemy and not against the brothers.

8 - Section in the non-use of learning the target outside the group will be on the mic and hear the commander in chief.

We ask God to help us and guide our steps and you .. And good response from the brothers to join this blessed opportunity

We also thank the management of the Forum for the opportunity to announce the campaign and asked the association and will provide you with first hand the results, God willing.

Please add to join the Yahoo ID


Waiting for the Mujahideen to accept Adavckm
Brother Commander General of the Brigades, Tariq ibn Ziyad

Tariq ibn Ziyad was the name of the Muslim servant who was appointed a General and given troops to conquer the Iberian peninsula in the year 711. You can read more about him in his Wikipedia article, or for a more Islam-friendly version of events, see HaqIslam. Tariq is the invader who famously burned his ships after landing, convinced of his victory by a vision of the Prophet promising him success and that he would personally kill King Roderick.

The same "call for recruits" was posted in many other places, including:

(by user "iraq_resistance", active since December 2006, hosted on SoftLayer in the USA.)
(by user "iraq_resistance", active since November 2005, hosted on SoftLayer in the USA.)
(by user "iraq_resistance", active since July 2004, hosted on BlueHost in the USA.)
(user "iraq_resistance", active since March 2006, hosted on XLHost in the USA.)

In addition there are malware author recruiting ads, such as this one:

The call is for assistance from those who can create computer viruses to strike the enemy. Malware coders who want to help in the cause were instructed (in Arabic):

To subscribe send a message to

And please send a message to email the following to configure a lethal army of God Almighty in the future


So despite the "I'm not a terrorist" YouTube video, we have a mass-mailing worm that disproportionately impacted US-based businesses and successfully planted backdoor code on many of the infected machines, released by a person who has been calling himself "Iraq_resistance" since 2006, and who has been recruiting "electronic Jihad" participants since 2008. This person boasted about his attacks, has promised there will be others, and as far back as March 6, 2009, was specifically inviting malware authors to help him create "a lethal army of God".

Was there a lot of hype in the coverage of this malware? Yes. But perhaps the hype deserves a deeper response than a shrug.


Our friend Bob McMillan has shared an interesting Series of Emails with the worm author.

Thursday, September 09, 2010

"Here you have" spam spreads email worm

This evening while I was driving to an open house at my daughter's school (very cool! proud of you, Kyriae!) a journalist called to ask me about "the major new email worm that everyone is talking about".

Insert sound of crickets.

I asked him for more details and he said all he knew so far was that it used the subject line "Here you have", which made me laugh -- that was the main subject line of the Anna Kournikova virus way back in 2001!

In my lab at the University of Alabama at Birmingham we have a project called the UAB Spam Data Mine, so I'm usually a pretty good person to ask if something involves the words "major" and "email", but not this time. As the evening progressed I got more and more queries and emails about it, so I decided to look into it.

In the entire Spam Data Mine, we had 17 copies of the email, or roughly one out of every 100,000 email messages for the day. Certainly not "major", but then when we looked at the actual emails, we noticed that thirteen of the seventeen came from the same Very Large Financial Institution.

That did pique my interest! ABC seems to be the only news station covering the story, which is because the worm behind this malware managed to get loose in some ABC properties. Here's a sample news story, from ABC 13 in Houston:

A massive and dangerous email virus has spread like wildfire, flooding inboxes and disrupting operations across the globe. The email is landing in the inboxes of companies around the world.

The email has the subject line 'Here you have.' In the body of the email, it reads, "Hello: This is The Document I told you about, you can find it here," and contains a reference to a document and a link to what appears to be a PDF. IT departments are advising users not to open the email or click on the link, but to delete the message.

If you click on the link, the virus replicates and sends itself out using your name and contact list.

The attack appears to be global, so far affecting companies such as Disney, P&G, Dow, Coca-Cola and others. The Florida Department of Transportation's email system has been shut down, and other Florida government agencies have been affected, but so far no Texas government agencies are reporting any impact. The virus may have originated in Russia.

(story from ABC's KTRK in Houston)

ABC National news had a similarly glamorous lead-in, mentioning that as of 4 PM on Thursday "Here you have" was the second hottest news trend on Google. "Organizations including NASA, Comcast, AIG, Disney, Procter & Gamble, Florida Department of Transportation and Wells Fargo are just a few of the organizations apparently affected by the worm, which appears to have sent out hundreds of thousands, if not millions of e-mails."

If we scroll back in the Twitter space about twelve hours (1:00 PM on Thursday) we can confirm that at least for some folks, the email did feel pretty overwhelming. See posts such as:

tony1971 who else is getting tons of e-mails with the subject, #hereyouhave?

jmyoung82 328 emails and counting from #hereyouhave email worm

wiltap I turned off my desktop email--machine was non-responsive. RT @perfectcr Yup, its global! #hereyouhave

padevries Seems like #hereyouhave #virus is under control at my company. After 724 emails in 10 min it has stopped.

The malware preferred to spread via the Outlook mail program, and spammed itself primarily by sending to every member of the local Outlook address book. In companies where a domain administrator logged in to an infected machine the effect was that every machine reachable from that machine that used the same administrator password became infected, and then each of those users sent an email to every other user in the company directory. I can see where that would pile up quickly.

Apparently very few companies have the addresses in the UAB Spam Data Mine in their address books, which would explain me receiving so little spam. (A fortuitous typographical error seems to be how I got most of our copies.)

BarracudaLabs claims in their useful and informative blog entry, “Here You Have” Spam Teaches an Old Worm a New Trick, that they saw the spam first at 9:44 AM Pacific time and quickly saw 200,000 copies, but that it's likely that infected organizations had many more. The spam dried up once the website hosting the malware shut down the offending account.

Although the malware is being recognized for its spam, the reason it is being labeled as a worm has to do with its spread within corporate networks. The malware, which was previously seen on August 20th, was given the name W32.Imsolk.A by Symantec and others at that time. They call the new version "W32.Imsolk.B". TrendMicro calls the new version "Worm_Meylme.B".

Here's a VirusTotal report showing detections and who is calling it what. Currently 23 of 42 anti-virus products are reporting a detection. (Up from 17 of 42 when I checked about 4 hours ago).

It's interesting to follow Symantec's ticket on the malware through the day (Symantec Tech Support ticket), which concluded:

"Enterprise customers are protected by a Rapid Release signature set dated Sep 9th 2010 rev 023, or later. The next regular definition set to be published at 16:00 PST Sep 9th 2010 will contain the detection."

McAfee's AvertLabs also had a Special Report on Here you Have, including links to their advice on identifying and removing the malware, with a special Knowledge Base link that provided information on an emergency signature file and a special version of their stand-alone "stinger" product.

Microsoft has a quite good Threat Encyclopedia entry for the previous version, which they called "Visal.A", and has updated it with a great entry on Visal.B. Some of the cooler features of this malware described by Microsoft include:

- the malware copies itself as " CV 2010.exe" to drives C: through H:.

- The worm adds an autostart key by making the following registry modification:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Adds value: "Sets Shell"
With data: “%windir%\csrss.exe”

which is how it guarantees that it will re-invoke after boot -- note that by linking to "Winlogon", even a 'safe mode' boot will be "infected".

- the worm will attempt to mount network shares for all computers on the local network and copy itself as a fake graphic file, "N73.Image12.03.2009.JPG.scr", placing itself in a "New Folder" as well as in folders named "Music" and "Print" on every drive it can mount. It will add an entry into an autorun.inf file on each of those drives to ensure that mounting the drive will invoke the fake JPG file.

- The malware also attaches itself via the registry to 391 various .exe file names, primarily the names of security tools and programs, so that if any of them are executed, the malware stored in "%windir%\csrss.exe" will be re-invoked.

Although the malware theoretically can send three different emails from templates in the malware, all of the samples we received today were of the first variety:

Subject: Here you have

This is The Document I told you about,you can find it Here.

Please check it and reply as soon as possible.


The first copy of the email we saw was actually from an employee of a local utility company. In all the copies I saw, the actual link was downloading the content from:

Although SCR files are traditionally thought of as "screen saver" files, if the file is an executable, '.scr' files can be directly executed in Windows, as indeed this one is. Because file extensions are suppressed by default in Windows, and because the executable uses an icon that makes it appear to be a PDF file, this one fooled quite a number of people.

Multimania quickly shut down the account "yahoophoto" once it was understood what was happening. After that the attack more or less ran itself out. While it continued to spread via network shares inside of large corporate networks, the email-based component was a dud after that point.
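The artifacts in Microsoft's list above (the Winlogon hook to "%windir%\csrss.exe", the fake JPG .scr launched through autorun.inf, and the " CV 2010.exe" copy on drive roots) are exactly the things an incident responder wants to check for on a suspect machine. The following is an added example written for this post, not code from Microsoft, Symantec or the author: it parses a constructed .reg export of the Winlogon key and a constructed autorun.inf and reports the indicators described above. It assumes the Winlogon value in question is the standard "Shell" value (the post's "Sets Shell" wording is read that way) and that the legitimate csrss.exe lives under System32, never directly in %windir%; the file and key names are the ones in the bullets above.

```python
"""Added example for this post (not code from Microsoft, Symantec or the author):
host-side checks for the Imsolk/Visal artifacts listed above, run over
constructed sample data so the block executes offline.

Assumptions not stated on the page: the Winlogon value is the standard "Shell"
value, input arrives as a .reg-style text export, and autorun.inf parses as INI."""
import configparser
import re
from typing import Dict, List

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WORM_BINARY = r"%windir%\csrss.exe"        # from the post; the real csrss.exe lives in System32
FAKE_JPG = "N73.Image12.03.2009.JPG.scr"   # fake graphic dropped on mounted shares (from the post)
DROPPED_NAME = " CV 2010.exe"              # leading space, exactly as the post writes it


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a minimal .reg export into {key: {value_name: data}} (string values only)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # .reg files write a literal backslash as "\\"
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def winlogon_shell_findings(reg: Dict[str, Dict[str, str]]) -> List[str]:
    r"""Flag a Winlogon Shell value that loads anything beyond explorer.exe, and
    specifically the %windir%\csrss.exe path used by this worm. Because Winlogon
    loads Shell in safe mode too, this is the persistence the post describes."""
    findings: List[str] = []
    shell = reg.get(WINLOGON_KEY, {}).get("Shell")
    if shell is None:
        return findings
    entries = [e.strip() for e in shell.split(",")]
    extra = [e for e in entries if e.lower() != "explorer.exe"]
    if extra:
        findings.append(f"Winlogon Shell loads extra program(s): {extra}")
    if any(e.lower() == WORM_BINARY.lower() for e in entries):
        findings.append("Winlogon Shell points at %windir%\\csrss.exe (Imsolk/Visal indicator)")
    return findings


def autorun_findings(autorun_text: str) -> List[str]:
    """Flag an autorun.inf whose open=/shellexecute= target is a .scr, or the worm's fake JPG."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(autorun_text)
    findings: List[str] = []
    # autorun.inf section names are case-insensitive on Windows; configparser's are not
    for section in (s for s in cp.sections() if s.lower() == "autorun"):
        for opt in ("open", "shellexecute"):
            target = cp.get(section, opt, fallback="")
            if target.lower().endswith(".scr"):
                findings.append(f"autorun.inf {opt}= launches a screensaver executable: {target}")
            if FAKE_JPG.lower() in target.lower():
                findings.append("autorun.inf references N73.Image12.03.2009.JPG.scr (Imsolk/Visal indicator)")
    return findings


def drive_root_findings(drive: str, filenames: List[str]) -> List[str]:
    """Flag the ' CV 2010.exe' copy the worm drops on drives C: through H:."""
    return [f"{drive} root contains {name!r}" for name in filenames if name == DROPPED_NAME]


# Constructed sample data, shaped like what an infected host would show.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, %windir%\\csrss.exe"
'''
SAMPLE_AUTORUN = """[autorun]
open=New Folder\\N73.Image12.03.2009.JPG.scr
icon=New Folder\\N73.Image12.03.2009.JPG.scr
"""

if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG)
    for f in (winlogon_shell_findings(reg) + autorun_findings(SAMPLE_AUTORUN)
              + drive_root_findings("D:", [" CV 2010.exe", "readme.txt"])):
        print("FINDING:", f)
```

On a live host the .reg text would come from `reg export` of the Winlogon key and the autorun.inf from each mapped drive; the checks themselves are deliberately simple string tests so they can be read and verified against the bullets above.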

Random Pseudo-URLs Try to Confuse Anti-Spam Solutions

For the past couple of weeks things have NOT been normal for the Spam & Phishing folks at the UAB Computer Forensics Research Laboratory. The Phishing Operations team has been inundated by URLs being reported to them as "potential phish" that are not only not phish, they are not even URLs!

Here's a handful of the recently received URLs (in the past 5 minutes or so):

Without a "pattern", it's hard to "mass-whack" the URLs, and so they keep ending up in our "Phishing-URLs-to-be-checked" list. The problem is that MOST of those domains actually exist!

is owned by "Future media architects"
offers free domain names (so we see them sometimes on phish normally!)
is a research & development incubator
is a tourism site for the city in Spain.
claims to be the Online Finance Company.
is a redirector to
is the Patricia Seybold Group
is the Scientific Applications & Research Association
is a webcam chatting service
is a parked domain on FirstLook.

Only "" is not "live" somewhere.

The UAB Spam Data Mine has been seeing similar things. We're accustomed to spammers creating a "wildcard" DNS entry for a domain, after which they can make up any random hostname they want and use 1,000 different machine names to refer to one Viagra sales website. We actually deal with that quite effectively: once we have seen five hostnames for the same domain, we create a random hostname under that domain ourselves. If the contents of our random hostname give us the same results as a spammed hostname for that domain, we mark all of them as being related and stop checking the rest. When "normal" spammers are using many hostnames, we only see a few domains using this technique per 15-minute work period, so even though, for instance, on August 8th we saw 2,670,602 hostnames in spam (counting repeated hostnames), it wasn't such a big deal.
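The "five hostnames, then probe a made-up one" check just described is the same test the Canadian Pharmacy example later in this post runs by hand (any machine name under the spammer's domain returns the same graphic). Here it is as an added example, not the UAB lab's own code: DNS and HTTP are abstracted behind a fetch() callable, and a constructed fake fetcher stands in for one wildcard spammer domain and one ordinary domain so the block runs offline. The five-hostname threshold comes from the text; the content comparison by SHA-256 digest and the crude "last two labels" domain extraction are my assumptions.

```python
"""Added example (not the UAB lab's own code): the wildcard-hostname check
described in the post. Network access is abstracted behind a fetch()
callable so the block runs offline against a constructed resolver."""
import hashlib
import random
import string
from collections import defaultdict
from typing import Callable, Dict, Optional, Set

HOSTS_BEFORE_PROBE = 5  # threshold from the post: five hostnames for one domain
Fetcher = Callable[[str], Optional[bytes]]  # hostname -> page body, or None if it does not resolve


def registered_domain(hostname: str) -> str:
    """Crude domain extraction (assumption): last two labels. Public-suffix
    handling (co.uk and friends) is out of scope for the illustration."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def random_label(rng: random.Random, length: int = 12) -> str:
    return "".join(rng.choice(string.ascii_lowercase + string.digits) for _ in range(length))


class WildcardDetector:
    """Tracks distinct hostnames per domain. Once HOSTS_BEFORE_PROBE have been
    seen, fetches a random hostname under the domain and compares its content
    digest with a spammed hostname's. A match marks the domain as wildcard so
    later hostnames are skipped instead of fetched one by one."""

    def __init__(self, fetch: Fetcher, seed: int = 0):
        self.fetch = fetch
        self.rng = random.Random(seed)
        self.seen: Dict[str, Set[str]] = defaultdict(set)
        self.wildcard: Dict[str, bool] = {}  # domain -> probe result, once probed

    def _digest(self, host: str) -> Optional[str]:
        body = self.fetch(host)
        return None if body is None else hashlib.sha256(body).hexdigest()

    def observe(self, hostname: str) -> str:
        """Return 'skip' (domain already known to be wildcard), 'check' (needs
        its own lookup), or 'wildcard' (this probe just proved the domain answers
        any name with the same content)."""
        domain = registered_domain(hostname)
        if self.wildcard.get(domain):
            return "skip"
        self.seen[domain].add(hostname.lower())
        if len(self.seen[domain]) < HOSTS_BEFORE_PROBE or domain in self.wildcard:
            return "check"
        probe = f"{random_label(self.rng)}.{domain}"
        spammed, probed = self._digest(hostname), self._digest(probe)
        is_wild = spammed is not None and spammed == probed
        self.wildcard[domain] = is_wild
        return "wildcard" if is_wild else "check"


# Constructed stand-in for DNS + HTTP: one spammer domain with wildcard DNS
# (every hostname serves the same pill page) and one ordinary domain whose
# real hosts each serve different content and whose unknown names do not resolve.
PILL_PAGE = b"<html>cheap pills</html>"
REAL_HOSTS = {"www.normal.example", "mail.normal.example", "shop.normal.example",
              "blog.normal.example", "cdn.normal.example"}


def fake_fetch(host: str) -> Optional[bytes]:
    if registered_domain(host) == "pillsdomain.example":
        return PILL_PAGE
    if host in REAL_HOSTS:
        return host.encode()
    return None


def demo() -> Dict[str, str]:
    """Feed the detector a spam-like stream and return the decision per hostname."""
    det = WildcardDetector(fake_fetch)
    results: Dict[str, str] = {}
    for i in range(7):
        results[f"h{i}.pillsdomain.example"] = det.observe(f"h{i}.pillsdomain.example")
    for h in ["www", "mail", "shop", "blog", "cdn", "ftp"]:
        results[f"{h}.normal.example"] = det.observe(f"{h}.normal.example")
    return results


if __name__ == "__main__":
    for host, decision in demo().items():
        print(f"{decision:9s} {host}")
```

In the demo the fifth pill hostname triggers the probe and comes back "wildcard", the sixth and seventh are skipped without any lookup, and the ordinary domain is probed once, fails the comparison (the random name does not even resolve), and keeps getting individual checks. The probe is a single extra fetch per domain, which is why the technique was cheap until thousands of domains per work period started needing it.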

The problem with this new spam is that rather than having one destination per 15 minute work period that has randomization for the domain, we may have thousands in a single 15 minute work period.

On September 5th we saw 450,976 UNIQUE hostnames advertised in spam! To put that in perspective, from August 1 until August 28 the highest single-day unique hostname count we had was 38,452. On August 29th, we had 391,594 unique hostnames advertised in spam! A tenfold increase in a single day! And it's stayed there. We've had more than 370,000 every single day in September.

Or did we? My anti-spam friends RedDwarf and SiL were discussing this recently over on the "InBoxRevenge" forums, and they mentioned that another lab had seen a dramatic jump in unique URLs beginning about August 26th. It's hard for me to see the same jump in unique URLs, because we see millions of URLs per day and that number hasn't changed so dramatically -- but when we look at unique hostnames instead, we do see an enormous jump!

This corresponds to the second problem we observed in the lab. In our multi-phase spam parsing, phase two is "resolve the domains to IP addresses and store that data in a database." We started experiencing a backlog in that phase that was brought to my attention on September 1st. We hadn't put the two pieces together until last night when someone called attention to the RedDwarf posts on this topic.

I ran another query to count how many times we have seen each unique DOMAIN name -- not HOST name -- and the tail goes "to infinity and beyond" on this chart!

In the first seven days in September, we saw 149,964 unique DOMAIN names used in spam!!!

I tried to chart the distribution of domain names, but the chart ends up looking like I've shown you an empty chart because the tail is SO long and the drop-off is so dramatic. I'll try it as a table instead:
Domains   Times seen in spam
30        25,000+
132       10,000 - 24,999
1,051     1,000 - 9,999
5,818     100 - 999
21,417    10 - 99
13,907    5 - 9
39,580    2 - 4
68,030    1

An analysis of how often these "pseudo" domain names appear helps us to understand that the selection process for these host names is NOT a random selection from a dictionary, but rather a random selection from a large text sample. We know this by the frequency of commonly occurring words. During that same period, here is the count by domain name for the spam:

179,958 - - #1
100,255 - - #2
74,603 - - #4
66,104 - - #6
47,307 - - #5
42,713 - - #3
28,217 - - #7
20,051 - - #13
18,234 - - #17
18,097 - - #29
17,512 - - #12
16,178 - - #14
14,962 - - #16
13,990 - - #26
13,879 - - #15

The number following the domain name is that word's rank in "The Most Common Words in English." The fact that the counts don't follow the true frequency order probably points to the fact that while they have a large language sample, it's not a truly enormous one, or we would see a truer frequency distribution.
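The inference above (text-sampled pseudo-domains inherit the word frequencies of the corpus, dictionary-sampled ones would not) can be checked with a simulation. This is an added example, not the lab's own analysis: it draws pseudo-domains two ways from a constructed vocabulary, uniformly from the word list versus with Zipf-like weights that stand in for running text, and tabulates the results in the same frequency bands as the table above. The vocabulary, the 1/rank weighting and the draw count are my assumptions, not spam data.

```python
"""Added example (not from the original post): simulate dictionary sampling
versus text sampling of pseudo-domain names and bucket the resulting counts
into the bands used in the post's table. All inputs are constructed."""
import random
from collections import Counter
from typing import Dict, List, Tuple

# Constructed vocabulary: the first entries stand in for the most common English
# words; the rest are filler tokens like the "bariloche"/"okjeo" tail seen in spam.
COMMON = ["the", "of", "and", "to", "in", "is", "you", "that", "it", "he",
          "was", "for", "on", "are", "as"]
VOCAB = COMMON + [f"word{i:03d}" for i in range(185)]   # 200 words in total

# Bands from the post's table of how often each domain appeared.
BANDS: List[Tuple[str, int, int]] = [
    ("25,000+", 25_000, 10**9), ("10,000 - 24,999", 10_000, 24_999),
    ("1,000 - 9,999", 1_000, 9_999), ("100 - 999", 100, 999),
    ("10 - 99", 10, 99), ("5 - 9", 5, 9), ("2 - 4", 2, 4), ("1 time", 1, 1),
]


def bucket_counts(counts: Counter) -> Dict[str, int]:
    """Number of distinct domains whose occurrence count falls in each band."""
    table = {label: 0 for label, _, _ in BANDS}
    for n in counts.values():
        for label, lo, hi in BANDS:
            if lo <= n <= hi:
                table[label] += 1
                break
    return table


def sample_from_dictionary(n: int, rng: random.Random) -> Counter:
    """Each pseudo-domain is an independent uniform pick from the word list."""
    return Counter(rng.choice(VOCAB) for _ in range(n))


def sample_from_text(n: int, rng: random.Random) -> Counter:
    """Each pseudo-domain is a word picked from running text. Word frequency in
    text is roughly Zipfian, so rank r is drawn with weight 1/r (assumption)."""
    weights = [1.0 / (r + 1) for r in range(len(VOCAB))]
    return Counter(rng.choices(VOCAB, weights=weights, k=n))


def compare(n: int = 100_000, seed: int = 1) -> Dict[str, object]:
    """Run both samplers with n draws and return top words plus band tables."""
    rng = random.Random(seed)
    from_dict = sample_from_dictionary(n, rng)
    from_text = sample_from_text(n, rng)
    return {
        "dict_top": from_dict.most_common(3),
        "text_top": from_text.most_common(3),
        "dict_table": bucket_counts(from_dict),
        "text_table": bucket_counts(from_text),
    }


if __name__ == "__main__":
    r = compare()
    print("dictionary sampling, top 3:", r["dict_top"])
    print("text sampling, top 3:      ", r["text_top"])
    for label, _, _ in BANDS:
        print(f"{label:>16}: dict={r['dict_table'][label]:4d}  text={r['text_table'][label]:4d}")
```

With 100,000 draws over 200 words, uniform sampling puts every word near 500 occurrences (all in one band, no tail at all), while the text-weighted sampler puts "the" alone in the 10,000 - 24,999 band and spreads the rest across several bands, which is the long-tailed shape the post's table shows. Seeing "are", "from" and "the" at the top of a domain-count list is therefore evidence of text sampling, not of a dictionary.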

The first possible "double-usage" domain comes here:

13,526 -

Apple is not one of the 500 most common words in English.

Clearly most of these are NOT going to be "Pseudo-URLs", as we know that "apple" is not nearly as common a word as "are" and "from". In fact, most of the emails we have with in them are unlikely to be spam at all. Other domains that we saw with at least this high a count are either "whitelisted" domains or they are clearly "spam" domains. (The list below has "whitelisted" domains suppressed.)

58,039 -
53,504 -
41,012 -
39,629 - (???)
33,724 -
31,613 -
31,579 -
29,704 -
28,802 - (???)
27,752 -
27,572 -
27,184 -
25,928 -
25,583 -
24,164 -
23,800 -
23,300 -
23,152 -
23,004 -
22,808 -
22,800 -
22,784 -
22,100 -
21,696 -
21,648 -
21,144 -
20,892 -
20,880 -
20,530 -
20,460 -
20,416 -
20,400 -
20,360 -
20,236 -

When we get down to the single use domains, it becomes clear again that the "word list" for these randomly created domains is not a dictionary. We have words like "bariloche" "doughton", "vignarajah", and "okjeo", which does seem to lend credence to the idea that has been floated that these are words selected from Wikipedia.

Example One: Pharmacy Express

But what does the spam actually LOOK like? and what does it do?

(Click here to see the original email)

Here is an example image from the spam:

In the spam message that used this image, the image was loaded from the URL:

and clicking on the spammed image would take the visitor to:

which contained an auto-forwarder that would have sent the visitor instead to:

Which is a Pharmacy Express pill sales site hosted on

Please note that the URL on "" is a compromised domain, as we discussed in our August blog article Viagra Spammers as Hackers, where compromised domains were used as spam targets and redirected the visitors to a Pharmacy Express domain.

The NOISE in that spam message however, includes links to non-existent images including:

Then there is a block of text, hidden from the email recipient by a "span style" tag that reads:

The variation among the German dialects is considerable, with only the neighboring dialects being mutually intelligible. NYS School of Industrial and Labor Relations. The then-reigning government (cabinet Persson) stated that they would only take into consideration the results of the referendum in Stockholm Municipality. They too have been deaf to the voice of justice and of consanguinity. The country accounts for two-fifths of global military spending and is a leading economic, political, and cultural force in the world. A National Public Radio affiliate, and Public Broadcasting Service television station WPBA 30. Stadiums with a capacity of more than 40,000. New York City at the Open Directory Project. The other professional rugby union team in the city is second division club London Welsh, that plays home matches in the city. A sense of Indonesian nationhood exists alongside strong regional identities.

Mixed in among that text are additional non-existent image tags:

Example Two: Canadian Pharmacy

(Click here to see the original email)

The group above actually hasn't been so troublesome, because we don't bother to resolve every .jpg URL that comes through our spam. The explosion has actually come from the group described in THIS example. In this email there is a large mix of ".php" URLs mixed into the hidden data.

The image displayed in the spam has a randomly created name itself, in this case anchored to the "real" domain "". In this example the graphic file was retrieved as:

but, just as a test, I told my browser to load instead "", a name that I just made up. I get the same image either way. In fact, any machine name with any file name that ends in ".gif" will show you the same graphic if the domain name is "".

The same is true for the URL that you are directed to if you click on the graphic in your spam. Going to "" with any machine name and NO filename will cause the autoforwarder to send you to:

Which looked like this when we visited:

There are currently thirty "real" spammer domains, each of which functions in the same way as the "" domain:

The Pseudo URLs in this email included:

And the same "style span" trick was used to suppress text intended to confuse spam-filtering systems, which in this example read:

Expansion of transportation options encouraged economic expansion. Kahn then founded LightSurf in 1998. Temperate grasslands, savannas, and shrublands. Subtracted from 10, that leaves a result from 1 to 10. After the Cold War, the 86th was realigned to become an Airlift Wing, which it remains today. Just under three quarters of Australia lies within a desert or semi-arid zone. Since this ion is three steps removed from atmospheric CO 2, the level of inorganic carbon storage in the ocean does not have a proportion of unity to the atmospheric partial pressure of CO 2. Japanese Journal of Religious Studies 33. The law went into effect in March 16, 2006, garnering much local and national media attention. Wars involving the Illinois Country, Illinois Territory, and State of Illinois. NGS FAQ - What is a geodetic datum. Archived from the original on 6 July 2010. Australia is also powerful in track cycling, rowing, and swimming, having consistently been in the top-five medal-winners at Olympic or World Championship level since 2000. The SI units for both systems are summarized in the following tables. Time has seen significant improvements in the usability and effectiveness of computer science technology. The ISBN separates its parts (group, publisher, title and check digit) with either a hyphen or a space.
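Both examples above share the same structure: a real image and click-through link on the spammer's wildcard domain, junk image tags pointing at pseudo-hosts, and a block of Wikipedia-style text hidden from the reader by a styled span. A filter that scores the hidden text together with the visible text is exactly what the trick is aimed at, so the useful first step is to pull the parts apart. The following is an added example, not the UAB lab's code: a small parser that separates visible text from hidden text and collects every host referenced by an img or a link (the list that would be fed to the wildcard check described earlier). The HTML is constructed to resemble the Canadian Pharmacy message; the post does not show the actual style attribute, so treating display:none, visibility:hidden and font-size:0 as the hiding techniques is my assumption.

```python
"""Added example (not from the original post): split a spam message into the
text the recipient sees, the text hidden by a styled span, and the hosts
referenced by images and links. The sample HTML is constructed; the hiding
styles checked for are an assumption, since the post does not show them."""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit

HIDING_STYLES = ("display:none", "visibility:hidden", "font-size:0")  # assumption
VOID_TAGS = {"img", "br", "hr", "meta", "input"}  # never have a closing tag


class SpamPartsParser(HTMLParser):
    """Collects visible text, hidden text, and the hostnames referenced by
    <img src> and <a href>, tracking nested hidden elements with a depth counter."""

    def __init__(self) -> None:
        super().__init__()
        self.visible: List[str] = []
        self.hidden: List[str] = []
        self.hosts: List[str] = []
        self._hidden_depth = 0
        self._stack: List[bool] = []  # per open element: did it start a hidden region?

    @staticmethod
    def _is_hidden(attrs) -> bool:
        style = (dict(attrs).get("style") or "").replace(" ", "").lower()
        return any(h in style for h in HIDING_STYLES)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for key in ("src", "href"):
            if a.get(key):
                host = urlsplit(a[key]).hostname
                if host:
                    self.hosts.append(host.lower())
        hides = self._is_hidden(attrs)
        if hides:
            self._hidden_depth += 1
        if tag not in VOID_TAGS:
            self._stack.append(hides)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self._stack and self._stack.pop():
            self._hidden_depth -= 1

    def handle_data(self, data):
        text = data.strip()
        if text:
            (self.hidden if self._hidden_depth else self.visible).append(text)


def split_spam_parts(html: str) -> Dict[str, object]:
    """Return visible text, hidden text, the sorted set of referenced hosts, and
    the share of all text that the recipient never sees."""
    p = SpamPartsParser()
    p.feed(html)
    p.close()
    visible, hidden = " ".join(p.visible), " ".join(p.hidden)
    return {
        "visible_text": visible,
        "hidden_text": hidden,
        "hosts": sorted(set(p.hosts)),
        "hidden_ratio": round(len(hidden) / max(1, len(hidden) + len(visible)), 2),
    }


# Constructed sample shaped like the Canadian Pharmacy message described above:
# a click-through link and image on the spammer's wildcard domain, a junk image
# tag on a pseudo-host, and a hidden block of encyclopedia-style sentences.
SAMPLE_HTML = """<html><body>
<a href="http://abc123.spammer-domain.example/"><img src="http://xyz789.spammer-domain.example/pic.gif"></a>
<img src="http://from.example/img1.jpg">
<span style="display: none">Expansion of transportation options encouraged economic expansion.
<img src="http://are.example/x.php"> Kahn then founded LightSurf in 1998.</span>
<p>Click the image above.</p>
</body></html>"""

if __name__ == "__main__":
    for k, v in split_spam_parts(SAMPLE_HTML).items():
        print(f"{k}: {v}")
```

On the sample the recipient sees one short sentence while over 80% of the message text is hidden, and four distinct hosts are referenced, two of them random labels under the spammer's domain. Scoring the hidden portion separately (or simply treating a high hidden ratio as a feature) removes the benefit the spammer gets from the padding, and the host list is what the per-domain wildcard probe then needs to de-duplicate.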