Tuesday, December 30, 2008

Radical Muslim Hackers Declare CyberWar on Israel

This weekend more than 300 Israeli websites were defaced in a period of 48 hours. In a website "defacement" a hacker breaks into a web server and replaces the original content with his own message. Sometimes the intruder uses that same access to plant a fake banking page (a phishing site) on the compromised server. In other cases the hacker merely boasts about his prowess, much as a graffiti artist paints his name on the side of a train. The current round of defacements is instead part of a Propaganda War.

We've seen this type of Propaganda War before. The original cyber propaganda war was launched by Chinese hackers in May of 2001 after the collision of a Chinese fighter jet with a US Navy plane. Tens of thousands of US websites were defaced by Chinese hackers blaming the US for the incident. More recently the technique has been adopted by Muslim hackers, beginning with the defacement of thousands of Danish and American websites in February 2006 after the publication of cartoons about the prophet Muhammad, and against Israeli and US websites after the bombardment of Lebanon by Israel in August of 2006.

As soon as Israel started bombing Gaza we began to look for signs of a cyber response. And we've found it, in the form of more than 300 Israeli websites which have been defaced with anti-Israeli and anti-US messages.

One interesting aspect of a cyber propaganda war is that it doesn't matter what size the website is, or how important it is. It only matters WHERE the website is, meaning which country it is seen to belong to. In the current situation, the hackers supporting Gaza clearly believe Israel AND the US are culpable. That means American webmasters may wish to be especially vigilant right now.

How do you prevent your webserver being used in the propaganda war?

Webmasters need to decide on a strategy. For many websites, it's enough to have a daily review of your content to ensure that nothing has been changed. For more important websites, it is worth investing in having your website professionally tested for weaknesses.

Many very common exploits can be avoided simply by applying security patches. If your website uses programs which you downloaded from a vendor, check that vendor's website regularly to see whether new versions are available. Many defacements occur when hackers scan for websites running vulnerable software, such as a common PHP application, image gallery, forum software, or other webmaster utilities such as web statistics programs. One quick way to see whether your software has a known security vulnerability is to search the National Vulnerability Database for the name of your product.

We have also seen many websites exploited recently because the webmaster's password has been stolen. As with all passwords, it's important to choose good passwords and change them regularly. It's also important to use a secure method of uploading. Plain "FTP" sends your userid and password in clear text every time you upload your web pages, so anyone able to watch the traffic can capture them. SFTP (the SSH File Transfer Protocol, packaged with most SSH software) or FTPS (FTP over TLS) encrypts the whole session, so your credentials and your files are protected in transit.
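As an added example (not part of the original post, and not any particular product), here is the kind of baseline-and-compare integrity check that the "daily review of your content" above amounts to in practice: hash every file under the web root once after a known-good deployment, then report anything modified, added or removed. The web root, the baseline file name and the sample pages are constructed for the demonstration.

```python
"""Baseline integrity check for a web root: hash every file, save the hashes,
and later report what was modified, added or removed. (Added example; the
paths, file names and page contents below are constructed for the demo.)"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(web_root: Path) -> dict:
    """Map each regular file under web_root (relative POSIX path) to its hash.
    Symlinks are skipped so a planted link cannot make us hash something off-root."""
    files = {}
    for path in sorted(web_root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            files[path.relative_to(web_root).as_posix()] = hash_file(path)
    return files


def save_baseline(web_root: Path, baseline_file: Path) -> None:
    """Write the current snapshot out as JSON. Keep this file somewhere the web
    server account cannot write, or an intruder will simply re-baseline."""
    baseline_file.write_text(json.dumps(snapshot(web_root), indent=1, sort_keys=True))


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into the three lists a webmaster needs to look at."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def check(web_root: Path, baseline_file: Path) -> dict:
    """The daily job: compare the live tree with the saved baseline."""
    return compare(json.loads(baseline_file.read_text()), snapshot(web_root))


def demo() -> dict:
    """Build a scratch web root, baseline it, then simulate a defacement
    (constructed data, not from a real incident) and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "images").mkdir(parents=True)
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "about.html").write_text("<p>About us</p>\n")
        (root / "images" / "logo.gif").write_bytes(b"GIF89a")
        baseline_file = Path(tmp) / "baseline.json"  # in real use: off-box or read-only
        save_baseline(root, baseline_file)

        # Simulated defacement: home page overwritten, a file dropped, a page deleted.
        (root / "index.html").write_text("<h1>Site defaced</h1>\n")
        (root / "shell.php").write_text("<?php /* attacker-dropped file */ ?>\n")
        (root / "about.html").unlink()
        return check(root, baseline_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run save_baseline once after a known-good deployment and check from a scheduled job; any non-empty list is something to look at before your visitors do. Because the script runs on the very server it is checking, an intruder who gains full control can tamper with it, so store the baseline (and ideally the script) somewhere the web server account cannot write.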

I originally posted images from the Propaganda War on this blog, but have already been asked by more than a dozen individuals to remove them. While I don't condone censorship, I also don't want to shock anyone with pictures of disfigured children and threats to destroy the United States.

Some of you WILL have a professional reason to need to see these images. If that is you, please email me, and I will provide you with a private weblink, not affiliated with any official source, only with me personally. Please email gar@askgar.com - and please use the email Subject: Propaganda War, and include why you need to see these images.

Tuesday, December 23, 2008

More than 1 Million Ways to Infect Your Computer

An unknown hacker has been on a Search Engine Optimization rampage, flooding the search engines with more than a million links that lead to his malware. This is the first major "Scareware" infection we've seen since writing about the Federal Trade Commission's action in our December 10th blog post, FTC Moves Against Fake Anti-Virus Scareware.

The current scam takes advantage of the thousands of websites which have a "URL redirect" on them. A URL redirection program allows the website owner to "send you" to another website while keeping track of where you went. They are often used in conjunction with an exit page that says something like "You are now leaving our site and being redirected to a new location. We aren't responsible for the content there." The problem is that many of those redirectors accept any destination at all, so other people can use the trusted site's URL to redirect traffic wherever they like (an "open redirector"). That's what's happening here. A hacker has caused Google to "learn" many of these URLs by planting them on pages all around the Internet.
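To make the weakness concrete, here is an added example (not code from the post, or from any of the sites named in it) contrasting an open redirector with one that only forwards to an operator-approved allow-list. The host names in ALLOWED_HOSTS are assumptions for the demonstration; 00119922.com is the attacker domain the post describes.

```python
"""Open redirector versus allow-listed redirector. (Added example; the
allow-listed hosts are assumptions for the demo.)"""
import re
from urllib.parse import urlsplit

# Hosts the site operator is willing to send visitors to (assumed for the demo).
ALLOWED_HOSTS = {"www.example.com", "partner.example.org"}

# Browsers silently strip tabs/newlines and treat backslash like a slash;
# rather than guess how a given browser will parse such a URL, refuse it.
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def redirect_target_vulnerable(url: str) -> str:
    """What an open redirector does: forwards to whatever the 'url' parameter says.
    ?url=http://00119922.com/ sends the visitor to the scareware site under the
    trusted site's name."""
    return url


def redirect_target_safe(url: str, allowed_hosts=ALLOWED_HOSTS, fallback: str = "/") -> str:
    """Return url only if it is a same-site path or points at an approved host;
    otherwise return a harmless fallback on our own site."""
    if not url or _CONTROL_OR_SPACE.search(url) or "\\" in url:
        return fallback
    # Same-site relative path. "//host/..." is scheme-relative, i.e. off-site.
    if url.startswith("/") and not url.startswith("//"):
        return url
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return fallback            # javascript:, data:, ftp:, bare "//evil.com", ...
    if parts.username is not None or parts.password is not None:
        return fallback            # "https://www.example.com@evil.com/" trick
    host = parts.hostname          # lower-cased, port stripped, None if absent
    if host is None or host.rstrip(".") not in allowed_hosts:
        return fallback
    return url


def demo() -> dict:
    """Show both behaviours on a handful of constructed redirect parameters."""
    probes = [
        "http://www.example.com/page",
        "/account/settings",
        "http://00119922.com/",
        "//00119922.com/",
        "https://www.example.com@00119922.com/",
        "http://www.example.com\t.00119922.com/",
        "javascript:alert(1)",
    ]
    return {p: (redirect_target_vulnerable(p), redirect_target_safe(p)) for p in probes}


if __name__ == "__main__":
    for probe, (open_result, safe_result) in demo().items():
        print(f"{probe!r:45} open-> {open_result!r:45} safe-> {safe_result!r}")
```

The allow-list is the point: a check such as "does the URL contain our domain name" is defeated by the userinfo probe above, while parsing the URL and comparing the host to a short list of approved destinations is not. An alternative that avoids parsing altogether is to store approved destinations server-side and pass only an index or a signed token in the link.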

In the current example, the hacker is using the site "00119922.com", which was registered only on December 19th. More than a million Google hits show that he has seeded redirector links pointing to this site all around the Internet.


Sites like Microsoft.com, IRS.gov, countless media outlets, magazines, universities, and other websites can be found in the search engines in this way. The hackers get these entries into Google by littering tens of thousands of blog comments, guestbook entries, and imaginary blog stories all around the Internet with the redirector links. So, to choose one of the non-pornography related search terms, a hacker has written a program to comment on people's blog entries with a link to:


Now, if someone searches for the phrase "download fruityloops 6 free" (FruityLoops is apparently music mixing software), the Microsoft redirector link comes up in the number one position on Google, because Microsoft's domain carries so much weight with the search engine.

The same technique has been used for many hundreds of phrases associated with pornography and software piracy. Some example search terms (and there are TENS OF THOUSANDS), all of which give you the Microsoft open redirector as the #1 search result on Google:

"microsoft office 2002 download"
"hacking private myspace accounts"
"download runescape password hack"
"xxx rated joke"
"live free hardcore sex cams"


Some of the other sites with open redirectors being targeted by this attacker include: dbrecovery.com, togshop.com, wnbc.com, mrm.mms.gov, countrycurtains.com, portugal-info.net, cyberswim.com, nbcsandiego.com, thebostonchannel.com, thepittsburghchannel.com, hermanstreet.com, viadeo.com, nationalgeographic.com, barronscatalog.com, click2houston.com, lucy.com, wgal.com, rexart.com, kitv.com, bookmatestore.com, attarbazaar.com, titlenine.com, vermontteddybear.com, readthehook.com, theessentials.com, martlmadidebeli-gristianoba.com

Visiting the link redirects the visitor to 00119922.com, which in turn currently redirects the user to netisecurity.com/ws/index.php?affid=04800 (the "affid" parameter is an affiliate identifier that credits the resulting installs to whoever drove the traffic), which pops up a warning:

Clicking "OK" on the warning SEEMS to start a scan of your system, but a closer look shows that you are only watching an animation served from the netisecurity.com website:

When the scan completes, a "Windows Security Alert" seems to pop up, although in reality it is just another part of the netisecurity.com web page:

Clicking the "Remove All" button, which seems the reasonable thing to do, actually prompts the download of "install.exe".

You can review the coverage of "install.exe" on VirusTotal.com. As of this writing, we were the first to submit this file to VirusTotal, where only 5 of 37 antivirus products identified it as malware.

File size: 62505 bytes
MD5...: 2bd950fdb5770ce6a1567f162dfa2679

eSafe and Panda call it "Suspicious file" (they call most things a suspicious file)
Ikarus says it's "Trojan-Downloader.Win32.Delf"
Prevx1 says it's "Malicious software"
TrendMicro calls it "PAK_Generic.001"

The other 32 anti-virus products offered no protection or detection.

install.exe was actually installed from the URL:

After "install.exe" runs, a more professional-looking scanner executes. On our system the full product was installed under the logged-in user's Documents and Settings folder as "1626125795\1300463089.exe". There were files in that directory indicating that a keylogger was active.

At the completion of the full scan, a new warning asked if we would like to "Remove all threats now" or "Continue unprotected".

Choosing "Remove all threats now" invites us to purchase the product for $51.45.

Refusing to purchase the software results in two kinds of annoyance constantly popping up. One warns, in a full pop-up window, that a worm is trying to steal my credit card:

while the other is just a task bar reminder of the same thing:

Hopefully the FTC will take swift action to shut down this ring. In the meantime, there is a very real chance that your search engine results may contain links to this newest round of scareware. Surfers beware!


Microsoft has closed the Open Redirector which was being abused by the pages above. Clicking one of the Microsoft pages indicated in the Google search above will now take you to a safe page stating that the page was not found, and then forwarding you to a Microsoft search page. Thanks to Microsoft for such a quick response once the problem was pointed out to them.

Monday, December 22, 2008

Trusted Internet Connections (TIC): Gated Communities and Ostriches

Various colleagues at InfraGard and elsewhere have been hitting my telephone and email inbox asking my thoughts on the "Securing Cyberspace for the 44th Presidency" report, and on the Comprehensive National Cyber Security Initiative (CNCI), established by National Security Presidential Directive 54 and Homeland Security Presidential Directive 23. I agree with my friend Joseph Concannon that these are things we should all be discussing and reacting to.

I'd like to start with one of the CNCI initiatives that has been widely discussed, the Trusted Internet Connections (TIC) initiative, by asking some questions about it. The initiative was announced publicly in this Memo for Heads of Executive Departments and Agencies from the Office of Management and Budget's Clay Johnson. The memo requires each agency to develop a "comprehensive plan of action and milestones" to reduce its number of Internet connections, with the goal of having the entire federal government use only fifty Internet points of presence. The plan is similar to another DHS initiative, which holds that building a fence across the US-Mexico border will make it easier to secure the border. TIC works in exactly the same way: with only fifty points of access, it becomes easier to see what goes in and out of the government's networks.

In the physical world we have the same concept in the Gated Community, and many of the same advantages and disadvantages can be expected here. Among the advantages: we can better control who comes into our communities, and even those who are allowed in leave a clear record of their visit, in the form of video surveillance at the gate checkpoints and often a visitor log kept by the security guards who man the gates. These are exactly the advantages intended by the DHS Einstein III program, currently being used by at least 13 Federal agencies.

For an excellent discussion on Gated Communities and their roles in Security and Crime Prevention, please see "Public Places, Urban Spaces" by Matthew Carmona. Carmona's book is not primarily about Gated Communities, but rather about the decisions that should be considered as urban spaces are planned or designed.

Carmona argues that the design or an Urban Space should be seen in the context of Local, Global, Market, and Regulatory considerations, and must then take into consideration issues in the categories of Morphological, Perceptual, Social, Visual, Functional, and Temporal considerations.

The disadvantages usually raised about the creation of Gated Communities typically begin with class segregation, and the annexation of previously public property for the benefit of the relatively small subset of society that paid to create it. Even when the now-segregated resources are opened to "public use" during the day, the privacy concerns commonly voiced about "surveillance societies" may make some citizens hesitate to visit them.

It strikes me that very few of Carmona's design considerations were taken into account as the Trusted Internet Connection program began. Take the Perceptual considerations, for example: will my visits to government-provided web resources now be monitored in a more comprehensive way? Will Einstein be learning and recording my interactions with the government, much as the Gated Community security guard asks the name of the person I am visiting before allowing my vehicle to enter?

What message should the rest of the Internet take from the Federal government's decision that the way to be safe on the Internet is to restrict public access to a few carefully monitored Internet points of presence? As someone who designs network security for clients, I have to agree that the theory is sound. One of the first exercises I engage in with a client is to identify every possible path in and out of their network, and what methods of securing and monitoring each of those paths are currently in use.

But how does this message square with the Department of Homeland Security's responsibility to protect our Nation's Critical Infrastructures? Before DHS was created, a multi-agency partnership administered by the FBI existed under the auspices of the National Infrastructure Protection Center (NIPC). The NIPC Watch & Warn desk was the fastest single place to check on the status of any threat to our Nation's Critical Infrastructures, including the Cyber infrastructure. Now, for Cyber matters, we have US-CERT.

The United States Computer Emergency Readiness Team (US-CERT) is a partnership between the Department of Homeland Security and the public and private sectors. Established in 2003 to protect the nation's Internet infrastructure, US-CERT coordinates defenses against and responses to cyber attacks across the nation.
Source: http://www.us-cert.gov/aboutus.html

Interestingly, the mission of US-CERT is *NOT* to protect Federal Agencies, but rather to protect "the nation's Internet infrastructure", the vast majority of which will be on the OUTSIDE of the wall being built by the Trusted Internet Connections initiative. The program is rolling forward; the first contract was announced in the December 18th DHS Daily Report, which stated:

The General Services Administration announced on Monday that AT&T has been awarded the first contract to deliver secure Internet connections to federal agencies via the Networx Universal telecommunications program. AT&T will offer Managed Trusted Internet Protocol Services under the Office of Management and Budget’s Trusted Internet Connections initiative, announced in November 2007. The goal is to reduce the number of Internet connections in the federal government to fewer than 100 in 2009; the exact deadline has yet to be determined. “GSA has provided resources to assist the successful implementation of the TIC initiative and made information systems security a priority in their strategic plans,” said the OMB administrator for e-government and information technology. “Fewer external connections mean fewer vulnerabilities and better secured networks.” Networx Universal is an indefinite delivery, indefinite quantity contract vehicle with a ceiling of $48.1 billion over 10 years. Combined with Networx Enterprise, it is the federal government’s largest telecommunications program. AT&T’s latest offering will include a system to detect computer network intrusions as well as a security operations center to protect agencies’ networks. GSA still is evaluating secure Internet connection proposals from Verizon and Qwest Communications, the other two vendors on Networx Universal.

(the DHS report quotes: http://www.nextgov.com/nextgov/ng_20081216_1938.php Gautham Nagesh)

What does this strategy mean for the rest of us? As with Gated Communities, one of the disadvantages is that those of us OUTSIDE the gates feel (or actually are!) disenfranchised. What does it mean for the Critical Infrastructures that are "outside the fence"? Should, for instance, the banking industry be looking into building its own Trusted Internet Connections program that serves only its industry? With price tags such as the one given above, it may be that only the government can afford to be secure. What does that say about the strategy as a means of protecting ALL of us?

Wednesday, December 10, 2008

FTC Moves against Fake AntiVirus "ScareWare" companies

Microsoft may be getting all the press this month about Fake Antivirus products, but the Federal Trade Commission deserves some high praise as well. We'll get to the FTC below, but first I want to point out that most of the press coverage I've seen of the Microsoft announcement focused on Spectacular Big Numbers instead of on the actual facts in the announcement.

Microsoft and Fake AV Products

During the first half of 2008, Microsoft removed almost 9 million copies of Win32/Zlob from infected computers, more than twice as many as any other threat. In their Security Intelligence Report 5 they described Zlob infections like this: "Once installed on the target computer, Zlob bombards the user with pop-up advertisements and fake 'spyware warnings' that are actually advertisements for rogue security software". An especially prevalent way to get Zlob during that period was to be prompted to install a missing Codec or Video player when visiting a site advertised in a spam message.

On November 19th, Microsoft announced that their Malicious Software Removal Tool could now remove the newest batch of fake antivirus products, and that in the first 9 days of the new release it had removed 994,061 of these fake products, which they refer to collectively as Win32/FakeSecSen. The announcement came from the Microsoft Malware Protection Center's Threat Research & Response Blog, which revealed that 548,218 of those 994,061 machines were in the United States. For every 1,000 machines they scanned, five HAD BEEN infected with a fake Antivirus product.

Wait, HAD BEEN? Yes. The blog goes on to point out that of those 994,061 machines detected as infected, only 198,812 had an ACTIVE infection including the "main .exe". The other 795,000 or so had already had the infection declawed, either manually or by another anti-virus program, but residual files from the former infection were still present. In other words, the MILLION MACHINES CLEANED was really TWO HUNDRED THOUSAND MACHINES DISINFECTED and EIGHT HUNDRED THOUSAND CLEANED UP A LITTLE BIT MORE THAN THEY ALREADY HAD BEEN. By comparison, the real danger may be Renos, where 565,000 machines were actually disinfected. But what is Renos? Win32/Renos is a family of trojan downloaders that install fake AV products. After the blog post was published, the Analysis section of the Win32/Renos entry was updated to say "On November 19th a signature for TrojanDropper:Win32/Renos.N started detecting particular uninstall files. This incorrect detection affects users of all Microsoft Antivirus solutions." This was fixed in the December MSRT, but one has to wonder how many of the amazing number of Renos infections were due to this false positive.

The most recent batch of fake products, covered by Win32/FakeSecSen, has a great collection of screen shots of the various fake products on the "Analysis" tab, including Micro Antivirus 2009, MS Antivirus, Spyware Preventer, Vista Antivirus 2008, Advanced Antivirus, System Antivirus 2008, Ultimate Antivirus 2008, Windows Antivirus, XPert Antivirus, and Power Antivirus.

Special Note:
Reports of rogue Antivirus programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs, such as Trojan:Win32/Antivirusxp and Program:Win32/FakeRednefed may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products. These products may represent themselves as “Antivirus XP”, “AntivirusXP 2008”, “WinDefender 2008”, “XP Antivirus”, or similar.

(from the Microsoft Malware Protection Center).

Earlier versions of MSRT also detected fake anti-virus products, primarily under the names Win32/FakeXPA and Win32/SpySheriff, the former detecting mostly "Microsoft look-alike products" while the latter covered many of the first fake protection products, including BraveSentry, DiaRemover, MalwareAlarm, Mr. AntiSpy, PestTrap, PestWiper, SpyMarshal, SpySheriff, and SpyTrooper. An intermediary version was called Win32/FakeXPA.

The FTC and Fake AV

OK, with that as background, let's agree that millions of computers have been infected with various brands of fake security products and look at the FTC action.

On December 10th, the FTC released a Consumer Alert entitled:

"Free Security Scan" Could Cost Time and Money
Messages telling you to install and update security software for your computer seem to be everywhere. So you might be tempted by an offer of a “free security scan,” especially when faced with a pop-up, an email, or an ad that claims “malicious software” has already been found on your machine. Unfortunately, it’s likely that the scary message is a come-on for a rip-off.
The free scan claims to find a host of problems, and within seconds, you’re getting urgent pop-ups to buy security software. After you agree to spend $40 or more on the software, the program tells you that your problems are fixed. The reality: there was nothing to fix. And what’s worse, the program now installed on your computer could be harmful.
According to attorneys at the Federal Trade Commission (FTC), the nation’s consumer protection agency, scammers have found ways to create realistic but phony “security alerts.” Though the “alerts” look like they’re being generated by your computer, they actually are created by a con artist and sent through your Internet browser.

The full text of the FTC Consumer Alert is available as a PDF and as an HTML version.

More importantly, they requested and received a temporary restraining order from the U.S. District Court for the District of Maryland. In this action they accuse five people of running two companies responsible for most of these fake products, and a sixth of receiving funds from the scam.

Under the FTC Act, 15 U.S.C. § 45(a), the Federal Trade Commission is in charge of enforcing the prohibition against "deceptive or unfair acts or practices in or affecting commerce." As part of that enforcement the FTC has the right to "secure such equitable relief as may be appropriate in each case, including restitution for injured consumers, consumer redress, and disgorgement" (15 U.S.C. § 53(b)).

The companies being targeted here are:

"Innovative Marketing", a company incorporated in Belize with offices in Kiev, Ukraine, which has done business as Billingnow, BillPlanet PTE Ltd., Globedat, Innovative Marketing Ukraine, Revenue Response, Sunwell, Synergy Software BV, Winpayment Consultancy SPC, Winsecure Solutions, and Winsolutions FZ-LLC.


"Bytehosting Internet Services", an LLC registered in Ohio with an office at 3864 McMann Road, Suite A, Cincinnati, Ohio.

The charge is that their business practice was "a massive Internet-based scheme that tricks consumers into purchasing computer security software" which exploited consumers' "legitimate concerns about Internet-based threats like spyware and viruses by issuing false security or privacy warnings to consumers for the sole purpose of selling software to fix the imagined problem". After running a simulated "Free scan", the software would claim to have detected "a host of malicious or otherwise dangerous files and programs, including viruses, spyware, or illegal pornography", and encourage the consumer to download their product to fix it. The downloaded products would run another scan, and then urge the consumer to spend $39.95 to solve the problem by buying "the full version".

(emphasis, and all those nice "!!!!!" added by the blogger)

These guys are the ones who have been making the money, all the way back to 2003, selling products including but not limited to WinFixer, WinAntivirus, DriveCleaner, WinAntiSpyware, ErrorProtector, ErrorSafe, SystemDoctor, AdvancedCleaner, Antivirus XP, XP Antivirus 2008, etc.

While most of us know these products as they are delivered by viruses, the defendants actually paid for advertising as well. Just one of the defendants purchased $3.3 million in advertisements from the MyGeek network (now known as AdOn) between October 2004 and November 2006. The ads were displayed more than 680 million times!

After MyGeek began refusing to run their ads, the defendants created their own fake advertising agencies, such as Burn Ads, Preved Marketing, AdTraff, NetMediaGroup, and Uniqads, which approached websites offering a share of the advertising revenue. These fake agencies claimed to represent legitimate advertisers such as CareerBuilder.com, Frontgate, Travelocity.com, Priceline.com, and others. The ads were cloaked: when viewed from IP addresses belonging to their business partners they always showed the legitimate companies' advertisements, but when viewed from outside IP addresses the ads for the fake scanners were displayed instead.

Because the publishers believed they were doing business with legitimate advertising companies, the ads found their way onto sites such as the Major League Baseball and National Hockey League sites, the National Association of Realtors, the Economist magazine, and others.

The defendants are:

James Reno (Bytehosting), who ran "setupahost.net". Reno provided contracts with some of these ad-distribution vendors, ran Bytehosting, and provided the Call Center which supposedly took tech support calls about their products. Part of the call center's job was to obstruct and delay consumers from obtaining refunds by misleading them about the nature of the scan, or telling them a refund had already been issued to them, when it had not. Almost all of Bytehosting's revenue came from Innovative Marketing.

Sam Jain (Innovative Marketing), who resided in California. Jain is the CEO of Innovative Marketing, and co-founded the company in 2002. A large financial investor in the company, Jain handled much of the marketing and sales, and worked out the relationship with companies to take their credit card payments.

Daniel Sundin (Innovative Marketing), who resided in London, England. Sundin ran Vantage Software and Winsoftware, Ltd. He was also the COO and is now CTO of Innovative Marketing. He set up the company headquarters in Kiev, and also opened facilities in Argentina and India. His old company, Vantage Software, paid for many of the original domain names, such as Winfixer.com, DriveCleaner.com, WinAntivirus.com, and SystemDoctor.com. The foreign banking is handled by Sundin.

Marc D'Souza (Innovative Marketing), who resided in Toronto, Canada. D'Souza ran Web Integrated Net Solutions. D'Souza took over the role of working on the credit card payment processor relationships. He and his father Maurice established numerous merchant accounts with payment processors around the world to clear their cards, which was hard to maintain because of the very high level of chargebacks and complaints from consumers. Marc and his father each retained "millions of dollars in proceeds" in their bank accounts. They are no longer associated with Innovative Marketing and are the subject of a lawsuit in Canada where Innovative Marketing claims they have embezzled millions of their dollars.

Kristy Ross (Innovative Marketing), who resided in Maryland. Ross was the marketing person, responsible for placing millions of dollars worth of false and misleading advertisements. Despite warnings on multiple occasions that the ads were exploitive and deceitful, she continued to place these ads.

Maurice D'Souza, who resided in Ontario, Canada and received "ill-gotten funds" from his son Marc (see above).

The FTC action includes a "Prayer for Relief" which requests that the court award "such relief as necessary to redress injury to consumers resulting from the Defendants' violations of the FTC Act, including but not limited to, rescission or reformation of contracts, restitution, the refund of monies paid, and the disgorgement of ill-gotten monies." They also ask that the court preserve and return funds and property that the defendants hold or have purchased with their ill-gotten gains or proceeds.

For more details on the case, please see:


which includes links to the:

Ex Parte Temporary Restraining Order
Complaint for Injunctive and Other Equitable Relief

Tuesday, December 09, 2008

Securing Cyberspace in the 44th Presidency: Part Two

Yesterday I provided some context for the Center for Strategic and International Studies report, which was published that same day:

Securing Cyberspace for the 44th Presidency

The co-chairs of the committee, which was directed by James Lewis, were:
Representative James R. Langevin
Representative Michael T. McCaul
Scott Charney, Microsoft
Lt. General Harry Raduege, USAF (Ret)

I'll leave the interested reader to read the full list of committee members from Appendix A, but I was pleased to see many active voices for Cybersecurity and Information Sharing among them, including many that I met through InfraGard! Just to name a few, Peter Allor (who was presenting at an InfraGard National Conference when I met him, the day ISS became IBM ISS), Jerry Dixon, former NCSD for DHS and now the VP of Government Relations for InfraGard, Greg Rattray, who was the Director for Cyber Security on the White House National Security Council staff before there even was a DHS (and an advisor to InfraGard's National Board), Tom Kellerman (a New York InfraGard member) who worked closely with the World Bank, Paul Kurtz, Marcus Sachs of SANS Internet Storm Center (and Verizon), Phyllis Schneck who has been active in InfraGard for more than my own seven years, Michael Vatis, who led the NIPC back when InfraGard was partnered with their National Infrastructure Protection Center efforts, Amit Yoran, who was the original NCSD, and spoke at the June 2004 InfraGard National Conference.

The report consists of seven major chapters, which are bookended by the concept that we are in a Hidden War, and that we need to WIN the Hidden War.

The Introduction compares our current status to "the invisible struggle" between Britain and Germany over Ultra and Enigma.

The United States is in a similar situation today, but we are not playing the role of the British. Foreign opponents, through a combination of skill, luck, and perseverance, have been able to penetrate poorly protected U.S. computer networks and collect immense quantities of valuable information. Although the most sensitive U.S. military communications remain safe, economic competitors and potential military opponents have easy access to military technology, intellectual property of leading companies, and government data. These potential opponents have not hesitated to avail themselves of the opportunities presented by poor cybersecurity.

America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009. It is, like Ultra and Enigma, a battle fought mainly in the shadows. It is a battle we are losing.

Summary of Recommendations

  • Create a Comprehensive National Security Strategy for Cyberspace
    • Presidential statement that cyberspace is a vital asset and that the United States will protect it
    • Create a National Office for Cyberspace (NOC) within the Executive Office of the President
    • Open discussion on how best to secure cyberspace

  • Organizing for Cybersecurity
    • Establish a Cybersecurity Directorate in the National Security Council
    • Support it from the new NOC, which should absorb the National Cyber Security Center and the Joint Inter-Agency Cyber Task Force
    • NOC assumes additional responsibilities, including FISMA
    • Three new Public-private advisory groups
    • Continue DHS US-CERT relationships with all federal agencies

  • Rebuilding Partnership with the Private Sector
    • creation of three new public-private agencies

  • Regulate for Cybersecurity
    • Task the NOC to work with appropriate regulatory agencies to secure critical cyber infrastructures

  • Secure Industrial Control Systems and SCADA
    • NOC should work with NIST to develop Industrial Control System standards
    • NOC should continue to determine the extent to which government-owned infrastructure is secure from cyber attack

  • Use Acquisitions Rules to Improve Security
    • NOC and CIO Council should develop and implement security guidelines for IT procurement
    • NSA and NIST should reform National Information Assurance Partnership
    • Secure Internet protocol use should be increased.

  • Manage Identities
    • US should make strong authentication, including "robust in-person proofing" mandatory for critical cyber infrastructures
    • US should allow use of strong government-issued credentials for online activities
    • FTC should protect consumers by requiring businesses to use strong credentials for online activities
    • government agencies not using HSPD-12 compliant credentials after one year should have bonuses or awards restricted

  • Modernize Authorities
    • DOJ should reexamine statutes governing online crime and investigations to increase clarity, speed investigations, and better protect privacy
    • the Attorney General should issue guidelines for cyber incident response by law enforcement, military, or intelligence authorities.

  • Revise FISMA
    • Congress should rewrite FISMA to use performance-based measurements of security

  • End the Division Between Civilian and National Security Systems
    • legislation should be proposed that adopts risk-based approach to all federal computer security

  • Conduct Training for Cyber Education and Workforce Development
    • NOC and OPM should create training programs and career paths to enhance the federal cyber workforce and work with NSF to develop national education programs

  • Conduct Research and Development for Cybersecurity
    • NOC and Office of Science and Technology Policy should provide overall consideration of cybersecurity R&D. The US should increase its investment in longer-term R&D designed to create a more secure cyber ecosystem.

A summary at the beginning of the report gives 25 recommendations.

One of the recommendations is DO NOT START OVER.

"Let us be clear on the Bush administration's Comprehensive National Cybersecurity Initiative (CNCI): It is good but not sufficient. The next administration should not start over; it should adopt the initial efforts of the initiative, but it should not consider it adequate."

Regarding DHS, the report states:

We had a long and impassioned debate within the Commission over DHS's roles and responsibilities. Many felt that leaving any cyber function at DHS would doom that function to failure. ... The nature of our opponents, the attacks we face in cyberspace, and the growing risk to national and economic security mean that comprehensive cybersecurity falls outside the scope of DHS's competencies. DHS is not the agency to lead in a conflict with foreign intelligence agencies or militaries or even well-organized international cyber criminals.

Securing cyberspace is no longer an issue defined by homeland security or critical infrastructure protection. This is far too narrow a scope.

As a Computer Forensics Researcher, of course I appreciated the call in the section "Expand and Focus Research and Development for Cybersecurity":
The federal government plans to spend about $143 billion in 2009 on R&D. We estimate that two-tenths of 1 percent of that will go to cybersecurity. To put this in context, the president's fiscal year 2009 budget requests $29.3 billion for life science research, $4.4 billion for earth and space science, $3.2 billion for the Advanced Energy Initiative, $2.0 billion for the Climate Change Science Program, and $1.5 billion for nanotechnology. The National Information Technology R&D (NITRD) programs will receive $3.5 billion. Cybersecurity R&D will receive about $300 million.

The report recognizes that many others, including the new Comprehensive National Cyber Initiative, have called for an increase in Cyber Security Research funding, but points out that much of what we have at NITRD "exists largely as a passive compilation of R&D activities by the NSF and various funding agencies rather than a driver of an aggressive research agenda."

Monday, December 08, 2008

Fake UMB Banking Demo leads to Password theft

Our Digital Certificate friends have started a new spam campaign. After several days of targeting ClassMates.com with a fake video, they are now targeting UMB Bank with an online banking "Demo video", similar to the one we saw against Bank of America two weeks ago.

The emails look like this:

Update December 08, 2008.

Experience Digital Banking News for yourself.
Want to know how quick, easy and safe our online banking service is today?
You can view our demo of the service, which is ideal for those times when you’d like more detailed information.
The Demo requires Macromedia Flash Player.

Proceed to view UMB System Demo>>

Sincerely, Janie Howe.
Copyright 2006, 2007, 2008. UMB Financial Corporation. All Rights Reserved.

The webpage that the current spam points out looks like this:

Of course the video is fake. Trying to play it (or even just visiting the site) prompts you to download a fake Adobe Player upgrade, which is actually malware designed to steal login credentials.

Stolen credentials for any website where you log in, as well as FTP logins, ICQ logins, and IMAP and POP email logins, are passed to the criminal's computer in Ukraine using strings that look like these:


The first five domains we saw used against UMB Bank were:


These domains were created TODAY through the registrar BizCN.com. This group usually has more domains than that, and we expect more are being created as I type. We've seen about 100 spam emails for this campaign so far.

The nameserver for these domains, "ns1.panelhosts.com", was also registered today, using this fake contact information:

Registrant Contact:
Marleyne Ash ash@aol.com
8524588488 fax: 8524588488
111 145 E. 93 St.
Brooklyn NC 11212

Subjects seen so far with this spam campaign:

  • UMB Bank Demo Tour - Do you have a specific question?
  • UMB Bank Demo Tour - Experience Digital Banking for yourself
  • UMB Bank Demo Tour - Explore Digital Banking
  • UMB Bank Demo Tour - Find out when you take a virtual tour.
  • UMB Bank Demo Tour - Our Web site was designed
  • UMB Bank Demo Tour - Run through this easy-to-use demo.
  • UMB Bank Demo Tour - See just how easy and useful online banking with UMB is
  • UMB Bank Demo Tour - Simply select the style of demo you'd like to view
  • UMB Bank Demo Tour - Take a tour
  • UMB Bank Demo Tour - Try our helpful 'Got a question?'
  • UMB Bank Demo Tour - Want to know how quick and easy our online banking service is?
  • UMB Bank Demo Tour - We've got a demo for you.
  • UMB Bank Demo Tour - Whether you're new to online banking
  • UMB Bank Demo Tour - You can also view our demo of the service
  • UMB banking system changes that you should know about
  • UMB NEW DEMO ACCOUNT - This unique service is offered exclusively to UMB Premier customers.
  • UMB NEW DEMO ACCOUNT - To begin demo, click the forward arrow or jump to a section with the menu to the right.
  • UMB NEW DEMO ACCOUNT - UMB NEW DEMO ACCOUNT - To try the online banking demo
  • UMB NEW DEMO ACCOUNT - Welcome to the demo for Global View!
  • UMB Premier DEMO ACCOUNT - from securely accessing your account information to paying bills to creating reports.
  • UMB Premier DEMO ACCOUNT - how to access your accounts, set up bill payees, transfer funds, and more!
  • UMB Premier DEMO ACCOUNT - how you can use UMB Online Banking
  • UMB Premier DEMO ACCOUNT - Online Banking and Bill Pay Demo
  • UMB Premier DEMO ACCOUNT - Online Banking Demo "
  • UMB Premier DEMO ACCOUNT - The Demo requires Flash Player, available at no cost from Macromedia.
  • UMB Premier DEMO ACCOUNT - Try it! View our interactive Demo to learn more
  • UMB Premier DEMO ACCOUNT - Use it! View our Guide for helpful step-by-step instructions
  • UMB Premier DEMO ACCOUNT - You can download and save the entire Guide, then print the pages you want.

The path name for the fake video is:


The initial malware drop is a file called:


The file had not previously been uploaded to VirusTotal.

VirusTotal detections were: 17 of 38

File size: 3169 bytes
MD5: 1165b5ef89c61f8f61d3b1d91b374c9c

Strings in that malware indicate that the second-stage malware will probably be loaded from:


The Adobe2 file had also not been previously uploaded to VirusTotal.
Another interesting string was C:\m_unpacker\packed.exe

VirusTotal Detections were: 3 of 38
File size: 36864 bytes
MD5: 4cc95326ed31689a50ca395eda99e8b7

Adobe2.exe sends all of its stolen data to:

Gee, does that sound familiar to anyone?

As before, this is an advanced password stealer, grabbing web form, ICQ, POP3, and FTP passwords.

The spammed emails advertise domains which are being served from fast-flux IP addresses. For example, the current IPs are:

When we look at which domains have recently resolved to some of these IPs, we confirm that they have been used for a bunch of badness, including the Classmates malware. One of them, for instance, has hosted:

tempdir.cz <== Citibank phish domain

axknm.cn <== Google AdWords domain
bmspeedlab.org <== BMS Money Mule recruitment
bumotor.org <== BMS Money Mule recruitment
bumospo.com <== BMS Money Mule recruitment
bumospe.tk <== BMS Money Mule recruitment

You'll never believe this! BMSpeedLab.org has a Vacancy for a Regional Financial Representative!!!!

You will be paid a 10% commission out of every customer payment you handle for "Coordinating customer payments using your bank account".

Previous blog posts related to this malware family, which has previously targeted customers of: BancorpSouth, Bank of America, Bank of the West, CapitalOne, CareerBuilder, Chase Bank, Classmates.com, Colonial, Comerica, Eastern Bank, Google Adwords, Key Bank, LaSalle Bank, Merrill Lynch, M&I Bank, OceanBank, OpenBank, RBC, SunTrust, TD BankNorth, UMB, Wachovia, as well as abusing the Presidential election:

Nov 26th: Bank of America "Video Demo"

Nov 7th: McCain Video:

Nov 6th: Colonial Bank "Digital Certificate"

Nov 5th: Obama Acquisition Speech

Nov 4th: Wachovia/Wells Fargo Merger

Oct 31st: LaSalle Bank of America acquisition

Sep 23rd: Google Adwords

Aug 30th: Bank of America, SunTrust, TD BankNorth "Digital Certificate"

May 9th: Merrill Lynch "Digital Certificate"

May 6th: Merrill Lynch, Comerica, Colonial Bank "Digital Certificate"

Securing Cyberspace in the 44th Presidency: Part One

This morning's BusinessWeek headline blares U.S. Is Losing Global Cyberwar, Commission Says. The Commission's solution? Create a new "Center for Cybersecurity Operations".

Co-chaired by James R. Langevin, Michael McCaul, and Microsoft's VP of Trustworthy Computing, Scott Charney, the Commission was established in October 2007 with the full name being "the Center for Strategic and International Studies' Commission on Cybersecurity for the 44th Presidency". Langevin describes it as being "a non-partisan commission composed of approximately 30 renowned cybersecurity experts, both in and out of government, from across the country.

This is a Two Part posting. In today's Part One we'll be reviewing the "where are we?" - the historical background of recommendations that lead to the need for this Commission and its Recommendations. Tomorrow we'll look at the recommendations themselves.

The Commission briefed the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the House Committee on Homeland Security back on September 16, 2008. (The hearings were webcast, and the prepared testimony of the various witnesses, as well as reports from David Powner's excellent team at the Government Accountability Office, are available on the Committee's Hearings page.)

Homeland Security Committee Chairman, Rep. Bennie G. Thompson, opened his portion of the hearing with a scathing review of previous failures in this area, including the fact that the 2002 "National Strategy to Secure Cyberspace" presented problems but mandated no changes, the fact that Richard Clarke's position in the White House as Advisor on Cybersecurity was eliminated in 2003, and the fact that the position of the Congressionally mandated DHS Assistant Secretary for Cybersecurity was unfilled for more than a year, and then "buried four levels down in the bureaucracy."

Thompson makes it clear in his remarks: "So many years we've been at it, and we're still so far away. As the Chairman of the Homeland Security Committee, with oversight over this Department, I want to state clearly and for the record -- that is unacceptable to me."

For this blogger, I believe that for nearly six years the road to Cybersecurity has crawled forward with many fits, bumps and starts, but that 2008 has been a year where some significant new improvements have begun. I'm VERY excited about the new NCSD, especially his law enforcement background and training and active duty as an "ECSAP Agent" (Electronic Crimes Special Agent Program) for the US Secret Service, and I'm VERY excited about the twelve part National Cyber Security Initiative, especially after hearing more about the details first in Tallahassee at the Florida Government Technology Conference, and then last week as news from the Burton Group briefing keynoted by Steve Chabinsky, Deputy Director, Office of the Director of National Intelligence shared more details of the plan.

These things give me hope.

Back to the Commission though . . . the stage was set at the House Committee on Homeland Security by first reviewing the state of DHS Cybersecurity Initiatives.

David Powner, Director of Information Technology Management Issues for the Government Accountability Office, set the stage for the Commission's report with his testimony (available as GAO-08-1157T, CRITICAL INFRASTRUCTURE PROTECTION: DHS Needs to Better Address Its Cybersecurity Responsibilities). Powner says that over the years the 30 recommendations made to DHS in this area by his team fell into six key areas:

  1. Bolstering cyber analysis and warning capabilities.
  2. Reducing organizational inefficiencies.
  3. Completing actions identified during cyber exercises.
  4. Developing sector-specific plans that fully address all the cyber-related criteria.
  5. Improving cybersecurity of infrastructure control systems.
  6. Strengthening DHS's ability to help recover from Internet disruptions.

GAO further identified 13 "DHS Key Cybersecurity Responsibilities" (see the full PDF for more detailed descriptions)

  • Develop a national plan for Critical Infrastructure Protection that includes cybersecurity.
  • Develop partnerships and coordinate with other federal agencies, state and local governments, and the private sector.
  • Improve and enhance public/private information sharing involving cyber attacks, threats, and vulnerabilities.
  • Develop and enhance national cyber analysis and warning capabilities.
  • Provide and coordinate incident response and recovery planning efforts.
  • Identify and assess cyber threats and vulnerabilities.
  • Support efforts to reduce cyber threats and vulnerabilities.
  • Promote and support research and development efforts to strengthen cyberspace security.
  • Promote awareness and outreach.
  • Foster training and certification.
  • Enhance federal, state, and local government cybersecurity.
  • Strengthen international cyberspace security.
  • Integrate cybersecurity with national security.

The GAO testimony referred heavily to three previous reports where other DHS Cyber recommendations have been made:

GAO-08-588: CYBER ANALYSIS AND WARNING: DHS Faces Challenges in Establishing a Comprehensive National Capability July 2008 (67 page PDF)

GAO-08-825: CRITICAL INFRASTRUCTURE PROTECTION: DHS Needs to Fully Address Lessons Learned from Its First Cyber Storm Exercise September 2008 (39 page PDF)

GAO-08-1075R: Federal Legal Requirements for Critical Infrastructure IT Security September 16, 2008 (72 page PDF)

Thursday, November 27, 2008

Mumbai Bombings: Coordinated Bombings in India are Nothing New

The Mumbai bombings are getting non-stop coverage on all the news channels this morning, but they seem to be missing one really crucial element that anyone who does terrorism research could easily point out:

Coordinated Bombings in India are Nothing New!

The only thing new here is the targeting of westerners.

For those who are coming to this realization recently, please forgive a diversion from our normal Cyber Crime topics to explain.

The most telling revelations about the current bombing will be to see the construction of the bombs, and none of the media outlets has that level of information right now.

The National Security Guard's National Bomb Data Centre has statistics on bombings in India. During 2007 there were 376 IED blasts and a total of 530 bombing incidents in 2007.

October 30, 2008 - The Assam Bombings

10 - 18 blasts kill 84, 470 injured

In the city of Guwahati, Assam, crowded shops in Pan Bazar and Fancy Bazar were hit with grenade attacks, while a car bomb went off at Ganeshguri. 41 were killed in Guwahati, 21 in Kokrajhar, and 15 in Barpeta. The explosions all occurred within 15 minutes, and Assam police chief Mathur says most of the bombs were planted in cars. While the original attack was claimed by "Islamic Security Force-Indian Mujahideen" via text message, and original attribution was assigned to the Harkat-ul-Jihad-al-Islami (HuJI), investigations later focused on the National Democratic Front of Bodoland (NDFB), a separatist group seeking an independent state for the Bodo people. As the investigations unfolded, it became clear that there were actually three terror groups working together here: the ULFA (the United Liberation Front of Asom), the NDFB, and HuJI. These groups were united as a result of "Operation All Clear", which destroyed more than 30 terrorist camps in the southeastern area of Bhutan. While the Indian Chief of Army Staff, General N.C. Vij, claims that more than 650 militants were neutralized during Operation All Clear, more than 2,000 other militants from these camps scattered to fight another day.

For more on Operation All Clear, see Praveen Kumar's article in "Strategic Analysis", External Linkages and Internal Security: Assessing Bhutan's Operation All Clear (21 page PDF).

Arrests in the Assam bombings continued as recently as last week, when Dipak Basumatary was identified as the NDFB Lieutenant behind the serial bombing. Investigators into the bombing shared details about the bomb according to the South Asia Terrorism Portal. (SATP has the hands-down best publicly available data on India's Terrorist groups)

The investigating agencies had found clues that ULFA and NDFB carried out the Assam serial blast of October 30 with the help of Bangladesh-based HuJI. "We have found that the Bangladesh-based HuJI has provided the expertise to ULFA and NDFB as none of them has the technology to explode such devastating bombs which claimed 84 lives," a Home Ministry official said. Home Ministry sources also added that the government is worried over the fact that the northeast militants has started using a deadly mixture of RDX, ammonium nitrate and plasticised explosives to carry out explosions which led to greater casualties which was never seen in the past. Though the operation was masterminded by HuJI at the behest of the ISI, the NDFB and ULFA had provided logistical support.

-- see Incidents Involving NDFB

Sep 13, 2008 - New Delhi Bombings

5 bombs kill 30 and injure 100+

Five small bombs went off in the space of 25 minutes in India's capital city.

The New Delhi bombing resembles the current situation in that an email claiming responsibility was sent. In this case the email came just AFTER the first bombing (see below for some where the email came BEFORE, which is of course much more interesting). The email, which was sent to several television stations, claimed that there would be nine blasts in all, "Within five minutes from now . . . this time with the Message of Death, dreadfully terrorizing you for your sins". The email was quickly traced to a Mumbai suburb, with cooperation from Yahoo (the from address was: Arbi Hindi -- al_arbi_delhi@yahoo.com). It was sent from an open WIFI connection belonging to Christian missionary Kenneth Haywood. "Guru Al-Hindi" was the signature on the email, which matched the emails sent prior to two other bomb attacks. Sunny Vaghela, a cyber-cop in Ahmedabad, shared the details with the IT Examiner for their story Avoid being arrested for sending terror mail:

26JUL2008 - alarbi_gujarat@yahoo.com - sent from - Kenneth Haywood's house in Navi Bombay - an unsecured WiFi router.

31JUL2008 - alarbi_gujarat@yahoo.com - sent from - the Medical College at Vaghodiya, in Gujarat. (This one was sent through a proxy, but traced ultimately the given location).

23AUG2008 - alarbi.alhindi@gmail.com - sent from - Khalsa College at Bombay - another unsecured WiFi router.

13SEP2008 - al_arbi_delhi@yahoo.com - sent from Kamran Power Limited at Bombay - another unsecured WiFi router.
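The four emails above were traced to open WiFi routers and, in one case, through a proxy, which is the forensic point worth dwelling on: the address a mail provider hands an investigator identifies a network endpoint, not a person. As an added example, not code from the original post, here is the first step of that tracing, pulling the submitting client's address out of a message's headers. Both sample messages, every hostname and every IP address in them are constructed (RFC 5737 documentation ranges and RFC 1918 private space); the header names follow common MTA and webmail conventions.

```python
"""Recover the submitting client's IP address from a message's headers.

Added example; not code from the original post. Both sample messages, every
hostname and every IP address below are constructed (RFC 5737 documentation
ranges and RFC 1918 private space).
"""
import ipaddress
import re
from email import message_from_string

# Addresses that can never be the public endpoint an ISP could attribute.
# The RFC 5737 documentation ranges are deliberately NOT excluded so the
# constructed samples below work; in production add them (and RFC 6598).
_NONROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

_IPV4_RE = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?![\d.])")
# "(rdns [ip])" comment written by the receiving MTA in a Received: line.
_RECORDED_RE = re.compile(r"\[((?:\d{1,3}\.){3}\d{1,3})\]\s*\)")

# Constructed sample 1: webmail submission, client recorded by the front end.
SAMPLE_WEBMAIL = """\
Received: from webmail.example.net (webmail.example.net [192.0.2.20])
\tby mx.newsdesk.example (Postfix) with ESMTP id 1B2C3D
\tfor <desk@newsdesk.example>; Sat, 13 Sep 2008 18:05:01 +0530
X-Originating-IP: [198.51.100.77]
From: someone@example.net
To: desk@newsdesk.example
Subject: constructed sample

body
"""

# Constructed sample 2: SMTP submission from a home router; the client's
# LAN address appears as its HELO name, the public address in the comment.
SAMPLE_SMTP = """\
Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.10])
\tby mx.newsdesk.example (Postfix) with ESMTP id 4C1D2E3F
\tfor <desk@newsdesk.example>; Sat, 13 Sep 2008 18:05:02 +0530
Received: from [192.168.1.4] (cpe-203-0-113-42.isp.example [203.0.113.42])
\tby mail-relay.example.net with ESMTPA id 9A8B7C
\tfor <desk@newsdesk.example>; Sat, 13 Sep 2008 18:04:58 +0530
From: someone@example.net
To: desk@newsdesk.example
Subject: constructed sample

body
"""


def _routable_ips(text):
    """All syntactically valid, routable IPv4 addresses in a header value."""
    found = []
    for m in _IPV4_RE.finditer(text):
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if not any(ip in net for net in _NONROUTABLE):
            found.append(str(ip))
    return found


def hop_client_ip(hop):
    """Client address the receiving MTA recorded for one Received: hop.
    Prefers the bracketed address inside the '(rdns [ip])' comment, which
    the server wrote; the HELO name before it is attacker-controlled.
    Falls back to any routable address in the line; None for internal hops."""
    m = _RECORDED_RE.search(hop)
    if m:
        ips = _routable_ips(m.group(1))
        if ips:
            return ips[0]
    ips = _routable_ips(hop)
    return ips[0] if ips else None


def originating_ip(raw_message):
    """Best guess at the submitting client's public address, or None."""
    msg = message_from_string(raw_message)
    # Webmail front ends usually record the browser's address here.
    for value in msg.get_all("X-Originating-IP") or []:
        ips = _routable_ips(value)
        if ips:
            return ips[0]
    # Received: headers are prepended by each hop, so the last is the
    # earliest; walk oldest-first and stop at the first public client.
    for hop in reversed(msg.get_all("Received") or []):
        ip = hop_client_ip(hop)
        if ip:
            return ip
    return None


if __name__ == "__main__":
    print("webmail sample ->", originating_ip(SAMPLE_WEBMAIL))
    print("smtp sample    ->", originating_ip(SAMPLE_SMTP))
```

The address this returns is where the investigation starts, not where it ends: the ISP's subscriber records turn it into a street address, and as the four cases above show, the answer may well be an open WiFi router or a college network rather than the person who typed the message. A HELO name is whatever the client chose to say, which is why the code trusts the address the receiving server wrote in the comment over the first address it happens to see.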

If the current bombing's emails follow the same pattern, it could be an indication that they are related. The most recent email was accompanied by a 13-page document, which is certainly rich for forensic and linguistic analysis!

These earlier emails are thought to have been sent by Abdul Subhan Qureshi, who is called a "crack bomb-maker" after attending SIMI (Students Islamic Movement of India) terror camps from 2006 to 2008 to learn his craft. Before becoming a full-time terrorist, Qureshi worked for Wipro, a computer software company, where he disappeared in 2001, leaving a letter for his employers saying "I wish to inform you that I have decided to devote one complete year to pursue religious and spiritual matters". Despite the proof now that these were SIMI operations, the emails claimed to be from "Indian Mujahideen". Qureshi is also known as Abdul Subhan Tauqeer, and Bilal Qureshi. Qureshi was profiled in The Hindu, reprinted in Rediff as "The Hunt for the Indian Mujahideen's al-Arbi".

On July 30th, an email was sent to the Japanese embassy in Delhi claiming responsibility for the Jaipur and Ahmedabad bombings and stating that the next attack would be in New Delhi.

July 26, 2008 - Ahmedabad

21 bomb blasts - 56 killed and 200+ injured

Just before this series of 21 bomb blasts (some say as high as 30), various media outlets received an email saying "Await 5 minutes for the revenge of Gujarat" and "In the name of Allah the Indian Mujahideen strike again! Do whatever you can, within 5 minutes from now, feel the terror of Death!" The fourteen page email had many threats, but also said "Have you forgotten the evening of July 11, 2006 so quickly and so easily?" The fullest version of the email text I can find so far is on the website Islamic Terrorism in India.

Similar to the current event, a second set of bombs went off at hospitals one hour after the initial bombs. (See for example: The Tribune of Chandigarh). Some reports say four hospitals were targeted.

SIMI leader Abul Bashar Qasmi was arrested as the mastermind behind the July 26, 2008 bombings. (AKA Mufti Abu Bashir). Qasmi was arrested on August 16th, and it was reported on August 17th that he had confessed to his involvement in the blasts in Ahmedabad, and was still being questioned regarding Jaipur.

July 25, 2008 - Bangalore

7 bombs - 2 killed and 20 injured

While these bombings were highly coordinated, the low intensity of the bombs indicated simplistic explosive devices, very different from those above. Could this have been an effort to shift anti-terror forces' attention prior to the bombings which followed the next day? The explosives were based on "gelatin sticks" used in quarry blasting.

Another question: this bomb run targeted the IT sector (40% of Information Technology businesses in India are in Bangalore), and the current attack is in the heart of India's financial center. Is this a targeting of key infrastructure sectors?

Police originally said that this attack looked like the work of Harkat-ul-Jihad al Islami. Bangladeshi national Mohammad Hakim was taken into custody on July 29th in conjunction with this attack. He admitted that he was trained in bomb making by Mohammad Ansari, who is also a Bangladeshi national.

On September 25th, a SIMI operative named Mohammad Samee Bagewadi, aka Mohammad Samee, was arrested in conjunction with this attack. He had attended SIMI training camps in Castle Rock, Vagamon, and other camps. He was a close associate of SIMI leaders Safdar Hussain Nagori, Hafeez Hussain, Abu Bashar, and others.

May 13, 2008 - Jaipur

eight bombs - 80 killed and 150 injured

The bombs were created using RDX and ammonium nitrate, and filled with ball bearings. Several of the bombs were attached to bicycles.

No one claimed responsibility initially, but the following day an email was sent to various television stations which contained a photo of one of the bicycles, and a close up of the bicycle showing the serial number, which was used in the bomb. The email came from guru_alhindi_jaipur@yahoo.co.uk and said that Indian government must stop supporting the US in the international arena. It went on that "if you do continue then get ready to face more attacks at important tourist places."

As in others, a SIMI operative, Mohammad Shajid, was held for questioning, and raids were conducted in Jaipur, Ajmer, Fatehpur, Godhpur, Tonk, and Sikar.

On May 27th, a madrassa teacher and a telephone booth operator, Kamil, in Bharatpur was arrested for his role in the bombing. The teacher, who used the name "Hakimuddin" was from Nagla Imam Khan village, and had lived in Bharatpur for two years.

On August 24th, Shahbaz Hussain, a resident of Lucknow, was arrested for his involvement in Jaipur. He was called "a key player in planting the bombs" as well as selecting the team which executed the blasts. Shahbaz had a degree in mass communications and ran a cyber cafe in Maulviganj, and was a "key aide" to Sajid Mansoori, who was the mastermind of this attack.

On August 25th, seven more members from the Kota district were arrested. They were trained in three different terror camps between November 2007 and January 2008, along with SIMI activists Mufti Abu Bashir and Sajid Mansuri.

On September 1st, the Rajasthan Special Investigations Team (SIT) arrested four more for their parts in the Jaipur bombing - Munawar Husain (AKA Muzaffar Husain), Atiqur Rehman (AKA Abdul Hakim), Nadeem Akhtar (AKA Yaminuddin), and Mohammed Iliyas (AKA Mohammed Husain).

On September 7th, Mohammad Sohail and Azam from Jodhpur were arrested on their role in helping to generate funds for the Jaipur attacks.

On September 19th, two terrorists involved in the Jaipur, Ahmedabad, Hyderabad, and New Delhi blasts were killed when their flat was raided by the Delhi Police Special Cell. Mohammad Fakruddin (AKA Sajed) and Mohammad Bashir (AKA Atiq) were both killed, while two others escaped. Inspector Mohan Chand Sharma, a police officer involved in the raid, was also killed in the firefight.

August 25, 2007 - Hyderabad

2 bombs - 42 killed and 50 injured

While 2 bombs were detonated, 19 other bombs were found, fitted with timers, at bus stops, cinemas, bridges, and a water fountain. The bombs which were detonated went off during a laser light show in a public park.

Sep 8, 2006 - Malegaon

3 blasts killed at least 37 people and injured at least 100

Police found that the explosives used were a mix of RDX, ammonium nitrate, and fuel oil, which is the same mixture used in the July 11, 2006 Mumbai train bombings. Most of those killed were gathered at a mosque where Friday prayers were being held.


July 11, 2006 - Mumbai Railway

7 bombs - 200 killed

Mar 7, 2006 - Varanasi

- 28 killed, 101 injured

Oct 29, 2005 -

49 killed, 200+ injured

Aug 25, 2003 - Mumbai

2 car bombs - 52 killed, 150 injured

Sep 24, 2002 - Akshardham temple in Gujarat

31 killed, 79 wounded, hostages taken

Feb 14, 1998 - Coimbatore

13 bombs in 11 locations - 46 dead, 200 wounded

Wednesday, November 26, 2008

Bank of America Demo Account - DO NOT CLICK

Beginning on November 25th, the UAB Spam Data Mine has been receiving messages claiming to be from Bank of America which will explain to us how to use our new "Webbanking-2009" interface. Following the link in these email messages will plant a keylogger trojan on your computer. All of your userids and passwords will be sent to the criminals.

The spammed email messages look like this:


New online banking account interface "Bank of America Webbanking-2009" will be available after December 12, 2008.
Please take a look on the new account features demo page.
Bank of America provides our clients with a Demo Account to learn how to use new account interface.
You will learn how to work with the Demo Account Station below.
This link will let you know all news in the Future Online Banking with Bank of America.


2008 Bank of America Corporation.

Why would anyone think of doing an online Demo Account malware campaign? Well, it's because the real Bank of America has invited its customers to view a demo of their new Free Online Banking.

Here's the REAL Bank of America "DEMO":

The URL for the real demo is:


What is most malware about today? It's about SOCIAL ENGINEERING: can the criminal convince the victim that he is trustworthy by imitating someone or something that the victim is likely to trust? What is more trustworthy than your bank? So when the bank sends its customers an invitation to view a demo of their new Free Online Banking, the criminal follows suit.

Here are some of the Subject lines of the emails the criminal is sending:

  • Bank of America - Demo Account
  • Bank of America - DEMO ACCOUNT not working
  • Bank of America - Demo Account Set Up
  • Bank of America - Demo Account Setup
  • Bank of America - demo account traders
  • Bank of America - full access privileges for your DEMO account
  • Bank of America - learn how to trade with the Demo Dealer Station below
  • Bank of America - New Demo Account, Try for FREE
  • Bank of America - Open A Demo Account
  • Bank of America - provides our Bank of America - clients with a Demo
    Account to "paper trade" the Forex market.
  • Bank of America - register for a Demo Account to use new features.
  • Bank of America - Setting Up Your Demo Bank of America Account
  • Bank of America - Sign In.My Business Account Demo.
  • Bank of America - Sign In.My Business Account Demo.
  • Bank of America - The demo is best viewed with your browser
  • Bank of America - Try A Free Demo Account!
  • Bank of America - using a demo account
  • Bank of America - View Demo Account's professional profile
  • Bank of America - View Demo of Prime Account
  • Bank of America - View Site View demo website
  • Bank of America - We Give You The Tools You Need.
  • Bank of America - We Give You The Tools You Need. Try A Free Demo Account!
  • Bank of America - your Demo Account username and passcodes will be generated and emailed to you.

Each email has a ridiculously long URL, such as:


The superlong URLs are meant to cause problems for us good guys when we try to fetch their pages onto Windows, or zip them up using WinZip, where we'll occasionally get errors about "path too long". In reality, we can shorten the path dramatically and get the same effect. All of the URLs we've seen can be reduced to these five:


(All of the domains were registered in China -- BizCN.com and TodayNIC.com -- and all of the websites are being hosted with Fast Flux, on botnet machines. If your computer is part of their botnet, then YOU might be helping to host this website.)

Visiting any of these sites shows you a webpage that looks like this:

which prompts users to download "Adobe_Player9.exe" to view the Demo of their new account.

The first phase of the virus is that Adobe_Player9.exe, which is a tiny little dropper of 3,225 bytes in size. The current version has an MD5 of 2ef0de5993873f26529ac34012eb97d9, and is detected by 17 of 37 products according to a current VirusTotal.com report.

The second phase of the virus is downloaded from the URL:


That part of the virus does all the work and plants the keylogger and rootkit. This file is 59,392 bytes in size and has an MD5 of 227c31e1b0e4867bcaefe86a674a6981. Although VirusTotal is listing 10 out of 37 products detecting this in this VirusTotal.com report, it's clear that most of these AVs actually do not know what this is, even if they may think it looks suspicious.

AhnLab, Ikarus, Microsoft, and NOD32 know what this virus is. The first three call it "Ursnif" and the last calls it "Papras". That is an accurate description. AVG, McAfee+Artemis, Norman, and SecureWeb mark it as suspicious based on the fact that it is packed. (AVG calls it "Pakes", which I believe just means "packed file".)

After becoming infected, a new Windows Service called "new_drv.sys" will be running on the computer, but will be hidden from most Windows processes. (For example, doing a directory listing, even at a DOS prompt, will not show the file, and listing running processes, for instance in Task Manager, will also not show the file. That's the job of the rootkit function, to hide the existence of the new program from Windows.)

Anytime Internet Explorer is active, userids and passwords, and really anything else that is entered into an online form, are sent to the criminal.

This is the same family of malware which we have warned about so many times in the past -- Papras is the common virus name for all of the "Digital Certificate" malware, and "URSnif" is the name of the routines which do keylogging and send the keys to the badguy in this particular way. We've been talking about Digital Certificates all the way back to our May 6th Digital Certificate Alert! story.

The combination of the old Digital Certificate keylogger with the fake AdobePlayer to see a video began with the Obama acceptance speech video, as we reported the day after the election in our story Computer Virus Masquerades as Obama Acceptance Speech.

Friday, November 21, 2008

AsProx: The Phisher King?

The most spammed phish on the planet took a brief respite after the McColo network was shut down, but the Phisher King is back again.

We see as many as ten thousand reports per day and more of the Asprox spammed phish, and sadly this has been going on non-stop for as long as we can remember, with the brief exception of last week.

The typical scenario is that ten domain names are chosen and used to spam URLs which contain a high degree of randomization. Abbey Bank has been their favorite target for nearly all of 2008. The first "word" of the URL is followed by a number, then the brand name, then a random string, and then the domain name. The path portion of the URL is consistent for each brand currently spammed. Following the path there is a question mark, and then what seems like random characters, but which actually can be decoded into the email address of the person who received the spam. (We'll leave the encoded email address portion off in our examples).

The "Abbey" path for some time has been "/CentralLogonWeb/Confirm?"

The current "Associated Bank" path is "/web_bank/confirm.asp?"




Just in the last twenty-four hours, we saw more than 25,000 variations of these URL patterns.
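As an added example (not from the original post), here is a small Python checker that applies the host and path layout described above to URLs pulled from mail or proxy logs: leftmost label is a word plus a number, then the brand, then a random label, then the registrable domain, with the brand's quoted path and a non-empty query. The sample URLs are constructed for illustration; the lead labels, random labels, query tokens and the minimum random-label length are assumptions, and the brand labels are assumed to be single lowercase words.

```python
import re
from urllib.parse import urlsplit

# Brand -> path fragment quoted in the post (the dict itself is ours).
BRAND_PATHS = {
    "abbey": "/CentralLogonWeb/Confirm",
    "associated": "/web_bank/confirm.asp",
}

# Leftmost label: a "word" followed by a number, e.g. "online7".
WORD_NUMBER = re.compile(r"^[a-z]+\d+$")
# Random label between brand and domain; the minimum length is our
# assumption, the post only says "random string".
RANDOM_LABEL = re.compile(r"^[a-z0-9]{5,}$")


def classify(url):
    """Return brand, domain, lead label and query token if `url` follows
    the Asprox layout described in the post, otherwise None."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    labels = parts.hostname.split(".")  # hostname is already lowercased
    # word+number . brand . random . <domain with at least two labels>
    if len(labels) < 5:
        return None
    lead, brand, rand = labels[0], labels[1], labels[2]
    if not WORD_NUMBER.match(lead) or not RANDOM_LABEL.match(rand):
        return None
    if BRAND_PATHS.get(brand) != parts.path or not parts.query:
        return None
    return {"brand": brand, "domain": ".".join(labels[3:]),
            "lead": lead, "token": parts.query}  # token left undecoded


def summarize(urls):
    """Count matching URLs per (brand, domain); other lines are skipped."""
    counts = {}
    for url in urls:
        hit = classify(url)
        if hit:
            key = (hit["brand"], hit["domain"])
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample URLs in the shape the post describes: lead labels,
# random labels and query tokens are invented, domains come from the post.
SAMPLE_URLS = [
    "http://online7.abbey.k3x9qz2.code11.ca/CentralLogonWeb/Confirm?x8d2k1p0",
    "http://secure12.abbey.p8m2w5r.input2.cc/CentralLogonWeb/Confirm?q2n7v4z9",
    "http://login3.associated.v4t7n1q.3update.eu/web_bank/confirm.asp?m5c1r8w3",
    "http://www.example.com/CentralLogonWeb/Confirm?x8d2k1p0",  # host layout wrong
    "http://online7.abbey.k3x9qz2.code11.ca/index.html",  # path wrong
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_URLS).items()):
        print(key, n)
```

Feeding a day's worth of URLs through summarize() gives the per-domain counts that show which registrars' domains are carrying the current wave.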

How does the Phisher King keep his domains alive? Part of it is his use of a wide and ever-shifting set of Registrars. For example, consider today's domains:

Abbey Domains:

code11.ca (registered 29oct08 with Internic.ca)
input2.cc (registered 06NOV08 with Moniker)
2r2cw3a8u.com (registered 12NOV08 with XIN NET Technology)
3jk2p84x1.com (registered 12NOV08 with XIN NET Technology)
topmango.com (registered in 2001 with TuCows)
3update.eu (registered 06NOV08 with PublicDomainRegistry.com)
ide08.gs (registered 12NOV08 with Key-Systems)
48filt.jp (funky .jp whois gives no useful data)
4logon.jp (funky .jp whois gives no useful data)
pif02.jp (funky .jp whois gives no useful data)
5version.mobi (registered 06NOV08 with Directi Internet Solutions)
25uid.name (registered 06NOV08 with Directi Internet Solutions)
sys17.name (registered 05NOV08 with UK2 Group)
8locate.tk ("locked" by the clueless idiots at "Dot TK" with the phish live)
15load.tv (registered 04NOV08 with UK2 Group)
17gdi.tv (registered 11NOV08 with UK2 Group)
manage5.tv (registered 29OCT08 with UK2 Group)
root71.ws (registered 06NOV08 with Directi Internet Solutions)
udp96.ws (registered 04NOV08 with Directi Internet Solutions)

Associated Domains:

sslweb5.bz (error)
code11.ca (registered 29OCT08 with Internic.ca Corp)
input2.cc (registered 06NOV08 with Moniker Online Services)
6tagid.com (registered 05NOV08 with Moniker Online Services)
3update.eu (registered 06NOV08 with PublicDomainRegistry.com)
ide08.gs (registered 12NOV08 with Key-Systems)
login5.gs (registered 30OCT08 with Key-Systems)
1server.jp (registered 04NOV08 - whois.jprs.jp)
48filt.jp (registered 30OCT08 - whois.jprs.jp)
4logon.jp (registered 31OCT08 - whois.jprs.jp)
asp29.jp (registered 12NOV08 - whois.jprs.jp)
log-in1.jp (registered 27OCT08 - whois.jprs.jp)
pif02.jp (registered 06NOV08 - whois.jprs.jp)
5version.mobi (registered 06NOV08 with Directi Internet Solutions)
25uid.name (registered 06NOV08 with Directi Internet Solutions)
sys17.name (registered 05NOV08 with UK2 Group Ltd)
8default.net (registered 05NOV08 with Moniker Online Services)
8locate.tk (dot.tk does odd things with domains)
15load.tv (registered 04NOV08 with UK2 Group)
17gdi.tv (registered 11NOV08 with UK2 Group)
manage5.tv (registered 29OCT08 with UK2 Group)
root71.ws (registered 06NOV08 with Directi Internet Solutions)
udp96.ws (registered 04NOV08 with Directi Internet Solutions)

That's just the beginning though. Then we have the problem of the nameservers and Fast Flux hosting. While most domains have two or three nameservers, these domains have as many as 19. ns1.sslweb5.bz, ns2.sslweb5.bz, ns3.sslweb5.bz . . . all the way up to ns19.sslweb5.bz.

The IP addresses used for the nameservers are compromised home computers running the Asprox malware. Without the knowledge of these computers' owners, they provide the nameserver resolution for the phishing domains. Just as an example, the following IP addresses are all currently acting as nameservers for the Asprox phishing sites:

Each one of these IPs provides nameservices for dozens of domains used by this criminal. Currently they are serving:

The Nameservers are used to direct email recipients to other infected computers where they are shown the fake bank pages. (Those computers are actually acting as a "proxy" to load the real phishing data from yet another location.)

In addition to the phishing pages, the other machines in the botnet also provide infection services.

The current domains being used for infection are:


Google Safe Browsing won't let you visit either of those sites, because they have been "an intermediary for the infection of 770 sites including ssaga-g.com, csmfilter.co.kr, parenthesis-mykonos.com". Google Safe Browsing goes on to answer the question "Has this site hosted malware?" by saying "Yes, this site has hosted malicious software over the past 90 days. It infected 3324 domains including csmfilter.co.kr, sarangsae.com, istanbulihl1991.com."

Checking Google Safe Browsing for one of those sites shows things like:

"Of the 423 pages we tested on this site over the past 90 days, 130 pages resulted in malicious software being downloaded and installed without user consent. The last time Google visited the site was 2008-11-21, and the last time suspicious content was found on the site was on 2008-11-21.

Malicious software includes 168 scripting exploits, 28 exploits, 4 trojans. Successful infection resulted in an average of 2 new processes on the target machine.

8 domains appear to be functioning as intermediaries for distributing malware to visitors of this site, including egyptgood.cn, 81dns.ru, berjke.ru

At the current moment, there are 18,400 "drive-by" infection sites just with that script site loaded in Google. Some of the infected sites are hotels, ski resorts, chemical companies, motorcycle sites, real estate sites, nail salons, churches, the government of Ohio (survey.workforce411.ohio.gov has many infected pages).

There have been MILLIONS of these pages . . . I'll have more details soon....

Thursday, November 20, 2008

Igor Klopov sentenced

It's nice to finish a story sometimes, so this brief entry will do that. Back in August 2007, we did a story called How Far Would You Travel for $7 Million describing the undercover sting where Igor Klopov was lured to the United States to be arrested.

Charges were brought against Klopov and described as:

The defendants have been charged with Conspiracy in the Fourth Degree, Grand Larceny in the First Degree, Attempted Grand Larceny in the First Degree, Money Laundering in the First Degree, Attempted Money Laundering in the First Degree, Grand Larceny in the Second Degree, Attempted Grand Larceny in the Second Degree, Money Laundering in the Second Degree, Attempted Money Laundering in the Second Degree, Grand Larceny in the Third Degree, Attempted Grand Larceny in the Third Degree, Identity Theft in the First Degree, Forgery in the Second Degree, Criminal Possession of a Forged Instrument in the Second Degree, Criminal Possession of Stolen Property in the Fourth Degree and Criminal Possession of Forgery Devices. Money Laundering in the First Degree and Grand Larceny in the First Degree are both class B felonies which are punishable by up to 25 years in prison.

So, with all those charges, what kind of sentence was actually passed down by New York Supreme Court Justice Gregory Carro?

Three and a half to Ten and a half years. WHAT?!?!?!! 3.5 Years!?!?!?

Apparently sentences are slashed if you're really, really, really sorry.

The story has been used as a case study even before the sentence was reached, with Assistant District Attorney Jeremy Glickman doing lectures on the case, from a Summer Intern "Brown Bag" Lunch to a National White Collar Crimes Summit presentation called Piercing the Iron Cyber Curtain: Case Studies in International Financial Crimes.

Choosing victims from the Forbes Magazine 400 Richest People list, Klopov had several successful capers, with the largest being the theft of more than $1 million from a Fidelity Investments account belonging to a Silicon Valley couple, before he got stung going for his biggest case yet.

In his last attempt, the target was Charles Wyly. Wyly, who is George W. Bush's 9th largest "lifetime donor", is best known in computer circles as the guy who sold Sterling Software and Sterling Commerce for $8 Billion back in 2000, but the family has also dealt in Oil and Restaurants, and is currently behind a "Green Electricity" company called GreenMountain. Klopov managed to convince JP Morgan Chase to send a checkbook from Wyly's Home Equity Line of Credit account to Charles Dalton in Houston. Dalton then took the checkbook to the group's forger, Watson, who used it to write a $7 Million check to a gold broker in New York. JP Morgan Chase confirmed the check had not been issued by asking Mr. Wyly about it. The US Secret Service, working with the New Yorkers, managed to convince Klopov to come to the US to pick up the gold in person, which is when he got busted, back in May 2007.

More details about the case, including some other fascinating high end identity theft attempts, are available from the New York County District Attorney's Office's initial press release, where they describe Klopov recruiting forgers and impersonators on online job sites.

His co-conspirators have all pleaded guilty:

IGOR KLOPOV, 5/12/83
5 Gospitaly
Moscow, Russia

517 Northwood Drive
Conroe, Texas

415 Spring Street
London, Kentucky

8810 Pembroke Avenue
Detroit, Michigan

4200 NW 12th Avenue
Ft. Lauderdale, Florida

Monday, November 17, 2008

Facebook Users Beware

I'm looking into an interesting Facebook phenomenon this morning. Several of my "friends" on Facebook have received messages that look like these:


hey did u know your facebook pic was just featured on kchangblab.com

hey has anyone told you ur facebook pic was just featured on srcate.com

hey do u realize your default image is displayed on moreprofilestrade.com

did you know your profile pic is all over brightium.com

has anyone told u ur facebook pic was just featured on gabblemodule.com


The question is, "What's causing these posts?" Did these messages really come from their friends? Are they being generated by malware on their friends' computers? Or has someone compromised their passwords?

While I wait for these friends-of-friends to respond, I thought I would dig in to the domain names in question.

The WHOIS data for each says the domains are owned by

Adam Arzoomanian bulletinpics@gmail.com
375 E Harmon
Las Vegas

According to DomainTools.com, bulletinpics@gmail.com has registered 491 different domain names!

On some, the address has an extra line that says:
"The site is a fun prank - the pic is of a monkey"

The phone number Adam uses, 702.922.1911, belongs to Spin Night Club Promotions in Las Vegas, Nevada. That address is across the street from the Hard Rock Hotel, and is used by the "Alexis Park Resort", which is a "Spin Promotion LV Company", Las Vegas' Premiere Upscale Hip Hop Venue. We've also been able to confirm that Adam Arzoomanian is a real person and is really associated with Spin Night Club at Alexis Park. For instance, this story from Las Vegas Weekly:

This new nightclub project is just one of many for Arzoomanian, who will also oversee the Alexis Park’s gaming initiatives, building a casino resort on the two lots behind the current property as well as expanding the suites and villa according to a three- to five-year plan. “This is just the tip of the iceberg for Alexis Park,” says Arzoomanian, who adds that of all the projects in the works, designing Spin is his hobby. At present, no rendering exists for the new club. “It’s in my head.”
(Full Story)

The question remains whether the Real Adam knows anything about all of his domains . . . The number listed has a full voicemail box. Using the voicemail directory, we find that there are many many people who use the same voicemail service, including cleaning services, ticket services, hearing aid services, etc.

Let's see what other domains we can find for Adam Arzoomanian . . .


All of those domains (and probably many more) forward to the single domain:

friends-to-friends-only.com (created Oct 8, 2008 on Moniker Online)

which uses a frameset to pull the actual content from:


(TAF = Tell A Friend)

Rotating Destination is a TuCows registered domain created on September 29, 2008, with "protected" WHOIS information. Compete.com says the site gets 140,000 unique US-based visitors per month, and Quantcast ranks it as the 12,588th most popular site on the Internet.

After the "login" portion (and ask yourself again, WHY would anyone need to ask for a password here?) the action forwards to yet another website:

We've sent an email link to this blog entry to bulletinpics@gmail.com and are waiting for a response. As mentioned above, we weren't able to leave Adam a voicemail at his listed number, but the people at Alexis Park were much more helpful. Adam is no longer the GM at their resort. I've left a voicemail for their webmaster/computer guy at the resort, and hopefully that will get us somewhere further. It should be enough to get Moniker to "unregister" all the domains, we hope . . .

The site CLAIMS to be a "prank" site, where ultimately your friend sees a picture of a monkey and is supposed to giggle about how funny it is that their profile was said to be a monkey.

Question. Why would someone pay to register 491 different domain names to display a joke picture of a monkey?

Here's the sequence of webpages . . .

At the end there is one more link, inviting you to trick your friends by sending an email like this:

Here's how we recommend you trick your friends with this
harmless prank site. We're pretty sure they will send
you a funny reaction!

Send them an email. Try one of these lines...

did u know ur image is displayed on
do u realize ur photo is featured on
has anyone emailed you to let you know ur pic is all over
ur picture is at

Copy/Paste one of these domains to the end of your message.


For example:

do u realize ur photo is featured on stolenprofiles.com

(Note we rotate these suggestions often to avoid messages
being caught in spam filters even though they are not spam.)

Try sending it through regular email with no subject line.
That is most effective.

Try to avoid social sites like MySpace and FaceBook because
they may block your message or even call you a spammer or
a phisher. These sites don't want you to send friends
to external sites like ours. Regular email is best,
ie. Gmail, AOL, etc.

Have fun!

So what do you think? A prank? Or an interesting way to harvest people's passwords? I don't know the answer yet, but it certainly struck me as something worth looking into more deeply.

Best theory at the moment . . . users are known to use the same passwords in multiple locations. Could this be a way of trying to harvest email and/or facebook userid and password pairs?

Note: About six hours after posting this, a friend shared with me that Trend Micro had already blogged about this subject. They found a couple of things I didn't see -- including some pop-up messages that I missed because I didn't let the criminal run scripts on my laptop -- and some historical data tying the criminal's email address to a "Captcha" scheme he previously ran. Certainly worth reading if this subject interests you: Click here for TrendMicro Blog coverage of this story.