Thursday, April 17, 2008

Dear CEO . . . You are Commanded to Go Phishing!

This week has been busy with yet another Spear Phishing campaign being launched against the Execs of US-based companies. This is not a new trend by any means. In my presentation at the DOD CyberCrime Conference this year, "Spear Phishing: Hackers Target High Value Targets", I shared information about the October "Better Business Bureau" spear phishing attack and the January "US Department of Justice" spear phishing attack. It's clear that this round is a continuation of these.

In the current round, the email contains the real name of the executive (we have confirmed it is not only CEOs, so that is also consistent with the previous attacks), and their real telephone number in the body of the email. Here are some excerpts from one such email . . .


SUBPOENA IN A CIVIL CASE

Case Number:

(numbers here)
United States District Court

YOU ARE HEREBY COMMANDED to appear and testify before the Grand Jury of
the United States District Court at the place, date, and time specified
below.

...

Please download the entire document on this matter (follow this link)
and print it for your records.

...

Failure to appear at the time and place indicated may result in a
contempt of court citation. Bring this subpoena with you to the
courtroom and present it to the bailiff.


The initial domain used in the attack, "cacd-uscourts.com", was registered through the Registrar "Web4Africa" on April 12th. On Monday, we had the good fortune that someone reported this phish to the CastleCops PIRT Team, where it was assigned PIRT #792683. Monday evening, PIRT received an email back from Web4Africa informing us that the site had been disabled, which they did by changing their NameServers to "suspended1.web4africa.net" and "suspended2.web4africa.net", as you can see in their Current WHOIS record.

I wasn't able to fetch the malware the first round, as I was away from my lab at the incredible Usenix LEET 08 Workshop, where I was able to meet some security heroes of mine, Thorsten Holz and Niels Provos, the authors of Virtual Honeypots: From Botnet Tracking to Intrusion Detection. (Subliminal mode on -- Buy this Book! -- Subliminal Mode Off).

I got home Wednesday afternoon and went straight to the lab, only to learn that the Phisher was stupid enough to immediately try again. When I arrived in the lab, I checked for other sites hosted by the original nameservers and saw that a new domain name had been registered early Tuesday morning. They chose a different name, "casd-uscourts.com", which they hosted on the exact same IP as the other box (which incidentally hosts several other malware sites which infect their visitors by installing software via "IFRAME" and Encrypted Javascript techniques).

We used CastleCops to get the site shut down again last night, but not until we first made some screen shots and infected a goat machine with the malware to see what it would do. (Thanks to two of my UAB CIS graduate students for staying late and working on this last night!)

The site is using ActiveX to deliver its malware, and requires an Internet Explorer browser, as you can see from the two screen shots below:

Several people have said "No CEO would click on a subpoena in email!" That's probably true. The CEO would probably send it to the corporate counsel, who would click on the subpoena in email.

Regardless WHO clicks on it, here is what happens if someone does:

The browser goes to "Acrobat.php", which causes the creation of a hidden file called \Windows\system32\Acrobat.dll.

The registry is modified by placing the value: "rundll3d acrobat.dll Anit" in the registry key: \HKLM\Software\Microsoft\Windows\CurrentVersion\Run

A listening port is opened (in our case it was on port 1900).

Every 60 seconds, the machine notifies this computer in China of its infected status by visiting a URL like this:

http://124.94.101.48/MMM/parse.php?mod=cmd&user=MachineName

where MachineName is the system name of the machine in question.

That is probably all the details I'll share for now.

If anyone has observed network traffic going to this IP, there is a very good chance someone in your network is infected. I'd love to know what other communications your infected machine is exhibiting. Please do send me an email!
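One way to look for that traffic in your own proxy logs, as an added example that is not part of the original post: it parses constructed sample log lines (timestamp, client IP, URL), picks out requests to the reported beacon URL, pulls the machine name out of the user= parameter, and flags clients whose requests recur at the roughly 60-second interval described above. The log format, the sample client addresses and the machine names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Beacon indicators reported in the post: host, path and the mod=cmd / user=<MachineName> query.
BEACON_HOST = "124.94.101.48"
BEACON_PATH = "/MMM/parse.php"

# Constructed sample proxy log (not from the original post): ISO timestamp, client IP, URL.
SAMPLE_LOG = """\
2008-04-16T14:02:00 10.1.2.3 http://124.94.101.48/MMM/parse.php?mod=cmd&user=EXEC-LAPTOP
2008-04-16T14:02:17 10.1.2.9 http://www.example.com/index.html
2008-04-16T14:03:00 10.1.2.3 http://124.94.101.48/MMM/parse.php?mod=cmd&user=EXEC-LAPTOP
2008-04-16T14:03:41 10.1.2.9 http://www.example.com/news/
2008-04-16T14:04:01 10.1.2.3 http://124.94.101.48/MMM/parse.php?mod=cmd&user=EXEC-LAPTOP
2008-04-16T14:05:00 10.1.2.3 http://124.94.101.48/MMM/parse.php?mod=cmd&user=EXEC-LAPTOP
2008-04-16T14:09:12 10.1.2.9 http://124.94.101.48/MMM/parse.php?mod=cmd&user=LEGAL-PC
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
URL_RE = re.compile(r"^http://([^/]+)(/[^?]*)\?(.*)$")

def parse_query(qs):
    """Split 'a=1&b=2' into a dict, tolerating parts without '='."""
    out = {}
    for part in qs.split("&"):
        key, _, value = part.partition("=")
        if key:
            out[key] = value
    return out

def find_beacons(log_text, period=60, tolerance=5, min_hits=3):
    """Return {client_ip: {"machine": name, "hits": n, "periodic": bool}} for clients
    that requested the beacon URL. 'periodic' is True when at least min_hits requests
    were seen and every gap between consecutive requests is within tolerance of period."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, url = m.groups()
        u = URL_RE.match(url)
        if not u or u.group(1) != BEACON_HOST or u.group(2) != BEACON_PATH:
            continue
        params = parse_query(u.group(3))
        if params.get("mod") != "cmd" or "user" not in params:
            continue
        seen[client].append((datetime.fromisoformat(ts), params["user"]))
    result = {}
    for client, events in seen.items():
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        periodic = len(events) >= min_hits and all(abs(g - period) <= tolerance for g in gaps)
        result[client] = {"machine": events[-1][1], "hits": len(events), "periodic": periodic}
    return result

if __name__ == "__main__":
    for ip, info in sorted(find_beacons(SAMPLE_LOG).items()):
        state = "periodic beacon, likely infected" if info["periodic"] else "contact seen, check host"
        print(f"{ip}\t{info['machine']}\t{info['hits']} hits\t{state}")
```

A single contact is still worth a host check, since the beacon only repeats while the Run key entry is active and the machine is up.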

Wednesday, April 09, 2008

"Grey Pigeon" banking trojan leads to jail time in China

On April 3, computing.co.uk reported the arrest of four Chinese men for breaking into the online bank accounts of their fellow citizens. The report was high on theory and low on details. For the moment we will ignore the "spin" being placed in this story elsewhere in the media -- does this mean the Chinese government wants to stop hackers, but only if they are hacking other Chinese? -- let's just examine the facts.

According to an April 1 report from Shanghai Daily News, the four men, who have the surnames Duan, Wei, Li, and Ruan, received sentences ranging from 8 years to 2.5 years. They were also fined 155,000 yuan, or about $20,000 USD. The sentencing occurred in the Luwan District People's Court.

According to the Shanghai Daily News report, the hackers did their work by using a hacker tool called "Grey pigeon 2006vip". After planting this software on various websites, visitors to those websites became infected with a trojan which stole their userids and passwords when they logged on to their bank. We call this type of infection a "Drive By Infector". All that is necessary to be infected is to visit a website hosting the malware.

Li's role was to hack the website and install "Grey Pigeon". Duan received the accounts and transferred the money out of the victim accounts to an account controlled by the hackers. Wei and Ruan had the hands-on job of withdrawing the cash from ATM machines.

The withdrawals mentioned in the trial occurred on April 11, 2007 and May 12, 2007.

Luwan district, which is part of Shanghai, has seen similar cases of this type recently, including the conviction of Bai Yongchun last September, who was also convicted of stealing money by using the Grey Pigeon software.

Grey Pigeon can be found being discussed at "hacker120.com", which also goes by the name of "www.hkop.cn", in a forum called 黑客攻防技术专区 (roughly, "Hacker Attack and Defense Techniques Zone").

The current version of Grey Pigeon (Grey Pigeon 2008, or 微尘灰鸽子2008免杀版, roughly "Weichen Grey Pigeon 2008, anti-virus-evading edition"), has been available at hacker120.com since January 31, 2008. The virus tries to edit your registry to make itself a Windows Service, by adding the key:

HKLM\SYSTEM\CurrentControlSet\Services\Windows XP Vista

to your registry, with a pointer to itself. The originally downloaded file is named "hacker.com.cn.ini", but this file is renamed to an ".exe" with the same name as it is copied to create the Windows Service named "Windows XP Vista".
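An added example (not from the original post, nor from Rising or Sophos) that checks an exported registry dump for the persistence indicators described above: a service key named "Windows XP Vista" under HKLM\SYSTEM\CurrentControlSet\Services, or a service whose ImagePath is the renamed hacker.com.cn dropper. The .reg sample is constructed, the C:\WINDOWS path is an assumption, and only plain quoted string values are decoded (REG_EXPAND_SZ values exported as hex(2) are kept as raw text).

```python
import re

# Indicators from the post: a service named "Windows XP Vista" and the dropper hacker.com.cn.ini renamed to .exe.
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SUSPECT_SERVICE_NAMES = {"windows xp vista"}
SUSPECT_IMAGE_NAMES = {"hacker.com.cn.exe", "hacker.com.cn.ini"}

# Constructed .reg-style export (not a real capture); reg.exe writes REG_SZ values
# as "name"="value" with doubled backslashes. The C:\WINDOWS path is an assumption.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"DisplayName"="DHCP Client"
"ImagePath"="C:\\WINDOWS\\system32\\svchost.exe -k netsvcs"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows XP Vista]
"DisplayName"="Windows XP Vista"
"ImagePath"="C:\\WINDOWS\\hacker.com.cn.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows XP Vista\Parameters]
"Flag"=dword:00000001
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}; quoted strings are unescaped, other types kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys[current] = {}
            continue
        vm = STRING_VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group(1)] = vm.group(2).replace("\\\\", "\\")
        elif line.startswith('"') and current is not None:
            name, _, raw_val = line.partition("=")  # e.g. "Start"=dword:00000002
            keys[current][name.strip('"')] = raw_val
    return keys

def find_suspect_services(reg_text):
    """Return [(service_name, image_path, reasons)] for top-level service keys matching the indicators."""
    hits = []
    for path, values in parse_reg(reg_text).items():
        if not path.startswith(SERVICES_KEY + "\\"):
            continue
        service = path[len(SERVICES_KEY) + 1:]
        if "\\" in service:  # sub-keys such as ...\Parameters are not services
            continue
        image = values.get("ImagePath", "")
        exe = image.split("\\")[-1].split(" ")[0].lower()  # binary name without path or arguments
        reasons = []
        if service.lower() in SUSPECT_SERVICE_NAMES:
            reasons.append("service name mimics an OS name")
        if exe in SUSPECT_IMAGE_NAMES:
            reasons.append("ImagePath is the renamed Grey Pigeon dropper")
        if reasons:
            hits.append((service, image, reasons))
    return hits
```

On a live machine the same dump is produced with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`, and the file can then be checked offline with find_suspect_services.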

Sophos detects the current version of Grey Pigeon as "Troj/Mdrop-BQA", and has protected against it since Feb 2008, according to this Sophos information page.

In China, the Grey Pigeon family is prevalent enough that Chinese anti-virus company "Rising" has a special detection program for it, which can be downloaded from their website (GPDetect.exe), where they have a link to Grey Pigeon information from their main website homepage. (The information page about Grey Pigeon has been continuously updated since Rising originally published it in 2005!)

Thursday, April 03, 2008

Welcome Cornelius Tate, our new NCSD!

Today Brian Krebs broke the story in his Washington Post "Security Fix" blog, that Cornelius Tate had been named to head the Department of Homeland Security's National Cyber Security Division.

Cornelius Tate is a perfect example of a Computer Science major making a difference in the world of Cyber Crime. Tate received his bachelor of science in Computer Science from the University of Mississippi in 1985, but when a friend of his joined the Secret Service during Tate's junior year, he realized that he would rather be investigating computer crimes than writing code. (Source: DiversityCareers.com)


Like former NCSD Director, Jerry Dixon, Tate worked at the IRS after graduating from college. US-CERT will not be something new to him -- in 2002, Tate served at Carnegie Mellon University's Software Engineering Institute as the "resident liaison" from the USSS to the CERT Coordination Center (CERT/CC). Tate initiated the use of CERT/CC staff in high-profile protection planning as part of the "Critical Systems Protection Initiative" (CSPI), which included having CERT members travel with the Secret Service to prepare cyber systems for events such as the 2002 Olympic Games and Super Bowl XXXVI.

Tate also recognizes the value of R&D. In this feature from SEI's CERT/CC Tate says of the Service, "We bring hands-on experience, and the CERT/CC provides a research and development capability that extends beyond the scope of our traditional protective mission."

While at CERT/CC, Tate was part of the "Insider Threat Study" research staff whose work led to the development of the "MERIT" system, which was actually presented to us in Birmingham at the joint "FBI InfraGard/USSS Computer Crimes Working Group" meeting in 2006. MERIT stands for "Management and Education of the Risk of Insider Threats", and we learned a great deal from the presentation.

When Tate was assigned to the Presidential Protective Detail, he served as the Supervisory Administrator for Technology Systems, and was actively involved in tracing email and Internet-based threats to the White House and its residents.

InfraGard members will know of Mr. Tate's work, not only from his participation in the famous InfraGard Houston conferences, but also in the form of their DHS-appointed Protective Security Advisors. Mr. Tate oversaw all of our nation's PSAs in his position as the Director of Field Operations for the Protective Security Division. In Birmingham we are very grateful for the active participation of our PSA in the Birmingham Chapter of InfraGard.

Congratulations on the new position, Mr. Tate. As an InfraGard President, and a Cyber Crime Researcher, I wish you well, and look forward to working with you and your staff in your new endeavors.

In Nigeria, Yahoo Boys picked up by EFCC Raids

Cyber Cafes in Akure in the state of Ondo, and Onitsha, in the state of Anambra were raided today. The locals have a term for the type of cyber criminal who lurks in these cafes. They call them "yahoo boys".


(image from "Hey CyberCafe" in Onitsha, not included in the raid, just a sample picture of an Onitsha-based cybercafe)

In Akure, agents of the EFCC (Economic and Financial Crimes Commission), acting as customers, mingled with the crowd, bought airtime, and began using computers themselves while observing the activities of those around them. Once their suspicions were confirmed, they rose and identified themselves, requiring each of the users of the cafe to remain on site until they had confirmed what email addresses they had been using, and what activities those email addresses had been performing. "This Day" in Lagos reports that at least one Yahoo Man jumped out the window when the raid began. This Day reports that the following day the cyber cafes were nearly empty, "leaving only those with serious business".

In Onitsha, things went a bit differently, according to The Nigerian Tribune, with officers arriving in an unmarked Toyota van and blocking off the road leading to Main Market to prevent the flight of cyber cafe operators.

Sixteen arrests were made, primarily of Yahoo Boys, who spend their days reading and sending scam emails hoping to encourage rich Americans to part with their money. At least one cyber cafe operator was also arrested, and several computers were confiscated as evidence.

The most fascinating part of this story, however, is not in the current day's news. For the story behind the story we have to go back to March 17th, when the President of Nigeria, Umaru Yar'Adua, announced that he was planning to establish a separate body known as the National Cyber Crimes Commission. The bill, which was described in Nigeria's Business Day Online, was called necessary precisely because the EFCC cannot effectively "handle the cyber crimes in addition to its other responsibilities". Business Day Online's source said the activities of the Yahoo Boys are having a negative impact on the government and on investment and a separate agency was required to handle the situation.

The bill to establish the National Cyber Crimes Commission is still in the National Assembly. With the president leaning on both chambers for quick passage, is the EFCC trying to prove the bill is unnecessary?

Public opinion has turned against the EFCC, as represented in a recent column in the IndependentNGOnline, called "Heroes, Yahoo Boys, and the Rest of Us". (Sorry, the article is no longer online, the author "angrymichael2004@yahoo.com" has a regular column called "Conversations of an Angry Man"). The column calls the Yahoo Boys "Criminal Eaglets", and warns the EFCC that if they continue to "deliberately overlook" the Yahoo Boys, they are going to use their relative wealth to graduate to the true houses of power.

The columnist continues "I had the impression that the EFCC may rather wait for these fraudsters to cut their teeth in politics or public administration before going after them", but he then goes on to say those who chase down and catch these crooks are the true heroes. While the President is welcoming as national heroes Nigerian boxer, Samuel Peter, and the Under 17 World Championship Nigerian soccer team, the Golden Eaglets, the columnist recommends the President proclaim those who catch cyber criminals National Heroes instead.

Whether the NCCC is formed, or whether the EFCC decides to take their cyber crime responsibilities more seriously, the effect on the American public should be positive. For today, the EFCC are Crime Fighting Heroes. I hope it continues!

Tuesday, April 01, 2008

AKILL Convicted - Are we safer now?

Last night the BBC World Service called to ask me what I thought of the AKILL conviction. We primarily discussed that the news here should not be that AKILL is the criminal mastermind of the Internet, but that it's Good News that we've managed to catch someone and get a conviction.

AKILL, Owen Thor Walker, AKA "Snow Whyte" (Whyte was his mother's maiden name), AKA "Snow Walker" (note to hackers, don't use your own name as your alias), is a troubled young man living in New Zealand. Up until his conviction he was a quiet, gifted programmer, who worked for Trio Software Development. The media is painting him to be the ring leader of a worldwide criminal enterprise which controls 1.3 Million computers and has caused $20 Million USD in damages.

There is no question Walker was brilliant. He has been diagnosed with Asperger's Syndrome, a disorder in the same family as autism, characterized by very poor social interaction, and a fixation on a narrow range of intellectually challenging pursuits that often involve a high degree of repetition. His mother says he left school at age 14, largely because of problems with bullies, and completed his education via correspondence courses.

But what were the actual charges? ComputerWorld New Zealand is reporting this morning that the only damages they have charged him with are $13,000 in costs which the University of Pennsylvania incurred in recovering from a Botnet attack he launched against the TAUNET service housed at UPenn. (See ComputerWorld.nz.)

The Sydney Morning Herald, which ran a picture of Walker and his mother in this article of Feb 29, 2008, said:

Walker was arrested in November last year in the northern city of Hamilton as part of an international investigation into a cyber crime network accused of infiltrating 1.3 million computers and skimming millions of dollars from victims' bank accounts.


But the original story which brought AKILL into the International eye was the charges brought by the FBI under Operation Bot Roast II, which Forbes magazine mentioned like this as recently as yesterday:

The FBI's deputy assistant director of its Cyber Division, Shawn Henry, points to the November arrest of the hacker known as AKILL, an 18-year-old in New Zealand running a botnet of 50,000 computers.


The other charge that we know about AKILL is that he has been accused "by Dutch authorities" of being part of a scheme where hackers installed advertising software on computers they compromised. One of the other targets of Operation Bot Roast II was Robert Matthew Bentley, of Panama City, Florida. Bentley was convicted of his charges on March 6, 2008, according to this FBI Jacksonville Press Release.

I am saying that it is very likely that this is actually the same scheme that AKILL was tied up in, (but haven't found the proof of that yet). Bentley was accused of installing software for a scheme called "Dollar Revenue". Dollar Revenue was fined $1.54 Million USD by Dutch authorities in a scheme where hackers were paid 15/100 of a Euro for installing the adware on European computers, or 25 cents for installing the adware on American computers. (See this PC World article)

These types of revenues fall more in line with what was said during AKILL's trial, where the judge was considering whether to force Walker to pay restitution of "$8,000". New Zealand media are reporting that Walker pleaded guilty to infecting "at least 20,000" computers, and his bank accounts show that he had received payments of "$40,000 NZD". (See for example this New Zealand TV station's report.)

What actually was the "criminal mastermind" activity that AKILL performed? He took source code for a previous botnet program and made some slight modifications to it. Detective Inspector Peter Devoy of the New Zealand police confirmed in interviews that AKILL is responsible for the "AkBot" malware. (See Security IT World's story for more.) (Devoy was also the one quoted in the original New Zealand Police press release, "Waikato Police investigate cyber-crime".)

How was Walker caught? It looks like a good job of International Cooperation, but one lynchpin in the investigation goes back to making poor choices in friends online. Ryan Goldstein, AKA Digerati, has been a troublemaker for years. Ryan, a 21-year-old student at UPenn, was a member of a hacking group called "TeamLoosh", and couldn't decide what color his hat should be.

TeamLoosh leader, rofles, basically went on a character-assassination rampage against Ryan, posting defaming photographs and emails intended to show that Ryan was a pedophile anywhere that he saw Ryan making posts. Some of these appeared in places like "governmentsecurity.org", posting links to a file named: http://www.teamloosh.com/txt/Digerati-Exposed.zip (now offline).

Ryan was angry, but having been banned from several places because of these accusations, he behaved in his typical fashion. He promised AKILL access to several "elite" hacker websites where he still had influence, if he would help him get revenge. The DDOS, intended to punish the TAUNET Internet Relay Chat servers which had banned "Digerati", was said to include 50,000 attacking computers, which were launched against TAUNET by AKILL.

The Digerati Indictment is available from the Pennsylvania US Attorney's Office. It reveals the exact nature of the payment offered to AKILL. Quoting from page 5 of the indictment:


"I can get you some good private stuff, i can also pay you, to take taunet down...i have access to a lot of stuff you might want...www.findnot.com/servers.html - i have a legit login/pass for that, guaranteed to work through 2007 at least...undetected, unreleased bifrost (trojan) beta with 100% av (antivirus) and fw (firewall) bypass."


I'm very pleased that Ryan/Digerati and Owen/AKILL/Snow Whyte have been apprehended, but the point of what I tried to say on BBC World Service this morning was let's not make this a fishing story. We haven't landed Moby Dick here. We haven't stopped a "Criminal Mastermind". We caught a few juveniles with anger management and social problems, who made $40,000 selling hacked computers to a Dutch advertising company and attacked a University chat room because the boys there told another boy he was not their friend any more.

It's a message that International Law Enforcement Cooperation is working, at least between the Dutch, the FBI, and the New Zealanders, but we still have a long way to go before the Internet is going to be a safe place to play.

-----

Corrections Made:
Ryan Lee, ryan1918, has pointed out an error in the original version of this posting. Ryan Lee (ryan1918) is *NOT* Digerati, and should not be confused with Ryan Goldstein.

To Priest, stm, rofles, Gammarays, Zerofool2005 - thanks for the comments - send me an email. Happy to learn more and have a more accurate article.