Tuesday, December 30, 2008

Radical Muslim Hackers Declare CyberWar on Israel

This weekend more than 300 Israeli websites have been defaced in a period of 48 hours. In a website "defacement" a hacker violates the security of a web server and replaces the original content with his own message. In some defacements, the hacker places a fake banking website (called a phishing site). In others the hacker merely boasts about his prowess as a hacker, similar to a graffiti artist painting his name on the side of a train. The current round of defacements are instead part of a Propaganda War.

We've seen this type of Propaganda War before. The original cyber propaganda war was launched by Chinese hackers in May of 2001 after the collision of a Chinese fighter jet with a US Navy plane. Tens of thousands of US websites were defaced by Chinese hackers blaming the US for the incident. More recently the technique has been adopted by Muslim hackers, beginning with the defacement of thousands of Danish and American websites in February 2006 after the publication of cartoons about the prophet Muhammad, and against Israeli and US websites after the bombardment of Lebanon by Israel in August of 2006.

As soon as Israel started bombing Gaza we began to look for signs of a cyber response. And we've found it, in the form of more than 300 Israeli websites which have been defaced with anti-Israeli and anti-US messages.

One interesting aspect of a cyber propaganda war is that it doesn't matter what size the website is, or how important it is. It only matters WHERE the website is. "In the current situation, the hackers supporting Gaza clearly believe Israel AND the US are culpable. That means American webmasters may wish to be especially vigilant right now.

How do you prevent your webserver being used in the propaganda war?

Webmasters need to decide on a strategy. For many websites, its enough to have a daily review of your content to ensure that nothing has been changed. For more important websites, it would be worth investing in having your website professionally tested for weaknesses.

Some very common exploits can be avoided by applying security patches. If your website uses programs which you downloaded from a vendor, please be sure to check with that vendor's website regularly to determine if new versions are available. Many defacements occur when hackers scan for websites which are running vulnerable software, such as a common PHP program, image program, forum software, or other webmaster utilities, such as web statistics programs. One quick way to see if your software has a security vulnerability is to check the National Vulnerability Database, where you can search for the name of your product.

We have also seen many websites exploited recently because the password for the webmaster has been stolen. Just as with all passwords, its important to choose good passwords, and change them regularly. Its also important to use secure methods of uploading. "FTP" sends your userid and password in plain text when you upload your web pages. Using "Secure FTP", which is often packaged with SSH, will make sure your passwords are encrypted when uploading files to your website.

I originally posted images from the Propaganda War on this blog, but have been asked by more than a dozen individuals already, to remove them from my blog. While I don't condone censorship, I also don't want to shock anyone by seeing pictures of disfigured children and threats to destroy the United States.

Some of you WILL have a professional reason to need to see these images. If that is you, please email me, and I will provide you with a private weblink, not affiliated with any official source, only with me personally. Please email gar@askgar.com - and please use the email Subject: Propaganda War, and include why you need to see these images.

Tuesday, December 23, 2008

More than 1 Million Ways to Infect Your Computer

An unknown hacker has been on a Search Engine Optimization rampage to flood search engines with more than a million ways to infect yourself with his virus. This is the first major "Scareware" infection we've seen since writing about the Federal Trade Commission's action in our December 10th blog post, FTC Moves Against Fake Anti-Virus Scareware.

The current scam takes advantage of the thousands of websites which have a "URL redirect" on them. A URL redirection program allows the website owner to "send you" to another website, while keeping track of where you went. They are often used in conjunction with an exit page that says something like "You are now leaving our site and being redirected to a new location. We aren't responsible for the content there." The problem is that many of those sites actually allow other people to use their URL to redirect traffic as well. That's what's happening here. A hacker has managed to cause Google to "learn" many of these URLs by placing them on sites they control.

In the current example, the hacker is using the site "00119922.com", which they have just registered December 19th. More than a million Google hits show that he has injected redirectors all around the Internet pointing to this site.


Sites like Microsoft.com, IRS.gov, countless media outlets, magazines, universities, and other websites can be found in the search engines in this way. The hackers get these entries into Google by littering tens of thousands of blog comments, guestbook entries, and imaginary blog stories all around the Internet. So, to choose one of the non-pornography related search terms, a hacker has written a program to comment on people's blog entries with a link to:


Now, if someone is searching for the phrase "download fruityloops 6 free", (fruityloops is apparently a music mixing software) because of Microsoft's popularity, their search term will take them to the number one position on Google.

The same technique has been used for many hundreds of phrases associated with pornography and software piracy. Some example search terms (and there are TENS OF THOUSANDS) all of which will give you the Microsoft open redirector as the #1 search result on Google:

"microsoft office 2002 download"
"hacking private myspace accounts"
"download runescape password hack"
"xxx rated joke"
"live free hardcore sex cams"


Some of the other sites with open redirectors being targeted by this attacker include: dbrecovery.com, togshop.com, wnbc.com, mrm.mms.gov, countrycurtains.com, portugal-info.net, cyberswim.com, nbcsandiego.com, thebostonchannel.com, thepittsburghchannel.com, hermanstreet.com, viadeo.com, nationalgeographic.com, barronscatalog.com, click2houston.com, lucy.com, wgal.com, rexart.com, kitv.com, bookmatestore.com, attarbazaar.com, titlenine.com, vermontteddybear.com, readthehook.com, theessentials.com, martlmadidebeli-gristianoba.com

Visiting the website redirects the visitor to 00119922.com, which in turn currently redirects the user to the site: netisecurity.com/ws/index.php?affid=04800, which pops up a warning:

Clicking "OK" on the warning, SEEMS to start a scan of your system, but a closer look will indicate that you are actually only seeing an animation playing from the netisecurity.com website:

When the scan is completed, a "Windows Security Alert" seems to pop up, although in reality you are still on the netisecurity.com website:

Clicking the "Remove All" button, which seems to be the reasonable thing to do, actually prompts the download of "install.exe".

You can review the coverage on "install.exe" on VirusTotal.com. As of this writing, we were the first one to report this malware to VirusTotal, where only 5 of 37 antivirus products were able to identify the file as malware.

File size: 62505 bytes
MD5...: 2bd950fdb5770ce6a1567f162dfa2679

eSafe and Panda call it "Suspicious file" (they call most things a suspicious file)
Ikarus says its "Trojan-Downloader.Win32.Delf"
Prevx1 says its "Malicious software"
TrendMicro calls it "PAK_Generic.001"

The other 32 anti-virus products offered no protection or detection.

install.exe was actually installed from the URL:

After "install.exe" runs, a more professional looking scanner executes. On our system the full product was installed under our logged in user's Documents and Settings in as: "1626125795\1300463089.exe". There were files in the directory indicating that a keylogger was in effect.

At the completion of the full scan, a new warning asked if we would like to "Remove all threats now" or "Continue unprotected".

Choosing "Remove all threats now" invites us to purchase the product for $51.45.

Refusing to purchase the software results in two types of annoyances constantly popping up. One warns that a worm is trying to steal my credit card with a full pop-up windows:

while the other is just a task bar reminder of the same thing:

Hopefully the FTC will take swift action to shut down this ring. In the meantime, there is a very real chance that your search engine results may contain links to this newest round of scareware. Surfers beware!


Microsoft has closed the Open Redirector which was being abused by the pages above. Clicking one of the Microsoft pages indicated in the Google search above will now take you to a safe page stating that the page was not found, and then forwarding you to a Microsoft search page. Thanks to Microsoft for such a quick response once the problem was pointed out to them.

Monday, December 22, 2008

Trusted Internet Connections (TIC): Gated Communities and Ostriches

Various colleagues at InfraGard and elsewhere have been hitting my telephone and email inbox asking my thoughts on the "Security Cyberspace for the 44th Presidency" report, and the Comprehensive National Cyber Security Initiative (CNCI), established by National Security Presidential Directive 54 and Homeland Security Presidential Directive 23. I agree with my friend Joseph Concannon that these are things we should all be discussing and to which we should be reacting.

As one of the included initiatives that has been widely discussed, I'd like to start by asking some questions about the Trusted Internet Connections (TIC) initiative. The initiative was announced publicly in this Memo for Heads of Executive Departments and Agencies from the Office of Management and Budget's Clay Johnson. The memo discusses the requirement for each agency to develop a "comprehensive plan of action and milestones" to reduce their number of Internet connections, with the goal of having the entire federal government using only fifty Internet points of presence. The plan is similar to another DHS initiative, which believes that building a fence across the US-Mexico border will make it easier to secure the border. TIC works in exactly the same way. By having only fifty points of access, it becomes easier to identify what goes in and out of the Internet.

In the physical world we have the same concept in the Gated Community. Many of the same advantages and disadvantages of Gated Communities can also be expected here. Some of the advantages are that we can better control who comes into our communities, and even those who are allowed access have left clear record of their action, in the form of video surveillance at the gate checkpoints, and often through a log of visitors maintained by security guards who man these gates. These are exactly the advantages intended by the DHS Einstein III program, currently being used by at least 13 Federal agencies.

For an excellent discussion on Gated Communities and their roles in Security and Crime Prevention, please see "Public Places, Urban Spaces" by Matthew Carmona. Carmona's book is not primarily about Gated Communities, but rather about the decisions that should be considered as urban spaces are planned or designed.

Carmona argues that the design or an Urban Space should be seen in the context of Local, Global, Market, and Regulatory considerations, and must then take into consideration issues in the categories of Morphological, Perceptual, Social, Visual, Functional, and Temporal considerations.

The disadvantages that are primarily brought up with regard to the creation of Gated Communities typical begins by speaking about class segregation, and the annexation of previously public property to be used for the advantage of a relatively small subsection of the society which paid to create it. Even when the now segregated resources are granted "public use" during the day, privacy concerns commonly expressed about "surveillance societies" may cause some citizens to hesitate to visit these resources.

It strikes me that very few of Carmona's design processes were taken into account as the Trusted Internet Connection program began. For example, Perceptual Considerations -- will my Internet visits to government provided web resources now be monitored in a more comprehensive way? Will Einstein be learning and recording my interactions with the government similar to the Gated Community security guard who asks the name of the person I am visiting before allowing my vehicle to enter the GC?

What message should the rest of the Internet take from the decision by the Federal government that the way to be safe on the Internet is to restrict public access to a few carefully monitored Internet points of presence? As a practicing designer of network security considerations, I have to agree that the theory is strong. One of the first exercises I engage in with a client is to identify all possible paths in and out of their network, and what methods of securing and monitoring each of those paths are currently in use.

But how should this message play with the responsibility of the Department of Homeland Security to protect our Nation's Critical Infrastructures? Prior to the creation of DHS, a multi-agency partnership administered by the FBI existed under the auspices of the National Infrastructure Protection Center (NIPC). The NIPC Watch & Warn desk was the fastest single place to check about the status of any threat to our Nation's Critical Infrastructures, including the Cyber infrastructure. Now for Cyber matters we have US-CERT.

The United States Computer Emergency Readiness Team (US-CERT) is a partnership between the Department of Homeland Security and the public and private sectors. Established in 2003 to protect the nation's Internet infrastructure, US-CERT coordinates defenses against and responses to cyber attacks across the nation.
Source: http://www.us-cert.gov/aboutus.html

Interestingly, the mission of US-CERT is *NOT* to protect Federal Agencies, but rather to protect "the nation's Internet infrastructure", the vast majority of which will be on the OUTSIDE of the wall being created by the Trusted Internet Connections initiative. The program is rolling forward, with the first contract being announced in December 18th's DHS Daily Report, which stated:

The General Services Administration announced on Monday that AT&T has been awarded the first contract to deliver secure Internet connections to federal agencies via the Networx Universal telecommunications program. AT&T will offer Managed Trusted Internet Protocol Services under the Office of Management and Budget’s Trusted Internet Connections initiative, announced in November 2007. The goal is to reduce the number of Internet connections in the federal government to fewer than 100 in 2009; the exact deadline has yet to be determined. “GSA has provided resources to assist the successful implementation of the TIC initiative and made information systems security a priority in their strategic plans,” said the OMB administrator for e-government and information technology. “Fewer external connections mean fewer vulnerabilities and better secured networks.” Networx Universal is an indefinite delivery, indefinite quantity contract vehicle with a ceiling of $48.1 billion over 10 years. Combined with Networx Enterprise, it is the federal government’s largest telecommunications program. AT&T’s latest offering will include a system to detect computer network intrusions as well as a security operations center to protect agencies’ networks. GSA still is evaluating secure Internet connection proposals from Verizon and Qwest Communications, the other two vendors on Networx Universal.

(the DHS report quotes: http://www.nextgov.com/nextgov/ng_20081216_1938.php Gautham Nagesh)

What does this strategy mean for the rest of us? As with the Gated Communities, one of the disadvantages is the issue that those of us OUTSIDE the gates feel (or actually are!) disenfranchised. What does it mean for the Critical Infrastructures who are "outside the fence"? Should, for instance, the banking industry be looking into building their own Trusted Internet Connections program that only serves their industry? With price tags such as the one given above, it may be that only the government can afford to be secure. What does that say about the strategy as a means of protection ALL of us?

Wednesday, December 10, 2008

FTC Moves against Fake AntiVirus "ScareWare" companies

Microsoft may be getting all the press this month about Fake Antivirus products, but the Federal Trade Commission deserves some high praise as well. We'll get to the FTC stuff below, but first I wanted to mention that most of the press I've seen on the Microsoft announcement focused on Spectacular Big Numbers instead of focusing on the actual facts in their announcement.

Microsoft and Fake AV Products

During the first half of 2008, Microsoft removed almost 9 million copies of Win32/Zlob from infected computers - more than twice as many as any other threat. In their Security Intelligence Report 5 they described Zlob infections like this: "Once installed on the target computer, Zlob bombards the user with pop-up advertisements and fake 'spyware warnings' that are actually advertisements for rogue security software". An especially prevalent way to get Zlob during that times was to be prompted to install a missing Codec or Video player when visiting a site advertised by a spam message.

On November 19th, Microsoft announced that their Malicious Software Remove Tool could now remove the newest batch of fake antivirus products, and that in the first 9 days of the new release, they had removed 994,000 of these fake products, which they refer to collectively as Win32/FakeSecSen. The announcement came from the Microsoft Malware Protection Center's Threat Research & Response Blog, which revealed that 548,218 of those 944,061 machines were in the United States. For every 1,000 machines they scanned, five HAD BEEN infected with a fake Antivirus product.

Wait, HAD BEEN? Yes. The blog goes on to point out, that of those 944,061 machines which detected as infected, only 198,812 had an ACTIVE infection including the "main .exe". The other 700,000 or so had actually already had the infection declawed, either manually or by another anti-virus program, but residual files indicating the former infection were still present. In other words, the MILLION MACHINES CLEANED was really TWO HUNDRED THOUSAND MACHINES DISINFECTED, and EIGHT HUNDRED THOUSAND CLEANED UP A LITTLE BIT MORE THAN THEY ALREADY HAD BEEN. By comparison to that, the real danger may be Renos, where 565,000 machines were actually disinfected. But, what is Renos? Win32/Renos is another entire family of fake AV products. After the blog post was published, the Analysis section of the Win32/Renos entry was updated to say "On November 19th a signature for TrojanDropper:Win32/Renos.N started detected particular uninstall files. This incorrect detection affects users of all Microsoft Antivirus solutions." This was fixed in the December MSRT, but one has to wonder how many of the amazing number of Renos infections were due to this fake detection?

The most recent batch of fake products, covered by Win32/FakeSecSen, has a great collection of screen shots of the various fake products on the "Analysis" tab, including Micro Antivirus 2009, MS Antivirus, Spyware Preventer, Vista Antivirus 2008, Advanced Antivirus, System Antivirus 2008, Ultimate Antivirus 2008, Windows Antivirus, XPert Antivirus, and Power Antivirus.

Special Note:
Reports of rogue Antivirus programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs, such as Trojan:Win32/Antivirusxp and Program:Win32/FakeRednefed may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products. These products may represent themselves as “Antivirus XP”, “AntivirusXP 2008”, “WinDefender 2008”, “XP Antivirus”, or similar.

(from the Microsoft Malware Protection Center).

Earlier versions of MSRT also detected fake viruses, primarily under the names Win32/FakeXPA and Win32/SpySheriff, the former detecting mostly "Microsoft look-alike products" while the latter covered many of the first fake protection products, including BraveSentry, DiaRemover, MalwareAlarm, Mr. AntiSpy, PestTrap, PestWiper, SpyMarshal, SpySheriff, and SpyTrooper. An intermediary version was called Win32/FakeXPA.

The FTC and Fake AV

OK, with that as background, let's agree that millions of computers have been infected with various brands of fake security products and look at the FTC action.

On December 10th, the FTC released a Consumer Alert entitled:

"Free Security Scan" Could Cost Time and Money
Messages telling you to install and update security software for your computer seem to be everywhere. So you might be tempted by an offer of a “free security scan,” especially when faced with a pop-up, an email, or an ad that claims “malicious software” has already been found on your machine. Unfortunately, it’s likely that the scary message is a come-on for a rip-off.
The free scan claims to find a host of problems, and within seconds, you’re getting urgent pop-ups to buy security software. After you agree to spend $40 or more on the software, the program tells you that your problems are fixed. The reality: there was nothing to fix. And what’s worse, the program now installed on your computer could be harmful.
According to attorneys at the Federal Trade Commission (FTC), the nation’s consumer protection agency, scammers have found ways to create realistic but phony “security alerts.” Though the “alerts” look like they’re being generated by your computer, they actually are created by a con artist and sent through your Internet browser.

Click for the Full text of the FTC Consumer Alert as a PDF also available as an HTML version.

More importantly, they requested and received a temporary restraining order from the
U.S. District Court for the District of Maryland. In this action, they have accused five people of running two companies that are responsible for most of these fake products, and a sixth of receiving funds from the scam.

Under the FTC Act, 15 U.S.C. § 45(a), the Federal Trade Commission is in charge of enforcing the prohibition against "deceptive or unfair acts or practices in or affecting commerce. As part of that enforcement the FTC has the right to "secure such equitable relief as may be appropriate in each case, including restitution for injured consumers, consumer redress, and disgorgement" 15 U.S.c. § 53(b).

The companies being targeted here are:

"Innovative Marketing", a company incorporated in Belize, with offices in Kiev, Ukraine, who has done business as Billingnow, BillPlanet PTE Ltd., Globedat, Innovative Marketing Ukraine, Revenue Response, Sunwell, Synergy Software BV, Winpayment Consultancy SPC, Winsecure Solutions, and Winsolutions FZ-LLC.


"Bytehosting Internet Services", an LLC registered in Ohio with an office at 3864 McMann Road, Suite A, Cincinnati, Ohio.

The charge is that their business practice was "a massive Internet-based scheme that tricks consumers into purchasing computer security software" which exploited consumers' "legitimate concerns about Internet-based threats like spyware and viruses by issuing false security or privacy warnings to consumers for the sole purpose of selling software to fix the imagined problem". After running a simulated "Free scan", the software would claim to have detected "a host of malicious or otherwise dangerous files and programs, including viruses, spyware, or illegal pornography", and encourage the consumer to download their product to fix it. The downloaded products would run another scan, and then urge the consumer to spend $39.95 to solve the problem by buying "the full version".

(emphasis, and all those nice "!!!!!" added by the blogger)

These guys are the ones who have been making the money, all the way back to 2003, selling products including but not limited to WinFixer, WinAntivirus, DriveCleaner, WinAntiSpyware, ErrorProtector, ErrorSafe, SystemDoctor, AdvancedCleaner, Antivirus XP, XP Antivirus 2008, etc.

While most of us know these products as they are delivered by viruses, the defendants actually paid for advertising as well. Just one of the defendants purchased $3.3 million in advertisments from the MyGeek network (now known as AdOn) between October 2004 and November 2006. The ads were displayed more than 680 million times!

After MyGeek began refusing to run their ads, the defendants created their own fake advertising groups, such as Burn Ads, Preved Marketing, AdTraff, NetMediaGroup, and Uniqads, which they sold to websites offering a share of the advertising revenue. These fake advertising companies began to approach sites, claiming they represented legitimate sites that wanted to place advertisements, including CareerBuilder.com, Frontgate, Travelocity.com, Priceline.com, and other sites. The ads which were displayed, when viewed from IP addresses belonging to their business partners, always showed ads for the legitimate companies, but when viewed by outside IP addresses, the ads for their fake scanners were displayed.

Believing themselves to be doing business with legitimate advertising companies, the ads found their way to places such as Major League Baseball and National Hockey League sites, the National Association of Realtors, the Economist magazine, and others.

The defendants are:

James Reno (Bytehosting), who ran "setupahost.net". Reno provided contracts with some of these ad-distribution vendors, ran Bytehosting, and provided the Call Center which supposedly took tech support calls about their products. Part of the call center's job was to obstruct and delay consumers from obtaining refunds by misleading them about the nature of the scan, or telling them a refund had already been issued to them, when it had not. Almost all of Bytehosting's revenue came from Innovative Marketing.

Sam Jain (Innovative Marketing), who resided in California. Jain is the CEO of Innovative Marketing, and co-founded the company in 2002. A large financial investor in the company, Jain handled much of the marketing and sales, and worked out the relationship with companies to take their credit card payments.

Daniel Sundin (Innovative Marketing), who resided in London, England. Sundin ran Vantage Software and Winsoftware, Ltd. He was also the COO and is now CTO of Innovative Marketing. He set up the company headquarters in Kiev, and also opened facilities in Argentina and India. His old company, Vantage Software, paid for many of the original domain names, such as Winfixer.com, DriveCleaner.com, WinAntivirus.com, and SystemDoctor.com. The foreign banking is handled by Sundin.

Marc D'Souza (Innovative Marketing), who resided in Toronto, Canada. D'Souza ran Web Integrated Net Solutions. D'Souza took over the role of working on the credit card payment processor relationships. He and his father Maurice established numerous merchant accounts with payment processors around the world to clear their cards, which was hard to maintain because of the very high level of chargebacks and complaints from consumers. Marc and his father each retained "millions of dollars in proceeds" in their bank accounts. They are no longer associated with Innovative Marketing and are the subject of a lawsuit in Canada where Innovative Marketing claims they have embezzled millions of their dollars.

Kristy Ross (Innovative Marketing), who resided in Maryland. Ross was the marketing person, responsible for placing millions of dollars worth of false and misleading advertisements. Despite warnings on multiple occasions that the ads were exploitive and deceitful, she continued to place these ads.

Maurice D'Souza, who resided in Ontario, Canada and received "ill-gotten funds" from his son Marc (see above).

The FTC action includes a "Prayer for Relief" which requests that the court award "such relife as necessary to redress injury to consumers resulting from the Defendants' violations of the FTC Act, including but not limited to, rescission or reformation of contracts, restitution, the refund of monies paid, and the disgorgement of ill-gotten monies." They also ask that they protect and return funds and property that the defendants have in their possession or have purchased as a result of their ill-gotten gains or proceeds.

For more details on the case, please see:


which includes links to the:

Ex Parte Temporary Restraining Order
Complaint for Injunctive and Other Equitable Relife

Tuesday, December 09, 2008

Securing Cyberspace in the 44th Presidency: Part Two

Yesterday I provided some context for the Center for Strategic and International Studies report which was published yesterday:

Security Cyberspace for the 44th Presidency

The co-chairs of the committee, which was directed by James Lewis, were:
Representative James R. Langevin
Representative Michael T. McCaul
Scott Charney, Microsoft
Lt. General Harry Raduege, USAF (Ret)

I'll leave the interested reader to read the full list of committee members from Appendix A, but I was pleased to see many active voices for Cybersecurity and Information Sharing among them, including many that I met through InfraGard! Just to name a few, Peter Allor (who was presenting at an InfraGard National Conference when I met him, the day ISS became IBM ISS), Jerry Dixon, former NCSD for DHS and now the VP of Government Relations for InfraGard, Greg Rattray, who was the Director for Cyber Security on the White House National Security Council staff before there even was a DHS (and an advisor to InfraGard's National Board), Tom Kellerman (a New York InfraGard member) who worked closely with the World Bank, Paul Kurtz, Marcus Sachs of SANS Internet Storm Center (and Verizon), Phyllis Schneck who has been active in InfraGard for more than my own seven years, Michael Vatis, who led the NIPC back when InfraGard was partnered with their National Infrastructure Protection Center efforts, Amit Yoran, who was the original NCSD, and spoke at the June 2004 InfraGard National Conference.

The report consists of seven major chapters, which are bookended by the concept that we are in a Hidden War, and that we need to WIN the Hidden War.

The Introduction compares our current status to "the invisible struggle" between Britain and Germany over Ultra and Enigma.

The United States is in a similar situation today, but we are not playing the role of the British. Foreign opponents, through a combination of skill, luck, and perseverance, have been able to penetrate poorly protected U.S. computer networks and collect immense quantities of valuable information. Although the most sensitive U.S. military communications remain safe, economic competitors and potential military opponents have easy access to military technology, intellectual property of leading companies, and government data. These potential opponents have not hesitated to avail themselves of the opportunities presented by poor cybersecurity.

America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009. It is, like Ultra and Enigma, a battle fought mainly in the shadows. It is a battle we are losing.

Summary of Recommendations

  • Create a Comprehensive National Security Strategy for Cyberspace
    • Presidential statement that cyberspace is a vital asset and that the United States will protect it
    • Create a National Office for Cyberspace (NOC) within the Executive Office of the President
    • Open discussion on how best to secure cyberspace

  • Organizing for Cybersecurity
    • Establish a Cybersecurity Directorate in the National Security Council
    • Support same from the new NOC, which should absort the National Cyber Security Center and Joint Inter-Agency Cyber Task Force
    • NOC assumes additional responsibilities, including FISMA
    • Three new Public-private advisory groups
    • Continue DHS US-CERT relationships with all federal agencies

  • Rebuilding Partnership with the Private Sector
    • creation of three new public-private agencies

  • Regulate for Cybersecurity
    • Task the NOC to work with appropriate regulatory agencies to secure critical cyber infrastructures

  • Secure Industrial Control Systems and SCADA
    • NOC should work with NIST to develop Industrial Control System standards
    • NOC should continue to to determine the extent of government-owned infrastructures security from cyber attack

  • Use Acquisitions Rules to Improve Security
    • NOC and CIO Council development and implement security guidelines for IT procurement
    • NSA and NIST should reform National Information Assurance Partnership
    • Secure Internet protocol use should be increased.

  • Manage Identities
    • US should make strong authentication, including "robust in-person proofing" mandatory for critical cyber infrastructures
    • US should allow use of strong goverment-issued credentials for online activities
    • FTC should protect consumers by requiring businesses to use strong credentials for online activities
    • government agencies not using HSPD-12 compliant credentials after one year should have bonuses or awards restricted

  • Modernize Authorities
    • DOJ should reexamine statutes governing online crime and investigations to increase clarity, speed investigations, and better protect privacy
    • the Attorney General should issue guidelines for cyber incident response by law enforcement, military, or intelligence authorities.

  • Revise FISMA
    • Congress should rewrite FISMA to use performance-based measurements of security

  • End the Division Between Civilian and National Security Systems
    • legislation should be proposed that adopts risk-based approach to all federal computer security

  • Conduct Training for Cyber Education and Workforce Development
    • NOC and OPM should create training programs and career paths to enhance the federal cyber workforce and work with NSF to develop national education programs

  • Conduct Research and Development for Cybersecurity
    • NOC and Office of Science and Technology Policy should provide overall consideration of cybersecurity R&D. The US should increase its investment in longer-term R&D designed to create a more secure cyber ecosystem.

A summary at the beginning of the report gives 25 recommendations.

One of the recommendations is DO NOT START OVER.

"Let us be clear on the Bush administration's Comprehensive National Cybersecurity Initiative (CNCI): It is good but not sufficient. The next administration should not start over; it should adopt the initial efforts of the initiative, but it should not consider it adequate."

Regarding DHS, the report states:

We had a long and impassioned debate within the Commission over DHS's roles and responsibilities. Many felt that leaving any cyber function at DHS would doom that function to failure. ... The nature of our opponents, the attacks we face in cyberspace, and the growing risk to national and economic security mean that comprehensive cybersecurity falls outside the scope of DHS's competencies. DHS is not the agency to lead in a conflict with foreign intelligence agencies or militaries or even well-organized international cyber criminals.

Security cyberspace is no longer an issue defined by homeland security or critical infrastructure protection. This is far too narrow a scope.

As a Computer Forensics Researcher, of course I appreciated the call in the section "Expand and Focus Research and Development for Cybersecurity"
The federal government plans to spend about $143 billion in 2009 on R&D. We estimate that two-tenths of 1 percent of that will go to cybersecurity. To put this in context, the president's fiscal year 2009 budget requests $29.3 billion for life science research, $4.4 billion for earth and space science, $3.2 billion for the Advanced Energy Initiative, $2.0 billion for the Climate Change Science Program, and $1.5 billion for nanotechnology. The National Information Technology R&D (NITRD) programs will receive $3.5 billion. Cybersecurity R&D will receive about $300 million.

The report recognizes that many others, including the new Comprehensive National Cyber Initiative, have called for an increase in Cyber Security Research funding, but points out that much of what we have at NITRD "exists largely as a passive compilation of R&D activities by the NSF and various funding agencies rather than a driver of an agreesive research agenda."

Monday, December 08, 2008

Fake UMB Banking Demo leads to Password theft

Our Digital Certificate friends have started a new spam campaign. After
several days of targeting ClassMates.com with a fake video, they are now targeting UMB Bank with an online banking "Demo video", similar to the one we saw against Bank of America two weeks ago.

The emails look like this:

Update December 08, 2008.

Experience Digital Banking News for yourself.
Want to know how quick, easy and safe our online banking service is today?
You can view our demo of the service, which is ideal for those times when you’d like more detailed information.
The Demo requires Macromedia Flash Player.

Proceed to view UMB System Demo>>

Sincerely, Janie Howe.
Copyright 2006, 2007, 2008. UMB Financial Corporation. All Rights Reserved.

The webpage that the current spam points out looks like this:

Of course the video is fake, and trying to play the video (or just visiting the site) tries to get you to download a fake Adobe Player upgrade, which is actually a virus which is designed to steal login credentials.

Stolen credentials for any website where you log in, as well as FTP logins, ICQ logins, and IMAP and POP email logins, are passed to the criminal's computer in the Ukraine using strings that look like these:


The first five domains we saw vs. UMB Bank was:


These domains were created TODAY using the registrar BizCN.com. This
group usually has more domains than that. We expect more are being
created as I type. We've seen about 100 spam emails for this campaign
so far.

The nameserver for these domains, "ns1.panelhosts.com" was also
registered today, using this fake contact information:

Registrant Contact:
Marleyne Ash ash@aol.com
8524588488 fax: 8524588488
111 145 E. 93 St.
Brooklyn NC 11212

Subjects seen so far with this spam campaign:

  • UMB Bank Demo Tour - Do you have a specific question?
  • UMB Bank Demo Tour - Experience Digital Banking for yourself
  • UMB Bank Demo Tour - Explore Digital Banking
  • UMB Bank Demo Tour - Find out when you take a virtual tour.
  • UMB Bank Demo Tour - Our Web site was designed
  • UMB Bank Demo Tour - Run through this easy-to-use demo.
  • UMB Bank Demo Tour - See just how easy and useful online banking with UMB is
  • UMB Bank Demo Tour - Simply select the style of demo you'd like to view
  • UMB Bank Demo Tour - Take a tour
  • UMB Bank Demo Tour - Try our helpful 'Got a question?'
  • UMB Bank Demo Tour - Want to know how quick and easy our online banking service is?
  • UMB Bank Demo Tour - We've got a demo for you.
  • UMB Bank Demo Tour - Whether you're new to online banking
  • UMB Bank Demo Tour - You can also view our demo of the service
  • UMB banking system changes that you should know about
  • UMB NEW DEMO ACCOUNT - This unique service is offered exclusively to UMB Premier customers.
  • UMB NEW DEMO ACCOUNT - To begin demo, click the forward arrow or jump to a section with the menu to the right.
  • UMB NEW DEMO ACCOUNT - UMB NEW DEMO ACCOUNT - To try the online banking demo
  • UMB NEW DEMO ACCOUNT - Welcome to the demo for Global View!
  • UMB Premier DEMO ACCOUNT - from securely accessing your account information to paying bills to creating reports.
  • UMB Premier DEMO ACCOUNT - how to access your accounts, set up bill payees, transfer funds, and more!
  • UMB Premier DEMO ACCOUNT - how you can use UMB Online Banking
  • UMB Premier DEMO ACCOUNT - Online Banking and Bill Pay Demo
  • UMB Premier DEMO ACCOUNT - Online Banking Demo "
  • UMB Premier DEMO ACCOUNT - The Demo requires Flash Player, available at no cost from Macromedia.
  • UMB Premier DEMO ACCOUNT - Try it! View our interactive Demo to learn more
  • UMB Premier DEMO ACCOUNT - Use it! View our Guide for helpful step-by-step instructions
  • UMB Premier DEMO ACCOUNT - You can download and save the entire Guide, then print the pages you want.

The path name for the fake video is:


The initial malware drop is a file called:


The file had not previously been uploaded to VirusTotal.

VirusTotal detections were: 17 of 38

File size: 3169 bytesMD5...: 1165b5ef89c61f8f61d3b1d91b374c9c

Strings on that malware indicate that second stage malware will probably
be loaded from:


The Adobe2 file had also not been previously uploaded to VirusTotal.
Another interesting string was C:\m_unpacker\packed.exe

VirusTotal Detections were: 3 of 38
File size: 36864 bytesMD5...: 4cc95326ed31689a50ca395eda99e8b7

Adobe2.exe sends all of its stolen data to: Gee, does
that sound familiar to anyone?

As before, this is an advanced password stealer, grabbing webforms, ICQ,
POP3, and FTP passwords.

The spammed emails are advertising domains which are being served on
fast flux IP addresses. For example, the current IPs are:

When we look at some of these IPs to see what they have resolved, we
confirm that they have recently been used for a bunch of badness,
including the Classmates malware. For instance, included:

tempdir.cz <== Citibank phish domain

axknm.cn <== Google AdWords domain
bmspeedlab.org <== BMS Money Mule recruitment
bumotor.org <== BMS Money Mule recruitment
bumospo.com <== BMS Money Mule recruitment
bumospe.tk <== BMS Money Mule recruitment

You'll never believe this! BMSpeedLab.org has a Vacancy for a Regional
Financial Representative!!!!

You will be paid 10% commission out of every customer payment you have
to deal with for "Coordinating customer payments using your bank account".

Previous blog posts related to this malware family, which has previously targeted customers of: BancorpSouth, Bank of America, Bank of the West, CapitalOne, CareerBuilder, Chase Bank, Classmates.com, Colonial, Comerica, Eastern Bank, Google Adwords, Key Bank, LaSalle Bank, Merrill Lynch, M&I Bank, OceanBank, OpenBank, RBC, SunTrust, TD BankNorth, UMB, Wachovia, as well as abusing the Presidential election:

Nov 26th: Bank of America "Video Demo"

Nov 7th: McCain Video:

Nov 6th: Colonial Bank "Digital Certificate"

Nov 5th: Obama Acquisition Speech

Nov 4th: Wachovia/Wells Fargo Merger

Oct 31st: LaSalle Bank of America acquisition

Sep 23rd: Google Adwords

Aug 30th: Bank of America, SunTrust, TD BankNorth "Digital Certificate"

May 9th: Merrill Lynch "Digital Certificate"

May 6th: Merrill Lynch, Comerica, Colonial Bank "Digital Certificate"

Securing Cyberspace in the 44th Presidency: Part One

This morning's BusinessWeek headline blares U.S. Is Losing Global Cyberwar, Commission Says. The Commission's solution? Create a new "Center for Cybersecurity Operations".

Co-chaired by James R. Langevin, Michael McCaul, and Microsoft's VP of Trustworthy Computing, Scott Charney, the Commission was established in October 2007 with the full name being "the Center for Strategic and International Studies' Commission on Cybersecurity for the 44th Presidency". Langevin describes it as being "a non-partisan commission composed of approximately 30 renowned cybersecurity experts, both in and out of government, from across the country.

This is a Two Part posting. In today's Part One we'll be reviewing the "where are we?" - the historical background of recommendations that lead to the need for this Commission and its Recommendations. Tomorrow we'll look at the recommendations themselves.

The Commission briefed the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the House Committee on Homeland Security back on September 16, 2008. (The Hearings were webcastand the prepared testimony of the various witnesses, as well as reports from David Powner's excellent team at the Government Accountability Office are available on the Committee's Hearings page.)

Homeland Security Committee Chairman, Rep. Bennie G. Thompson, opened his portion of the hearing with a scathing review of previous failures in this area, including the fact that the 2002 "National Strategy to Secure Cyberspace" presented problems, but mandated no changes, the fact that Richard Clarke's position in the White House as Advisor on Cybersecruity was eliminated in 2003, the fact that the position of the Congressionally mandated DHS Assistant Secretary for Cybersecurity was unfilled for more than a year, and then "buried four levels down in the bureaucracy.

Thompson makes it clear in his remarks: "So many years we've been at it, and we're still so far away. As the Chairman of the Homeland Security Committee, with oversight over this Department, I want to state clearly and for the record -- that is unacceptable to me."

For this blogger, I believe that for nearly six years the road to Cybersecurity has crawled forward with many fits, bumps and starts, but that 2008 has been a year where some significant new improvements have begun. I'm VERY excited about the new NCSD, especially his law enforcement background and training and active duty as an "ECSAP Agent" (Electronic Crimes Special Agent Program) for the US Secret Service, and I'm VERY excited about the twelve part National Cyber Security Initiative, especially after hearing more about the details first in Tallahassee at the Florida Government Technology Conference, and then last week as news from the Burton Group briefing keynoted by Steve Chabinsky, Deputy Director, Office of the Director of National Intelligence shared more details of the plan.

These things give me hope.

Back to the Commission though . . . the stage was set at the House Committee on Homeland Security by first reviewing the state of DHS Cybersecurity Initiatives.

David Powner, Director of Information Technology Management Issues for the Government Accountability Office, set the stage for the Commission's report with his testimony (available as GAO-08-1157T, CRITICAL INFRASTRUCTURE PROTECTION: DHS Needs to Better Address Its Cybersecurity Responsibilities). Powner says that over the years the 30 recommendations made to DHS in this area by his team fell into six key areas:

  1. Bolstering cyber analysis and warning capabilities.
  2. Reducing organizational inefficiencies.
  3. Completing actions identified during cyber exercises.
  4. Developing sector-specific plans that fully address all the cyber-related criteria.
  5. Improving cybersecurity of infrastructure control systems.
  6. Strengthening DHS's ability to help recover from Internet disruptions.

GAO further identified 13 "DHS Key Cybersecurity Responsibilities" (see the full PDF for more detailed descriptions)

  • Develop a national plan for Critical Infrastructure Protection that includes cybersecurity.
  • Develop partnerships and coordinate with other federal agencies, state and local governments, and the private sector.
  • Improve and enhance public/private information sharing involving cyber attacks, threats, and vulnerabilities.
  • Develop and enhance national cyber analysis and warning capabilities.
  • Provide and coordinate incident response and recovery planning efforts.
  • Identify and assess cyber threats and vulnerabilities.
  • Support efforts to reduce cyber threats and vulnerabilities.
  • Promote and support research and development efforts to strengthen cyberspace security.
  • Promote awareness and outreach.
  • Foster training and certification.
  • Enhance federal, state, and local government cybersecurity.
  • Strengthen international cyberspace security.
  • Integrate cybersecurity with national security.

The GAO testimony referred heavily to three previous reports where other DHS Cyber recommendations have been made:

GAO-08-588: CYBER ANALYSIS AND WARNING: DHS Faces Challenges in Establishing a Comprehensive National Capability July 2008 (67 page PDF)

GAO-08-825: CRITICAL INFRASTRUCTURE PROTECTION: DHS Needs to Fully Address Lessons Learned from Its First Cyber Storm Exercise September 2008 (39 page PDF)

GAO-08-1075R: Federal Legal Requirements for Critical Infrastructure IT Security September 16, 2008 (72 page PDF)