Tuesday, March 30, 2010

Microsoft Releases "Out of Band" IE Update

Microsoft has released a new patch for Internet Explorer, and no, your calendar isn't off: this is NOT the second Tuesday of the month. According to the Microsoft Security Advisory, updated today, the reason for the out-of-band release was that the vulnerability described in CVE-2010-0806, "Uninitialized Memory Corruption Vulnerability", was being widely seen in the wild.

Interestingly, Microsoft thanks Chinese security company "VenusTech" for providing them notice of that exploit.

Absolutely. On March 10th the exploit was added to the Metasploit framework, and instructions on how to use the exploit immediately appeared on many hacker boards. We saw it first on the replacement for Milw0rm, XpltDB: Exploit-DB.com.

Here is just a sampling of some of the places it's being openly discussed:

hackua.com, the Ukrainian hacking forum, had a post on March 14, 2010 by "Dementor" explaining the use of the exploit, which quoted the HD Moore version, including the comments about the exploit having been observed in the wild by Red-Sec on the website www.topix21century.com.

0day.net in Guizhou province, China, had the Chinese language version of the discussion beginning on March 12th, posted by the owner of the forum, asphack. He provided a .rar file of the exploit from his website, asphack.com.

exploit.in, which despite the India country code is a Russian language website carrying banner ads for various Russian-language cybercrime sites, such as "InstallsMarket", "SecretsLine VPN", and "EvaPharmacy". As an example of those, InstallsMarket will install your malware on 1,000 US-based bots for $100. Interesting place to be discussing IE vulnerabilities, no?

Korea's SecurityPlus also was sharing details, and the exploit.

Several Chinese hacker sites linked back to BBS.pediy.com. Their very active "Software Debugging Forum" had several members contributing suggested improvements to the shell code: 45 replies to the thread so far, but the thread has been read almost 5,000 times!

The Microsoft Bulletin is here:


Some of the issues addressed include:

CVE-2010-0267 - Uninitialized Memory Corruption Vulnerability
CVE-2010-0488 - Post Encoding Information Disclosure Vulnerability
CVE-2010-0489 - Race Condition Memory Corruption Vulnerability
CVE-2010-0490 - Uninitialized Memory Corruption Vulnerability
CVE-2010-0491 - HTML Object Memory Corruption Vulnerability
CVE-2010-0492 - HTML Object Memory Corruption Vulnerability
CVE-2010-0494 - HTML Element Cross-Domain Vulnerability
CVE-2010-0805 - Memory Corruption Vulnerability
CVE-2010-0806 - Uninitialized Memory Corruption Vulnerability
CVE-2010-0807 - HTML Rendering Memory Corruption Vulnerability

Yeah, I think we ought to install that patch!

Sunday, March 28, 2010

Arrests on the Rise

Lots of little newsworthy updates recently . . . they've been well-covered elsewhere, but we wanted to make sure our readers saw them as well.

Russia: Safe Haven no more?

One of the constant complaints that we hear is "the criminal is probably in Russia", as an excuse for why a case is not worth investigating. Back on November 11, 2009, we posted a story The $9 Million World-wide Bank Robbery, where VIKTOR PLESHCHUK, 28, of St. Petersburg, Russia; SERGEI TŠURIKOV, 25, of Tallinn, Estonia; and OLEG COVELIN, 28, of Chişinău, Moldova were charged with leading the robbery, which actually occurred in 2008. This week the Financial Times has revealed that Viktor Pleshchuk was arrested by the FSB. Their story leads with:

Russia has quietly arrested several suspects in one of the world's biggest cyberbank thefts, raising hopes of a previously unseen level of official co-operation in a country that has been a haven for criminals.

Other sources, for instance Bank Info Security News have confirmed that Sergei and Oleg were also arrested by the FSB at the same time.

Your Federal Friends on Facebook?

Pasquale Manfredi isn't exactly a nice guy. The authorities have wanted to arrest him for some time because of his naughty habits such as assassinating his enemies by shooting a bazooka at their car. The Daily Mail says that he also maintained a Facebook account under the name "Georgie", with Al Pacino's "ScarFace" as his Profile picture. According to The Register, authorities used intelligence gathered from his Facebook page to identify his location and successfully make the arrest.
(Image from Daily Mail)

The Associated Press's Richard Lardner followed up with a story about the way MySpace and Facebook are both being used as investigative goldmines. See his story Break the law and your new 'friend' may be the FBI.

Twitter Hacker in France

"Hacker Croll" an unemployed 25-year-old hacker who lived with his parents had his moment of fame after breaking into the Twitter accounts of President Obama and Britney Spears. The AP story says he was arrested by French police, who have released him to reappear on June 24th for his trial. The hacker calls himself "more of a pirate than a hacker", and has explained his method to the police. French prosecutor, Jean-Yves Coquillat, says the young man was acting on a bet, and that he is "the sort who likes to claim responsibility for what he's done." According to an AFP Story TechCrunch had received more than 300 documents belonging to Twitter employees that were provided by Hacker Croll. Twitter has acknowledged that they seem legitimate.

Monday, March 22, 2010

Most Dangerous Cities for Cyber Crime?

Symantec Riskiest Cybercrime Cities

Symantec released a study today in conjunction with Sperling's Best Places. According to their Executive Summary, to make their list they considered a number of factors, including:

- Number of malicious attacks
- Number of potential malware infections
- Number of spam zombies
- Number of bot infected computers
- Level of Internet Access
- Expenditures on computer hardware and software
- Wireless hotspots
- Broadband connectivity
- Internet usage
- Online purchase

The report lists the Ten Riskiest Cities, and then gives a list of recommendations, the first of which is of course to buy security software (#2 is to keep your computer patched, and #3 is to stay educated about current threats; they recommend www.everyclickmatters.com for that). I actually would add to that recommendation that geeks should read this blog and non-geeks should visit StaySafeOnline.org, a great site by the NCSA that has advice for home users, K-12, higher ed, and small business users.

Here's the Top Ten "Riskiest Cities for Cyber Crime":

1. Seattle
2. Boston
3. Washington DC
4. San Francisco
5. Raleigh
6. Atlanta
7. Minneapolis
8. Denver
9. Austin
10. Portland

PC World's JR Raphael reported today on The 50 Riskiest Cities for Cybercrime in America, from the same Symantec report. Disappointed that your city is not on the list? I was too. No Birmingham, Alabama, which points out a flaw in the methodology: the Symantec report assumes that the greatest dangers are in the most wired cities (the rate goes up with broadband adoption, wifi hotspots, etc.).

I honestly believe that a different look at the numbers would show that rates of cybercrime are higher in places with higher populations of retired computer users, a lower education (or at least CYBER education) level, and places where computers have only recently been added to the home and are new to concepts of email and online banking. These are likely to be the exact opposite places as found in the Symantec report.

Just to look at a couple of examples . . .

Symantec says Seattle is #1 for Cybercrime.
The FTC Consumer Sentinel put them at #78 for complaints about Fraud.
The FTC Consumer Sentinel put them at #148 for complaints about Identity Theft.

Symantec says Boston is #2 for Cybercrime.
The FTC Consumer Sentinel put them at #254 for complaints about Fraud.
The FTC Consumer Sentinel put them at #252 for complaints about Identity Theft.

Symantec says Washington DC is #3 for Cybercrime.
The FTC Consumer Sentinel put them at #36 for complaints about Fraud.
The FTC Consumer Sentinel put them at #82 for complaints about Identity Theft.

Symantec definitely considers other factors that WOULD increase with higher rates of adoption: bots like high-speed broadband, and if you have more computer users, you'll have more spammers, etc. They are in a unique position to model that, and I give them their due for studying their numbers and sharing them with the public. But . . . I think when most people think about cyber crime risk, they want to know if they are going to have their money or their identities stolen. The Symantec model just doesn't answer that question very well.

What is the FTC's Consumer Sentinel? Funny you should ask!

FTC's Consumer Sentinel Report

One way of spot-checking the data would be to review what the likely threats are in each city based on actual criminal complaints. It's called the "Consumer Sentinel" report from the Federal Trade Commission. Each year about this time, the FTC puts out its annual report gathered from a variety of sources, including the FBI's Internet Crime Complaint Center (IC3.gov), one of the best places a consumer can report cyber crime victimization.

This year's Consumer Sentinel Network Data Book for January - December 2009 was released on February 22nd. 1.3 million complaints were received, including 721,418 complaints of online fraud made to the network, with 630,604 victims reporting average losses of $2,721, for a total of $1.7 billion in fraud losses last year.

48% of those frauds were originated by email - part of the reason that the UAB Spam Data Mine is such an important part of our research at UAB. With $850 Million worth of fraud being linked to email last year, we think email-based crimes are well worth studying.

The Consumer Sentinel report breaks down complaints per capita on a state-by-state basis in the categories of "Identity Theft" and "Fraud & Other Complaints".

The Top Ten states for Identity Theft:
# per 100,000 residents
1. Florida 122.3
2. Arizona 119.4
3. Texas 116.4
4. California 114.2
5. Nevada 106
6. New Mexico 98
7. Georgia 97.2
8. New York 95
9. Colorado 93.8
10. Illinois 91.8
(17. Alabama) 76.2

Top Ten States for Fraud & Other Complaints
# per 100,000 residents
1. Nevada 412.9
2. Arizona 412.4
3. Texas 397.2
4. California 393.6
5. Nevada 391.7
6. New Mexico 377.7
7. Georgia 376.1
8. New York 369.3
9. Colorado 366.8
10. Illinois 361.9
(20. Alabama) 296.1

Top Ten Large Metropolitan Areas for Fraud and Other Consumer Complaints
# per 100,000 residents
1. Mount Vernon-Anacortes, WA 684.7
2. Dunn, NC 684.3
3. Greeley, CO 656.8
4. Boulder, CO 640.5
5. Allegan, MI 631.4
6. Gainesville, GA 625.5
7. Roseburg, OR 618.5
8. Thomasville-Lexington, NC 617.8
9. Eugene-Springfield, OR 564.9
10. Montgomery, AL 549.8
171. Birmingham-Hoover, AL 351.5

Top Ten Large Metropolitan Areas for Identity Theft Complaints
# per 100,000 residents
1. Brownsville-Harlingen, TX 262.4
2. McAllen-Edinburg-Mission, TX 247.4
3. Laredo, TX 196
4. Miami-Fort Lauderdale-Pompano Beach, FL 193.2
5. Madera, CA 180.9
6. Dunn, NC 173.8
7. Merced, CA 172.7
8. Corpus Christi, TX 171.3
9. Greeley, CO 169.4
10. Bakersfield, CA 168.2
11. Visalia-Porterville, CA 168.2
12. Thomasville-Lexington, NC 160.4
13. Montgomery, AL 155.8

Consumer Reports "State of the Net"

I first heard about the Consumer Reports "State of the Net" survey when I attended the National Press Club kick-off for "October is Cyber Security Awareness Month" in 2008 and met Jeffrey Fox, the Consumer Reports Technology Editor. I was amazed by the quality of the data! Finally we could make some reasonable statements about the level of phishing losses to consumers! We'll hopefully see the 2010 edition soon, but in the meantime, let me recommend their work from June 2009, Boom Time For Cybercrime, where they estimate the cost of cybercrime at $8 billion per year.

Why is their number so much larger than the number from the Federal Trade Commission Report? The FTC report is ACTUAL VICTIMS who have taken the time to report their victimization to one of the agencies represented in the Consumer Sentinel. The Consumer Reports model builds a statistically supported model and surveys enough folks to project across the entire US population. For instance, Consumer Reports says that 1 in 13 online households in the US knows that they gave their personal information to a phisher during the previous two years, and that 1 in 7 of these lost money (so 1 in 90 households lost money to phishing - or roughly $483 Million). Their costs also include other damages however, such as the fact that 1 in 12 households replaced a computer in the past six months due to "serious problems" with viruses or spyware ($1.7 Billion), and that 1 in 7 households had experienced a "serious" virus problem ($5.8 Billion in clean-up costs).

Alabama's Top Cities for Fraud and Identity Theft

Here's a little special section for friends in Alabama (where UAB is based).

Alabama had 8,546 Fraud Complaints, for $13,739,250 in losses last year.
Alabama also had 3,586 Identity Theft Complaints.

For Fraud, our "Metropolitan Areas" on the list were:

#10. Montgomery 2,012 complaints / 549.8 per 100,000
#101. Huntsville 1,539 complaints / 398.1 per 100,000
#139. Gadsden 387 complaints / 374.9 per 100,000
#171. Birmingham-Hoover 3,895 complaints / 351.5 per 100,000
#206. Anniston-Oxford 378 complaints / 334.2 per 100,000
#212. Decatur 496 complaints / 332.3 per 100,000
#217. Auburn-Opelika 430 complaints / 329.5 per 100,000
#247. Tuscaloosa 650 complaints / 316.7 per 100,000
#256. Daphne-Fairhope-Foley 535 complaints / 311.5 per 100,000
#258. Dothan 431 complaints / 309 per 100,000
#272. Mobile 1,235 complaints / 305.4 per 100,000
#336. Florence-Muscle Shoals 391 complaints / 273.1 per 100,000

For Identity Theft in Alabama

#13. Montgomery 570 complaints / 155.8 per 100,000
#77. Tuscaloosa 221 complaints / 107.7 per 100,000
#130. Birmingham-Hoover 1,023 complaints / 92.3 per 100,000
#136. Gadsden 94 complaints / 91.1 per 100,000
#141. Dothan 125 complaints / 89.6 per 100,000
#160. Anniston-Oxford 98 complaints / 86.6 per 100,000
#176. Mobile 339 complaints / 83.8 per 100,000
#188. Auburn-Opelika 107 complaints / 82 per 100,000
#210. Decatur 116 complaints / 77.7 per 100,000
#219. Daphne-Fairhope-Foley 130 complaints / 75.7 per 100,000
#312. Florence-Muscle Shoals 83 complaints / 58 per 100,000
#315. Huntsville 218 complaints / 56.4 per 100,000

Thursday, March 11, 2010

PKK Hackers Arrested in Turkey

Hacker sites and foreign press are picking up the story today of the arrest of at least 23 hackers in 13 different provinces in Turkey. The news was first seen in Russian on 09MAR2010, but is now spreading into the English speaking press, with more details available.

News.AZ ran the story 23 Kurdish hackers arrested in Turkey, which provides some basic facts: the hackers are associated with the Kurdistan Workers' Party, or PKK, and were taken to Diyarbakır for further questioning. This article calls the hacker team the "Cold Attack Team", and says that it took orders from leaders in Kandil in Iraq and in Europe regarding what websites to hack and what messages to place there. It also mentions that the hackers distributed a PowerPoint attachment via email which would trojan the reader's computer.

It is unknown if this story is related to news first released in February about another PKK hacker. A story in Today's Zaman provides a bit more depth, PKK hacker faces up to 10 years in prison, identifying the leader of a PKK hacker group as having been apprehended on November 14th, and charged with "acquiring state secrets and confidential documents on behalf of the PKK terrorist organization". The indictment unveiled by a Diyarbakır prosecutor reveals that the hacker, who they call by his initials, R.Ç., had classified documents on his computer belonging to Turkey's National Intelligence Organization, the Milli Istihbarat Teskilati (MİT), and evidence that the hacker had an "online friendship" with Murat Karayılan, who leads the PKK in northern Iraq. R.Ç. claims he was introduced to Murat by a friend in France, and that they gained the classified documents through "computer virus programs he placed on pornographic Web sites visited by army members."

Mr. WaGrAnT is probably a member of the group - a YouTube tribute to his hacks, posted by "KurdishKANGAL58" back in August shows many examples of his works, under the title: Cold Hackers Kυrdish Hαcкєяѕ Gяσυρ 2σσ9, but there are actually many other Kurdish hacker tributes, including this one that gives you a nice exposure to Kurdish rap music: Kurdish Hacker " Mr.WaGRaNt " Dünyaya Karsi.

COLDHACKERS VE THT YANI TOLHILDAN HACK TEAM UNLU KURD HACK GRUBU TURKLERIN SANAL KABUSU is one of many other sites, which actually shows the group name "ColdHackers" where they call themselves "Cyber Median's Guerillas".

Zone-H statistics for the ColdHackers gives them credit for 2,661 website defacements on 1,230 unique computers, including 3 hacks in the past 48 hours.


The team's website, ColdHackers.team-forum.net is still live as of this writing. Members share their PKK pride with avatars such as this one:

Someone on the team also maintains their "cold-hackers.spaces.live.com" website at Microsoft -- which has this example of their photoshop abilities. Famous hackers need a good PhotoShop team!

This image is from their defacement in December of a Turkish government website:

Wednesday, March 10, 2010

HM Revenue & Customs Refund Portal - Ten Phish in One

This morning I was reading a report from Kenneth Paschal, a member of the UAB Phishing Operations research team, that contained an interesting group of new phishing sites. The campaign advertises an "HM Revenue & Customs" page using an email with this message body:

After the last annual calculations of your fiscal activity, we have determined that you are eligible to receive a tax refund of 988.50 GBP. Please submit the tax refund request and allow us 2-3 days in order to process it.

Click Here to submit your tax refund request

Note : A refund can be delayed a variety of reasons, for example submitting invalid records or applying after deadline.

Best Regards

HM Revenue & Customs

The so-called "Tax Refund Portal" looks like this:

Each of the icons takes the visitor to a very professional-looking phishing site to have the credentials for that bank stolen. The banks currently making up the pool include:

Lloyds TSB
Royal Bank of Scotland
Egg Bank
Alliance & Leicester

In most cases the URL advertised in the phishing email is actually a forwarder to another location. For instance, the most recent phish from today forwarded to this site to show the actual content:

hxxp://daegups.com/bbs/data/bbs2/folder/folder/New Folder/United2/Folder/Folder/Folder/Folder/Folder/Folder/Folder/empty/empty/empty/United2/United/United/United/index.htm

We had previously seen seventeen such phishing sites, in July and August of 2009, but the front had been quiet until March 1st. A quick peek into the UAB PhishURLs database shows that we're seeing an escalating number of these sites being created.


The UAB Spam Data Mine had samples in our March 6th spam at the 12:30 AM, 1:30 AM, 4:30 AM and 5:45 AM spam collections for "planet-promo.de/roxx/logs/hmrc/hmrc/refundportal.htm". After that site was terminated, the bad guys relaunched in our 12:15 PM spam collection with "www.examsheets.net/images/hmrc/hmrc/refundportal.htm". Many others have followed since.

We'll continue to watch for emerging patterns like this one, and share with you what we find. For now, be wary of this "Tax Refund Portal"!

Monday, March 08, 2010

Energizer DUO: Trojan yourself for only $19.99

(image from EnergizerRecharge.eu)

The Energizer DUO, a USB-powered battery recharger, was confirmed on Friday by Energizer Holdings to contain malicious code. According to this Energizer Press Release, they were notified by the CERT Coordination Center that the Windows software that ships with their DUO Charger "contains a vulnerability".

Energizer has discontinued sale of this product and has removed the site to download the software. In addition, the company is directing consumers who downloaded the Windows version of the software to uninstall or otherwise remove it from their computers, which will eliminate the vulnerability. CERT and Energizer also recommend that users remove a file that may remain after the software has been removed: Arucer.dll, which can be found in the Windows system32 directory.

Energizer is currently working with both CERT and U.S. government officials to understand how the code was inserted in the software. Additional technical information can be found at http://www.kb.cert.org/vuls/id/154421.

Apparently Unix tutorial author Ed Schaller was the one who reported the malware to US-CERT. US-CERT then asked Symantec to evaluate the malware, which was written up by Liam Murchu in the Symantec Security Response Blog.

According to the US-CERT article, Arucer.dll is launched in the traditional way, with a "rundll32" call from the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key.

The hashes for the malware file, Arucer.dll, which is 28,672 bytes in size, are:

MD5: 1070be3e60a1868d2cd62fc90d76c861
SHA1: d102b1d2538d8771be85403272e5a22a4b3f81ad

US-CERT indicates that the file properties indicate the file was written on a Chinese computer. (Language set = 0x0804)

The detection of that malware as of last night is still pretty sketchy according to VirusTotal. The VirusTotal report for Arucer.dll showed that only 9 of 42 anti-virus products would have triggered on this malware. Microsoft, Sunbelt, and Symantec are now detecting it as "Arugizer" (or "Arurizer" in Microsoft's case). F-Secure, Fortinet, McAfee, and Sophos are also detecting it.

Although Symantec's Liam indicates they were able to download the software from the Energizer website on Friday, all links we could find for the downloadable package, formerly at:
now redirect to an Energizer homepage.

If you REALLY want to trojan yourself, perhaps your best bet is to buy one of these systems from a third party, such as Amazon.com who still offers Energizer Charger USB Duo for $16.99.

Symantec reports that after infection, the machine begins to listen on port 7777. Valid commands which can be sent to that port take the form of XOR'ed CLSIDs; Symantec's write-up lists the nine values.


US-CERT has released Snort rules for these various detects, which it has named:

- Arucer Command Execution
- Arucer DIR Listing
- Arucer WRITE FILE command
- Arucer READ FILE command
- Arucer NOP command
- Arucer FIND FILE command
- Arucer YES command
- Arucer ADD RUN ONCE command
- Arucer DEL FILE command

which seems to indicate a wide range of capabilities for this trojan.
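As an added endpoint-triage example (not code from the post, US-CERT or Symantec), the script below checks the three indicators the post gives for this trojan: a Run-key launch of Arucer.dll through rundll32, the published size/MD5/SHA1 of the file, and a TCP listener on port 7777. The sample registry entries and netstat excerpt are constructed; the Run value name, the DLL export name and the PIDs are assumptions.

```python
"""Triage helper for the Energizer DUO / Arucer.dll backdoor.

Added example, not code from the post, US-CERT or Symantec. The hashes,
size, Run-key launch and port 7777 are the indicators quoted in the post;
the sample registry entries and netstat output are constructed.
"""
import hashlib
import re
import subprocess
import sys

# Indicators quoted in the post
KNOWN_MD5 = "1070be3e60a1868d2cd62fc90d76c861"
KNOWN_SHA1 = "d102b1d2538d8771be85403272e5a22a4b3f81ad"
KNOWN_SIZE = 28672
BACKDOOR_PORT = 7777
RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"  # under HKLM

# A rundll32 launch of Arucer.dll, regardless of casing, quoting or path
ARUCER_RUN_RE = re.compile(r"rundll32(\.exe)?\b.*arucer\.dll", re.IGNORECASE)


def hash_matches(data):
    """Compare file contents against the published size, MD5 and SHA1."""
    return {
        "size": len(data) == KNOWN_SIZE,
        "md5": hashlib.md5(data).hexdigest() == KNOWN_MD5,
        "sha1": hashlib.sha1(data).hexdigest() == KNOWN_SHA1,
    }


def suspicious_run_entries(entries):
    """entries: iterable of (value_name, command) pairs read from the Run key.
    Returns the pairs whose command loads Arucer.dll through rundll32."""
    return [(name, cmd) for name, cmd in entries if ARUCER_RUN_RE.search(cmd)]


def listeners_on_port(netstat_output, port=BACKDOOR_PORT):
    """Parse `netstat -ano` output; return PIDs with a TCP listener on port.
    Columns: Proto, Local Address, Foreign Address, State, PID. The local
    address may be IPv4 (0.0.0.0:7777) or bracketed IPv6 ([::]:7777)."""
    pids = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].upper() != "TCP":
            continue  # header line, UDP sockets (no State column), noise
        local, state, pid = parts[1], parts[3], parts[4]
        if state.upper() == "LISTENING" and local.rsplit(":", 1)[-1] == str(port):
            pids.append(int(pid))
    return pids


def triage(run_entries, netstat_output, dll_bytes=None):
    """Combine the indicators into one verdict an analyst can act on."""
    hits = suspicious_run_entries(run_entries)
    pids = listeners_on_port(netstat_output)
    hashes = hash_matches(dll_bytes) if dll_bytes is not None else None
    return {
        "run_key_hits": hits,
        "port_7777_pids": pids,
        "hash_matches": hashes,
        # A SHA1 match is conclusive; either of the other two is enough to escalate.
        "likely_infected": bool(hits) or bool(pids) or bool(hashes and hashes["sha1"]),
    }


# Constructed samples: one clean autorun beside a hypothetical Arucer launch
# (value name and export are made up), and a netstat excerpt with made-up PIDs.
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("Arucer", r'rundll32.exe "C:\Windows\system32\Arucer.dll",ModuleStart'),
]
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       2460
  TCP    192.168.1.20:49811     203.0.113.5:443        ESTABLISHED     3120
  UDP    0.0.0.0:5355           *:*                                    1104
"""


def collect_live_windows_state():
    """On a Windows host, read the real HKLM Run key and netstat output."""
    import winreg  # Windows-only module, imported lazily
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # raised once all values have been enumerated
                break
            entries.append((name, str(data)))
            i += 1
    netstat = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    return entries, netstat


if __name__ == "__main__":
    if sys.platform == "win32":
        run_entries, netstat = collect_live_windows_state()
    else:  # off Windows, demonstrate on the constructed samples
        run_entries, netstat = SAMPLE_RUN_ENTRIES, SAMPLE_NETSTAT
    print(triage(run_entries, netstat))
```

On a live Windows host, pass the bytes of a recovered system32\Arucer.dll as `dll_bytes` to get the conclusive hash comparison alongside the two behavioural checks.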

Gregg Keizer wrote a nice piece for ComputerWorld on this topic: Energizer Bunny's software infects PCs, which reminds us that in 2007 Seagate shipped trojaned drives, and Apple shipped some trojaned iPods, and that in 2008 Best Buy sold Digital Picture frames with attack code in them.

Thanks to @EdNadrotowicz for the Twitter tip-off on this story...

Friday, March 05, 2010

RSA Keynotes: Howard Schmidt

I've always regretted not attending the RSA conference with more than 500 speakers in 15 different tracks, and perhaps never so much as this year. A special disappointment was not attending the Secure Computing Awards dinner where this year they gave out their first Blogger Awards, including "Most Popular Security Blogger", which was awarded to Gary Warner, author of Cybercrime & Doing Time! Thanks to my friends and readers who voted.

The "Best Corporate Security Blog", went to Proofpoint for their Email Security Blog. The other contenders in my category included two of my favorite security bloggers -- Brian Krebs for his blog Krebs on Security, and fellow spam-researcher Graham Cluley for his Blog at Sophos. Bruce Schneier's Schneier on Security and Securosis rounded out the ballot for Most Popular Security Blogger.

This week I'll be summarizing some of the RSA Keynotes, starting with Howard Schmidt's RSA keynote.

Howard Schmidt - U.S. Cybersecurity Coordinator

I was excited when the announcement was made that Howard Schmidt was the new Cybersecurity Coordinator for President Obama, primarily because I've had the chance to see this man's passion for cybersecurity. Howard and I are both InfraGard members, and one of the most impressive times I saw him was in Knoxville, Tennessee where we were back-to-back speakers for their "October is Cybersecurity Awareness Month" conference. Not only was Howard speaking there, he actually had 40 speaking engagements during the 31 days of the month to address audiences about the importance of Cybersecurity Awareness! I can't think of a more energetic or appropriate person to be in this new position!

Howard began his talk with a discussion of the evolution of cyber security, comparing it to the evolution of fire fighting. He described how after people got tired of watching buildings burn down, we started building them near rivers so we could have a ready source of water to try to put out the fire. Then we had a volunteer fire department that could help prevent things from burning to the ground. We trained them how to put out fires. Later we started looking at how to keep fires from being so devastating. We came up with "building codes" to make less flammable buildings. Why do we still have anything that can catch on fire in a building? Because we have to. Since we couldn't stop every fire, we put sprinkler systems in buildings. Will things still catch on fire? Sure. But hopefully we'll put them out quickly.

Then he made all the similar cybersecurity comparisons, leading up to his new role in the administration, representing President Obama, and working with Intelligence, Law Enforcement, Defense, and civil agencies to try to build a Secure, Trustworthy, and Resilient computing infrastructure.

In many ways his new job is to respond to the Near Term action items on the Cyber Policy Review completed by Melissa Hathaway. He used most of his talk to provide an update on the ten items:

1. Appoint somebody - (Howard)
2. Update the strategy -
3. Bring private industry into the discussion
- new FISMA performance metrics
- acknowledges that you can be FISMA compliant and not secure
- new guidelines work toward real-time security awareness
4. Appoint privacy & civil liberties person
5. Review legal issues regarding their work
6. Create a national and international security awareness policy
- national awareness (DHS)
- formal cybersecurity education (DOE)
- federal workforce structure (OPM/DOD)
- national workforce training (DHS/DOD/DNI)
7. International cybersecurity policy
8. Cybersecurity Incident Response Plan
9. Develop a framework for Research & Development (NIST, DHS S&T)
10. Cybersecurity based identity management strategy

(The fully described ten-item "Near Term Action Plan" is given in the 76-page Cyberspace Policy Review final report.)

He also discussed the "open information" approach of President Obama's administration. I recall attending a briefing by Cornelius Tate in 2008 where he talked about EINSTEIN and the Trusted Internet Connections program for one of the first times publicly. Even then, all he could say about the other ten initiatives of the CNCI was that they were classified.

The Comprehensive National Cybersecurity Initiative (CNCI) has been reclassified so that we at least know what the twelve areas of the CNCI are. (These are now available on WhiteHouse.gov/cybersecurity/ => CNCI (html) or CNCI (pdf))

Wednesday, March 03, 2010

Spamming Botnets - Strategies welcome

Several mailing lists have been buzzing in the aftermath of the recent shutdown attempts against the Waledac network. The results of this shutdown can best be seen by visiting the Waledac tracker run by our friend Jeremy at SudoSecure.

Prior to the action of Microsoft's Digital Crimes Unit in their Operation b49, Waledac was propagating itself with more than 200 Chinese-registered domain names, and was found just in December to have sent more than 651 million emails just to hotmail.com recipients! In response to their action in court, "Microsoft Corporation v. John Does 1-27", the unusual motion was granted to have Verisign terminate the domains in light of the refusal of China Springboard to cooperate. In the days immediately following this action, the final few domain names were terminated, most recently "frostep.com" and "walkali.com".

Waledac was a peer-to-peer (P2P) botnet that used fast-flux hosting of Chinese-registered domain names in order to guarantee itself a long life. Waledac was often called the successor to the Storm botnet because the bots do not communicate directly with the "true" Command & Control, but rather hold a "peer list" with which they are in constant contact. Bots make queries either to their hard-coded peers, or by asking one of the bot-controlled domain names for a file, usually a .gif, .jpg, or .png file. Instead of receiving back a graphics file, however, they receive a custom-coded reply which either gives them an instruction, or causes them to update their spam template or recipient email list.
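The detail that matters to a defender in the description above is that the "image" the bot fetches is not an image at all. One cheap network-side check is to verify that a response served for a .gif/.jpg/.png URL actually begins with that format's magic bytes. The snippet below is an added example written for this post, not code from the Waledac research teams or from UAB; the proxy records it scans are constructed and labelled as such.

```python
# Flag HTTP responses that were requested as images but do not carry image
# magic bytes, the pattern described for Waledac's disguised C&C replies.

# File-format signatures for the three image types named in the post.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

# Constructed sample records: (client IP, requested URL, first bytes of body).
# Hostnames and bodies are invented for illustration, not real Waledac traffic.
SAMPLE_RECORDS = [
    ("10.0.0.5", "http://cdn.example.test/logo.png", b"\x89PNG\r\n\x1a\nIHDR"),
    ("10.0.0.7", "http://flux.example.test/update.jpg", b"<xml><cmd>spam</cmd>"),
    ("10.0.0.9", "http://flux.example.test/banner.gif", b"GIF89a\x01\x00"),
    ("10.0.0.9", "http://flux.example.test/peers.png?id=4", b"\x00\x02\x99\x12"),
]


def extension_of(url):
    """Lower-cased extension of the URL path, ignoring query and fragment."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    idx = path.rfind(".")
    slash = path.rfind("/")
    return path[idx:].lower() if idx > slash else ""


def looks_like_image(ext, body_prefix):
    """True/False for a known image extension; None if not an image request."""
    sigs = IMAGE_MAGIC.get(ext)
    if sigs is None:
        return None
    return any(body_prefix.startswith(s) for s in sigs)


def find_disguised_replies(records):
    """Return (client, url) pairs where an image request got a non-image body."""
    hits = []
    for client, url, body_prefix in records:
        if looks_like_image(extension_of(url), body_prefix) is False:
            hits.append((client, url))
    return hits


def clients_with_repeats(hits):
    """Clients seen fetching more than one disguised reply rank as higher confidence."""
    counts = {}
    for client, _ in hits:
        counts[client] = counts.get(client, 0) + 1
    return sorted(c for c, n in counts.items() if n > 1)


if __name__ == "__main__":
    for client, url in find_disguised_replies(SAMPLE_RECORDS):
        print(f"{client} fetched non-image body from {url}")
```

Real proxies often log only headers, so this check needs body captures (or at least the first few bytes), and a legitimate server that sends an error page for a missing image will also trip it; the repeat count is there to separate the two.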

Some excellent research has been performed on Waledac in recent months, including the "Walowdac" research project led by Thorsten Holz and researchers at the University of Mannheim and the University of Vienna (Ben Stock, Jan Gobel, Markus Engelberth, Felix Freiling). Their custom-crafted Waledac clone was able to fully communicate with the botnet but did not send spam. They found that Waledac had an average size of 55,000 active bots on any given day (August 6, 2009 - September 1, 2009).

At UAB we had mostly focused on alerting the public of various attempts by the Waledac network to spread itself via email, including:

- 2009 New Years greetings
- Fake coupon offers
- Fake Reuters story about a Terrorist bomb
- an SMS Spy program
- Independence Day Fireworks
- 2009 Christmas / 2010 New Year's cards

What Next?

Unfortunately, while Waledac was at various times in the past year a "Top Ten Spam Botnet", the biggest botnets are orders of magnitude larger and still spamming like crazy.

Michael Kassner and Terry Zink have both been blogging on the current situation. Kassner gave a list of the Top 10 spam botnets: New and Improved over at TechRepublic, largely based on Terry's series Which botnet sends the most spam? over on MSDN in his Anti-malware Blog.

The Top Ten list, from their perspective, includes:

Bot Names                  # of Bots    Spam Per Day
Grum                       600,000      40 billion
Bobax (aka Kraken)         100,000      27 billion
Pushdo/Cutwail/Pandex      ?            19 billion
Rustock                    2,000,000    17 billion
Bagle/Beagle/Mitglieder    500,000      14 billion
Mega-D/Ozdok               50,000       11 billion
Maazben                    300,000      2.5 billion
Xarvester                  60,000       2.5 billion
Donbot                     100,000      800 million
Gheg                       60,000       400 million

Are those numbers "true"? Every security company has a different opinion on the size and strength and spam volume of the various botnets. What I can say is "their estimates are based on sound logic".

One of my personal favorites for sizing spamming botnets is the guys over at M86 Security with their weekly chart called Tracking Spam Botnets. Here's their most recent graphic:

Looking at the historical data over at their website, although we can talk about the Top Ten, Rustock has been the top spamming botnet since at least July, and currently is responsible for 50.7% of all the spam on the planet! I've challenged this over-emphasis on Rustock with their researchers, actually while they were still "Marshal", and as I said above, "their estimates are based on sound logic".

Another of my favorite spam trackers is MessageLabs. These guys produce fantastic intelligence that is quite accessible in their monthly Messagelabs Intelligence Reports. I'll call special attention to their 2009 Annual Security Report which had as a major theme "Botnets Bounce Back with Sharpened Survival Skills".


Those of you who have heard me speak in person know that I believe the answer to these botnets and their continued survival must be the Criminal Justice process. When McColo was shut down (see Analyzing the Aftermath of the McColo Shutdown or Brian Krebs' Major Source of Online Scams and Spams Knocked Offline) spam had a significant world-wide drop in volume, but it rebounded. Why? Because no bad guys went to jail.

Our friends at FireEye are doing amazing botnet work (see their blog @ FireEye Malware Intelligence Lab), but without convictions, even successful botnet takedowns, like their work on Smashing the Mega-D/Ozdok Botnet, eventually rebound.

(by the way - FireEye has the best low-down on the Pushdo/Cutwail botnet and its current Command & Control structure.)

Cautions are already being expressed, as a result of the Waledac take-down, that by using TECHNOLOGY to do the takedowns instead of CRIMINAL JUSTICE APPROACHES we are just helping to rapidly evolve the capabilities of the various cyber criminals who make their living through spam.

We have to move from DISABLING the C&C networks to MONITORING the C&C networks. Bad guys need to stop worrying about having to lease new servers, and start worrying about the long arm of the law knocking at their door. It's why we do what we do the way we do at UAB. Our Computer Forensics Research program partners the Computer & Information Sciences department with the Justice Sciences department, and draws heavily on graduate students and faculty members from both departments to help make a better informed and better equipped cybercrime investigator, with the goal of changing the way we fight cybercrime.


Today Panda Labs released details of the takedown of the Mariposa Botnet. This botnet, run by the DDP Team (Días de Pesadilla Team), had a shocking discovery at the end - TWELVE MILLION IP addresses were making regular contact with the C&C servers! From the article:

"On February 3, 2010, the Spanish Civil Guard arrested Netkairo. After the arrest of this 31-year-old Spaniard, police seized computer material that led to the capture of another two Spanish members of the gang: J.P.R., 30, a.k.a. “jonyloleante”, and J.B.R., 25, a.k.a. “ostiator”. Both of them were arrested on February 24, 2010."

The AP also issued a story about the arrests: Authorities bust 3 in infection of 13M computers. Fox News also ran a story, Malicious Botnet Found in 50 of Fortune 100.

Congratulations to the Spanish Civil Guard, Panda Labs, and the other members of the Mariposa Working Group (Defence Intelligence, and the Georgia Tech Information Security Center).

A technical analysis of the Mariposa botnet is available from Defence Intelligence.