Sunday, April 25, 2010

Iranian "Sun-Army" attacks NASA and JDA

What do NASA, the US space agency, and the Jerusalem Development Authority of the Israeli government have in common? They've both been attacked this week by the new Iranian hacking group, "Sun-Army".

The defacement archive Zone-H.org reports that this group's first recorded hacks were on February 17th, one more on February 27th, and then on February 23rd it defaced:

maorm.larc.nasa.gov
pic.larc.nasa.gov
fabrication.larc.nasa.gov
ohcm.larc.nasa.gov
sw-eng.larc.nasa.gov
cmar.larc.nasa.gov
careertalk.larc.nasa.gov
oea.larc.nasa.gov
technologygateway.nasa.gov

www.zhemgang.gov.bt
www.jda.gov.il



Their earlier defacements accuse "traitors to the Islamic Republic of Iran" and quote the Quran, citing "Sura Araf verse 179".

The verse quoted says, "And in the law of retaliation there is saving of life for you, O' people of understanding, so that you may guard yourselves against evil." (That wording is verse 179 of Sura Al-Baqarah, the second sura, not of Sura Al-A'raf, whose verse 179 is a different passage; the citation and the quoted text do not match.)

(This verse was a teaching meant to end tribal feuds: before the Quran, when someone was killed his family would seek vengeance by killing as many of the murderer's tribe as they could. The passage teaches that retaliation should be one for one: the wronged party may take limited vengeance, but once retaliation has been achieved there should be no ongoing feud. Lives are saved by limiting the retaliation.)

Here is their defacement of the Jerusalem Development Authority:



The current NASA defacement contained this English language text:

In The Name Of God

The Nasa organization which is funded by Usa and plays an important role not only in the most of scientific fields but also in many other projects like "Star Wars" which was aimed to weeken the former soviet union , now has come down to its knees toward
the scientific level of young iranians and iran , the birth place of Cyrus the great, who formed the biggest empire the world has ever seen.

the scientific apartaide which is imposed by Usa and it alies can never prevent us from progressing in international scene , special peaceful nuclear energy.

We Congratulate You On The Occasion Of Worlds Astronomical Day


The same message is repeated in Persian, with the following line added at the end:

که ایران و ایران زمین زنده باد /// سر افراز و جاوید و پاینده باد
(roughly: "May Iran and the land of Iran live on /// proud, immortal and everlasting")

I can't seem to translate that well with Google Translate; it is rendered as:

Iran and the Iranian Live Earth / / / partition and the eternal and lasting head wind

(If you can provide a better translation, please let me know! gar at uab dot edu)



The more recent defacement points to the Sun-Army.com website, shown here:



The Sun-Army says on their website that they were created by inviting the leaders of many influential hacking groups to join forces under the new name to support Iran's security and the Quran. They claim the group was created on February 26, 2010.

Mehdy007 is a fairly regular visitor to the Iranian hacking site, Ashiyane Digital Security. One of his posts, from August 2009, shows him uploading links to a set of 55 hacking videos on a wide-range of hacking topics. On February 24th of this year he was sharing SQL Injection attack techniques with the group, one of which he demonstrated by hacking "sciencescotland.org"

Nitrojen26 also is a member at Ashiyane, and has in the past used the Yahoo email address "Nitrojen26@yahoo.com"

The.Mo3tafA, Nitrojen26, and BodyGuard all regularly show up on pages defaced under the name "Ashiyane Digital Security Team" along with Behrooz_Ice and Q7x, with this trademark logo:



MagicCoder is the relative newcomer to the group, though he has done some solo-hacking according to his Zone-H stats, and has his own logo as well:



He uses the Gmail address magicc0d3r@gmail.com.

PLUS is an unknown for me. Great hacker name, since it's basically impossible to Google-search. He's been involved as a named party on a number of "team defacements" for Ashiyane, including ones that left this fairly recent tag:



On defacements that use that image, the message in Persian and English is:

Our belligerence is religious and does not own any borders, thus we are here as long as atheism and blasphemy exist. We do know that effrontery of blasphemy to Imam Khomeini is what that only you can do. This is just a warning to your governmental sites!


The list of members on those hacks is:
Behrooz_Ice -Q7x -Sha2ow -Virangar -Nitrojen26 -BodyGuard -tHe.Mo3tafA MagicCoder -0261 -Ali_Eagle -PLUS -Jok3r -System.Fehler
We Love Iran
Ashiyane Digital Security Team




The WHOIS registration information for Sun-Army.com lists the same email address as their defacements -- sun.army@asia.com -- as well as this address:

Sun Army
Sun Army (sun.army@asia.com)
Iranian Apartment. Azadi Sq. Tehran
Tehran
Zanjan,12365
IR
Tel. +009.2122532689

Domain servers in listed order:
ns4.mihanblog.com
ns3.mihanblog.com


The domain was registered by PublicDomainRegistry.com (DirectI Internet Solutions)

Those nameservers serve more than 700 other domains . . . mostly under the Iranian ccTLD, ".ir".

Many of those domains are listed as attack pages, such as "karrar.ir," which is described by Google SafeBrowsing as:

What happened when Google visited this site?

Of the 871 pages we tested on the site over the past 90 days, 37 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-04-25, and the last time suspicious content was found on this site was on 2010-04-22.

Malicious software includes 987 scripting exploit(s).

Malicious software is hosted on 4 domain(s), including link313m.persiangig.com/, link313m.blogfa.com/, bidel.ir.googlepages.com/.

2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including link313m.blogfa.com/, boxeshia-sonni.mihanblog.com/.

This site was hosted on 1 network(s) including AS30176 (PRIORITYCOLO).


Following the links from that SafeBrowsing page turns up warnings of malware being distributed via "sarzaminnews.mihanblog.com", "karrar.mihanblog.com", and "karrar.ir".

Saturday, April 24, 2010

Carders and Video Pirates?


Tuesday, April 20, 2010

Dmitry Naskovets of CallService.biz, Meet the FBI

CallService.biz Gets a New Website


On April 19th a friend sent me a Facebook link announcing that CallService.biz had been closed. The news was officially announced by the New York FBI on Monday, although the arrests happened on April 15th.

The website, even as of this writing, displays a new homepage that looks something like this:



When the FBI decided to take over the management of the CallService.biz website, they did a little relocation first. For some reason they didn't want to host it in Moscow, I guess. The old location, 212.158.162.5, is the home of such great websites as:

1001russian-bride.com, a fine site for buying your new Russian wife (you can talk to her first for only $5.99 per minute...)

and

AdmiralSlots.com, a casino that I'm assured by all of my spam is a great place to play. They have a wonderful affiliate program which will pay you 20% of the deposits of the customers you sign up. Errr... "Привлекая новых клиентов в наше казино, вы будете получать 20% от всех их депозитов, независимо от выигрыша." ("By bringing new customers to our casino, you will receive 20% of all their deposits, regardless of winnings.") Thankfully, they NEVER send spam. "Запрещена реклама с помощью спама и методами, противоречащими действующему законодательству и нормам морали." ("Advertising by means of spam, or by methods contrary to current law and moral norms, is prohibited.") See?

Tracking the various organizations that have hosted this criminal website sends us through such dark corners of the Internet as Net Access Corporation (NAC) in New Jersey (66.246.206.121), Garant Park Telecom (89.111.176.54) at Moscow State University, and Caravan.ru (212.158.162.5) also in Moscow.

CardingWorld.cc, also mentioned in the Indictment, is hosted at RusTelecom.biz and was registered using a clever Gmail account - cardingw@gmail.com - although originally the owner used the more discreet addresses cardingworld_cw@yahoo.com or cwivanov@googlemail.com.

The Indictment



The Indictment (thanks to ThreatLevel@Wired for providing a copy...saves me a couple bucks on my PACER account), says that Dmitry M. Naskovets (Дмитрий Насковец) resided in the Czech Republic and the Republic of Belarus and that he operated the online business CallService.biz with his co-conspirator, Sergey A. Semashko (Сергей Семашко), and that such business was "an online enterprise designed to help identity thieves profit from stolen financial data."

(Dmitry was arrested in the Czech Republic on April 15th. Sergey was arrested in Belarus the same day, while Lithuanian police seized the cardingworld.cc website related to the case, which was housed at 193.219.5.196, IP space belonging to Elneta, elnet.lt.)

From at least June 2007 up to and including April 2010, Naskovets and Semashko operated CallService.biz. Part of their service was to recruit English and German speakers to pose as authorized account holders in order to conduct or confirm fraudulent transactions on behalf of CallService.biz customers. The website allowed Russian speaking customers to place orders for these services. From the indictment:

Orders consisted of, for example, the name of the bank the user wanted to contact, the stolen account information that the user had illegally obtained, and instructions from the user as to what to say, or the fraudulent transaction that was to be conducted, during a phone call to the bank. NASKOVETS and his co-conspirators would assign an appropriate individual, including one who was the same gender and spoke the same language as the authorized account holder. After the requested call was made, NASKOVETS and his co-conspirators would report the results to the CallService.biz user, who could issue instructions for further telephone calls, if necessary.


The indictment quotes from an advertisement that Semashko placed on another website to advertise their service. That website, CardingWorld.cc, was owned and operated by Semashko. The advertisement claimed that CallService.biz had "over 2090 people working with it" and had done "over 5400 confirmation calls" to banks, meaning calls to confirm or conduct fraudulent transactions, as described above.

Charges placed against Naskovets and Semashko include:

Title 18 Section 1343, accusing them of "unlawfully, willfully, and knowingly, having devised and intending to devise a scheme and artifice to defraud, and for obtaining money and property by means of false and fraudulent pretenses, representations, and promises, [that] would and did transmit and cause to be transmitted by means of wire, radio, and television communication in interstate and foreign commerce, writings, signs, signals, pictures, and sounds for the purpose of executing such scheme and artifice."

The charges are supported by Instant Message logs which talk about registering the domain name, and wiring fees as much as $35,000 between the two. Other messages contained details of online purchases, including the victim's name, address, email address, Social Security number, answers to security questions related to their banking account, and other information.

Other charges included violations of:

Title 18 USC Sections 1029(a)(2) (obtaining a thing of value greater than $1000 through use of one or more unauthorized access devices during a one-year period)

Title 18 USC 1029(a)(3) (possessing fifteen or more counterfeit or unauthorized access devices)

Title 18 USC 1029(a)(5) (receiving payment exceeding $1000 in interstate and foreign commerce via access devices issued to another person)

Title 18 USC 1028A(c), 1028A(a)(1) and (2) - possession of credit card numbers and bank account numbers (access devices) belonging to other people and transferring them to co-conspirators who used them to facilitate fraudulent transactions.


The Reaction in the Russian Underground



The reaction to this news has been pretty swift. In the carding forum, http://forum.xakepok.org/, one of the moderators, "Maestro", posted a Russian translation of the FBI press release and warned people that the logs from the Callservice.biz site were in the possession of the FBI and that people should immediately discontinue use of any emails or ICQ programs that they had used on that server.

Over on Web-Hack.ru the criminals are warning one another to be careful ("Будьте осторожны - берегите себя!", "Be careful - look after yourselves!"), and to keep an eye on this situation - especially if the US manages to extradite the criminal! One of the posters mentions that the press release says the criminal could face 39 1/2 years in prison, but then jokes, "of course he'll get off in 3 years."

The moderators at CarderNews.ru start off their very lengthy column by saying "this is not a news story to read quickly and shake your head and forget...this is an information bomb!" The moderator goes on to say, "first, don't panic. Nobody is going to use the information on these servers to start busting petty thieves", but then he goes on and reminds people that even petty thieves should be using SSL and VPN for their internet traffic. He concludes with "do not panic, and do not forget about your safety" (не поддавайтесь панике и не забывайте о своей безопасности).

CarderNews then does an interview with "Cesar" a moderator who says he worked on the "technical administration" side of the CardingWorld server. Nothing too informative in the interview. It was clear Cesar was limiting what he was going to say.

Thursday, April 15, 2010

Fake AV In the News

Last week I had the opportunity to speak to the IT-360 conference in Toronto, Canada. One of the points that I made in my talk was that we need to respond differently to malware. Rather than just deleting the malware, those who are able should spend a bit of additional time to gather intelligence and share that intelligence with the public and law enforcement. Brian Jackson from ITBusiness Canada took that message to heart, and contacted our lab this week to ask what we could tell him about a curious Google search that he performed.

Brian was looking for more information on the plane involved in the recent death of the President of Poland, a Tupolev Tu-154, known by its NATO reporting name "Careless". When he did his Google search:

TU-154 Careless

nine of the top ten hits he got back were links to pages containing malware. He tells his own version of the story in his article Hackers exploit Polish President's death with scareware attack. Now, even three days later, several of the top Google results still are pointing to malware sites, including:

haroldmedia.com.au
insidekbm.com
innerproductsgroup.com

We passed Brian's request for research to our Malware Analysis group, led by UAB Computer & Information Sciences Masters student, Brian Tanner, who was able to give a quick response to the request - having a strong understanding of what was going on in the first thirty minutes, including identifying a high school website in North Alabama that had been compromised to help distribute the malware! Others joined Brian in the analysis to provide more details.

These sites are running aggressive blackhat SEO - auto-generated "news headline" pages built to capture top Google rankings for trending searches. For instance, Google is currently indexing 741 unique news headlines pointing off the InnerProductsGroup website, most of them current news headlines or "hot searches" such as:

mine rescue teams
mine rescue chambers
frank lucas wife
new york times crossword answers
mega piranha trailer
nbc news brian williams
kristen stewart budapest
tupolev 154 cockpit
the katyn massacre movie
national katyn massacre movie
smolensk airport
jack johnson tour dates usa 2010
spartacus episode 12
Remax.com Homes For Sale Houston

Here's an example from that list - a search for "Kristen Stewart Budapest" shows three malware pages in the top ten results on Google, in positions #4, #7, and #9 for me, but only one of the three is currently properly labeled as "This Site May Harm Your Computer"



What happens if you visit one of these sites? It launches the installation of what we call "Fake AV" malware. Let me start by showing you what one of these LOOKS like:



Clicking OK results in a web page that appears to be doing a Virus Scan.



The "AV", which is really just a web page, then says it needs to be updated, and offers an update for you to install.


Running that one actually does install the Fake AV product.




After installing the Fake AV, many imaginary viruses on your computer are "detected", and you are asked if you would like to "Remove All".



Choosing "Remove All" prompts you for credit card information, offering several purchase plans ranging from $49.95 to $89.95 for a "lifetime" Fake AV product.




If you decide not to complete the transaction, you will be bugged relentlessly with pop-ups like these.




Reporting ScareWare



Sounds scary, doesn't it? The industry calls this type of malware "Scareware". It's going to keep trying to make you believe that the only way to keep your machine safe is to give the criminal your credit card information.

Last June, the US Government's Federal Trade Commission fined one of these Scareware vendors $1.9 Million for selling more than 1 million copies of his fake anti-virus software! That's proof that people really do get victimized by this software! I experienced some of James Reno and Innovative Marketing's software first hand when I visited a hotel in San Diego last year. The Business Office computers were all "protected" with one of their fake anti-virus software packages.

There's big money in Fake AV, which is why the current gang continues so diligently even after seeing one of their fellows fined $1.9 Million!

If you've been scammed by these criminals, be sure to file a complaint! I recommend complaining to the FBI's Internet Crime & Complaint Center (ic3.gov). Because of the FTC's previous involvement with Fake AV, you might also want to file your complaint there using their FTC Complaint Assistant.

While neither of these complaint forms is ideally suited for dealing with a Fake AV product, both do offer the opportunity to enter a free-form complaint towards the end of the process. Put as much descriptive detail as you can there.

(Watch FTC Video ScamWatch: How To File A Complaint.)

How does it work?



The sites that have been SEO-optimized to show up in news headline and other popular searches act as redirectors, and they key on the HTTP Referer header. If you type the URL in directly, it forwards you to CNN.com. If you are REFERRED to the URL from a Google, Yahoo, or Bing search result, you are redirected instead to the fake "scanner" page. That page will vary widely, but it started in our case above with a redirect to:

www.bestsafety9.xorg.pl
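A way to check a suspected redirector for this Referer-based cloaking, as an added example that is not code from the post or from UAB's lab: the same URL is requested once per Referer value without following redirects, and the Location headers are compared. The domain in the demo run, the search-query strings and the simulated_fetch stand-in (which mimics the behaviour described above so the script runs offline) are assumptions made here.

```python
"""Check a suspected SEO-poisoning page for Referer-based cloaking.

Added example, not code from the original post. Request the same URL several
times without following redirects, varying only the Referer header, and compare
where each request is sent. A page that sends direct visitors one way and
search-engine visitors another is cloaking.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional

# "direct" sends no Referer at all, like typing the URL into the address bar.
# The query strings are made up for the example.
REFERERS: Dict[str, Optional[str]] = {
    "direct": None,
    "google": "http://www.google.com/search?q=tu-154+careless",
    "yahoo": "http://search.yahoo.com/search?p=tu-154+careless",
    "bing": "http://www.bing.com/search?q=tu-154+careless",
}

Fetcher = Callable[[str, Optional[str]], Optional[str]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_location(url: str, referer: Optional[str]) -> Optional[str]:
    """One live request; return the Location header (redirect target) or None."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.headers.get("Location")      # None for a plain 200
    except urllib.error.HTTPError as err:
        # With redirects disabled, urllib surfaces 3xx as an HTTPError.
        return err.headers.get("Location") if 300 <= err.code < 400 else None


def detect_cloaking(url: str, fetch: Fetcher = fetch_location) -> dict:
    """Fetch once per Referer and flag the URL if any search-engine referral
    lands somewhere different from the direct visit."""
    targets = {name: fetch(url, ref) for name, ref in REFERERS.items()}
    direct = targets["direct"]
    cloaked = any(t != direct for name, t in targets.items() if name != "direct")
    return {"url": url, "targets": targets, "cloaked": cloaked}


def simulated_fetch(url: str, referer: Optional[str]) -> Optional[str]:
    """Constructed stand-in for the redirector described in the post, so the
    check can be exercised offline. Not a real page fetch."""
    search_engines = ("google.", "bing.com", "yahoo.com")
    if referer and any(s in referer for s in search_engines):
        return "http://www.bestsafety9.xorg.pl/"
    return "http://www.cnn.com/"


if __name__ == "__main__":
    # Offline demo against the simulated redirector; drop fetch= for a live check.
    result = detect_cloaking("http://innerproductsgroup.com/example-page",
                             fetch=simulated_fetch)
    for name, target in result["targets"].items():
        print(f"{name:>7}: {target}")
    print("cloaked:", result["cloaked"])
```

Against a live page, drop the fetch= argument so fetch_location does the real requests. Two caveats: some of these kits redirect with JavaScript or a meta refresh rather than a 3xx, in which case you have to compare response bodies (hash them) instead of Location headers; and they often key on User-Agent and source IP as well as Referer, so a negative result from a lab box is not proof that the page is clean.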

That first copy of the malware it installed, "packupdate_build8_195_2.exe", was only lightly detected: in a VirusTotal report on this sample, only 8 of 40 anti-virus products flagged it as malicious. Major products including ClamAV, F-Prot, Kaspersky, McAfee, Sophos, and Symantec did not report it as malware.

We let the software run in the lab for a bit to see what computers it would connect to. Here's a partial list:

myfairland.com (91.207.192.24) - Sam Tam, UK
paymentsafety.net (94.102.63.61) - Ecatel, NL (nameserver = 64.86.16.19)
report.land-protection.com (91.207.192.24) - Sam Tam, UK
update1.winsystemupdates.com (188.124.7.156) - Vital Teknoloji, TR
report1.stat-mx.xorg.pl (109.196.132.41) - Vline, Ltd, Moscow
update2.winsystemupdates.com (93.186.124.92) Vital Teknoloji, TR
secure1.safepayzone.xorg.pl (188.124.7.158) Vital Teknoloji, TR
virtest.com (95.169.186.3) - Keyweb, RU - ICQ: 570352881 / virtest@gmail.com
invoiceerica.com (213.229.83.84) - ?? Bluesquare House, Berkshire, UK?
webpaybill.net (66.197.156.53) - NOC, Inc, Scranton, Pennsylvania
system-defender2010.com (91.212.226.199) - Artem Zhirkov, Russia
update1.savecompnow.com (188.124.7.158) Vital Teknoloji, TR

"virtest.com" is a service similar to VirusTotal, but this one is clearly run to help criminals determine whether their malware is detected. VirusTotal, run by white hat security researchers in Spain, shares details of submitted samples with all participating anti-virus companies. VirTest is almost the opposite. As our friends at Damballa pointed out recently, VirTest charges money to scan your submitted malware and pledges anonymity and that your submissions will NEVER be shared with anti-virus vendors. Our infected computer constantly checked VirTest to see whether it was detected or not. After a while, the malware replaced itself with some new code that we found running from the location:

C:\Documents and Settings\All Users\Application Data\ea73a34\CUea73.exe /s /i /uid=195 /ls=6

That copy of the malware was only detected by 5 of 39 anti-virus products, according to this VirusTotal Report.

After this software ran, we noticed changes in our HOSTS file. All Google sites, for many different country codes, as well as Bing and Yahoo! search pages were being redirected via the HOSTS file to point to 209.212.147.138. That's on the Coloquest network in Arlington Heights, Illinois.
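The HOSTS rewrite is easy to check for during incident response, and it is what the search redirection described above looks like on disk. Below is an added example, not the lab's code, that parses a HOSTS file and reports search-engine hostnames pointed at a routable address; the sample file is constructed, with the destination address taken from the text above.

```python
"""Scan a HOSTS file for search-engine hostnames redirected to a remote address.

Added example, not code from the original post. The sample HOSTS content is
constructed for the demo; the sinkhole address in it is the one reported above.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple, Union

# Matches google.<anything>, bing.<tld>, yahoo.<tld> and their subdomains, which
# covers the country-code Google sites (google.de, google.co.uk, ...) the
# malware rewrote. "googleusercontent.com" and the like do not match.
SEARCH_HOST_RE = re.compile(r"(^|\.)(google|bing|yahoo)\.[a-z][a-z.]*$", re.IGNORECASE)

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
HostsEntry = Tuple[int, Address, str]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Return (line number, address, hostname) for every mapping, ignoring
    comments, blank lines and lines whose first field is not an IP address."""
    entries: List[HostsEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                   # garbage line, skip it
        for host in fields[1:]:                        # one line may map many names
            entries.append((lineno, addr, host))
    return entries


def find_search_hijacks(text: str) -> List[Tuple[int, str, str]]:
    """Return (line, hostname, address) for search-engine hosts pointed at a
    routable address. Loopback/unspecified targets (the ad-block pattern,
    0.0.0.0 or 127.0.0.1) are benign here and deliberately not reported."""
    hits = []
    for lineno, addr, host in parse_hosts(text):
        if SEARCH_HOST_RE.search(host) and not (addr.is_loopback or addr.is_unspecified):
            hits.append((lineno, host, str(addr)))
    return hits


def sinkholes(hits: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Count how many hijacked hostnames share each destination; one address
    collecting all of them is the signature of this family's HOSTS rewrite."""
    return dict(Counter(addr for _, _, addr in hits))


# Constructed sample of an infected HOSTS file (not a capture from the lab box).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # ad-block style entry, benign
209.212.147.138 www.google.com
209.212.147.138 www.google.co.uk
209.212.147.138 www.google.de
209.212.147.138 www.bing.com
209.212.147.138 search.yahoo.com
209.212.147.138 www.yahoo.com
"""

if __name__ == "__main__":
    found = find_search_hijacks(SAMPLE_HOSTS)
    for lineno, host, addr in found:
        print(f"line {lineno}: {host} -> {addr}")
    print("destinations:", sinkholes(found))
```

On Windows the file is %SystemRoot%\System32\drivers\etc\hosts; on Unix it is /etc/hosts. Read it with open(path).read() and pass the text to find_search_hijacks. Entries that point at 0.0.0.0 or 127.0.0.1 are ignored on purpose, because ad-blocking HOSTS files use that pattern legitimately; an entry sending google.* to anything else is essentially never legitimate and is worth an alert on its own.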

Many of the domains we linked to were hosted on common IP addresses with other domains, such as:

softdialogonline.com
windowspc-defender.com
online-systemscanner.com
system-updates.net

Several of those domains are registered to "Garritt Kooken" with Netherlands email address gkook@checkjemail.nl, who strangely uses the Chinese telephone number +86.592257788 despite having a street address in India.

Mr. Kooken really likes to make fake AV product websites, and hosts many of them on Ecatel in the Netherlands, such as:

best-pc-defender.net
cleanupantivirus.com (94.102.63.64)
cleanviron-mypc.net
dopc-checkprotect.in
exodus130.com
fast-guardcleaneronpc.net
fastscanandcleansoft.com
fastzone-guard.com
holduponyourpc.com
hotcleanof-yourpc.net
lastcheckonmy-zone.net
new-system-defender.net
on-guardzone.com
paymentsafety.net (94.102.63.61)
pcliveguard.com (94.102.63.65)
pcregrtuy.com
safeantivirus.net
safetypcprotection.net
save-secure.com
search4vir.net
securityantivirus.net (94.102.63.67)
seekviron-mypc.net
systemmdefender.com  (94.102.63.61)
systemmguard.com
systemonlinepayment.com
thebestcleanofpc.net
windowsadditionalguard.net
winguard-pro.com
xmopolit67re.com
your-securepayment.com   (94.102.63.61)
your-staffdefender.com
yourzone-best-defender.com

Looking at some "IP neighbors" of the computers our infected lab machine connected to, we find:

Ecatel of the Netherlands (AS29073)
-----------------------------------
safety-payment.net - 94.102.63.62
safetypayment.net - 94.102.63.62
secures-guard.com - 94.102.63.64
systemmguard.com - 94.102.63.64
cleanupantivirus.com - 94.102.63.64
windowspc-defender.com 94.102.63.65
windowsguard-pro.com - 94.102.63.68
safeantivirus.net = 94.102.63.69
paymentsecurity.net = 94.102.63.69
secure.greywall.net = 94.102.63.69

on Vital Teknoloji in Turkey (AS44565)
------------------------------
update1.winsystemupdate.xorg.pl - 188.124.7.155
securemyfield.com - 188.124.7.156
newsystem-guard.com - 188.124.7.156
update1.winsystemupdates.com - 188.124.7.156
savecompnow.com - 188.124.7.156
newsystem-guard.net - 188.124.7.156
secure1.safetypayment.xorg.pl - 188.124.7.158
newsystemshield.net - 188.124.7.158

on Vline Ltd in Moscow (AS39150)
-----------------------------
www3.tr-leech-kl.xorg.pl - 109.196.132.41
update2.sysupdate-n2.xorg.pl - 109.196.132.41
update2.sysupdt-n2.xorg.pl - 109.196.132.41
report1.stat-mx.xorg.pl - 109.196.132.41
www1.free-scan-offer-nl.xorg.pl - 109.196.132.40
update1.sysupdate-n3.xorg.pl - 109.196.132.40
www1.best-free-scan-deal-k24.xorg.pl - 109.196.132.40
www1.best-free-scan-deal-nihob.xorg.pl - 109.196.132.40

Unfortunately this is just a drop in the bucket. This bad guy has 1,800 domain names registered to him.

Our friend Dancho Danchev mentioned gkook in his series A Diverse Portfolio of Fake Security Software back in December.

A search at the excellent MalwareURL.com shows that this email address has been associated with this type of malware since at least October 9th, when "windows-pcdefender.com" was being reported.

Kimberly at Stop Malvertising did an excellent write-up showing this criminal poisoning searches for St Patrick's Day Celebrations.

She also reported back on December 1, 2009, that Tiger Woods SEO poisoning was leading to Fake AV products in this same group.

Monday, April 12, 2010

Nicolae Popescu, Romanian hacker, at large!

Last week we congratulated DIICOT and their FBI partners on the successful arrest of 70 Romanian Internet fraudsters from three large cybercrime rings. This story continues to develop with more facts being shared as the legal proceedings move forward - but the most significant development is that one of the ring leaders is missing!

While 34 fraudsters are being held in Râmnicu Vâlcea for 29 days while the prosecution builds its cases against them, the most significant news concerns one of the individuals NOT being held!


(source: Stirile Pro TV)

One of the ringleaders of the group captured last week, Nicolae Popescu, "released himself" from custody and is now at large. Apparently when the initial arrests were made, the legal documents under which the suspects were being held were set to expire at 18:30 on the day of their arrest. The DIICOT prosecutors were working madly to file their requests to hold each of those arrested for a further 29-day investigative period, as is typical under Romanian law, but when 18:30 came and went and no papers had been served against Nicolae, he asked to be released, and legally there was nothing that could be done to stop him! Apparently he quietly walked out the front door without anyone notifying the DIICOT staff what was going on.

I read about this in Impact Real, but many other Romanian news sources are covering the story. No one knows where he is at this time. If you've got more info, please send it this way!

If you live in Romania, you are being asked to report any contact or sighting of Nicolae to the emergency police number. People are also being asked to look out for his vehicles. 30-year-old Nicolae is from Alexandria, Alexandria, Teleorman, Romania. He owns a white Mercedes Benz ML with the license plate "B-63-JOC" (B63"Play" in Romanian), a Black Mercedes Benz CLS 350 with the license plate "B-42-JOC", and a black Audi A6 with the license plate "B-80-BJI".

The Internet Scammers Blog has quoted Romanian Masura Media who is covering the case. Masura says that thirty-four hackers arrested in Valcea will be held for 29 days while further investigation is underway. Their names:

Florin Dan Mişcoci, Alexandru Răduţ, Marius Adrian Ologu, Marian Sorin Grigorie, Laurenţiu Dumitru Anghel, Vasile Petronel Avram, Florin Buceag, Iulian Stere, David Gabriel Cârstea, Narcis Nicolae Petrache, Sebastian Lungu, Bogdan Mehedinţu, Daniel Alexandru Ciomag, Aurel Cătălin Dincă, Gheorghe Tiberiu Budărescu, Ionuţ Sorin Dumitru, Gabriel Drăghici, Nicolae Cristian Ciucă, Nicolae Popescu, Dumitru Daniel Busogioiu, Ovidiu Vlad Cristea, Ştefan Iordachi, Florin Nicula, Nicolae Andrei Paraschiva, Cătălin Sârbu, Marian Lovită Priboi, Mihaela Florina Ungureanu, Vlad Nicolae Vrapciu, Flore Valentin Boje, Alin Constantin Cotă, Florin Dorin Răducu, Călin Cornel Fălcuşan, Alexandru Nicolăescu, Claudiu Marian Turica.

Googling almost any of those names will find many more stories in Romanian. . .

Impact Real also lists the items seized during the raids on this group:

77,350 euros, 49,000 U.S. dollars, 64,860 pounds, 60,645 lei, a luxury watch, a rifle, three pistols and 150 grams of gold. 70 laptops, 165 mobile phones, 35 desktop computers, 15 modems, new servers, 10 blank cards, 2425 SIM cards, 40 cards, 325 memory sticks , 1040 CD-DVD, 20 hard disks, 30 disks and six video cameras. As well as seven cars, worth over 300,000 euros.

Hmmm... what would bad guys be doing with 2,425 SIM cards? Very interesting!

Tuesday, April 06, 2010

70 Romanian Phishers & Fraudsters Arrested

On March 4th, FBI Director Robert Mueller gave a speech on cybercrime to the RSA conference in which he mentioned that:
And we have worked with the Romanian National Police to arrest more than 100 Romanian nationals in the past 18 months. Four years ago, several American companies threatened to cut cyber ties with Romania because of the rampant hacking originating from that country. And yet today, Romania is one of our strongest partners.


Hotnews.ro followed this up with a 7 minute interview from March 9, 2010 with FBI Legal Attache Gary Dickson who is the liaison between the FBI and Romanian cyber police. He states in the interview that Romanian cyber criminals steal "hundreds of millions of dollars" from Americans each year.


(click to play interview in YouTube)

When asked what the main type of crime was that Romanians committed against Americans, Dickson said it was primarily Auction fraud - where they sold imaginary goods to Americans.

There is good news on that front today from Romania!

On Tuesday, April 6, 2010, the Romanian Police released the news that a raid organized by the prosecutors at D.I.I.C.O.T. - the Directorate for Investigating Organized Crime and Terrorism - had resulted in the arrest of 70 members of three separate organized cyber crime groups.

DIICOT Press Release

Since 2006 these groups have stolen funds from citizens of Spain, Italy, France, New Zealand, Denmark, Sweden, Germany, Austria, the United States, Canada, and Switzerland - primarily through online auction fraud. International authorities have identified more than 800 victims with more than 800,000 Euros worth of losses.

300 gendarmes and 400 policemen, including 260 members of the Special Investigations Brigade of the Gendarmerie, participated in the arrests, during which 101 search warrants were served: 31 in Bucharest, 41 in Valcea, 12 in Teleorman, 4 in River, and one each in Arges, Prahova, Brasov, Constanta, Dolj, Giurgiu, Suceava, Botosani and Bacau.

DIICOT says that the raids were conducted in collaboration with the FBI and US Secret Service officers from the US Embassy in Bucharest.

A video of one of their raids was posted as an MP4 file -- here's a few stills from that video:





The story is starting to hit the wires with April 7th bylines - follow along in Romanian if you wish:

The story FBI Descends on Prahova indicates searches were also conducted related to this case in Prague and in the USA.

According to the Gazeta de Sud the raid was codenamed "Operation: Valley of the Kings" (Valea Regilor).

Gandul News has a photograph I haven't seen elsewhere, and reports that the criminals were selling fictional electronics, luxury cars and even airplanes. Recent sales included a BMW X5, Lexus and Infiniti vehicles, and even a recreational aircraft that sold for 67,000 Euros to a rich American. The group also sold motorcycles, laptops, and gold and platinum Rolex watches -- none of which existed. Officers monitored the three groups for a year before pulling the trigger on the raid.

Realitatea got a statement from DIICOT executive Nicolae Blaga - "Computer fraud and the sale of information stolen by phishing are well-known practices" or something like that -- (Modul de fraudă informatică este arhicunoscut cu procurarea datelor prin fishing, inducerea în eroare a părţilor vătămate prin licitaţii frauduloase: "The method of computer fraud is extremely well known: obtaining the data through phishing and deceiving the injured parties through fraudulent auctions.")

Nicolae's statement to the Adevarul.ro included the statement that "the support he received from the FBI was of great importance." (Am beneficiat de spijinul FBI care a fost de mare importanţă")

Agentia is the only story so far that specifically mentions fake eBay sites being involved. It is likely that the account take-overs that allowed the convincing sale of vehicles began with an eBay phishing campaign to steal credentials.

According to this story in Brasov, one particular student pays his way through college by selling imaginary yachts and villas on the Internet. He received his wake-up call from the Organized Crime Brigade in his dorm room at the University of Transylvania.

Thursday, April 01, 2010

PWN2OWN & Fuzzing

Charlie Miller got quite a bit of buzz for his fuzz when, at CanSecWest, he owned a fully patched Mac with fully patched Safari "in 10 seconds". He got more attention when he announced that he wasn't going to release his discovered vulnerabilities, but rather provide a detailed methodology that would allow the vendors to find all the bugs that he had found, plus more. Forbes Magazine shares that many of Charlie's skills were acquired while working for five years at the NSA as a "global network exploitation analyst". What a cool title!

While I have some head knowledge about fuzzing - having read and played with the book Fuzzing: Brute Force Vulnerability Discovery, what really made me understand its value was working a Penetration Testing engagement with Packet Ninja Daniel Clemens. Dan does most of his work at a hand-crafted "ninja intuition" level, but when he has discovered a potentially vulnerable app, he's absolutely willing to throw a fuzzer at it and let it churn. In this case, I got to watch him in action with Burp Intruder.

I knew that Dragos, another famous fuzzer, listed Burp Intruder as one of his Ten Favorite Web Application Fuzzing Tools. But watching this tool in the hands of a master Pen-Tester like Dan really made the lights come on for me!

Still, it's one thing to fuzz forms on a website, and quite another to fuzz applications (although Dan does that quite successfully, too). When I heard about Charlie's "three-peat", winning PWN2OWN for the third consecutive year, I started hitting all the blogs looking for first-hand accounts from people who were there. One of the most amazing things to me was that Charlie claimed to have found all of these vulnerabilities using "a dumb 5-lines of python fuzzer". I got some hints that things were more complicated than that by looking at some slide-shots from CanSecWest 2010 In Pictures, including scary ones like this:


and

(pics from "infosecevents.net")

Charlie's talk demonstrated the results of his fuzzing technique on PDF files (opened with Adobe Acrobat Reader and Mac Preview) and on PowerPoint files (opened with OpenOffice and Microsoft Office PowerPoint). From his previously discussed work on Safari and IE we know that his techniques have much broader implications.

Today I finally got a much deeper understanding when I saw from the Thoughts from a Technocrat blog that Charlie had posted his CanSecWest slides from his presentation -- Babysitting an army of monkeys: an analysis of fuzzing 4 products with 5 lines of Python (PPT file).

His presentation contains this hint at the Five Lines of Python you've been breathlessly waiting for (reflowed here onto separate lines, with the two imports it relies on; buf is the file contents loaded as a list of characters and FuzzFactor sets how many bytes get clobbered, both defined elsewhere in the slides):

    import math
    import random
    # overwrite between 1 and ceil(len(buf)/FuzzFactor) bytes with random values
    numwrites = random.randrange(math.ceil((float(len(buf)) / FuzzFactor))) + 1
    for j in range(numwrites):
        rbyte = random.randrange(256)       # random replacement byte
        rn = random.randrange(len(buf))     # random offset into the file
        buf[rn] = "%c" % (rbyte)            # Python 2: buf is a list of one-char strings
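The slide snippet is only the mutation step. What makes a campaign like Charlie's work is the plumbing around it: generate a case, launch the target on it, notice when the target dies, and keep only those inputs. Here is that loop as an added example in Python 3 (not Charlie's code and not taken from the slides), with the five lines turned into a function. Everything in it beyond the mutation algorithm is an assumption of this example: the FUZZ_FACTOR of 250, the crash check (the target process dying from a signal, which is POSIX-only), and the two toy "parsers" that stand in for a real PDF or PowerPoint reader; the vulnerable one calls os.abort() where a C parser would fault, the fixed one bounds-checks first. Triaging which crashes are exploitable is left to the tools listed below.

```python
"""Dumb mutation fuzzer wrapped around the five-line slide snippet.

Added example, not code from the slides: mutate() is the slide's loop as a
function; run_case() and fuzz() supply the harness the slide leaves implicit.
The toy targets at the bottom are constructed for this example.
"""
import math
import os
import random
import signal
import subprocess
import sys
import tempfile

FUZZ_FACTOR = 250  # assumption: at most one clobbered byte per 250 bytes of input


def max_mutations(seed_len, fuzz_factor=FUZZ_FACTOR):
    """Upper bound on the number of bytes one mutate() call overwrites."""
    return math.ceil(seed_len / fuzz_factor)


def mutate(seed, fuzz_factor=FUZZ_FACTOR, rng=None):
    """Return a copy of `seed` with 1..max_mutations() random bytes overwritten.
    `rng`: a random.Random, or an int seed so a run can be replayed."""
    if not seed:
        raise ValueError("cannot mutate an empty seed")
    if not isinstance(rng, random.Random):
        rng = random.Random(rng)          # None -> OS entropy, int -> fixed seed
    buf = bytearray(seed)
    numwrites = rng.randrange(max_mutations(len(buf), fuzz_factor)) + 1
    for _ in range(numwrites):            # same offset may be hit twice, as on the slide
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def run_case(target_cmd, data, path=None, timeout=10):
    """Write `data` to `path` (a temp file if None) and run the target on it.
    Returns (crashed, detail): detail is a signal name, "TIMEOUT" or None.
    POSIX: a negative returncode means death by that signal, the crash
    indicator a dumb fuzzer keys on. A hang is reported but is not a crash."""
    tmp = path is None
    if tmp:
        fd, path = tempfile.mkstemp(prefix="case-")
        os.close(fd)
    with open(path, "wb") as f:
        f.write(data)
    try:
        proc = subprocess.run(target_cmd + [path], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return False, "TIMEOUT"
    finally:
        if tmp:
            os.unlink(path)
    if proc.returncode < 0:
        try:
            return True, signal.Signals(-proc.returncode).name
        except ValueError:
            return True, "SIG%d" % -proc.returncode
    return False, None


def fuzz(seed, target_cmd, iterations, rng=None, fuzz_factor=FUZZ_FACTOR, outdir=None):
    """Run `iterations` mutated cases; return [(path, signal)] for the crashers.
    Non-crashing cases are deleted, so `outdir` ends up as the crash corpus."""
    if not isinstance(rng, random.Random):
        rng = random.Random(rng)
    outdir = outdir or tempfile.mkdtemp(prefix="fuzz-")
    crashes = []
    for i in range(iterations):
        path = os.path.join(outdir, "case-%06d" % i)
        crashed, sig = run_case(target_cmd, mutate(seed, fuzz_factor, rng), path)
        if crashed:
            crashes.append((path, sig))
        else:
            os.unlink(path)
    return crashes


# Constructed toy targets: one length byte followed by payload. os.abort() stands
# in for the memory-safety fault a C parser hits when it trusts the header.
_PARSER = ("import os, sys\n"
           "d = open(sys.argv[1], 'rb').read()\n"
           "n = d[0]\n"
           "%s\n"
           "payload = d[1:1 + n]\n")
TOY_VULN = [sys.executable, "-c", _PARSER % "if n > len(d) - 1: os.abort()"]
TOY_FIXED = [sys.executable, "-c", _PARSER % "n = min(n, len(d) - 1)"]


def main():
    seed = bytes([4]) + b"ABCD"           # header says 4 bytes, 4 bytes follow
    for name, target in (("vulnerable", TOY_VULN), ("fixed", TOY_FIXED)):
        found = fuzz(seed, target, 100, rng=1, fuzz_factor=5)
        print("%s parser: %d of 100 cases crashed" % (name, len(found)))
        for path, sig in found[:3]:
            with open(path, "rb") as f:
                print("  %s %s" % (sig, f.read().hex()))


if __name__ == "__main__":
    main()
```

Run as a script it launches 200 short-lived processes and prints how many inputs killed each parser, with the first few crashing files in hex. Against the vulnerable parser only cases where the length byte was the one clobbered can crash, which is exactly the "dumb" part: the fuzzer has no idea where the header is, it just mutates enough files that it eventually hits it. Swap in a real viewer for TOY_VULN and a real document for the seed and you have the shape of a three-week run on five boxes.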


Charlie actually recommends three other presentations on fuzzing within his slidedeck:

Fuzz by Number - Charlie Miller, 2008

!exploitable and Effective Fuzzing Strategies as a Regular Part of Testing - Jason Shirk, 2009

Effective Fuzzing Strategies - David Molnar and Lars Opstad, 2010

If you are responsible for ANY application security, you really need to evaluate Charlie's methods. His setup involved fuzzing for three weeks on five Mac OS boxes. Surely the authors of major web browsers can afford a setup of at least that complexity? Hmmmm....(dear students, what do you think *WE* could set up???)

Charlie's Fuzzing book is available at Amazon.com:

Fuzzing for Software Security Testing and Quality Assurance

Be sure to follow Charlie on Twitter if this is a topic of interest to you:

http://twitter.com/0xcharlie


(Full Disclosure: For the observant, yes, the Amazon links in this presentation are affiliate-tagged. If enough of you buy the books, my copy is free. When I buy security books they go in my library for students in the UAB Computer Forensics Research lab to use. If you want to send us free books some other way, that's cool, too. 8-)