Thursday, September 30, 2010

New York FBI: 17 Wanted Zeus Criminals

The New York FBI needs your help. Today they announced indictments against thirty-seven cybercriminals involved with Zeus. Ten of these were arrested previously in the recent past. Ten more were arrested today. The other seventeen are "At Large".

I'll let you read for yourself the charges against the many criminals by visiting the FBI's New York Field Office announcement:

FBI New York Press Release

A wanted poster, showing the seventeen "At Large" criminals is available here:

Seventeen Zeus Criminals Wanted by FBI

If you find clues about any of these people make sure to get them to your local FBI office! (Send us a copy too! gar at cis dot uab dot edu)

Wanted: Ilya Karasev



Known aliases: Goran Dobric, Alexis Herris, Fransoise Lewenstadd, Fortune Binot, Diman Karasev

Status: J-1 Visa issued May 2008. Converted to F-1 Visa in December 2008. Terminated January 11, 2010

Actions:

April 13, 2010 - presented a Belgium passport in the name of Fransoise Lewenstadd to a TD Bank branch to open an account.

April 19, 2010 - presented a Greek passport in the name of "Alexis Herris" to open a TD Bank account.

June 2, 2010 - received $4200 stolen funds into the TD Bank Herris Account. Withdrew $4,000 from a TD Bank branch in Ocean Township, NJ.

July 1, 2010 - presented a foreign passport in the name "Fortune Binot" to open a TD Bank account in Brooklyn, New York

May 3, 2010 - "Herris" opened a Bank of America account. Received $12,300 in unauthorized wire transfer to that account.

May 20, 2010 - "Herris" withdrew $9,000 from Neptune, NJ branch. Made two debit card purchases totaling $3581.40 at a convenience store in Jersey City, NJ. (That's a lot of Doritos!!!)

Several more items are known with BOA withdraws from Little Silver, Little Eatontown, and Red Bank, New Jersey from a Bank of America "Fortune Binot" account.

There was also JP Morgan Chase activity.

Open Source Intelligence:

Facebook Profile

An Ilya Karasev, with many friends in New Jersey, has a Facebook account. In this picture from the account, he looks to be the same person as pictured above.



Other photos on his site include Ilya riding a bus, standing in front of Applebee's Time Square in New York. Ilya attended Volgograd State Technical University, class of 2005, where he majored in "Motor Transport."



Wanted: Dmitry Saprunov




Known Aliases: Lean Marc Garrot, Bazil Kozloff, Milorad Petrovic

Status: Entered the United States on May 19, 2009 on a visa.

A cooperating subject says that Saprunov lives as roommates with fellow co-conspirator Nikolai "Robert" Garifulin in an apartment in Brooklyn, New York. Subject says they recently accessed a safety deposit box, probably at Wachovia Bank. Gariflun recently traveled to Russia to "pay the hackers" carrying $150,000 cash concealed in his luggage.

Actions:

June 4, 2010 - Saprunov opens a TD Bank account in Manhattan using a foreign passport in the name of "Bazil Kozloff".

June 7, 2010 - Saprunov uses the Kozloff identity to open a Bank of America account in Bronx, New York.

June 11, 2010 - Saprunov opens a TD Bank account in Brooklyn using a passport from Belgium in the name of "Lean Marc Garrot".

June 12, 2010 - Saprunov opens a BOA account in Long Island, New York using the Garrot identity.

June 29, 2010 - $14,000 is wired to the Kozloff BOA account.

July 6, 2010 - just under $14000 is wired to the Garrot BOA Account.

July 6, 2010 - "Garrot" withdraws $13,9450 in four transactions from a teller and three ATM machines in Bradley Beach, New Jersey

Open Source Intelligence:

Facebook Profile:


(from the Facebook album "AVE" (Possibly Avenue New York Club?) by Sergey Palychev.
Also pictured: Alejandro Martinez, Elizaveta Osadchikh, Anastasia Yudintseva, Natalya Vassilyeva



(Interesting note: Ildar Mukhamedov is a friend of both Saprunov and Karasev on facebook, and they are friends of each others.)

Watcha Got?



More will be added as time allows. If you have something you'd like to share, send it in!

Go Go, Maltego!!


Wanted: Lilian Adam



Known Aliases:

Wanted: Marina Oprea



Known Aliases:

Wanted: Kristina Izvekova



Known Aliases:

Wanted: Sofya Dikova



Known Aliases:


Wanted: Artem Tsygankov



Known Aliases:

Wanted: Catalina Cortac



Known Aliases:

Wanted: Ion Volosciuc



Known Aliases:




Testimony from State Department DSS Agent



Wanted: Artem Semenov



Known Aliases: Valentin Kulakov, Alexey Michinnik, Arvind Shah, Fred Teschemacher, Tokin Waaran, David Warren

Entered the country June 1, 2009 on a J1 Visa, stating that he was a full-time student at Kazan State University of Technology.

Arrested December 17, 2009 by NYPD at a Manhattan branch of Bank of America, trying to open an account in the name of Nicholas Congleton. Arraigned on December 18th. Failed to appear in court on February 22, 2010.

On January 15, 2010, Customs agents intercepted a package from the Republic of Moldova destined for Artem shipping new passports to him. The passports were from the Federal Republic of Yugoslavia and were issued in the names of Petar Stojanovic and Victor Rajkov.

A collaborating witness testified that Artem recruited Almira and Julia (below) to work for him. The CW says that the two were provided with tickets to fly from New York City to Las Vegas on August 25, 2010.


Wanted: Almira Rakhmatulina



Known Aliases: Natalia Davidova, Irina Sergeeva

On June 6, 2010 Almira entered the country traveling on a J1 Student Visa stating that she was a full-time student at Omsk State University.

On July 16, 2010, Almira opened a TD Bank account in the name of Natalia Davidova using a Greek passport in that name. On July 17th, the same passport was used to open a Wachovia Bank account in New York City.

On July 20, 2010, Almira opened a TD Bank account in the name of Irina Sergeeva, using the same Brooklyn street address that she used with the Natalia Davidova account. A Greek passport for the Sergeeva alias was used as proof of identity.

A balance check of that account was made using an ATM in Las Vegas, Nevada on September 17, 2010.


Wanted: Julia Shpirko



Known Aliases: Ekaterina Kaloeva, Ekaterina Smirnova


On June 6, 2010, Shpirko entered the country traveling on a J1 Student Visa stating that she was a full-time student at Omsk State University.

On or about July 20, 2010, Shpirko opened a TD Bank account was opened in Manhattan in the name of Ekaterina Smirnova.




Wanted: Yulia Klepikova



Known Aliases:

Wanted: Maxim Panferov



Known Aliases:

Wanted: Nikolai Garafulin



Known Aliases:

Wanted: Dorin Codreanu



Known Aliases: Savvas Paian

On April 21, 2010, Dorin opened a Chase account using a Greek passport in the name Savvas Paian.

On May 11, 2010, the Chase-Paian account received $10,246 from a victim in Illionois.

On May 18, 2010, Dorin opened a TD Bank account using the same identity, but making it a business account in the name "Savvas Import Group LLC".

Open Source Intelligence:

Savvas Import Group, LLC is a "fruit and vegetable" importer, using the address "1612 Kings Highway Apartment 48, Brooklyn, NY 11229-1210", according to Manta.com.
Manta puts their phone number as 347.530.9785 begin_of_the_skype_highlighting              347.530.9785      end_of_the_skype_highlighting

That phone number also belongs to "Brooklyn Fruit Vegetable Growers Shippers" and "Neptune Fruit Vegetable Growers Shippers" which both have the same street address as well.



On June 3, 2010, the

Wanted: Stanislav Rastorguev



Known Aliases:

Wednesday, September 29, 2010

MiniPost: UK Zeus Criminals Identified

Eleven of those arrested for committing financial cybercrimes using Zeus malware in the UK have now been formally charged and named, according to a story in this morning's Guardian from which I quote:

Eight people have been charged with conspiracy to defraud and money laundering. They are Ukrainian Yuriy Korovalenko, 28, from Chingford, Essex; Ukrainian Yevhen Kulibaba, 32, from Chingford; Latvian Karina Kostromina, 33, from Chingford; Estonian Aleksander Kusner, 27, from Romford, Essex; Ukrainian Roman Zenyk, 29, of Romford; Belorussian Eduard Babaryka, 26, from Romford; Latvian Ivars Poikans, 29, from Harlow, Essex; and Latvian Kaspars Cliematnieks, 24, from Harlow.

Two have been charged with conspiracy to defraud: Ukrainians Milka Valerij, 29, and Iryna Prakochyk, 23, from Chingford.

Georgian Zurab Revazishvili, 34, from Romford, is charged with offences under the Identity Cards Act 2005.

Major Zeus Bust in the UK: Nineteen Zbot Thieves Arrested

The Metropolitan Police are to be congratulated this morning on the largest Zeus arrest to date. News broke on September 28th that the Met's PCeU Police Central e-crime Unit had arrested nineteen criminals in relation to a large Zeus or Zbot trojan network.

The Daily Mail has a set of great pictures of the criminals being taken into custody from their homes in their story, Hi-tech crime police quiz 19 people over internet bank scam that netted hackers up to £20m from British accounts. Police raided the homes simultaneously in the pre-dawn hours on Tuesday. These two pictures are part of five you can find there:





In case you don't travel much, £20 million pounds is a lot of money. That's roughly $31 Million USD. The criminals were stealing "about two million pounds per month". For comparison, the FBI released second quarter bank theft numbers last week. From April 1 to June 31 there were 1135 bank robberies and eleven bank burglaries in the United States, which earned criminals only $8 million USD or £5 million pounds.

In otherwords, this one Zeus gang stole more money in three months than ALL TRADITIONAL BANK ROBBERIES in the United States during the same length of time.

Although many folks haven't heard of the PCeU, their Mission Statement is
To improve the police response to victims of e-crime by developing the capability of the Police Service across England, Wales and Northern Ireland, co-ordinating the law enforcement approach to all types of e-crime, and by providing a national investigative capability for the most serious e-crime incidents.


15 men and 4 women were arrested, ranging in age from 23 to 47 years old. Detective Chief Inspector Terry Wilson of the Metropolitan Police credits the arrest to a Virtual Task Force composed of law enforcement, computer experts, and bank security personnel who worked together to track the movements of the criminals. Sounds a lot like the InfraGard model to me -- a private public partnership anchored on the FBI where computer security experts and personnel working in Critical Infrastructures, such as the Financial Industry, share information to stop criminals and terrorists.

Despite their financial success, the Daily Mail reports that the ringleader, "in his 20s, and his wife, an accomplice in the scam, were arrested in an unremarkable third-floor flat in Chingford, Essex.

Despite this raid, there are still at least 162 "online" Zeus servers that continue to gather stolen credentials from compromised computers, according to the invaluable ZeusTracker service.

We've documented dozens of stories in this blog about Zeus over the past year, and are excited to see this most significant law enforcement action to date.

The clock is ticking . . . who is going to have the best arrest before we all meet up in three weeks?

Thursday, September 23, 2010

eBay Spear Phisher Liviu Mihail Concioiu Arrested in Romania

IMPORTANT UPDATE


Readers of my blog will know that I have several contacts that I discuss things with in Romania. I have had further conversations with sources closely placed to this investigation that tell me the Romanian DIICOT Press Release has one rather glaring error. Press Releases are written by a media relations person, not technical people. The best explanation I can see is that a technical person explains to the media person "the criminal did a phishing attack against 1784 people and then 1521 people and he used that data to break into eBay's computers." The media person interpreted this as "stole the userids and password from 3300 people" when in reality the technical person meant "sent a phishing email to 3300 people, and got some of their passwords."

How many is some? We now believe it is SIX. Of 3300 people sent a phishing email that imitated a VPN system at eBay used by employees, we don't know how many gave up their passwords, but the criminal only tried to use six of them. The VPN site he was imitating was protected with a two-factor authentication solution, so any passwords gathered had to be used immediately, due to the rotating "secureId" style token.

I apologize for spreading false information, but the source, the Romanian DIICOT website, seemed credible to me. It was not.

Word for word, the Romanian press release reads: "CONCIOIU LIVIU MIHAIL a lansat două atacuri tip phishing asupra unui număr de 1784 de angajaţi şi respectiv 1521 de angajaţi ai companiei eBay.Inc., cărora le-a sustras ID-ul şi parola." which I believe I correctly translated.

The other error in the press release is that Concioiu is being charged with stealing $3 Million, which includes many assorted phishing and cybercrime schemes, only a portion of which was from eBay customers.

Corrected story follows



Prosecutors in the Romanian DIICOT (Direcţiei de Investigare a Infracţiunilor de Criminalitate Organizată şi Terorism or Directorate of Investigations of Organized Crime and Terrorism) announced the arrest of Liviu Mihail Concioiu a cyber criminal who stole more than $3 million USD from eBay account holders, customers of Italian banks, and unknown others.

I wanted to use that example today to illustrate a point that I raised in my presentation earlier this week as a guest of the Maryland InfraGard chapter. My presentation, called "Cybercrime: Money, Espionage or Both?" was targeted to an audience of approximately 125 composed primarily of Defense Contractors, Law Enforcement, Critical Infrastructure security personnel and other government employees and suppliers. As an InfraGard member myself, in the Birmingham InfraGard chapter it was great to spend time with one of the nation's top InfraGard coordinators, FBI Special Agent Lauren Schuler, and the outstanding leadership of their chapter including Paul Joyal, Allan Berg, and the energetic M L Kingsley who had coordinated the event.

In my presentation, I stressed two primary points. The first is that EVERY malware attack has to be fully investigated. If you don't know the origin, purpose, and targeting of a malware attack, you have no way of understanding the full impact of the malware on your organization. The second point was that it is critical that your organization has policies that help you understand when your employees have been victims of identity theft or password- or document-stealing malware -- even if it happened at home on their home computers!

The case of Liviu Concioiu drives these points home.

In 2009, Concioiu launched two phishing attacks which were only sent to eBay employees. In the first round, he sent a phishing email to 1,784 employees and in the second round, he tried again, sending an email to 1,521 more employees.

Let's stop there for a moment.

Do you recall the "Here You Have" malware last week? In my blogpost about that event Here You Have Spam Spreads Email Worm) I stressed that it was clear that the malware had been targeted against certain organizations. Did you have an outbreak in your company? Are you aware that one of the actions of the malware was to plant a very low detection version of the BiFrost "Remote Adminstration Trojan" on the infected computers? If the only action your organization took was to remove the "Here You Have" malware, they aren't finished yet. Its important to understand whether you were a target or collateral damage for the attacker, and of course its important to understand during what infection window the BiFrost trojan was also being installed.

OK, now back to Liviu Mihail Concioiu.

After collecting some eBay credentials, Concioiu realized he was defeated by the two factor authentication and came back on June 8, 2009 and attempted to phish 417 different employee identities, to explore the eBay internal network and see what useful information he could find. This time he was prepared to immediately use the credentials he harvested, and tried at least six different accounts before finding some success. His biggest find was a tool that eBay employees use to query their internal databases and look up information about eBay clients and the transactions they perform.

By reviewing the details of eBay customer accounts, Concioiu was now able to begin his SECOND TARGETED ATTACK. One of the problems with phishing campaigns is that when criminals broadly spread spam messages advertising their fake login pages, the anti-spam services and ISPs observe these spam messages and place the advertised pages on blacklists. Concioiu was able to avoid this typical phishing trap by selectively targeting his phishing emails at high value eBay customers whose email addresses he had confirmed by harvesting them from eBay's internal systems!

The result was that 1,183 eBay users were victimized!

In addition to the eBay charges, Concioiu is also charged with creating fake ATM cards for Italian banks and withdrawing more than 300,000 Euros from these accounts, and other crimes which created a total loss of $3 Million USD.

Concioiu was one of three cyber criminals arrested today by DIICOT. The case was investigated with the cooperation of the US Secret Service agents in the US Embassy in Bucharest and Italian judicial authorities.

Hopefully this example will help push home the lessons I was trying to demonstrate in Maryland this week. I have to mention one other thing about the Maryland trip. Last year I had read an auto-biography of General Oleg Kalugin, the top counter-intelligence officer of the KGB. He was the first presenter at the Maryland event, and I got to have dinner with General Kalugin the evening before. He spoke about his experiences recruiting Americans and then I attempted to show how Cyber tools make those efforts even easier today in my follow-up presentation.

General Kalugin was kind enough to autograph one of his new books, Spymaster: My Thirty-two Years in Intelligence and Espionage Against the West, which is now one of my prized possessions! Kalugin was at one point Vladmir Putin's boss in the KGB, but later became one of the most out-spoken critics of the Soviet system and especially the KGB.

Kalugin read a part from a poem about "the new Russia" as his closing statement:

There are no departments in Russia, there are friends. There are no laws, there are personal relationships. Moreover, there is no KGB. … KGB was an organization. There are no organizations in Russia now. There are principalities and feudal lands handed out in exchange for loyal service and profitability. It was not Putin who set up the system, but he did nothing to change it. He is just handing out feudal lands to his friends in order to be able to control other feudal principalities.


Profound.

(I'm not sure of the origin, but I found the quote online here: http://www.cdi.org/russia/johnson/7102a.cfm )

Wednesday, September 22, 2010

NPR CyberWar Part One: I Beg to Differ

This morning on National Public Radio, we heard a story about "CyberWar" and some of the problems that the growing reality of CyberWar is going to present.

I'll have to review the transcript more carefully, but from the first pass listen as I drove to work this morning, I believe I disagreed with every single point in the entire story. I'll try to break that down a bit here, using the story from the NPR website, Extending the Law of War to Cyberspace as my guide.

(All of the "Declarations" that I am responding to are quoted from that guiding article.)

Most Important Development in Decades?


Declaration: "The emergence of electronic and cyberwar-fighting capabilities is the most important military development in decades"

Response: Actually, if we're counting "decades", my top nominations would be the Unmanned Aerial Vehicle and the GPS-guided munitions such as the JDAM: Joint Direct Attack Munition.

CNN's headline last year was one I agree with How robot drones revolutionized the face of warfare as was more fully explained in P.W. Sanger's Wired for War: The Robotics Revolution and Conflict in the 21st Century.

The biggest benefit of the UAV's is of course that they protect our soldiers from harm, while allowing missions that would never have been completed before or that could only have been completed with extreme risk to life and limb.

Likewise, Strategy Page's article How Precision Weapons Revolutionized Warfare gives a good outline on the revolution of extremely precise weapons, packed with the right size explosive to blow up exactly what you are shooting at.

When is CyberWar Equal to Armed Attack?


Declaration: "If nations don't know what the rules are, all sorts of accidental problems might arise," says Harvard law professor Jack Goldsmith. "One nation might do something that another nation takes to be an act of war, even when the first nation did not intend it to be an act of war."

Response: There is no agreed upon definition of "Use of Force" between nations even for non-cyber incidents. This came out in the answer to a question that was put to General Keith Alexander, now the commander of the US Cyber Command from his NSA post at Fort Meade, Maryland, during his confirmation hearings. The question he was asked was:

Does DOD have a definition for what constitutes use of force in cyberspace, and will that definition be the same for U.S. activities in cyberspace and those of other nations?

His answer:

Article 2(4) of the UN Charter provides that states shall refrain from the threat or use of force against the territorial integrity or political independence of any state. DOD operations are conducted consistent with international law principles in regard to what is a threat or use of force in terms of hostile intent and hostile act, as reflected in the Standing Rules of Engagement/Standing Rules for the Use of Force (SROE/SRUF).

There is no international consensus on a precise definition of a use of force, in or out of cyberspace. Consequently, individual nations may assert different definitions, and may apply different thresholds for what constitutes a use of force. Thus, whether in the cyber or any other domain, there is always a potential disagreement among nations considering what may amount to a threat or use of force.


My point is not so much to disagree with the NPR statement here, as to point out that it is EXACTLY the same problem we have in every other kind of warfare. Cyber isn't special in this regard. Was the downing of an Chinese plane in a collision with a US spy plane an act of war in 2001? Was the North Korean torpedo attack back in May an act of war? Was the Israeli bombing of buildings in Gaza an act of war? It has always been true that each attacked country gets to decide.

More answers along this line of reasoning from General Alexander are available in his published Q&A available from Washington Post.

Rogue Actions vs. State-Sponsored


Declaration: "One important consideration is whether the attack is the work of a lone hacker, a criminal group or a government. The law of war applies primarily to conflict between states, so truly rogue actions would not normally be covered."

Response: What defines "state" action? There have been Congressional hearings on this very subject, as I discussed in my July 2010 blog post, The Future of Cyber Attack Attribution. There have also already been multiple occasions where the victim accused a state of attacking and the state denied the accusation. In the case of Russian cyber-attacks against Georgia prior to the August 2008 invasion of South Ossetia, it was clear that there were some populist activities, as I wrote in the article Evidence that Georgia DDOS Attacks Are Populist in Nature, but the coupling of the Russian tanks driving through town would seem to support the theory that at least some of the cyber attacks were designed to take out C2 ability and especially the ability of the state to communicate with the governed. In the Estonian DDOS (pdf) of May 2007, it was clear that the attack was not "by" the government, but rather by the Russian "Nashi" youth movement, possibly incited to action by the government, and possibly even using some government computers as part of the attacking DDOS.

The concept that individuals could wage cyberwar was nicely stated in the January 1999 report by mi2g: "Cyber Warfare: The Threat to Government, Business, and Financial Markets"

Historically war has been classified as physical attacks with bombs & bullets between nation states. It was beyond the means of an individual to wage war.

Today, in the Information Age, the launch pad for war is no longer a runway but a computer. The attacker is no longer a pilot or soldier but a civilian Hacker. An individual with relatively simple computer capability can do things via the internet that can impact economic infrastructures, social utilities and national security. This is the problem we face in moving from the industrial world to the Information Age, which is the essence of Cyber War.


I suppose I mostly agree with this point, except to say that there are many ways, such as the Estonia example, where a country may be so clearly involved in inciting their citizenry to "cyber attack" that a nation-level response may be warranted.


Civilian Infrastructure Attacks


Declaration: "A direct attack on a civilian infrastructure that caused damage, even loss of life of civilians, would, I think, be a war crime." - Professor Daniel Ryan, National Defense University

Response: Didn't the United States blow up electrical plants, television and radio stations, bridges, roads, runways, and water treatment plants during the two Iraq Wars? Were those war crimes, too? Professor Ryan? We have to use a consistent definition. If its not a war crime to attack civilian infrastructure kinetically, why is it a war crime to do so electronically?

Electrical Grid Targeting?


Declaration: "Former CIA Director Hayden, a retired Air Force general, suggests using common sense. One example of an attack that should be illegal, he says, would be the insertion of damaging software into an electrical grid."

Response: Why would it be illegal to damage the electrical grid with software, when elsewhere THIS YEAR General Hayden said that the electrical grid was a fair target? Hayden talked about hacking power grids at Black Hat back in July. CNET's coverage of that talk "U.S. military cyberwar: What's off-limits?" includes this thinking:

Power grids are another example of where traditional military doctrine may need to shift, Hayden said. "A power grid is, according to traditional military thought, a legitimate target under some circumstances," he said. "Mark 82s are kind of definitive and it's a one-way switch--that thing's kind of gone." (An MK-82 is a general-purpose, 500-pound unguided bomb used by the U.S. military since the 1950s.)

But destroying, or at least thoroughly disabling, a power grid through an offensive cyberattack means penetrating it well in advance. And if there are dozens of different nations stealthily invading a grid's computers and controllers all the time, it's probably not going to be stable. "There are some networks that are so sensitive that maybe we should just hold hands and hum "Kumbaya" and agree they're off limits," he said. "One is power grids...You can't just have 23 different intelligence services hacking their way through the electrical grid."


So, its ok to use an MK-82 to blow up power plants, but it should be illegal to insert software into them because that might damage them. What kind of messed up logic is that?


Hostile Intent


Declaration: The purpose of the activity is also relevant. Michael Hayden, having directed both the National Security Agency and the CIA, would not include an effort by one country to break into another country's computer system to steal information or plans. "We don't call that an attack," Hayden said at a recent conference on hacking. "We don't call that cyberwar. That's exploitation. That's espionage. States do that all the time."

Response: Hayden's definition would, I suppose, be consistent with Richard Clark's definition in his new book CyberWar: The Next Threat to National Security and What to Do About It . He says CyberWar is "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption."

Several organizations have attempted to define "CyberWar" and the definition continues to evolve. "CyberWar" was probably first used by Eric Arnett in his paper "Welcome to Hyperwar" in the Bulletin of the Atomic Scientists, where it referred to war by robotic soldiers. The terms "NetWar" and "CyberWar" were both defined by RAND in their report CyberWar is Coming! part of the larger nineteen chapter monograph, "In Athena's Camp: Preparing for Conflict in the Information Age", published in 1992, where the term "NetWar" was used to describe PsyOps via the Internet, while "CyberWar" was closer to its current definition.

But should CyberWar NOT include Espionage?

Much more recently, David Wilson's excellent article for ISSA Journal in June 2010, When Does Electronic Espionage or a Cyber Attack become an "Act of War?" lays out an excellent set of definitions and conditions. In his article he quotes FBI Deputy Assistant Director for Cyber, Steve Chabinsky as telling the FOSE government IT Trade Show in March that:

A top FBI official warned today that many cyber-adversaries of the U.S. have the ability to access virtually any computer system, posing a risk that's so great it could "challenge our country's very existence."


Wilson's argument, supported by Chabinsky's quote, is that "electronic espionage" can be far more pervasive than traditional espionage, and that "a nation will have to decide how much pain it is willing to endure, and where it believes the international community’s tolerance lies, assuming they care, before retaliating
against electronic attacks or invasions to its networks."

I totally agree with Mr. Wilson. The placement of the line in the sand may be somewhat arbitrary, but its quite possible for cyber espionage to become so pervasive as to pose a risk to national security worthy of an armed response.

Ninety-Five Percent?


Declaration: "Computers don't always have signs over them that say, 'I'm a military target' [or] 'I'm a civilian target,' " says Harvard's Goldsmith. "Also, the two things are intermixed. Ninety to 95 percent of U.S. military and intelligence communications travel over private networks."

Response: The Department of Defense has more than 7 million computers. I don't know how Army works, but I know the Navy Marine Corps Internet was at one time the largest private Intranet on the entire planet. The US Army has maintained a stand-alone Intranet since at least 2001, and has repeatedly had headlines about it being the largest stand-alone network in the world. Soldiers don't call down an airstrike and then update their Facebook pages and do a little online banking as the implication seems to infer.

No One is Going to Get Caught



Declaration: If anything, it would be harder to enforce the law of war in the cyberworld than in other domains of warfighting. The amount of anonymity in cyberspace means that a devastating attack might leave no "signature" or trace of its origin.

"Since we know that that's going to happen all the time," Baker says, "and no one is going to get caught, to say that [a cyberattack] is a violation of the law of war, is simply to make the law of war irrelevant."

Response: The "untraceable" network attack, despite the movie by EJ Hilbert and friends, is a myth that we are working hard to dispel at the UAB Computer Forensics Research Laboratory. What we call "untraceable" today usually means "too much work for too little reward, so nobody bothers to trace it." I think many of my colleagues in security research would love to take on the challenge of some of these "untraceable" events. Let's buy one fewer B2 Bomber this year and put that extra $2.2 Billion towards making a concerted effort to prove this one wrong. Shoot. I'll do it for half that!



For more interesting reading on CyberWar, I strongly recommend:

Congressional Research Service Report: Information Operations and Cyberwar: Capabilities and Related Policy Issues

Thursday, September 16, 2010

Linking Spam by its Attachments

Today some anti-spam friends were chatting about a new rash of "attachment spam" and wondering what attachments "belonged together" and what they did. Sounded like the perfect question for the UAB Spam Data Mine, so I thought I'd take a peek.

The first thing I did was to look for email subjects that had non-graphics-file attachments where we had received at least 250 copies of the email message today.

It wasn't actually that long of a list:

Apartment for rentApplication to rent.html
B street financial information - part 1B St.Package 1.html
Bar/BriSummaries.RBK.zip
Church of Body ModificationChurch of Body Modification.html
Cops kill active shooter at Johns Hopkins HospitalHospital violence on the rise, agency warns.html
Corrections.htmlCorrections.html
Corrections.zipCorrections.zip
Daniel Covington dieDaniel Covington.html
detailsShadow Ranch Marketing Package.zip
Employment letter for visa applicationjun wang letter.html
Evite invitation from (Random Name)Evite invitation.html
Evite invitation from (Random Name)Evite invitation.zip
Facebook password has been changedNew_password.zip
find a copy of the lettercopy of the letter.html
FW:September financials and newsletterSeptember 2010.html
Invoice for Floor ReplacementInvoice-Stockton.html
Invoice Payment ConfirmationInvoice Payment Confirmation.html
Jackie Evancho and Sarah BrightmanJackie Evancho and Sarah Brightman.html
League proposal.html
Marketing Package.htmlMarketing Package.html
NFL Picks Week 2NFL Picks Week 2.html
Order confirmation for order #(Random number)invoice.html
Shipping NotificationShipping Notification.html
You've got a faxeFAX(RandomNumber)DOC.zip


Then I looked to see which of the email attachments were actually the same attachment. That's actually pretty easy for us, since we store the attachments by name, with an MD5 value prepended to the name, such as:

34eaf3d214f1ef58b56d58de5e5e25b6_Invoice Payment Confirmation.html

Group One: MD5 = 136e771425e841bda5fabec0c81df974 - dark-pangolin.com



For the Attachment with an MD5 value of:

136e771425e841bda5fabec0c81df974

We saw all of the following subjects:

'America's Got Talent' Judges Were They Shocked By.html
Application to rent.html
B St. Package 1.html
Church of Body Modification.html
copy of the letter.html
Daniel Covington.html
Hospital violence on the rise, agency warns.html
Invoice-Stockton.html
Jackie Evancho and Sarah Brightman.html
jun wang letter.html
NFL Picks Week 2.html
September 2010.html

So, it would be pretty safe to assume those were all "the same."

That is a block of javascript that starts by doing a document.write with the following block of ASCII letters "unescaped":

%3C%53%43%52%49%50%54%20%4C%41%4E%47%55%41%47%45%3D%22%4A%61%76%61%53%63%72%69%70%74%22%3E%3C%21%2D%2D%0D%0A%68%70%5F%6F%6B%3D%74%72%75%65%3B%66%75%6E%63%74%69%6F%6E%20%68%70%5F%64%30%31%28%73%29%7B%69%66%28%21%68%70%5F%6F%6B%29%72%65%74%75%72%6E%3B%76%61%72%20%6F%3D%22%22%2C%61%72%3D%6E%65%77%20%41%72%72%61%79%28%29%2C%6F%73%3D%22%22%2C%69%63%3D%30%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%7B%63%3D%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%3B%69%66%28%63%3C%31%32%38%29%63%3D%63%5E%32%3B%6F%73%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%63%29%3B%69%66%28%6F%73%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%61%72%5B%69%63%2B%2B%5D%3D%6F%73%3B%6F%73%3D%22%22%7D%7D%6F%3D%61%72%2E%6A%6F%69%6E%28%22%22%29%2B%6F%73%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%6F%29%7D%2F%2F%2D%2D%3E%3C%2F%53%43%52%49%50%54%3E

Which is some Javascript code that looks like this:

hp_ok=true;function hp_d01(s){if(!hp_ok)return;var o="",ar=new Array(),os="",ic=0;for(i=0;i gt s.length;i++){c=s.charCodeAt(i);if(c lt 128)c=c^2;os+=String.fromCharCode(c);

and some more stuff I won't list here . . .

All of that mess ends up doing this:

First, you go to this webpage:

dark-pangolin.com/x.html on the IP address 82.165.215.9

That page told my browser:

PLEASE WAITING.... 4 SECONDS

Then did a "Meta Refresh" which sent me to:

http://scaner-enter.cz.cc/scanner15/?afid=24 on 91.197.130.109.

while at the same time loading an IFRAME which took me here:

formyjobduty.com/3/index.php on IP address 91.213.174.221

That site dropped a 15kb file on my machine.


The IP 91.197.130.109 also hosts the sites:

scaner-end.cz.cc
scaner-e.cz.cc
scaner-eee.cz.cc
scaner-demon.cz.cc
scaner-do.cz.cc
scaner-cio.cz.cc
scaner-dro.cz.cc
scaner-ear.cz.cc
hornvimawar.cz.cc
scaner-enter.cz.cc
scaner-dir.cz.cc
scaner-clouds.cz.cc
ilmemenlens.cz.cc
scaner-eclips.cz.cc
scaner-coast.cz.cc
hycormofy.cz.cc
xxxvideo-dpiy.cz.cc

".cz.cc" is a free domain provider that the criminals are abusing like crazy right now.

Other domain names located on 91.213.174.221 include:

mypetitebusiness.org
mylittlejobsite.com
workgroupsite.com
keybussines.com
formyjobduty.com
littlebiz.us

All of those except "keybussines.com" use Yahoo nameservers.



Group Two: MD5 = 34eaf3d214f1ef58b56d58de5e5e25b6 - personago.ru



For MD5:

34eaf3d214f1ef58b56d58de5e5e25b6

We saw all of the following subjects:
Corrections.html
Evite invitation.html
invoice.html
Invoice Payment Confirmation.html
proposal.html
Shipping Notification.html

This group's attachment is also a BASE64 encoded html file.

If a user simply clicks the attachment, it SEEMS to take us to a Canadian Pharmacy website of the GlavMed variety:

http://personago.ru/

But unfortunately, a deeper analysis of the code shows it takes the long way around. First the site sends us to:

clicksmile.org/x92s/uc12vx04/xdtldil.php?id=350 on IP address 91.188.59.220 in Latvia

Then it sends us on to "personago.ru" on 113.107.104.23 in China's Guangdong province.

The ZIP Files: Group One - fastlouprim.com



Even though there are many different MD5s of the ".zip" file, quite a few of them are so similar in function, they are clearly "the same" despite different MD5s.

The first of the ".zip" emails has the subject: "Bar/Bri"

The body of the email reads:
Hello,

Thank you for ordering from Capcom Entertainment, Inc. on September 15, 2010. The following email is a summary of your order. Please use this as your proof of purchase. If you paid by credit card, please look for attached invoice.
Confidential & Privileged

Unless otherwise indicated or obvious from its nature, the information contained in this communication is attorney-client privileged and confidential information/work product. This communication is intended for the use of the individual or entity named above. If the reader of this communication is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error or are not sure whether it is privileged, please immediately notify us by return e-mail and destroy any copies--electronic, paper or otherwise--which you may have of this communication.


Attachment:
Summaries.RBK.zip used the MD5:
4b3e7c54e263363b7dcec53bd9e1c135

25 of 43 detection at VirusTotal - mostly called "FraudLoad" or "ZBot".

When we launched this malware, it connected to several servers in rapid order:

- www.searchannoying.com
- fastlouprim.com
- searchanxious.com
- searchbent.org
- analyticsdead.com

and downloaded a 471kb file from fastlouprim.com. That file was my FakeAV present. It stored in my current user's "Local Settings\Temp" directory as "dfrgsnapnt.exe"



VirusTotal FakeAV Report (20 of 43 detects)

A backup version was also running as "wscvc32.exe" from the same location.




The second ".zip" email had the Subject "details" and contained this email body:



Hello,



As with all bank owned assets there is a strong desire to sell. The Lender is anticipating a sale before year end and they have encouraged us to bring them qualified offers to purchase.

I will contact you shortly to discuss in detail.

Regards,

RB


Attachment:
Shadow Ranch Marketing Package.zip used the MD5:

7f51b49e92a1640250746ad3a4f11c36

24 of 43 detects at VirusTotal, mostly "FraudLoad" and ZBot.

The behavior of this malware was identical to the first - using the same domain names, fetching the same FakeAV from the same server, and installing it using the same name.




The third ".zip" email had the Subject: Shipping Notification

The body of the email read:
Shipping Notification Thank you for shopping with us. We look forward to serving you again.

The following is your receipt. Please retain a copy for your records.

Qty Item no Description Price S&H Tax Return
Code
1 FC864-2038B Msg Drma7303 White 650.99 6.95 3.37 ____


Merchandise total 650.99
Shipping and handling 6.95
Tax on mdse 6.75% 3.37
Invoice total 706.31

Welcome to the convenience of shopping JCPenney Catalog


Attachment:
Shipping Notification.zip used the MD5s:

1ee31a4fae6e9bbceb47f0bf3ea79c6f
218adbd9f6abb8f0b7fd73765e62d005

Summaries.RBK.zip behaved just like the first two entries on this list, in that it began by visiting www.searchannoying.com, fastlouprim.com, searchbent.com, analitycsdead.com, finderwid.org, and downloaded the same Fake AV from the same location.

The first has 24 of 43 detects at VirusTotal, mostly Fraudload, FakeAV, and ZBot.

The second has 26 of 43 detects at VirusTotal, mostly ZBot.




The fourth ".zip" email had the subject: Corrections.zip

The body of the email was very simple, with a Random Name in the body that matched the "From" name:
============================================================ Corrections.zip
============================================================ Jed Keller



Corrections.zip used the MD5s:

aa32b48a854b62b5a71c4a4b6f53b3a7
b268064ed27f3d3e07e410f694499b04

The first has 21 of 43 detects at VirusTotal called FraudLoad, Alureon, FakeAV, or ZBot.

The second has 26 of 43 detects at VirusTotal called ZBot or Outbreak.

"Corrections" also behaved exactly like those above. Dropping a FakeAV after contacting fastlouprim.com and the others.

The ZIP Files: Group 2 = MoneyMader.ru




The sixth ".zip" email uses the subject: Facebook password has been changed

The body of the email contains:
Dear user of facebook.

Because of the measures taken to provide safety to our clients, your password has been changed.

Important Message!
You can find your new password in attached document.

Thank you.
Facebook Team.


Attachment:
New_password.zip used the MD5:
843d5efc64e2338206f3736a2a876c45

This one is ESPECIALLY TRICKY, because the filename is hidden from the user! The email contains this code:

Content-Type: application/zip;
name="New_password.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="denno.jpg"

Which makes the attachment, which is actually called "New_password.zip" show up as a ".jpg" file, like this:



22 of 42 detects at VirusTotal mostly called BredoLab or Sasfis.

Launching "New_password" generated lots of quick webtraffic, starting with connections to "moneymader.ru" on IP 109.196.134.44, from which I did this get:

/group/mixer/bb.php?v=200&id=912648491&b=16&sentab&tm=100

I have no idea what that means, but it feels familiar -- for instance, compare with the URL Dancho talked about back in May with some itunes spam.

It also fetched from the unlikely named machine:

0006385484.dc5ccd77.01.94c71046BC3647f49cf44b7e9b4b3544.n.empty.725.empty.5_1._t_i.ffffffff.svchost_exe.165.rc2.a4h9uploading.com

which has the IP address 95.211.131.67

Then we downloaded the file "/milk/dogpod.exe" from 91.204.48.46


I also did a crazy long fetch that began with "/get2.php?c=ALOVLEKD" from the host 061707da092d.bourgum.com

When I did fetches like that, I downloaded "7.tmp" and "8.tmp" which VirusTotal calls bad:

7.tmp VirusTotal report showed it had not been reported before. It called it mostly "Kazy" or "Oficla" and gave a 17 of 43 report.
18 of 43 detection for 8.tmp
It also fetched from "y6pb.huntfeed.com" before loading some BBC News.




The last ".zip" email has the subject line You've got a fax

The body has a nice graphic and reads "The Fax message is attached to this email!"

The attachment has random numbers in the name, such as "eFAX07391DOC.zip":

eFAX(randomnumbers)DOC.zip used the MD5:
ce8a5f487daaf7a37aa6d2526b2b57d7

19 of 39 detects at VirusTotal mostly called ZBot, Oficla, or Sasfis.

When we launched this file, which was 22kb in size, it connected to "moneymader.ru" just like the "Facebook New Password" one above. I noticed when I launched this time that I sent back a 15 ?minute? delay statement to the server. I'll wait to see what happens.

Tuesday, September 14, 2010

"Here You Have" Hype & Electronic Jihad

Hype


On September 9th, my blog post on the "Here You Have" worm mentioned that the spread mechanisms of the worm were narrowly focused on a few targets that it hit very hard. Because of this, I've been quite surprised to see claims such as this USA Today article, which claims:

Viral messages carrying an innocuous-looking "Here you have" or "Just for you" subject line at one point Thursday accounted for an astounding 14.2% of spam messages moving across the Internet, says Nilesh Bhandari, Cisco product manager.


and then goes on to do the math for us. The article says there are 300 billion emails per day, so "Here You Have" must have sent 42 billion emails. They then show a chart, for which they provide no source attribution, that demonstrates that there was only one thirty minute period where whoever their source for the chart (presumably Cisco?) claimed the spam had reached 14.2%.



If we assume briefly that there really are 300 billion emails per day, a back of the envelope calculation of this chart would indicate that there were actually closer to 8 billion, rather than 42 billion, emails sent by "Here You Have". (You can clearly see by the USA Today's own chart that in most time periods for the day the percentage was closer to "0%" than to "14%"). 14.2% occurred in only one 30 minute sampling, which, if we assume an equal distribution of the 300 billion across the day, would mean 887 million emails in that thirty minute window.

BUT WAIT! Is it accurate to project the sampling from Cisco's Ironport on "the global spam" picture? Absolutely not! Take for a moment my personal anecdotal evidence. I stand by my earlier statement that the UAB Spam Data Mine on September 9th received 17 copies of the "Here You Have" emails, 13 of which came from senders in a single large financial institution. Our calculation of 0.00002% is perhaps closer to the average "global spam" recipients reality.

In my personal spam collection, including many "live" personal email addresses, I received 10,134 spam email messages on September 9th, of which ZERO were from the "Here You Have" worm. (And yes, I use NO FORM of spam filtering on those email addresses.) I also received zero copies in my university email accounts.

Our reality, and yours, unless your primary email account is in a very large corporation running Outlook, is probably closer to what was described by Microsoft. (Thanks to Robert McMillan of IDG News for pointing this out in his article Here You Have Worm Caused Brief Havoc.)



In this Technet Blog post: "Update on the Here You Have Worm: Visal-B" the Microsoft lab says that in normal spam monitoring, 90% of their reports come from "consumer" email users (protected and reported through Microsoft Security Essentials), while very few reports come from their "corporate" email users (protected and reported through Forefront Client Security).

Microsoft bloggers Jimmy Kuo & Holly Stewart go on to say that while they have sensors deployed worldwide, 98% of their reports for this worm came from US-based reporters. Cisco's 2010 MidYear Security Report (36 page PDF) says that 8.98% of global spam originates in the United States.

When Cisco Ironport reports their numbers, we have to remember that their appliance is overwhelmingly present in corporate email accounts. I know the Ironport guys, believe they have a great product, and believe they reported accurately what they saw on the corporate networks, but also believe that a few media sources have misinterpreted these numbers to turn Here You Have into the Global Armageddon of Spam, which it clearly was not. Except for some US-based corporate mail servers.

But was that the whole point? In order to learn more we need to identify some "patient zero" spam recipients. Who was THE FIRST PERSON at ABC, NASA, Google, JP Morgan Chase, etc, to receive the spam. When we learn more about who is behind the attack, it looks like targeting "big corporations" may have been the whole point of the worm!

Electronic Jihad



The more interesting angle to me is the revelations from Joe Stewart, the International Grandmaster of Malware Analysis at SecureWorks in his blog post Here You Have Worm and e-Jihad Connection. I asked Heather McCalley, the Criminal Intelligence Supervisor in the UAB Computer Forensics Research Laboratory to summarize the details for us:

Joe Stewart had previously identified that the malware contained a string "iraq_resistance" and that a previous version of the same malware use an email address "iraq_resistance@yahoo.com".

A fellow researcher at Internet Identity provided us a link to a YouTube video that claimed to be from the author of the worm. When we first saw the video early yesterday morning it had been viewed 128 times. Heather took a screen shot showing 302 views yesterday morning. This morning there have been 3,803 views of the video.



My nickname is Iraq Resistance. Listen to me about the reasons behind the 9 september virus that affected NASA, Coca-Cola, Google, and most American ?gains?. What I wanted to say is that United States does not have the right to invade our people and steal our oil under the name of nuclear weapons. Have you seen any there? No evidence, even about any project. How easy you kill and destroy. Second, about the Christian Terry Jones what he tried to do on the same day this worm spread is not even fair. I know that not all Christians are similar and some newspapers wrote that I am a terrorist hacker because of the computer virus and Mr. Terry Jones is not and he is not terrorist because he infected all muslims' behavior. I think America, come on! Be fair. Where is your freedom which must end when it reaches another person's freedom. And you say you modern educated people. I don't know there is another one and really I don't like smashing and as you know there were no computers smashed as you know by the analysis report. I could have smashed all those I infected but I wouldn't and don't use the word terrorist please. I hope that all people understand I am not a negative person. Thanks for publishing.


(click for video)

So, shall we take Mr. IqZiad at his word? Context is everything, and in this case, we have ample evidence that iraq_resistance, the self-proclaimed "Commander of the Brigades of Tariq bin Ziad", desires to harm America.

Here's a post that he made on the website "vbhacker.net" where he has been active since 2006 using the username "iraq_resistance":

فيروس طارق بن زياد يعصف بأمريكا
السلام عليكم
قام قائد كتائب طارق بن زياد بشن هجوم فيروس على شركات امريكية وذلك يوم الخميس واصاب عدد هائل من الكمبيوترات ما ادى الى ان الشركات توقف خادمات البريد حتى تسيطر على المشكلة.
وقد اوقفت شركة كومكاست بعض خادماتها وشركة قوقل وشركة كوكاكولا ووكالة ناسا وذلك في ضرف ساعتين مساء الخميس الموافق 9-9-2010
هذا تقرير من شركة مايكروسوفت
http://www.msnbc.msn.com/id/39087497/ns/technology_and_science-security/
وهذا تقرير الدايلي ميل البريطانية

http://www.dailymail.co.uk/sciencetech/article-1310890/Here-virus-causes-havoc-spreads-world.html

وقد اقسم قائد كتائب طارق بن زياد على مواصلة الهجوم في وقت لاحق انتقاما لحملتهم على الاسلام
الرجاء نشر هذا الانجاز والدعاء لكتائب طارق بن زياد بالتوفيق والحفظ


The post takes credit for the attack, links to two news stories about the attack, and then closes in the last two lines by saying:

As the Commander of the Brigades of the Tarik bin Ziad, I swear the attacks will continue in retaliation for their attacks against Islam.

Please publish this achievement and pray for the success and protection of al-Tarik bin Ziad.


Well, Mr. IQZiad, I've published your achievement, but I am certainly praying for a different outcome than the one you request.

The user iraq_resistance has been a member of vbhack.net since 2006. When we looked into the board this morning there were 619 active registered users logged in to the site, as well as 17,032 "guests" reading public messages on the board. The board, which is hosted on LiquidWeb in Chicago, is one of the 22,000 most popular on the Internet according to NetCraft, and has many non-offensive topics, including large popular forums about the World Cup and Islam.

Despite his long membership, Iraq_resistance has only created three discussion threads. The most popular, which was read 4,765 times and has 163 replies, was this message from May of 2008, entitled: مطلوب شباب للمشاركة في حملة الجهاد الالكتروني
which translates as: "Wanted: Young people to participate in Electronic Jihad".

السلام عليكم اخواني
تم تأسيس مجموعة بإسم كتائب طارق بن زياد وهدف هذه المجموعة اختراق اجهزة امريكية تابعة للجيش الامريكي
وقد تطلب زيادة العدد حتى نكون اكثر فعالية .. لذلك نطرح شروط الانتساب الى هذه المجموعة الجهادية الالكترونية:

1 - أن يكون هدف المشترك الجهاد الالكتروني وأن يقسم أنه لن يستخدم ما يتعلمه مع المجموعة ضد هدف آخر.

2 - الإخلاص في العمل واحترام أعضاء المجموعة وبعد توسعها يكون للاقدمية والاكثر فعالية مرتبة القيادة على مجموعات تابعة للمجموعة الرئيسية .

3 - يكون اللقاء والمحادثة على الياهو مسنجر والامسن .

4 - اي مشاكل مع الاعضاء او القيادات باب الشكوى مفتوح للقائد العام للكتائب .

5 - مستوى المجاهد غير مهم لانه سيتعلم مع المجموعة كما ان الطريقة ليست صعبة وهي مؤثرة فعلا.

6 - اتباع نصائح القائد العام والاخلاص الكامل بالعمل لوجه الله .

7 - تناسي الاحقاد بين اعضاء المجموعة وروح المنافسة تكون ضد العدو وليس ضد الاخوة .


8 - القسم في عدم استخدام ما يتعلمه في هدف اخر خارج المجموعة سيكون على المايك ويسمعه القائد العام .

نسأل الله ان يوفقنا ويسدد خطانا واياكم .. ونتمنى من الاخوة الاستجابة للانضمام لهذه الفرصة المباركة
كما نشكر ادارة المنتدى لاتاحة الفرصة لاعلان الحملة وطلب والانتساب وسيتم موافاتكم اولا باول بالنتائج باذن الله.
للانضمام الرجاء اضافة معرف ياهو

tarek_bin_ziad_army

بانتظار المجاهدين لقبول اضافتكم
اخوكم القائد العام لكتائب طارق بن زياد


Which, according to Google translate, reads:

Peace be upon you my brothers

Group was established in the name of al-Tariq bin Ziyad and goal of this group infiltrate a U.S. subsidiary of the U.S. Army

The increasing number of requests so we'll be more effective .. Therefore, we present the conditions for affiliation to these jihadist group E:

1 - to be the common goal of electronic jihad and to apportion that it will use what it learns with the group against the other goal.

2 - dedication to work and respect for members of the group and after the expansion is the most seniority and rank the effectiveness of the leadership groups of the main group.

3 - be meeting and chatting on Yahoo Messenger, Alamson.

4 - any problems with members or leaders open the door of the complaint to the General Commander of the Brigade.

5 - the level of fighting is not important because he will learn with the group and that the way in which it is not really impressive.

6 - follow the advice of the Commander in Chief and dedication to working for God's sake.

7 - forget the grudges between the members of the group and the spirit of competition which is against the enemy and not against the brothers.

8 - Section in the non-use of learning the target outside the group will be on the mic and hear the commander in chief.

We ask God to help us and guide our steps and you .. And good response from the brothers to join this blessed opportunity

We also thank the management of the Forum for the opportunity to announce the campaign and asked the association and will provide you with first hand the results, God willing.

Please add to join the Yahoo ID

tarek_bin_ziad_army

Waiting for the Mujahideen to accept Adavckm
Brother Commander General of the Brigades, Tariq ibn Ziyad


Tariq ibn Ziyad was the name of the Muslim servant who was appointed a General and given troops to conquer the Iberian peninsula in the year 711. You can read more about him in his Wikipedia article, or for a more Islam-friendly version of events, see HaqIslam. Tariq is the invader who famously burned his ships after landing, convinced of his victory by a vision of the Prophet promising him success and that he would personally kill King Roderick.

The same "call for recruits" was posted in many other places, including:

http://www.amman-dj.com/vb/a-t68089/ (by user "iraq_resistance", active since December 2006, hosted on SoftLayer in the USA.)

http://www.m0dy.net/vb/t104142.html (by user "iraq_resistance", active since November 2005, hosted on SoftLayer in the USA.)

http://vbnaajm.naajm.com/showthread.php?t=44269 (by user "iraq_resistance", active since July 2004, hosted on BlueHost in the USA.)

http://www.arabteam2000-forum.com/index.php?showuser=74343 (user "iraq_resistance", active since March 2006, hosted on XLHost in the USA.)

In addition there are malware author recruiting ads, such as this one:

http://lovesingle.jeeran.com/no2.html

The call is for assistance from those who can create computer viruses to strike the enemy. Malware coders who want to help in the cause were instructed (in Arabic):

To subscribe send a message to

tarek_bin_ziad_army@yahoo.com

And please send a message to email the following to configure a lethal army of God Almighty in the future

thabet3000@gmail.com


Impact?



So despite the "I'm not a terrorist", YouTube video, we have a mass-mailing worm that disproportionately impacted US-based businesses, successfully planting backdoor code on many of the infected machines, planted by a person who has been calling himself "Iraq_resistance" since 2006, and who has been recruiting for "electronic Jihad" participants since 2008. This person boasted about his attacks, and has promised there will be others, and as far back as March 6, 2009, was specifically inviting malware authors to help him create "a lethal army of God".

Was there a lot of Hype in the coverage of this malware? Yes. But perhaps the hype is deserving a deeper response than a shrug.

Update


Our friend Bob McMillan has shared an interesting Series of Emails with the worm author.

Thursday, September 09, 2010

"Here you have" spam spreads email worm

This evening while I was driving to an open house at my daughter's school (very cool! proud of you, Kyriae!) a journalist called to ask me about "the major new email worm that everyone is talking about".

Insert sound of crickets.

I asked him for more details and he said all he knew so far was that it used the subject line "Here you have", which made me laugh -- that was the main subject line of the Anna Kournikova virus way back in 2001!

In my lab at the University of Alabama at Birmingham we have a project called the UAB Spam Data Mine, so I'm usually a pretty good person to ask if something involves the words "major" and "email", but not this time. As the evening progressed I got more and more queries and emails about it, so I decided to look into it.

In the entire Spam Data Mine, we had 17 copies of the email, or roughly one out of every 100,000 email messages for the day. Certainly not "major", but then when we looked at the actual emails, we noticed that thirteen of the seventeen came from the same Very Large Financial Institution.

That did pique my interest! ABC seems to be the only news station covering the story, which is because the worm behind this malware managed to get lose in some ABC properties. Here's a sample news story, from ABC 13 in Houston:

A massive and dangerous email virus has spread like wildfire, flooding inboxes and disrupting operations across the globe. The email is landing in the inboxes of companies around the world.

The email has the subject line 'Here you have.' In the body of the email, it reads, "Hello: This is The Document I told you about, you can find it here," and contains a reference to a document and a link to what appears to be a PDF. IT departments are advising users not to open the email or click on the link, but to delete the message.

If you click on the link, the virus replicates and sends itself out using your name and contact list.

The attack appears to be global, so far affecting companies such as Disney, P&G, Dow, Coca-Cola and others. The Florida Department of Transportation's email system has been shut down, and other Florida government agencies have been affected, but so far no Texas government agencies are reporting any impact. The virus may have originated in Russia.

(story from ABC's KTRK in Houston)

ABC National news had a similarly glamorous lead in, mentioning that as of 4 PM on Thursday "Here you have" was the second hottest news trend on Google. "Organizations including NASA, Comcast, AIG, Disney, Proctor & Gamble, Florida Department of Transportation and Wells Fargo are just a few of the organizations apparently affected by the worm, which appears to have sent out hundreds of thousands, if not millions of e-mails"

If we scroll back in the Twitter space about twelve hours (1:00 PM on Thursday) we can confirm that at least for some folks, the email did feel pretty overwhelming. See posts such as:

tony1971 who else is getting tons of e-mails with the subject, #hereyouhave?

jmyoung82 328 emails and counting from #hereyouhave email worm

wiltap I turned off my desktop email--machine was non-responsive. RT @perfectcr Yup, its global! #hereyouhave

padevries Seems like #hereyouhave #virus is under control at my company. After 724 emails in 10 min it has stopped.

The malware preferred to spread via the Outlook mail program, and spammed itself primarily by sending to every member of the local Outlook address book. In companies where a domain administrator logged in to an infected machine the effect was that every machine reachable from that machine that used the same administrator password became infected, and then each of those users sent an email to every other user in the company directory. I can see where that would pile up quickly.

Apparently very few companies have the addresses in the UAB Spam Data Mine in their address books, which would explain me receiving so little spam. (A fortuitous typographical error seems to be how I got most of our copies.)

BarracudaLabs claims in their useful and informative blog entry, “Here You Have” Spam Teaches an Old Worm a New Trick that they saw the spam first at 9:44 AM Pacific time and quickly saw 200,000 copies, but that its likely that infected organizations had many more. The spam dried up once the website hosting the malware shut down the offending account.

Although the malware is being recognized for its spam, the reason it is being labeled as a worm has to do with its spread within corporate networks. The malware, which was previously seen on August 20th, has been given the name W32.Imsolk.A by Symantec and others at that time. They call the new version "W32.Imsolk.B". TrendMicro calls the new version "Worm_Meylme.B".

Here's a VirusTotal report showing detections and who is calling it what. Currently 23 of 42 anti-virus products are reporting a detection. (Up from 17 of 42 when I checked about 4 hours ago).

Its interesting to follow Symantec's ticket on the malware through the day . . . Symantec Tech Support ticket - which concluded:

""Enterprise customers are protected by a Rapid Release signature set dated Sep 9th 2010 rev 023, or later. The next regular definition set to be published at 16:00 PST Sep 9th 2010 will contain the detection."

McAfee's AvertLabs also had a Special Report on Here you Have, including links to their advice on identifying and removing the malware, with a special Knowledge Base link that provided information on an emergency signature file and a special version of their stand-alone "stinger" product.

Microsoft has a quite good Threat Encyclopedia entry for the previous version, which they called "Visal.A", and has updated it with a great entry on Visal.B. Some of the cooler features of this malware described by Microsoft include:

- the malware copies itself as " CV 2010.exe" to drives C: through H:.

- The worm adds an autostart key by making the following registry modification:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Adds value: "Sets Shell"
With data: “%windir%\csrss.exe”


which is how it guarantees that it will re-invoke after boot -- note that by linking to "Winlogon", even a 'safe mode' boot will be "infected".

- the worm will attempt to mount network shares for all computers on the local network and copy itself as a fake graphic file - "N73.Image12.03.2009.JPG.scr" and placing itself in a "New Folder", as well as folders named "Music" and "Print" on every drive it can mount. It will add an entry into an autorun.inf file on each of those drives to ensure that mounting the drive will invoke their fake JPG file.

- The malware also attaches itself via the registry to 391 various .exe file names, primarily the names of security tools and programs, so that if any of them are executed, the malware stored in "%windir%\csrss.exe" will be re-invoked.

Although the malware theoretically can send three different emails from templates in the malware, all of the samples we received today were of the first variety:

Subject: Here you have
Hello:

This is The Document I told you about,you can find it Here.
http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf

Please check it and reply as soon as possible.

Cheers,


The first actual copy of the email we saw was actually from an employee of a local utility company. In all the copies I saw, the actual link was downloading the content from:

members.multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr

Although SCR files are traditionally thought of as "screen saver" files, if the file is an executable, '.scr' files can be directly executed in Windows, as indeed this one is. Because file extensions are suppressed by default in Windows, and because the executable uses an icon that makes it appear to be a PDF file, this one fooled quite a number of people.

Multimania quickly shutdown the account "yahoophoto" once it was understood what was
happening. After that the attack more or less ran itself out. While it continued to spread via network shares inside of large corporate networks, the email based component was a dud after that point.