Wednesday, April 13, 2011

Bold FBI Move Shutters COREFLOOD Bot

In February 2005, John Leyden told the story of Joe Lopez a 42 year old businessman in Miami Florida who sued his bank after having $90,348 wired out of his account to Parex Bank in Riga, Latvia. The US Secret Service examined his computer and found that his system was infected with the Coreflood trojan.

Where did the money go? According to USA Today's Byron Acohido, someone named Yanson Arnold withdrew $20,000 of the money three days later.

The story was featured on NBC Nightly News on December 14, 2004, in a story called The Fleecing Of America which indicated the money had been stolen via the CoreFlood Virus.

In June of 2008, Joe Stewart, International Grandmaster of Malware Reverse Engineering, released a report called Coreflood/AFcore Trojan Analysis. He started his report by calling attention to five highlights:

1. One of the oldest botnets in continuous operation (+6 years)
2. Motive turned from DDoS to selling anonymity services to full-fledged bank fraud
3. Entire Windows domains infected at once (thousands of computers at some organizations)
4. Over 378,000 computers infected during 16-month time frame
5. Infected businesses, hospitals, government organizations, and even a state police agency

When Joe worked with Spamhaus back then to investigate an active C&C they found FIFTY GIGABYTES of compressed data, stolen over the course of two years, with a MySQL database that the criminal was using to track which information it had stolen from 378,758 unique bots over a period of 16 months. At one point, Joe's report shows "a major hotel chain" with over 7,000 infected computers, and a State Police agency with over 110 infected computers! Among the data stolen were 8,485 bank passwords, 3,233 credit card passwords, 151,000 email passwords, and 58,391 social networking site passwords. At that time, in 2008, the controller domains were: mcupdate.net, joy4host.com, and antrexhost.com.

Here we are in April 2011 -- almost three years later, and "antrexhost.com" is still an active C&C for the domain, which is still stealing money, despite being featured on NBC Nightly News, USA Today, and discussed by name by the White House's Howard Schmidt.

All of that may have come to an end today, as announced by today's FBI Press Release headline was Department of Justice Takes Action to Disable International Botnet. The botnet in question is known as Coreflood, and according to court papers released by the FBI's New Haven Field Office, a pair of Command & Control servers, located at 207.210.74.74 and 74.63.232.233 were controlling 2,336,542 infected computers as of February 2010. Of those, 1,853,005 were located in the United States.

207.210.74.74 is a server on the Global Net Access system, that hosted a domain called jane.unreadmsg.net. vaccina.medinnovation.org was the C&C name on 74.63.232.233


From the request for a Temporary Restraining Order filed by Assistant US Attorney Edward Chang:

12. The Coreflood Botnet was used, among other things,
to commit financial fraud. Infected computers in the Coreflood
Botnet automatically recorded the keystrokes and Internet
communications of unsuspecting users, including online banking
credentials and passwords. The stolen data was then sent to one
or more Coreflood C&C servers, where it was stored for review by
the Defendants and their co-conspirators. The Coreflood C&C
servers also stored the network and operating system
characteristics of the infected computers. The Defendants and
their co-conspirators used the stolen data, including online
banking credentials and passwords, to direct fraudulent wire
transfers from the bank accounts of their victims.

13. The victims of the fraud scheme described above
included, inter alia:

a. A real estate company in Michigan, from whose bank
account there were fraudulent wire transfers made in a
total amount of approximately $115,771;

b. A law firm in South Carolina, from whose bank account
there were fraudulent wire transfers made in a total
amount of approximately $78,421;

c. An investment company in North Carolina, from whose
bank account there were fraudulent wire transfers made
in a total amount of approximately $151,201; and

d. A defense contractor in Tennessee, from whose bank
account there were fraudulent wire transfers attempted
in a total amount of approximately $934,528, resulting
in an actual loss of approximately $241,866.

The full extent of the financial loss caused by the Coreflood
Botnet is not known, due in part to the large number of infected
computers and the quantity of stolen data.



Here are some of the hostnames that were used by Coreflood -- some dates are in the future, indicating that the bot had the ability to change to new names over time, to prevent just the sort of shutdown that occurred today:


C&C SERVER ASSIGNED 207.210.74.74
MonthPrimary Domain Alternate Domain
1/2011 a-gps.vip-studions.net old.antrexhost.com
2/2011 dru.realgoday.net marker.antrexhost.com
3/2011 brew.fishbonetree.biz spamblocker.antrexhost.com
4/2011 jane.unreadmsg.net ads.antrexhost.com
5/2011 exchange.stafilocox.net cafe.antrexhost.com
6/2011 ns1.diplodoger.com coffeeshop.antrexhost.com
7/2011 a-gps.vip-studions.net old.antrexhost.com
8/2011 dru.realgoday.net marker.antrexhost.com
9/2011 brew.fishbonetree.biz spamblocker.antrexhost.com
10/2011 jane.unreadmsg.net ads.antrexhost.com
11/2011 exchange.stafilocox.net cafe.antrexhost.com
12/2011 ns1.diplodoger.com coffeeshop.antrexhost.com

C&C SERVER ASSIGNED 74.63.232.233

Month Primary Domain Alternate Domain
1/2011 taxadvice.ehostville.com taxfree.nethostplus.net
2/2011 ticket.hostnetline.com accounts.nethostplus.net
3/2011 flu.medicalcarenews.org logon.nethostplus.net
4/2011 vaccina.medinnovation.org imap.nethostplus.net
5/2011 ipadnews.netwebplus.net onlinebooking.nethostplus.net
6/2011 acdsee.licensevalidate.net imap.nethostplus.net
7/2011 wellness.hostfields.net pop3.nethostplus.net
8/2011 savupdate.licensevalidate.netschedules.nethostplus.net
9/2011 wiki.hostfields.netmediastream.nethostplus.net
10/2011taxadvice.ehostville.com taxfree.nethostplus.net
11/2011 ticket.hostnetline.com accounts.nethostplus.net
12/2011 flu.medicalcarenews.org logon.nethostplus.net


In addition to the affidavit for the TRO, FBI Special Agent Kenneth Keller got a most unusual Seizure Warrant. With the warrant, they requested that the court compel the Registrars of the 24 domain names posted above to change the DNS settings for the servers, so that they would resolve to SINKHOLE-00.SHADOWSERVER.ORG and SINKHOLE-01.SHADOWSERVER.ORG.

To maximize the difficult of taking down this bot, the criminal spread his domain registrations all over the world. He used Wild West Domains (US-AZ), Above.com (of Australia), Big Rock Solutions (of Mumbai), LiquidNet (UK), Network Solutions (US-Virginia), Active Registrar (SIngapore), 1&1 Internet (Germany), TuCows (Toronto), Dotster (US-Washington), MyDomain, Inc (US-Washington), DomainRegistry.com (US-New Jersey), and Melbourne IT (which is Yahoo!'s registrar of choice), Mesh Digital (UK), Misk.com (US-NY), Moniker (US-Florida), and Directi (India).

Obviously a US court order has little impact in Mumbai or Singapore, so it was important to get this done when the "active" domains were US-based.

A "SinkHole" in the cyber security world is a trick that is invoked to cause botnets who are trying to talk to a criminal server to instead talk to a computer owned by a researcher or investigator. Its a great way for both measuring levels of infection and also for preventing the bad guy from being able to talk to his bots.

In this case, the sinkhole went beyond this though. Here comes the cool part from this Temporary Restraining Order issued by the Honorable (and very smart!) Vanessa L. Bryant.

WHEREAS the Government has shown good cause to believe: (a) that hundreds of thousands of computers are infected by Coreflood, known collectively as the "Coreflood Botnet"; (b) that the computers infected by Coreflood can be remotely controlled by the
Defendants, using certain computer servers known as the "Coreflood C&C Servers" and certain Domains"; (c) that, on or about April 12, 2011, the Government will execute seizure warrants for the Coreflood C&C Servers and the Coreflood Domains; (d) that the Government's seizuer of the Coreflood C&C Servers and the Coreflood Domains will leave the infected computers still running Coreflood; (e) that allowing Coreflood to continue running on the infected computers will cause a continuing and substantial injury to the owners and users of the infected computers, exposing them to a loss of privacy and an increased risk of further computer intrusions; and (f) that it is feasible to stop Coreflood from running on infected computers by establishing a substitute command and control server;

WHEREAS the Coreflood Domains are listed in Schedule A, together with the corresponding registry, registar, and domain name service ("DNS") provider (collectively, the "Domain Service Providers") used by the Defendants with respect to each of the Coreflood Domains;

WHEREAS the Government has shown good cause to believe that: (a) it is reasonably likely that the Government can show that the Defendants are committing wire fraud and bank fraud and are engaging in unauthorized interception of electronic communications, as alleged; (b) it is reasonably likely that the Government can show a continuing and substantial injury to a class of persons, viz., the owners and users of computers infected by Coreflood; and (c) it is reasonably likely that the Government can show that the requested restraining order will prevent or ameliorate injury to that class of persons;

(etc...)

Pursuant to the authority granted by 28 U.S.C. $ 566, the United States Marshal for the District of Connecticut ("USMS") shall execute and enforce this Order, with the assistance of the Federal Bureau of Investigation ("FBI") if needed, by establishing a substitute server at the Internet Systems Consortium...that will respond to requests addressed to the Coreflood DOmains by issuing instructions that will cause the Coreflood software on infected computers to stop running, subject to the limitation that such instructions shall be issued only to computers reasonably determined to be in the United States.


The Restraining Order gave blanket permission for anything that was using the DNS servers "NS1.CYBERWATCHFLOOR.COM" (204.74.66.143) or "NS1.CYBERWATCHFLOOR.COM" (204.74.67.143) to instead point to Special Agent Kenneth Keller's server 149.20.51.124.




Of course, some people may not want the Department of Justice telling their computer what to do. Because of that possibility, the FBI Press Release offers the option:

The Department of Justice and FBI, working with Internet service providers around the country, are committed to identifying and notifying as many innocent victims as possible who have been infected with Coreflood, in order to avoid or minimize future fraud losses and identity theft resulting from Coreflood. Identified owners of infected computers will also be told how to "opt out" from the TRO, if for some reason they want to keep Coreflood running on their computers.

Friday, April 08, 2011

The Epsilon Phishing Model

There is a saying "if you give a man a fish, he'll eat for a day, but if you teach a man to fish, he can feed himself for a lifetime."

In the case of the Epsilon email breach the saying might be "if you teach a man to be phished, he'll be a victim for a lifetime."

In order to illustrate my point, let's look at a few of the security flaws in the business model of email-based marketing, using Epsilon Interactive and their communications as some examples.

NOTE: Epsilon has released another Press Release to assure the public that no Personally Identifiable Information was released. The point of this article is not to argue that point, but rather to say there is something flawed in training users to click on links in emails.

Targeted Mailing Lists Help Avoid Detection



One of the advantages to phishers in using destination email addresses from the Epsilon Breach is that it helps keep their emails out of the hands of the security research and anti-phishing communities. Phishers, especially the less-skilled ones, tend to buy or steal large email address lists. Many researchers and anti-phishers (including us!) have managed to get their "spam-trap" email addresses onto those lists, which gives us visibility to spam campaigns. At UAB, as an example, we receive more than a million spam email messages each day. Some of these emails are phishing emails, which we then share with law enforcement and our strategic partners. Using a combination of automated and manual tools, we review tens of thousands of URLs each day to learn the addresses of the criminals new phishing sites. But what if a phisher only sends his phishing email to "confirmed" customer email addresses? This greatly reduces the ability of the anti-phishing community to respond to these phishing sites.


Guaranteed Delivery "From:" Addresses



Another thing a phisher would like to accomplish is to make sure that his message arrives without being blocked. Perhaps his victim is running spam filtering software. What is the first things that would be desirable? He would like his email to be sent from an address that will guarantee delivery. The easiest way to make sure that spam is delivered is to make sure that the "From:" address is in the potential victim's address book. This is why so many email messages arrive with the "from" and "to" addresses being the same. The spammers assume that you will have your own address in your address book, and therefore spam-filtering rules will not be applied to that address.

How else could they do that? Epsilon helpfully instructs their customers to add their email addresses to their address book. If a phisher now imitates those addresses, their email will bypass many phishing filters:



This email was sent to you by Ethan Allen.
Please add ethanallenstyle@email.ethanallen.com to your address book. This will ensure delivery to your inbox.


You are receiving this e-mail because you have requested information about CRESTOR(R) (rosuvastatin calcium) Tablets. Add CRESTOR@email.CRESTOR.com to your address book so future e-mails from us will not be marked as spam.


Add citicards@info.citibank.com to your address book to ensure delivery.


To ensure delivery to your inbox, please add Walgreens@email.walgreens.com to your address book.


This e-mail was sent to you by Eddie Bauer Friends. To ensure delivery to your inbox (not junk or bulk), please add info@eddiebauerfriends.com to your address book.


To ensure receipt of your Red Roof RediCard emails, please add redicard@redroofinn.bfi0.com to your address book.


To ensure receipt of our emails, please add targetdailydeals@targetnewsletter.bfio.com to your Contacts or Address Book.


etc . . .

So if the phisher makes his "from" address one of these "trusted" addresses, what happens?

Teach a man (or woman) to Click



One of the main pieces of advice that security professionals give to audiences and readers when they are speaking or writing about the topic of phishing is DO NOT CLICK ON LINKS IN YOUR EMAIL!

This is exactly the opposite advice that customers in the Epsilon databases receive. Epsilon and other email senders work on the theory of full-visibility communications. They know which email messages they send to which users, and they prove their value to the companies they represent by providing deep intelligence on the "click behavior" of the customers they email on behalf of those companies. Each link in an Epsilon email is customized with a URL that tells Epsilon who clicked on the link.

The whole point of emails from Epsilon is to get customers to click on links! I've truncated the URLs to protect privacy, but here's an example of one from Target. Clicking on this one takes me to their "Daily Deals. One Day Only. Always Free Shipping."

http://target.bfi0.com/145d56598layfousibljoi2iaaaaaaq5mirqsi2bcpuyaaaaa/C?V=bF9pbmRleAEBcHJvZmlsZV9pZAExMTM1MzYzMTY5AXppcF9jb2RlAQFfV0FWRV9JRF8BNjEwODA0MzQ5AV9QTElTVF9JRF8BMjE1NDI2MjUBZ19pbmRleAEBZW1haWxfYWRkcgFnYXJAYXNrZ2FyLmNvbQFfU0NIRF9UTV8BMjAxMTA0MDMxMjAwMDABcHJvZmlsZV9rZXkBMjU4NTkyMDM%3D&k2hXe6YFbcPUoDxGzFz1FA

which means I can get "juniors" denim skinny jeans for $12.49 today only! (which also means my daughter probably gave my email account to Target....hmmmm.....)

Here's a few examples:



Greetings from the National Geographic Online Store!

You are invited to join an exclusive community of individuals interested in National Geographic. As a member, you will...
* Help us choose catalog covers.
* Get sneak peeks at new products we=92re considering.
* Give valuable advice to people at National Geographic who decide what products we should offer.
* Get an insider=92s view of how our catalog and online store help fund the Society's Mission programs in the areas of research,

conservation, exploration, and education.

Click here to join the NG Store Insider panel. http://newsletters.nationalgeographic.com/1####....



Now through April 10, 2011

$50 OFF YOUR PURCHASE OF $250 OR MORE*
ENTER CODE > =

Txx3-4xxxxx-xx3xx2

HAUTE SALE
HURRY, ENDS TODAY!
40% OFF select styles. In-store & online.

http://bebeonline.bebe.com/#####...


Introducing the NY DEAL of the DAY! Extra savings on a must have style! In stores & online. Today only! The Hudson wide leg pant,
only $14.99 today only! Check our homepage every day of this sale for our new DEAL!

Shop now >
http://email.nyandcompany.com/1####...



Today Only! Save 30% at Gap Outlet

To get this coupon, copy and paste this url:
http://mail.goAAA.com/1#####...


------------------------
DAILY DEALS. ALWAYS FREE SHIPPING.
------------------------

Fun, cool stuff at amazing prices, available for one day only.


Shop Now:
http://targetenewsletter.bfi0.com/####...


BBC AMERICA NEWSLETTER
Doctor Who in America for the Very First Time
April 6, 2011
Doctor Who: Brand New Season
The Tardis is hopping the pond and the stakes have never been higher. =

WATCH THE EXTENDED TRAILER
http://bbcamerica.bfi0.com/1####...


The statement for your account ending in 4616 is now available online.
Log in to Online Banking to view your statement and pay your bill.
Please visit
http://email.capitalone.com/1####...



The point of every one of those emails is HEY YOU! CLICK ON THIS LINK!!!


The Warnings & The Future



If you live in the United States and you have ever used a credit card, your inbox is already flooded with Epsilon notices, so I hesitate to show you very many. We've heard of warnings from more than fifty companies, and personally seen the warnings from at least:

1-800-Flowers begin_of_the_skype_highlighting              1-800-Flowers      end_of_the_skype_highlighting
Abe Books
AIR MILES Reward Program
Ameriprise Financial
Barclays Bank of Delaware (US Airways Dividend Miles MasterCard, DIRECTV Rewards, iTunes Rewards, LLBean etc... )
Beachbody
Brookstone
Capital One
Citibank (AT&T Universal Card, Exxon Mobile, Home Depot, Shell)
Disney Destinations
Eddie Bauer
Ethan Allen
Hilton Honors
Krogers
Lacoste USA
Marriott
McKinsey Quarterly
M&T Bank
New York & Company
Red Roof Inn
Soccer.com
Target
Tastefully Simple
TD Ameritrade
TIAA-CREF
Tivo
Verizon
World Financial Network National Bank (WFNNB) (Ann Taylor, Catherine's, Chadwick's, Eddie Bauer, Gander Mountain, HSN, Maurice's, Newport News, Peeble's, The RoomPlace, United Retail Group, Victoria's Secret, Woman Within)
Walgreens

The warnings are missing the point of MY warning. All of them assure you that they aren't going to ask you for your personal information, and that your personal information hasn't been lost, "only your email address."

They tell you though NOT TO OPEN EMAILS FROM PEOPLE YOU DON'T KNOW. I don't know anyone named "shellcreditcard@info.accountonline.com" and I certainly don't know anyone named "TargetNews@target.bfio.com"



Of course that also misses entirely the fact that ANYONE can make their "From:" email anything they would like it to be! Email is not a form of trusted communication! So, how does the end-user know that the email really came from a real sender? Its a growing problem. Certain vendors have had luck with certain large mail providers -- for example eBay and Gmail. Because eBay signs all of their outbound email with a "digital signature" and Gmail knows what digital signature eBay uses, Gmail will reject any email that claims to be from eBay but really isn't.

There is a whole association, The Online Trust Alliance, filled with great companies dedicated to trying to fix this problem, but where they stand right now is that acceptance has been limited, and "traditional" email solutions don't come out of the box with the ability to interact richly with these forms of signatures and authentications.

Imagine for example that you are a global brand with more than 500,000 employees. In order to "turn on" digital authentication, you have to make sure that every single email sent by any of your 500,000 employees has a valid "digital signature" that proves the email really came from you! On the other end of the spectrum, if everyone locks down their email clients to only allow emails that are signed and certified, emails from individuals like you and me are likely to be thrown away!

In the meantime, we're stuck with imperfect solutions -- the need of the corporation to get their messages delivered and clicked on -- and the need of the consumer to NOT CLICK on messages that may lead to malware infections.

One-Click Malware - Drive-By Infections



Kaspersky Labs had a recent headline on this topic: Malware in February: Cybercriminals Perfect Drive-By Tactics.

In most of the top reported malware for February, the infection method was to convince a user to click on a link which took them to a "poisoned" webpage -- one on which some hostile code was present that could take advantage of security flaws in the webpage visitor's browser, PDF reader, flash player, or other code to place malware on the visitor's computer. Kasperky's February Report showed more than 70 million times where a Kaspersky customer had tried to visit a website that would have infected their computer if they had not been blocked!

The Warnings in the Epsilon Breaches can't warn you of that though. If they gave you the advice I would give you, they would be saying "Please don't click on the things our marketing department sends you!" which would result in them losing their jobs.

I have to say that the Citibank group of warnings do have a form that I appreciate.



As a means of proving email is REALLY from them, they provide the final four digits of your account number, your name, and the year you joined their card program on all of their official emails. I have to say that I find this very effective.

Unfortunately, yet another problem at Bigfoot/Epsilon ruined my joy on this one for today:



The error tells me "Secure Connection Failed" "images.bigfootinteractive.com:443 uses an invalid security certificate ... This could be a problem with the server's configuration or it could be someone trying to impersonate the server."




It's probably just something wrong as they try to re-issue security certificates related to tightening up their shop, but still it sends the wrong message at a critical time for their company!