Sunday, October 31, 2010

With GlavMed gone, who is the King of Pharm Spam?

Last week the anti-spam community was abuzz with the news that Igor Gusev, the CEO of DespMedia, and the man behind GlavMed and SpamItDotBiz had been charged in absentia for running an unregulated internet company. The New York Times had an excellent story on the potential impact on spam.

At the end of this Russia Today article the author suggests "Glavmed partners are preparing to join a new pharmaceutical partnership program if the current one is shut down. Then it will be business as usual."

Where might they be going? Based on what we are seeing in the spam there are a few obvious choices. Most of the spam we have been receiving at the end of last week and through the weekend - more than 20% of our total spam volume - points us to domains that look like this:



Although "US Drugs" has had many looks and feels, the thing that ties this affiliate program together is the phone number (800) 998-7978.

This phone number appears on many different pharma websites, some of which, such as "buy--viagra.net", also sell harder narcotics such as Vicodin, Percocet, and Hydrocodone. These websites are often hosted on a Russian ASN belonging to Galant Ltd, but one of the spam campaigns is currently on the Moldovan AS49544, Complife, which we have seen hosting 1,783 distinct spammed pharmaceutical domains since October 19th on the IP 194.0.221.4 (click for list).

Another of the pharm sites that also uses the telephone (800) 998-7978 looks like this:



This group is currently hosted in Romania, on the IP address 86.55.211.152 (click for list), which has hosted 641 pharma domains since October 26th! Prior to that, these domain names were hosted 2,271 times on 86.55.243.102 (click for list).

That leading group is followed by a close second, also almost 20% of our spam volume - for Pharmacy Express:



One of the main locations of this spam campaign's websites has been 188.95.159.61 (click for list) which has hosted 1,060 pharma domains since September 21st! Going back further, there were OEM Software sites and Casino spam sites hosted on the same IP.
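The pivoting used above (tying sites together by a shared contact phone number, then counting distinct domains per hosting IP since a given date) can be scripted. This is an added example, not code from the blog or the UAB Spam Data Mine; the records, domains, IPs and ASNs below are constructed placeholders, and the phone-number normalization handles the differently formatted variants a spam corpus actually contains.

```python
"""Pivot on shared indicators across spammed pharma domains.

Added example with constructed sample data (not UAB Spam Data Mine records).
Sites sharing a contact phone number are treated as one affiliate program;
counting distinct domains per hosting IP since a date shows where a
campaign currently lives.
"""
from collections import defaultdict
from datetime import date

# Constructed sample records: (domain, phone, ip, asn, first_seen).
# Domains and IPs are documentation placeholders, not real indicators.
SAMPLE_RECORDS = [
    ("pharm-example-1.example",   "(800) 998-7978", "192.0.2.10",   "AS64500", date(2010, 10, 19)),
    ("pharm-example-2.example",   "(800) 998-7978", "192.0.2.10",   "AS64500", date(2010, 10, 20)),
    ("pharm-example-3.example",   "800.998.7978",   "198.51.100.7", "AS64501", date(2010, 10, 26)),
    ("pharm-example-4.example",   "(800) 998-7978", "198.51.100.7", "AS64501", date(2010, 10, 27)),
    ("express-example-1.example", "(866) 555-0100", "203.0.113.5",  "AS64502", date(2010, 9, 21)),
    ("express-example-2.example", "866-555-0100",   "203.0.113.5",  "AS64502", date(2010, 9, 30)),
    ("old-example.example",       "(800) 998-7978", "192.0.2.10",   "AS64500", date(2010, 10, 1)),
]


def normalize_phone(phone: str) -> str:
    """Keep only digits so '(800) 998-7978' and '800.998.7978' match."""
    return "".join(ch for ch in phone if ch.isdigit())


def cluster_by_phone(records):
    """Group domains by the (normalized) contact phone number on the site."""
    clusters = defaultdict(set)
    for domain, phone, *_ in records:
        clusters[normalize_phone(phone)].add(domain)
    return dict(clusters)


def ips_for_phone(records, phone):
    """Pivot from a phone number to every (ip, asn) pair its sites were hosted on."""
    target = normalize_phone(phone)
    return sorted({(ip, asn) for _, p, ip, asn, _ in records if normalize_phone(p) == target})


def distinct_domains_on_ip(records, ip, since):
    """Count distinct domains first seen on an IP on or after `since`."""
    return len({d for d, _, rip, _, seen in records if rip == ip and seen >= since})


if __name__ == "__main__":
    for phone, domains in cluster_by_phone(SAMPLE_RECORDS).items():
        print(phone, len(domains), "domains; hosted on", ips_for_phone(SAMPLE_RECORDS, phone))
    print("domains on 192.0.2.10 since 2010-10-19:",
          distinct_domains_on_ip(SAMPLE_RECORDS, "192.0.2.10", date(2010, 10, 19)))
```
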

Those two prominent spam affiliate programs are followed by a host of also-rans, including:

MediTrust



Acai News

Wednesday, October 27, 2010

Work From Home Scams: IC3 Advisory

This past week the Internet Crime Complaint Center (IC3.gov), in conjunction with the FBI, the US Secret Service, and the Financial Services ISAC (FS-ISAC), released a Fraud Advisory regarding Work From Home scams. In particular, they are trying to raise awareness of the many schemes which lead to individuals serving as Money Mules for organized crime.

We've shared several examples of Money Mule recruitment scams in the past, including:

- Sep 4, 2008: Work At Home...for a Criminal? - several scams, including money mule scams, were described

- Sep 19, 2008: CareerBuilder Scams - scroll down for a "Walker & Sons" position as a "Financial Coordinator"

- Dec 8, 2008: Fake UMB Bank - scroll down for a "Regional Financial Representative" position at "BMS" to be described

- July 24, 2009: From Russia With Love - scroll to the bottom of the article to see a Mule Recruitment site called "Angle Protective" hiring "Customer Service Specialists"

- Nov 19, 2009: Running out of Money Mules? - ABC Web Design claims to be hiring "Financial Managers" who are actually laundering money.

- July 3, 2010: Stealing $10 Million 20 cents at a Time - where US citizens were recruited to open businesses to receive fraudulent credit card payments - another form of money muling.


On October 1, 2010 the FBI announced "Operation Trident BreACH", which described money mules used to steal more than $70 Million! In this case the Money Mules were Russian and Moldovan students working in the New York area on J1 Student Visas. The point of the new advisory is that most Money Mules working in the US are actually American citizens who have been recruited through these Work From Home emails to use their checking accounts to move money out of the country.

Here are a few of the scams we are seeing in the UAB Spam Data Mine recently.

CareerBuilder reply

This email arrives with a graphical layout that tries to evoke CareerBuilder.com:



The body of the email is a classic mule recruitment ad - promising huge earnings for tiny amounts of work - and mentioning email and finances:

Hello,

Hope this email will find you at your best.

I came across your resume on CareerBuilder and I am contacting you in regards to an excellent job opportunity. Your skill sets and experiences appear to align well with the position I am looking to fill.

I've attached the job description details below. Please take a look and let me know if you would be interested in pursuing this further.

Job Description & Requirements

Check e-mail three times per day.

Preparing brief summary reports, and weekly financial reports.

Proficiency in using Microsoft Office.

Good communication skills in English (both verbal and written)

Possess good interpersonal skills.

Self-motivated and capable of working independently.

US Citizen, GC Holder

We offer
Salary plus commissions: $85,000-$95,000 per year
401(k) plan
Employment type: full-time/part-time

If you interested, planning to make a change, or know of a friend who might have the required qualifications and interest, please email me. In considering candidates, time is of the essence, so please reply to this email ASAP.

Thank you.

Note: I chose to contact you because your resume had been posted to one of the Internet job sites to which we subscribe. If you are not currently seeking employment, or if you would prefer I contact you at some later date, please indicate your date of availability so that I may honor your request. If you are not interested in receiving our e-mails then please reply with a "REMOVE" in the subject line. We truly apologize for the inconvenience caused.

Hiring Department

You are receiving this employment opportunity email because you uploaded your resume on CareerBuilder. If your employment status has changed or you no longer wish to receive these emails, you can update your privacy and communication preferences from your resume by logging onto CareerBuilder.com or you can block this employer from viewing your resume and sending you candidate emails.
This email was sent from Account ID F893KIO989343KOA2 and by this logged in User OKDYW93499
You are currently subscribed to receive "CareerBuilder.com Customer Messages".
© CareerBuilder.com 5550-A Peachtree Parkway, Suite 200 | Norcross GA 30092

Monday, October 04, 2010

Is Russia Joining the Zeus Hunt?

Although it's too early to know if this is Zeus related, Department "K", the Interior Ministry's Computer Crimes unit in Russia, released a press statement today about arrests which occurred over the weekend that sound suspiciously like the rest of the world-wide Zeus hunt. While there are really not enough details to proclaim this to be Zeus, it's still praiseworthy action by the Russian government against criminals who are harming American interests over the Internet.



The headline on the official MVD website read "Управлением «К» МВД России пресечена деятельность международной преступной группы", in English: "Department K of the MVD suppresses the activity of an international criminal group."

The story details that a cybercrime group, led by a Ukrainian national living in Russia, had stolen more than 20 million rubles from 17 different Russian banks between January and June 2010.

The criminal group, which consisted of at least 50 suspects, included Russians, Ukrainians, and Armenians. They would use false passports to fool bank employees and establish bank accounts in assumed names. They used information stolen online to create fake credit cards, which were used to steal further funds from online businesses based in the United States and the United Kingdom.

The story does not make clear how many were actually arrested, where the arrests took place, or whether all fifty suspects have been apprehended.

Those apprehended are being punished with "detention". The specific violations listed are "дела по ч.2 ст.187 и ч.4 ст.159 УК РФ", that is, cases under part 2 of article 187 and part 4 of article 159 of the Criminal Code of the Russian Federation. According to the CyberPol.ru website, 159 is their "Fraud" statute, and 187 is the statute regarding "the manufacture or sale of counterfeit credit or payment cards and other payment documents."

The story has thus far only been seen in the Russian-language press, including stories in Kuban.kp.ru, Rian.ru, BFM.ru, and Rusnovosti.ru.


(image from BRM.RU)

While most of the stories do little more than echo the official story, BFM.ru adds the fact that the ringleader was a Ukrainian, and that SBERBANK had previously issued a warning to their customers about a new form of fraud. In that warning, they quoted UniCreditBank director Alexander Vishnyakov warning them never to provide their PIN to anyone. Sberbank had seen an outbreak of SMS messages being sent to mobile phone numbers telling customers their card was going to be blocked unless they replied with their PIN, expiration date, and security code. They also quoted HCFB's Vlad Guzhelev, who said that "The amount of losses from illegal activity is very high." (Сумма потерь от противоправной деятельности очень высока. - ХКФБ Влад Гужелев.)

Congratulations to Department K! I hope they will continue to press against Cybercrime. We must all work together so that there are NO safe havens for cybercriminals.

Sunday, October 03, 2010

Sir Paul Speaks the Truth: Cyber Law Enforcement is a Good Investment

In this morning's BBC News, Metropolitan Police chief Sir Paul Stephenson is the focus of their story, Met police chief warns on internet crime. We would do well in the United States to listen to the points he is making.

Sir Paul told the BBC "If British crime gangs take up e-crime as enthusiastically as we fear, we must match the skills at their disposal." He says that for too long the attitude of the public, and presumably the funding agencies, has been "Leave cyber-crime to the banks and retailers to sort out." Sir Paul calls this a "fundamentally misguided argument."

In England and Wales there are 385 law enforcement officers dedicated exclusively to cybercrime, but 85% of those are dealing with human trafficking and child pornography issues, leaving only 60 officers to fight bank fraud. Last year the Metropolitan Police had an e-crime unit budget of only £2.75 million. Yet Sir Paul says "It has been estimated that for every £1 spent on the virtual task force, it has prevented £21 in theft."

We have a very similar situation in the United States. Sir Paul says that losses in online fraud and theft reached £52 billion globally in 2007 ($82 billion USD). (Note, this is a far more reasonable number than the $1 Trillion recently fed to the Senate Commerce, Science and Transportation committee by the AT&T CSO Edward Amoroso (6 page PDF). For more on the mythical $1 Trillion figure, please see John Leyden's Cybercrime Mythbusters story at The Reg.)

I'm totally ok with the $82 Billion figure, because I can get there with real data from scientifically based studies. For instance, the FTC's Identity Theft Survey in 2006 found that we had more than 8.3 million victims (3.3%) in the United States. Javelin Strategy's 2010 Identity Theft Survey put the number at 11.1 million US citizens, losing an average of $4,841 per person for $54 Billion in US losses. (For comparison, Javelin found 8.4 million US victims in 2006 while the FTC found 8.3 million. I believe that shows their methodology is sound, and that we can accept their current numbers as well.) The average loss per person seems high when compared with actual losses reported in the FTC's annual Consumer Sentinel Report (101 page PDF), where losses were $2,721 per person for 630,604 actual reported losses, but I'm willing to accept the difference for now. Either way, let's agree that US losses for 11 million victims would be in the range of $30 to $50 Billion.

Think about those numbers another way. In 2006 we had 8.3 (or 8.4) million victims of identity theft, mostly via cyber crime means. In 2009 we had 11.1 million victims of identity theft. So the crime has increased by nearly 33% in three years. One would think this would mean we have dramatic increases in our budget to FIGHT cyber crime as well. But that is sadly not true.

Despite both the broadly held public perception and the fact that cyber crime is increasing through the roof, the FBI's budget is only increasing by 4%. The budget states that the number of FBI Agents being requested in the FY 2011 budget is 14,169, an increase of 347 agents over the FY2010 budget. An increase of 408 Intelligence Analysts (across FBI, DEA, and ATF) is also requested, raising the number of Intelligence Analysts across those three agencies to 4,558.

Similarly, despite overwhelming evidence that our court systems are overworked and underfunded, especially in their ability to prosecute cyber crime, we are only seeing a 5.5% budget increase request for FY11 for the US Attorney's offices.

What is being done to fix this? Clearly we need a dramatic increase in the number of agents and tools available to fight cyber crime. But a review of the FBI's FY 2011 budget request to Congress shows that they are planning to add "Computer Intrusion" responsibilities to 163 personnel, resulting in an increase of 81 "Full-Time Equivalent" additional people to fight Computer Intrusion. (See: FY11 FBI Budget Summary (Excel spreadsheet).)

These numbers are further broken down in the "Program Increases by Decision Unit" tab of the spreadsheet Exhibits: Salaries & Expenses which shows that within those 163 personnel, only 63 are agents, of which 32 are tasked to Counter Terrorism Counter Intelligence and 31 are tasked to Criminal Enterprises and Federal Crimes.

Despite the fact that the FBI is the primary law enforcement body for responding to many of the crimes defined by Congress, the FBI does not consider crime fighting its primary responsibility. When we review their entire FY11 budget, we see that they have their mission broken down into two broad goals, and their budget divided between those goals:

Goal   Description                                                                                   2011 Request (000s)
       GRAND TOTAL OF FBI BUDGET                                                                     $8,083,475
1      Prevent Terrorism/Promote the Nation's Security                                               $4,871,077
1.1    Prevent, disrupt, and defeat terrorist operations before they occur                           $3,721,749
1.2    Strengthen partnerships to prevent, deter, and respond to terrorist incidents                 $417,973
1.3    Prosecute those who have committed, or intend to commit, terrorist acts in the United States  $0
1.4    Combat Espionage against the United States                                                    $731,355
2      Prevent Crime, Enforce Federal Laws...                                                        $3,212,398
2.1    Strengthen partnerships for safe communities and enhance the Nation's capacity to prevent,    $681,488
       solve, and control crime
2.2    Reduce the threat, incidence, and prevalence of violent crime                                 $1,202,812
2.3    Prevent, suppress, and intervene in crimes against children                                   $26,035
2.4    Reduce the threat, trafficking, use, and related violence of illegal drugs                    $91,733
2.5    Combat public and corporate corruption, fraud, economic crime, and cybercrime                 $1,140,531
2.6    Uphold the civil and Constitutional rights of all Americans                                   $69,799
2.7    Vigorously enforce and represent the interests of the United States in all matters over       $0
       which the Department has jurisdiction
2.8    Protect the integrity and ensure the effective operation of the Nation's bankruptcy system    $0


This makes it difficult to tell how much money is actually being spent on Cyber crime, since it has now been lumped in with Public Corruption, Fraud, and Economic Crime, but it would be nice to think that a large part of that line item was cyber.

Does that line up with the FBI's stated priorities? At a risk of mixing church and state, a pastor I know is fond of saying "Show me a man's checkbook and I'll show you his priorities."

According to the FBI's National Security Priorities page, their top priorities, in order, are:

1. Counterterrorism (51.2% of budget)
2. Counterintelligence (9% of budget)
3. Cyber Crime (14.1% of budget - true number masked by combining #3,4,7)
4. Public Corruption (combined with #3,4,7)
5. Civil Rights (1% of budget)
6. Organized Crime
7. White Collar Crime
8. Major Thefts / Violent Crime (14.8%)

It's easy to see from the budget above that Counter Terrorism has swallowed the FBI. Yes, it's their #1 priority, and that shows. But is Cyber really their #3 when combining Cyber, Organized and White Collar Crimes together still gives them only 14.1% of the budget, while Major Thefts/Violent Crime gets 14.8%?

The argument could be made that not all computer crime falls into the category of Computer Intrusion, but we see similarly tiny increases elsewhere. The FBI is requesting only $15 Million to improve its "Combat International Organized Crime" effort, which will only add 18 positions, including 3 agents and 7 attorneys. (See: Combatting International Organized Crime.)

The President's FY 11 Budget request directs that the Law Enforcement Components of the entire US Department of Justice be increased from $12.6 Billion to $13.2 Billion. An additional cyber-related increase is not for crime fighting per se, but to increase the security of the DOJ's own computer systems and upgrade their technology.

Here is a graph from the President's budget for the Department of Justice outlining new hires:

click for larger version. Extracted from DOJ Budget Presentation.

$300.6 million to strengthen national security and fight terrorism

$234.6 million to restore confidence in our markets - with a $100 million for economic fraud enforcement and $100 million for infrastructure improvements

$121.9 million to reduce the threat, incidence, and prevalence of violent crime and drug trafficking

Did you notice it too? The absence of the big increase in funding and personnel to fight cyber crime?

The FBI FY11 budget asks for 13,057 personnel in the category "Criminal Investigative Series" (1811), which is an increase of 276 Special Agents.

The FBI FY11 budget asks for 3,165 personnel in the category "Intelligence Series" (0132), which is an increase of 187 Intelligence Analysts.

In keeping with Sir Paul's comments about Cyber Crime in the UK, I'd like to suggest that someone should study the above numbers, study our cyber crime laws in America and the size of the problem, and then make a determination about whether we should be adding 1,000 new Cybercrime agents instead of a mere handful.

In the meantime, States need to seriously study this problem as well. The message in this budget is clear. THE FBI IS TOO BUSY FIGHTING TERRORISM TO HELP YOU WITH YOUR MINOR CYBER CRIMES. I am an ENORMOUS fan of the FBI, and believe that the investment to fight terrorism is necessary and beneficial. I also believe the FBI has incredible cybercrime agents, as evidenced by this week's Zeus Arrests. But it's clear they don't have the manpower to scale to the size of the problem.

According to the FBI's Internet Crime Complaint Center 2009 Annual Report, IC3 received 336,655 complaints of victimization due to Cyber Crime and online fraud.

My question is: who is supposed to be helping Ma & Pa with the identity theft that they have experienced? Who is supposed to help with the undelivered eBay goods? Or the phisher who just drained your bank account? 336,655 times last year someone called the FBI and asked for help. You've seen the budget.

Something has to change.

Friday, October 01, 2010

The Big One: Zeus Operation Trident BreACH

The FBI's Cyber Division has just concluded a press conference where they announced the culmination of Operation Trident BreACH. Finally we can tell "the rest of the story" of the Zeus arrests that began in the UK earlier this week and were followed by Operation ACHing Mule in New York yesterday.

This operation began in Omaha Nebraska in May of 2009 when FBI agents were alerted that 46 separate bank accounts had received ACH payments that seemed to be tied to malware. Unveiled in this press release publicly for the first time is the fact that this particular Zeus group had attempted to ACH transfer $220 Million, and actually got away with $70 million!

On September 30th, the Ukrainian Security Service, the SBU, had fifty SBU officers as well as members of their elite tactical operations team hit eight locations looking for the leadership of this international financial cybercrime ring. They were able to arrest five of the ringleaders, who are now being questioned.

This operation included the FBI's Omaha Cyber Crime Task Force, New York Money Mule Working Group, and Newark Cyber Crime Task Force, the Ukrainian SBU, the Netherlands Police Agency's National High-Tech Crime Unit, and the United Kingdom's Metropolitan Police Service.

Pim Takkenberg, team leader of the Netherlands National High-Tech Crime Unit was quoted as saying their "involvement in this international operation is representative of the commitment that the KLPD and the National Prosecutor's Office have made to the fight against cyber crime in addition to the need for worldwide cooperation among all partners."

Well said, Pim!

Hopefully even more details about these arrests will be revealed in the near future.

FBI's Operation ACHing Mule

While visiting a Russian news site, working on getting proper Cyrillic spellings for the Zeus criminals, I saw for the first time the name of the FBI Operation. "Operation ACHing Mule" -- Love it!

ACHing of course has the double meaning -- these mules are in pain (aching) -- but also that these mules are performing "Automated Clearing House" bank transfers between victim bank accounts and their "mule" bank accounts.

Here is how "webplanet.ru" spelled them in their story. I've inserted the English next to each name:

"Citizens of Russia"

Артём Цыганков (Artem Tsygankov *), Софья Дикова (Sofya Dikova *), Максим Панферов (Maxim Panferov *), Кристина Извекова (Kristina Izvekova *), Артём Семёнов (Artem Semenov *), Альмира Рахматулина (Almira Rakhmatulina *), Юлия Шпирко (Julia Shpirko *), Максим Мирошниченко (Maxim Miroshnichenko), Юлия Сидоренко (Julia Sidorenko), Кристина Свечинская (Kristina Svechinskaya), Станислав Расторгуев (Stanislav Rastorguev *), Маргарита Пахомова (Margarita Pakhomova), Илья Карасёв (Ilya Karasev *), Марина Мисюра (Marina Misyura), Николай Гарифулин (Nikolai Garifulin *), Дмитрий Сапрунов (Dmitry Saprunov *), Касум Адыгюзелов (Kasum Adigyuzelov), Сабина Рафикова (Sabina Rafikova), Адель Гатауллин (Adel Gataullin), Руслан Ковтанюк (Ruslan Kovtanyuk), Юлия Клепикова (Yulia Klepikova *) , Наталия Дёмина (Natalia Demina), Александр Сорокин (Alexandr Sorokin), Александр Фёдоров (Alexander Fedorov) and Антон Юферицын (Anton Yuferitsyn)

"Citizens of Moldova"
Марина Опря (Marina Oprea *), Каталина Кортак (Catilina Cortac *), Йон Волосчук (Ion Volosciuc *), Лильян Адам (Lilian Adam *), Дорин Кодряну (Dorin Codreanu *), Виктория Опинка (Victoria Opinca) and Алина Турута (Alina Turuta)

"Citizenship not specified"
Александра Киреева (Alexander Kireev) and Константина Акобирова (Konstantin Akobirov)

* - The SEVENTEEN criminals listed who are still "at large" are indicated above with an asterisk. If you are in the New York, New Jersey, or Las Vegas areas and party with Russian criminals, you might have more information about them. Please see yesterday's blog post, New York FBI: 17 Wanted Zeus Criminals, if you think you can help.

The Operation ACHing Mule press release (34 page PDF) lists many separate but related law enforcement cases, and the charges for each case.

For each of the cases below, the charges and the maximum fines are given. I'm going to list the charge categories here, and then show the corresponding numbers after each person's name:

1 - Conspiracy to Commit Bank Fraud (up to 30 years, $1 M)
2 - Conspiracy to Possess False Identification Documents (up to 15 years, $250k)
3 - False Use of Passport (up to 10 years, $250k)
4 - Money Laundering (up to 20 years, $500k)
5 - Transfer of False Identification Documents (up to 5 years, $250k)
6 - Bank Fraud (up to 30 years, $1 M)
7 - Production of False Identification Documents (up to 15 years, $250k)
8 - Possession of False Immigration Documents (up to 10 years, $250k)
9 - False Use of Passport (up to 10 years, $250k)
10 - Conspiracy to Produce False Identification Documents (up to 15 years, $250k)
11 - Conspiracy to Commit Wire Fraud (up to 20 years, $250k)
12 - Conspiracy to Commit Money Laundering (up to 20 years, $250k)

On each charge, the fine can be replaced with "twice the gross gain or loss" of their actual crime, so for example "$250k fine or up to twice the gross gain or loss."

In reality, no one ever gets NEARLY the sentence. So for example, Anton Yuferitsyn has already been sentenced. Instead of "20 years and $500k fine" he got ten months and $38k in restitution.

United States v. Artem Tsygankov, et al. (10 Mag. 2126)


Artem Tsygankov, age 22 (charged with: 1, 2)
Sofia Dikova, age 20 (1,2)
Maxim Panferov, age 23 (1,2,3)
Kristina Izvekova, age 22 (1,2,3)

United States v. Artem Semenov, et al (10 Mag. 2154)


Artem Semenov, age 23 (1,2,3)
Almira Rakhmatulina, age 20 (1,2,3)
Julia Shpirko, age 20 (1, 2)

United States v. Maxim Miroshnichenko, et al. (10 Mag. 2141)


Maxim Miroshnichenko, age 22 (1,2)
Julia Sidorenko, age 22 (1,2,3)

United States v. Marina Oprea (10 Mag. 2142)


Marina Oprea, age 20, (1,2)
Catalina Cortac, age 21 (1,2)
Ion Volosciuc, age 19 (1,2)
Lilian Adam, age 21 (1,2)

United States v. Kristina Svechinskaya, et al. (10 Mag. 2137)


Kristina Svechinskaya, age 21 (1,3)
Stanislav Rastorguev, age 22 (1,3)

United States v. Margarita Pakhomova (10 Mag. 2136)


Margarita Pakhomova, age 21 (1,3)

United States v. Ilya Karasev (10 Mag. 2127)


Ilya Karasev, age 22 (1,2,3)

United States v. Marina Misyura (10 Mag. 2125)


Marina Misyura, age 22 (1,3)

United States v. Nikolai Garifulin, et al. (10 Mag. 2138)


Nikolai Garifulin, age 21 (1)
Dmitry Saprunov, age 22 (1,3)


United States v. Dorin Codreanu (10 Mag. 2152)


Dorin Codreanu, age 21, (1)

United States v. Victoria Opinca, et al. (10 Mag. 2153)


Victoria Opinca, age 21, (1)
Alina Turuta, age 21, (1)


United States v. Alexander Kireev (10 Mag. 1356)


Alexander Kireev, age 22, (4)

United States v. Kasum Adigyuzelov (10 Mag. 1622)


Kasum Adigyuzelov, age 25, (1,5)

United States v. Sabina Rafikova (10 Mag. 1623)


Sabina Rafikova, age 23, (6,7,8)

United States v. Konstantin Akobirov (10 Mag. 1659)


Konstantin Akobirov, age 25, (6,9)

United States v. Adel Gataullin (10 Mag. 1680)


Adel Gataullin, age 22, (6, 7, 9)

United States v. Ruslan Kovtanyuk (10 Mag. 1827)


Ruslan Kovtanyuk, age 24, (6, 9)


United States v. Yulia Klepikova, et al. (10 Mag. 1753)


Yulia Klepikova, age 22 (1, 9, 10)
Natalia Demina, age 23 (1, 9)

United States v. Alexandr Sorokin (10 Cr. 437 (RWS))


Alexandr Sorokin, age 23 (4)

Pleaded guilty on June 16, 2010 (sentencing Oct 4, 2010)

United States v. Alexander Fedorov (10 Cr. 873 (KTD))


Alexander Fedorov, age 24 (4)

Pleaded guilty on September 27, 2010 (sentencing Jan 5, 2011)

United States v. Anton Yuferitsyn (10 Cr. 134 (JGK))


Anton Yuferitsyn, age 26 (4)

Pleaded guilty on Feb 19, 2010; sentenced on June 25, 2010 to ten months in prison and $38,413 in restitution.

United States v. Jamal Beyrouti et al.(10 Mag. 2134)


Jamal Beyrouti, age 53 (11, 12)
Lorenzo Babbo, age 20 (11,12)
Vincenzo Vitello, age 29 (11,12)

Thursday, September 30, 2010

New York FBI: 17 Wanted Zeus Criminals

The New York FBI needs your help. Today they announced indictments against thirty-seven cybercriminals involved with Zeus. Ten of these had already been arrested recently. Ten more were arrested today. The other seventeen are "At Large".

I'll let you read for yourself the charges against the many criminals by visiting the FBI's New York Field Office announcement:

FBI New York Press Release

A wanted poster, showing the seventeen "At Large" criminals is available here:

Seventeen Zeus Criminals Wanted by FBI

If you find clues about any of these people make sure to get them to your local FBI office! (Send us a copy too! gar at cis dot uab dot edu)

Wanted: Ilya Karasev



Known aliases: Goran Dobric, Alexis Herris, Fransoise Lewenstadd, Fortune Binot, Diman Karasev

Status: J-1 Visa issued May 2008. Converted to F-1 Visa in December 2008. Terminated January 11, 2010

Actions:

April 13, 2010 - presented a Belgian passport in the name of Fransoise Lewenstadd to a TD Bank branch to open an account.

April 19, 2010 - presented a Greek passport in the name of "Alexis Herris" to open a TD Bank account.

June 2, 2010 - received $4200 stolen funds into the TD Bank Herris Account. Withdrew $4,000 from a TD Bank branch in Ocean Township, NJ.

July 1, 2010 - presented a foreign passport in the name "Fortune Binot" to open a TD Bank account in Brooklyn, New York

May 3, 2010 - "Herris" opened a Bank of America account. Received $12,300 in unauthorized wire transfer to that account.

May 20, 2010 - "Herris" withdrew $9,000 from Neptune, NJ branch. Made two debit card purchases totaling $3581.40 at a convenience store in Jersey City, NJ. (That's a lot of Doritos!!!)

Several more items are known, including BOA withdrawals in Little Silver, Little Eatontown, and Red Bank, New Jersey from a Bank of America "Fortune Binot" account.

There was also JP Morgan Chase activity.

Open Source Intelligence:

Facebook Profile

An Ilya Karasev, with many friends in New Jersey, has a Facebook account. In this picture from the account, he looks to be the same person as pictured above.



Other photos on his site include Ilya riding a bus, standing in front of Applebee's Time Square in New York. Ilya attended Volgograd State Technical University, class of 2005, where he majored in "Motor Transport."



Wanted: Dmitry Saprunov




Known Aliases: Lean Marc Garrot, Bazil Kozloff, Milorad Petrovic

Status: Entered the United States on May 19, 2009 on a visa.

A cooperating subject says that Saprunov shares an apartment in Brooklyn, New York with fellow co-conspirator Nikolai "Robert" Garifulin. The subject says they recently accessed a safety deposit box, probably at Wachovia Bank. Garifulin recently traveled to Russia to "pay the hackers", carrying $150,000 cash concealed in his luggage.

Actions:

June 4, 2010 - Saprunov opens a TD Bank account in Manhattan using a foreign passport in the name of "Bazil Kozloff".

June 7, 2010 - Saprunov uses the Kozloff identity to open a Bank of America account in Bronx, New York.

June 11, 2010 - Saprunov opens a TD Bank account in Brooklyn using a passport from Belgium in the name of "Lean Marc Garrot".

June 12, 2010 - Saprunov opens a BOA account in Long Island, New York using the Garrot identity.

June 29, 2010 - $14,000 is wired to the Kozloff BOA account.

July 6, 2010 - just under $14000 is wired to the Garrot BOA Account.

July 6, 2010 - "Garrot" withdraws $13,9450 in four transactions from a teller and three ATMs in Bradley Beach, New Jersey

Open Source Intelligence:

Facebook Profile:


(from the Facebook album "AVE" (possibly Avenue New York Club?) by Sergey Palychev.)
Also pictured: Alejandro Martinez, Elizaveta Osadchikh, Anastasia Yudintseva, Natalya Vassilyeva



(Interesting note: Ildar Mukhamedov is a friend of both Saprunov and Karasev on Facebook, and they are friends of each other.)

Watcha Got?



More will be added as time allows. If you have something you'd like to share, send it in!

Go Go, Maltego!!


Wanted: Lilian Adam



Known Aliases:

Wanted: Marina Oprea



Known Aliases:

Wanted: Kristina Izvekova



Known Aliases:

Wanted: Sofya Dikova



Known Aliases:


Wanted: Artem Tsygankov



Known Aliases:

Wanted: Catalina Cortac



Known Aliases:

Wanted: Ion Volosciuc



Known Aliases:




Testimony from State Department DSS Agent



Wanted: Artem Semenov



Known Aliases: Valentin Kulakov, Alexey Michinnik, Arvind Shah, Fred Teschemacher, Tokin Waaran, David Warren

Entered the country June 1, 2009 on a J1 Visa, stating that he was a full-time student at Kazan State University of Technology.

Arrested December 17, 2009 by NYPD at a Manhattan branch of Bank of America, trying to open an account in the name of Nicholas Congleton. Arraigned on December 18th. Failed to appear in court on February 22, 2010.

On January 15, 2010, Customs agents intercepted a package from the Republic of Moldova destined for Artem shipping new passports to him. The passports were from the Federal Republic of Yugoslavia and were issued in the names of Petar Stojanovic and Victor Rajkov.

A collaborating witness testified that Artem recruited Almira and Julia (below) to work for him. The CW says that the two were provided with tickets to fly from New York City to Las Vegas on August 25, 2010.


Wanted: Almira Rakhmatulina



Known Aliases: Natalia Davidova, Irina Sergeeva

On June 6, 2010 Almira entered the country traveling on a J1 Student Visa stating that she was a full-time student at Omsk State University.

On July 16, 2010, Almira opened a TD Bank account in the name of Natalia Davidova using a Greek passport in that name. On July 17th, the same passport was used to open a Wachovia Bank account in New York City.

On July 20, 2010, Almira opened a TD Bank account in the name of Irina Sergeeva, using the same Brooklyn street address that she used with the Natalia Davidova account. A Greek passport for the Sergeeva alias was used as proof of identity.

A balance check of that account was made using an ATM in Las Vegas, Nevada on September 17, 2010.


Wanted: Julia Shpirko



Known Aliases: Ekaterina Kaloeva, Ekaterina Smirnova


On June 6, 2010, Shpirko entered the country traveling on a J1 Student Visa stating that she was a full-time student at Omsk State University.

On or about July 20, 2010, Shpirko opened a TD Bank account was opened in Manhattan in the name of Ekaterina Smirnova.




Wanted: Yulia Klepikova



Known Aliases:

Wanted: Maxim Panferov



Known Aliases:

Wanted: Nikolai Garafulin



Known Aliases:

Wanted: Dorin Codreanu



Known Aliases: Savvas Paian

On April 21, 2010, Dorin opened a Chase account using a Greek passport in the name Savvas Paian.

On May 11, 2010, the Chase-Paian account received $10,246 from a victim in Illinois.

On May 18, 2010, Dorin opened a TD Bank account using the same identity, but making it a business account in the name "Savvas Import Group LLC".

Open Source Intelligence:

Savvas Import Group, LLC is a "fruit and vegetable" importer, using the address "1612 Kings Highway Apartment 48, Brooklyn, NY 11229-1210", according to Manta.com.
Manta puts their phone number as 347.530.9785.

That phone number also belongs to "Brooklyn Fruit Vegetable Growers Shippers" and "Neptune Fruit Vegetable Growers Shippers" which both have the same street address as well.



On June 3, 2010, the

Wanted: Stanislav Rastorguev



Known Aliases:

Wednesday, September 29, 2010

MiniPost: UK Zeus Criminals Identified

Eleven of those arrested for committing financial cybercrimes using Zeus malware in the UK have now been formally charged and named, according to a story in this morning's Guardian from which I quote:

Eight people have been charged with conspiracy to defraud and money laundering. They are Ukrainian Yuriy Korovalenko, 28, from Chingford, Essex; Ukrainian Yevhen Kulibaba, 32, from Chingford; Latvian Karina Kostromina, 33, from Chingford; Estonian Aleksander Kusner, 27, from Romford, Essex; Ukrainian Roman Zenyk, 29, of Romford; Belorussian Eduard Babaryka, 26, from Romford; Latvian Ivars Poikans, 29, from Harlow, Essex; and Latvian Kaspars Cliematnieks, 24, from Harlow.

Two have been charged with conspiracy to defraud: Ukrainians Milka Valerij, 29, and Iryna Prakochyk, 23, from Chingford.

Georgian Zurab Revazishvili, 34, from Romford, is charged with offences under the Identity Cards Act 2005.

Major Zeus Bust in the UK: Nineteen Zbot Thieves Arrested

The Metropolitan Police are to be congratulated this morning on the largest Zeus arrest to date. News broke on September 28th that the Met's PCeU (Police Central e-crime Unit) had arrested nineteen criminals in relation to a large Zeus or Zbot trojan network.

The Daily Mail has a set of great pictures of the criminals being taken into custody from their homes in their story, Hi-tech crime police quiz 19 people over internet bank scam that netted hackers up to £20m from British accounts. Police raided the homes simultaneously in the pre-dawn hours on Tuesday. These two pictures are part of five you can find there:





In case you don't travel much, £20 million is a lot of money. That's roughly $31 million USD. The criminals were stealing "about two million pounds per month". For comparison, the FBI released second quarter bank theft numbers last week. From April 1 to June 31 there were 1135 bank robberies and eleven bank burglaries in the United States, which earned criminals only $8 million USD, or £5 million.

In other words, this one Zeus gang stole more money in three months than ALL TRADITIONAL BANK ROBBERIES in the United States during the same length of time.

Although many folks haven't heard of the PCeU, their Mission Statement is
To improve the police response to victims of e-crime by developing the capability of the Police Service across England, Wales and Northern Ireland, co-ordinating the law enforcement approach to all types of e-crime, and by providing a national investigative capability for the most serious e-crime incidents.


15 men and 4 women were arrested, ranging in age from 23 to 47 years old. Detective Chief Inspector Terry Wilson of the Metropolitan Police credits the arrest to a Virtual Task Force composed of law enforcement, computer experts, and bank security personnel who worked together to track the movements of the criminals. Sounds a lot like the InfraGard model to me -- a private public partnership anchored on the FBI where computer security experts and personnel working in Critical Infrastructures, such as the Financial Industry, share information to stop criminals and terrorists.

Despite their financial success, the Daily Mail reports that the ringleader, "in his 20s, and his wife, an accomplice in the scam, were arrested in an unremarkable third-floor flat in Chingford, Essex."

Despite this raid, there are still at least 162 "online" Zeus servers that continue to gather stolen credentials from compromised computers, according to the invaluable ZeusTracker service.

We've documented dozens of stories in this blog about Zeus over the past year, and are excited to see this most significant law enforcement action to date.

The clock is ticking . . . who is going to have the best arrest before we all meet up in three weeks?

Thursday, September 23, 2010

eBay Spear Phisher Liviu Mihail Concioiu Arrested in Romania

IMPORTANT UPDATE


Readers of my blog will know that I have several contacts that I discuss things with in Romania. I have had further conversations with sources closely placed to this investigation that tell me the Romanian DIICOT Press Release has one rather glaring error. Press Releases are written by a media relations person, not technical people. The best explanation I can see is that a technical person explains to the media person "the criminal did a phishing attack against 1784 people and then 1521 people and he used that data to break into eBay's computers." The media person interpreted this as "stole the userids and password from 3300 people" when in reality the technical person meant "sent a phishing email to 3300 people, and got some of their passwords."

How many is some? We now believe it is SIX. Of 3300 people sent a phishing email that imitated a VPN system at eBay used by employees, we don't know how many gave up their passwords, but the criminal only tried to use six of them. The VPN site he was imitating was protected with a two-factor authentication solution, so any passwords gathered had to be used immediately, due to the rotating "secureId" style token.

I apologize for spreading false information, but the source, the Romanian DIICOT website, seemed credible to me. It was not.

Word for word, the Romanian press release reads: "CONCIOIU LIVIU MIHAIL a lansat două atacuri tip phishing asupra unui număr de 1784 de angajaţi şi respectiv 1521 de angajaţi ai companiei eBay.Inc., cărora le-a sustras ID-ul şi parola." (In English: "CONCIOIU LIVIU MIHAIL launched two phishing attacks against 1784 employees and, respectively, 1521 employees of the company eBay.Inc., from whom he stole the ID and the password.") which I believe I correctly translated.

The other error in the press release is that Concioiu is being charged with stealing $3 Million, which includes many assorted phishing and cybercrime schemes, only a portion of which was from eBay customers.

Corrected story follows



Prosecutors in the Romanian DIICOT (Direcţiei de Investigare a Infracţiunilor de Criminalitate Organizată şi Terorism or Directorate of Investigations of Organized Crime and Terrorism) announced the arrest of Liviu Mihail Concioiu a cyber criminal who stole more than $3 million USD from eBay account holders, customers of Italian banks, and unknown others.

I wanted to use that example today to illustrate a point that I raised in my presentation earlier this week as a guest of the Maryland InfraGard chapter. My presentation, called "Cybercrime: Money, Espionage or Both?" was targeted to an audience of approximately 125 composed primarily of Defense Contractors, Law Enforcement, Critical Infrastructure security personnel and other government employees and suppliers. As an InfraGard member myself, in the Birmingham InfraGard chapter it was great to spend time with one of the nation's top InfraGard coordinators, FBI Special Agent Lauren Schuler, and the outstanding leadership of their chapter including Paul Joyal, Allan Berg, and the energetic M L Kingsley who had coordinated the event.

In my presentation, I stressed two primary points. The first is that EVERY malware attack has to be fully investigated. If you don't know the origin, purpose, and targeting of a malware attack, you have no way of understanding the full impact of the malware on your organization. The second point was that it is critical that your organization has policies that help you understand when your employees have been victims of identity theft or password- or document-stealing malware -- even if it happened at home on their home computers!

The case of Liviu Concioiu drives these points home.

In 2009, Concioiu launched two phishing attacks which were only sent to eBay employees. In the first round, he sent a phishing email to 1,784 employees and in the second round, he tried again, sending an email to 1,521 more employees.

Let's stop there for a moment.

Do you recall the "Here You Have" malware last week? In my blog post about that event (Here You Have Spam Spreads Email Worm) I stressed that it was clear that the malware had been targeted against certain organizations. Did you have an outbreak in your company? Are you aware that one of the actions of the malware was to plant a very low detection version of the BiFrost "Remote Administration Trojan" on the infected computers? If the only action your organization took was to remove the "Here You Have" malware, they aren't finished yet. It's important to understand whether you were a target or collateral damage for the attacker, and of course it's important to understand during what infection window the BiFrost trojan was also being installed.

OK, now back to Liviu Mihail Concioiu.

After collecting some eBay credentials, Concioiu realized he was defeated by the two factor authentication and came back on June 8, 2009 and attempted to phish 417 different employee identities, to explore the eBay internal network and see what useful information he could find. This time he was prepared to immediately use the credentials he harvested, and tried at least six different accounts before finding some success. His biggest find was a tool that eBay employees use to query their internal databases and look up information about eBay clients and the transactions they perform.

By reviewing the details of eBay customer accounts, Concioiu was now able to begin his SECOND TARGETED ATTACK. One of the problems with phishing campaigns is that when criminals broadly spread spam messages advertising their fake login pages, the anti-spam services and ISPs observe these spam messages and place the advertised pages on blacklists. Concioiu was able to avoid this typical phishing trap by selectively targeting his phishing emails at high value eBay customers whose email addresses he had confirmed by harvesting them from eBay's internal systems!

The result was that 1,183 eBay users were victimized!

In addition to the eBay charges, Concioiu is also charged with creating fake ATM cards for Italian banks and withdrawing more than 300,000 Euros from these accounts, and other crimes which created a total loss of $3 Million USD.

Concioiu was one of three cyber criminals arrested today by DIICOT. The case was investigated with the cooperation of the US Secret Service agents in the US Embassy in Bucharest and Italian judicial authorities.

Hopefully this example will help push home the lessons I was trying to demonstrate in Maryland this week. I have to mention one other thing about the Maryland trip. Last year I had read an autobiography of General Oleg Kalugin, the top counter-intelligence officer of the KGB. He was the first presenter at the Maryland event, and I got to have dinner with General Kalugin the evening before. He spoke about his experiences recruiting Americans and then I attempted to show how Cyber tools make those efforts even easier today in my follow-up presentation.

General Kalugin was kind enough to autograph one of his new books, Spymaster: My Thirty-two Years in Intelligence and Espionage Against the West, which is now one of my prized possessions! Kalugin was at one point Vladimir Putin's boss in the KGB, but later became one of the most outspoken critics of the Soviet system and especially the KGB.

Kalugin read a part from a poem about "the new Russia" as his closing statement:

There are no departments in Russia, there are friends. There are no laws, there are personal relationships. Moreover, there is no KGB. … KGB was an organization. There are no organizations in Russia now. There are principalities and feudal lands handed out in exchange for loyal service and profitability. It was not Putin who set up the system, but he did nothing to change it. He is just handing out feudal lands to his friends in order to be able to control other feudal principalities.


Profound.

(I'm not sure of the origin, but I found the quote online here: http://www.cdi.org/russia/johnson/7102a.cfm )

Wednesday, September 22, 2010

NPR CyberWar Part One: I Beg to Differ

This morning on National Public Radio, we heard a story about "CyberWar" and some of the problems that the growing reality of CyberWar is going to present.

I'll have to review the transcript more carefully, but from my first-pass listen as I drove to work this morning, I believe I disagreed with every single point in the entire story. I'll try to break that down a bit here, using the story from the NPR website, Extending the Law of War to Cyberspace, as my guide.

(All of the "Declarations" that I am responding to are quoted from that guiding article.)

Most Important Development in Decades?


Declaration: "The emergence of electronic and cyberwar-fighting capabilities is the most important military development in decades"

Response: Actually, if we're counting "decades", my top nominations would be the Unmanned Aerial Vehicle and the GPS-guided munitions such as the JDAM: Joint Direct Attack Munition.

CNN's headline last year, How robot drones revolutionized the face of warfare, is one I agree with, as was more fully explained in P.W. Singer's Wired for War: The Robotics Revolution and Conflict in the 21st Century.

The biggest benefit of the UAVs is of course that they protect our soldiers from harm, while allowing missions that would never have been completed before or that could only have been completed with extreme risk to life and limb.

Likewise, Strategy Page's article How Precision Weapons Revolutionized Warfare gives a good outline on the revolution of extremely precise weapons, packed with the right size explosive to blow up exactly what you are shooting at.

When is CyberWar Equal to Armed Attack?


Declaration: "If nations don't know what the rules are, all sorts of accidental problems might arise," says Harvard law professor Jack Goldsmith. "One nation might do something that another nation takes to be an act of war, even when the first nation did not intend it to be an act of war."

Response: There is no agreed upon definition of "Use of Force" between nations even for non-cyber incidents. This came out in the answer to a question that was put to General Keith Alexander, now the commander of the US Cyber Command from his NSA post at Fort Meade, Maryland, during his confirmation hearings. The question he was asked was:

Does DOD have a definition for what constitutes use of force in cyberspace, and will that definition be the same for U.S. activities in cyberspace and those of other nations?

His answer:

Article 2(4) of the UN Charter provides that states shall refrain from the threat or use of force against the territorial integrity or political independence of any state. DOD operations are conducted consistent with international law principles in regard to what is a threat or use of force in terms of hostile intent and hostile act, as reflected in the Standing Rules of Engagement/Standing Rules for the Use of Force (SROE/SRUF).

There is no international consensus on a precise definition of a use of force, in or out of cyberspace. Consequently, individual nations may assert different definitions, and may apply different thresholds for what constitutes a use of force. Thus, whether in the cyber or any other domain, there is always a potential disagreement among nations considering what may amount to a threat or use of force.


My point is not so much to disagree with the NPR statement here, as to point out that it is EXACTLY the same problem we have in every other kind of warfare. Cyber isn't special in this regard. Was the downing of a Chinese plane in a collision with a US spy plane an act of war in 2001? Was the North Korean torpedo attack back in May an act of war? Was the Israeli bombing of buildings in Gaza an act of war? It has always been true that each attacked country gets to decide.

More answers along this line of reasoning from General Alexander are available in his published Q&A available from Washington Post.

Rogue Actions vs. State-Sponsored


Declaration: "One important consideration is whether the attack is the work of a lone hacker, a criminal group or a government. The law of war applies primarily to conflict between states, so truly rogue actions would not normally be covered."

Response: What defines "state" action? There have been Congressional hearings on this very subject, as I discussed in my July 2010 blog post, The Future of Cyber Attack Attribution. There have also already been multiple occasions where the victim accused a state of attacking and the state denied the accusation. In the case of Russian cyber-attacks against Georgia prior to the August 2008 invasion of South Ossetia, it was clear that there were some populist activities, as I wrote in the article Evidence that Georgia DDOS Attacks Are Populist in Nature, but the coupling of the Russian tanks driving through town would seem to support the theory that at least some of the cyber attacks were designed to take out C2 ability and especially the ability of the state to communicate with the governed. In the Estonian DDOS (pdf) of May 2007, it was clear that the attack was not "by" the government, but rather by the Russian "Nashi" youth movement, possibly incited to action by the government, and possibly even using some government computers as part of the attacking DDOS.

The concept that individuals could wage cyberwar was nicely stated in the January 1999 report by mi2g: "Cyber Warfare: The Threat to Government, Business, and Financial Markets"

Historically war has been classified as physical attacks with bombs & bullets between nation states. It was beyond the means of an individual to wage war.

Today, in the Information Age, the launch pad for war is no longer a runway but a computer. The attacker is no longer a pilot or soldier but a civilian Hacker. An individual with relatively simple computer capability can do things via the internet that can impact economic infrastructures, social utilities and national security. This is the problem we face in moving from the industrial world to the Information Age, which is the essence of Cyber War.


I suppose I mostly agree with this point, except to say that there are many ways, such as the Estonia example, where a country may be so clearly involved in inciting their citizenry to "cyber attack" that a nation-level response may be warranted.


Civilian Infrastructure Attacks


Declaration: "A direct attack on a civilian infrastructure that caused damage, even loss of life of civilians, would, I think, be a war crime." - Professor Daniel Ryan, National Defense University

Response: Didn't the United States blow up electrical plants, television and radio stations, bridges, roads, runways, and water treatment plants during the two Iraq Wars? Were those war crimes, too, Professor Ryan? We have to use a consistent definition. If it's not a war crime to attack civilian infrastructure kinetically, why is it a war crime to do so electronically?

Electrical Grid Targeting?


Declaration: "Former CIA Director Hayden, a retired Air Force general, suggests using common sense. One example of an attack that should be illegal, he says, would be the insertion of damaging software into an electrical grid."

Response: Why would it be illegal to damage the electrical grid with software, when elsewhere THIS YEAR General Hayden said that the electrical grid was a fair target? Hayden talked about hacking power grids at Black Hat back in July. CNET's coverage of that talk "U.S. military cyberwar: What's off-limits?" includes this thinking:

Power grids are another example of where traditional military doctrine may need to shift, Hayden said. "A power grid is, according to traditional military thought, a legitimate target under some circumstances," he said. "Mark 82s are kind of definitive and it's a one-way switch--that thing's kind of gone." (An MK-82 is a general-purpose, 500-pound unguided bomb used by the U.S. military since the 1950s.)

But destroying, or at least thoroughly disabling, a power grid through an offensive cyberattack means penetrating it well in advance. And if there are dozens of different nations stealthily invading a grid's computers and controllers all the time, it's probably not going to be stable. "There are some networks that are so sensitive that maybe we should just hold hands and hum "Kumbaya" and agree they're off limits," he said. "One is power grids...You can't just have 23 different intelligence services hacking their way through the electrical grid."


So, it's OK to use an MK-82 to blow up power plants, but it should be illegal to insert software into them because that might damage them. What kind of messed up logic is that?


Hostile Intent


Declaration: The purpose of the activity is also relevant. Michael Hayden, having directed both the National Security Agency and the CIA, would not include an effort by one country to break into another country's computer system to steal information or plans. "We don't call that an attack," Hayden said at a recent conference on hacking. "We don't call that cyberwar. That's exploitation. That's espionage. States do that all the time."

Response: Hayden's definition would, I suppose, be consistent with Richard Clarke's definition in his new book CyberWar: The Next Threat to National Security and What to Do About It. He says CyberWar is "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption."

Several organizations have attempted to define "CyberWar" and the definition continues to evolve. "CyberWar" was probably first used by Eric Arnett in his paper "Welcome to Hyperwar" in the Bulletin of the Atomic Scientists, where it referred to war by robotic soldiers. The terms "NetWar" and "CyberWar" were both defined by RAND in their report CyberWar is Coming! part of the larger nineteen chapter monograph, "In Athena's Camp: Preparing for Conflict in the Information Age", published in 1992, where the term "NetWar" was used to describe PsyOps via the Internet, while "CyberWar" was closer to its current definition.

But should CyberWar NOT include Espionage?

Much more recently, David Wilson's excellent article for ISSA Journal in June 2010, When Does Electronic Espionage or a Cyber Attack become an "Act of War?" lays out an excellent set of definitions and conditions. In his article he quotes FBI Deputy Assistant Director for Cyber, Steve Chabinsky as telling the FOSE government IT Trade Show in March that:

A top FBI official warned today that many cyber-adversaries of the U.S. have the ability to access virtually any computer system, posing a risk that's so great it could "challenge our country's very existence."


Wilson's argument, supported by Chabinsky's quote, is that "electronic espionage" can be far more pervasive than traditional espionage, and that "a nation will have to decide how much pain it is willing to endure, and where it believes the international community's tolerance lies, assuming they care, before retaliating against electronic attacks or invasions to its networks."

I totally agree with Mr. Wilson. The placement of the line in the sand may be somewhat arbitrary, but it's quite possible for cyber espionage to become so pervasive as to pose a risk to national security worthy of an armed response.

Ninety-Five Percent?


Declaration: "Computers don't always have signs over them that say, 'I'm a military target' [or] 'I'm a civilian target,' " says Harvard's Goldsmith. "Also, the two things are intermixed. Ninety to 95 percent of U.S. military and intelligence communications travel over private networks."

Response: The Department of Defense has more than 7 million computers. I don't know how the Army works, but I know the Navy Marine Corps Intranet was at one time the largest private intranet on the entire planet. The US Army has maintained a stand-alone intranet since at least 2001, and has repeatedly had headlines about it being the largest stand-alone network in the world. Soldiers don't call down an airstrike and then update their Facebook pages and do a little online banking, as the statement seems to imply.

No One is Going to Get Caught



Declaration: If anything, it would be harder to enforce the law of war in the cyberworld than in other domains of warfighting. The amount of anonymity in cyberspace means that a devastating attack might leave no "signature" or trace of its origin.

"Since we know that that's going to happen all the time," Baker says, "and no one is going to get caught, to say that [a cyberattack] is a violation of the law of war, is simply to make the law of war irrelevant."

Response: The "untraceable" network attack, despite the movie by EJ Hilbert and friends, is a myth that we are working hard to dispel at the UAB Computer Forensics Research Laboratory. What we call "untraceable" today usually means "too much work for too little reward, so nobody bothers to trace it." I think many of my colleagues in security research would love to take on the challenge of some of these "untraceable" events. Let's buy one fewer B2 Bomber this year and put that extra $2.2 Billion towards making a concerted effort to prove this one wrong. Shoot. I'll do it for half that!



For more interesting reading on CyberWar, I strongly recommend:

Congressional Research Service Report: Information Operations and Cyberwar: Capabilities and Related Policy Issues

Twitter Hack: From "Harmless" Exploration to Criminal Action


Thursday, September 16, 2010

Linking Spam by its Attachments

Today some anti-spam friends were chatting about a new rash of "attachment spam" and wondering what attachments "belonged together" and what they did. Sounded like the perfect question for the UAB Spam Data Mine, so I thought I'd take a peek.

The first thing I did was to look for email subjects that had non-graphics-file attachments where we had received at least 250 copies of the email message today.

It wasn't actually that long of a list:

Subject                                              | Attachment
Apartment for rent                                   | Application to rent.html
B street financial information - part 1              | B St.Package 1.html
Bar/Bri                                              | Summaries.RBK.zip
Church of Body Modification                          | Church of Body Modification.html
Cops kill active shooter at Johns Hopkins Hospital   | Hospital violence on the rise, agency warns.html
Corrections.html                                     | Corrections.html
Corrections.zip                                      | Corrections.zip
Daniel Covington die                                 | Daniel Covington.html
details                                              | Shadow Ranch Marketing Package.zip
Employment letter for visa application               | jun wang letter.html
Evite invitation from (Random Name)                  | Evite invitation.html
Evite invitation from (Random Name)                  | Evite invitation.zip
Facebook password has been changed                   | New_password.zip
find a copy of the letter                            | copy of the letter.html
FW:September financials and newsletter               | September 2010.html
Invoice for Floor Replacement                        | Invoice-Stockton.html
Invoice Payment Confirmation                         | Invoice Payment Confirmation.html
Jackie Evancho and Sarah Brightman                   | Jackie Evancho and Sarah Brightman.html
League                                               | proposal.html
Marketing Package.html                               | Marketing Package.html
NFL Picks Week 2                                     | NFL Picks Week 2.html
Order confirmation for order #(Random number)        | invoice.html
Shipping Notification                                | Shipping Notification.html
You've got a fax                                     | eFAX(RandomNumber)DOC.zip


Then I looked to see which of the email attachments were actually the same attachment. That's actually pretty easy for us, since we store the attachments by name, with an MD5 value prepended to the name, such as:

34eaf3d214f1ef58b56d58de5e5e25b6_Invoice Payment Confirmation.html

Group One: MD5 = 136e771425e841bda5fabec0c81df974 - dark-pangolin.com



For the Attachment with an MD5 value of:

136e771425e841bda5fabec0c81df974

We saw all of the following subjects:

'America's Got Talent' Judges Were They Shocked By.html
Application to rent.html
B St. Package 1.html
Church of Body Modification.html
copy of the letter.html
Daniel Covington.html
Hospital violence on the rise, agency warns.html
Invoice-Stockton.html
Jackie Evancho and Sarah Brightman.html
jun wang letter.html
NFL Picks Week 2.html
September 2010.html

So, it would be pretty safe to assume those were all "the same."

That attachment is a block of JavaScript that starts with a document.write() of the unescape() of the following percent-encoded string:

%3C%53%43%52%49%50%54%20%4C%41%4E%47%55%41%47%45%3D%22%4A%61%76%61%53%63%72%69%70%74%22%3E%3C%21%2D%2D%0D%0A%68%70%5F%6F%6B%3D%74%72%75%65%3B%66%75%6E%63%74%69%6F%6E%20%68%70%5F%64%30%31%28%73%29%7B%69%66%28%21%68%70%5F%6F%6B%29%72%65%74%75%72%6E%3B%76%61%72%20%6F%3D%22%22%2C%61%72%3D%6E%65%77%20%41%72%72%61%79%28%29%2C%6F%73%3D%22%22%2C%69%63%3D%30%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%7B%63%3D%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%3B%69%66%28%63%3C%31%32%38%29%63%3D%63%5E%32%3B%6F%73%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%63%29%3B%69%66%28%6F%73%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%61%72%5B%69%63%2B%2B%5D%3D%6F%73%3B%6F%73%3D%22%22%7D%7D%6F%3D%61%72%2E%6A%6F%69%6E%28%22%22%29%2B%6F%73%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%6F%29%7D%2F%2F%2D%2D%3E%3C%2F%53%43%52%49%50%54%3E

Which unescapes to the following JavaScript (reflowed here for readability): a decoder, hp_d01, that XORs every character code below 128 with 2 and writes the result straight into the page:

hp_ok=true;
function hp_d01(s){
  if(!hp_ok)return;
  var o="",ar=new Array(),os="",ic=0;
  for(i=0;i<s.length;i++){
    c=s.charCodeAt(i);
    if(c<128)c=c^2;              // XOR with 2 undoes the obfuscation
    os+=String.fromCharCode(c);
    if(os.length>80){ar[ic++]=os;os=""}
  }
  o=ar.join("")+os;
  document.write(o)              // the decoded HTML lands in the page
}

That is followed by the call to hp_d01() with the encoded payload, and some more stuff I won't list here . . .
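The two layers can be peeled mechanically. The following is an added example, not code from the post: it unescapes the percent-encoded string quoted above (copied from the post), confirms that it defines the hp_d01 XOR-2 decoder, and runs a Python port of that decoder over the argument of the hp_d01() call. The encoded payload the real attachment passes to hp_d01() is not shown in the post, so the sample attachment here is constructed by running a harmless meta-refresh tag through the same XOR, which is its own inverse, and wrapping it the way the attachment wraps its payload.

```python
"""Peel the two obfuscation layers of the Group One HTML attachment.

Added example, not code from the original post. LAYER_ONE is the percent-encoded
string the attachment hands to unescape(), copied from the post. Unescaping it
yields the hp_d01() routine, which XORs every character code below 128 with 2
and document.write()s the result. The encoded payload the real attachment
passes to hp_d01() is not in the post, so SAMPLE_ATTACHMENT is constructed here
by running a harmless meta-refresh tag through the same XOR (which is its own
inverse) and wrapping it the way the attachment wraps its payload.
"""
import re
from urllib.parse import unquote

LAYER_ONE = (
    "%3C%53%43%52%49%50%54%20%4C%41%4E%47%55%41%47%45%3D%22%4A%61%76%61%53%63%72%69%70%74%22%3E"
    "%3C%21%2D%2D%0D%0A"
    "%68%70%5F%6F%6B%3D%74%72%75%65%3B"
    "%66%75%6E%63%74%69%6F%6E%20%68%70%5F%64%30%31%28%73%29%7B"
    "%69%66%28%21%68%70%5F%6F%6B%29%72%65%74%75%72%6E%3B"
    "%76%61%72%20%6F%3D%22%22%2C%61%72%3D%6E%65%77%20%41%72%72%61%79%28%29%2C"
    "%6F%73%3D%22%22%2C%69%63%3D%30%3B"
    "%66%6F%72%28%69%3D%30%3B%69%3C%73%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%7B"
    "%63%3D%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%3B"
    "%69%66%28%63%3C%31%32%38%29%63%3D%63%5E%32%3B"
    "%6F%73%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%63%29%3B"
    "%69%66%28%6F%73%2E%6C%65%6E%67%74%68%3E%38%30%29%7B"
    "%61%72%5B%69%63%2B%2B%5D%3D%6F%73%3B%6F%73%3D%22%22%7D%7D"
    "%6F%3D%61%72%2E%6A%6F%69%6E%28%22%22%29%2B%6F%73%3B"
    "%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%6F%29%7D"
    "%2F%2F%2D%2D%3E%3C%2F%53%43%52%49%50%54%3E"
)


def js_unescape(s: str) -> str:
    """JavaScript unescape() for %XX sequences (this sample has no %uXXXX forms)."""
    return unquote(s)


def hp_d01(s: str) -> str:
    """Python port of the decoder: XOR every code point below 128 with 2."""
    return "".join(chr(ord(c) ^ 2) if ord(c) < 128 else c for c in s)


# Constructed stand-in for the real payload: a meta refresh of the kind the
# decoded page performs, pre-encoded with hp_d01() so that hp_d01() recovers it.
PLAIN_PAYLOAD = '<meta http-equiv="refresh" content="4; url=http://example.invalid/x.html">'
SAMPLE_ATTACHMENT = (
    "<html><body>\n"
    "<script>document.write(unescape('" + LAYER_ONE + "'));</script>\n"
    "<script>hp_d01('" + hp_d01(PLAIN_PAYLOAD) + "');</script>\n"
    "</body></html>"
)

_STRING_ARG = r"\(\s*(['\"])(.*?)\1\s*\)"  # one quoted string literal as the sole argument


def peel(html: str) -> tuple[str, str]:
    """Return (decoder JavaScript, decoded payload) for an attachment of this family."""
    m = re.search(r"unescape" + _STRING_ARG, html, re.S)
    if not m:
        raise ValueError("no unescape() call found")
    decoder = js_unescape(m.group(2))
    if "function hp_d01" not in decoder or "c=c^2" not in decoder:
        raise ValueError("unescape() layer is not the hp_d01 XOR-2 decoder")
    m = re.search(r"hp_d01" + _STRING_ARG, html, re.S)
    if not m:
        raise ValueError("no hp_d01() call found")
    return decoder, hp_d01(m.group(2))


if __name__ == "__main__":
    decoder, payload = peel(SAMPLE_ATTACHMENT)
    print(decoder)
    print(payload)
```

Because the decoder is only a single-byte XOR, the check that the unescaped layer really contains "c=c^2" is what keeps this from silently producing garbage when a variant uses a different key; on such a sample the script stops rather than guessing.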

All of that mess ends up doing this:

First, you go to this webpage:

dark-pangolin.com/x.html on the IP address 82.165.215.9

That page told my browser:

PLEASE WAITING.... 4 SECONDS

Then did a "Meta Refresh" which sent me to:

http://scaner-enter.cz.cc/scanner15/?afid=24 on 91.197.130.109.

while at the same time loading an IFRAME which took me here:

formyjobduty.com/3/index.php on IP address 91.213.174.221

That site dropped a 15kb file on my machine.
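Extracting those two destinations from a landing page does not require a browser. The following added example (not code from the post) parses the HTML and resolves meta-refresh and IFRAME targets against the page URL. The page in it is constructed from the description above: the two URLs are the ones reported, while the surrounding markup, the 1x1 IFRAME size and the hidden style are assumptions.

```python
"""Pull redirect targets out of a landing page without rendering it.

Added example, not code from the original post. The x.html page described
above shows a "please wait" message, moves the browser with a meta refresh and
at the same time loads an IFRAME. LANDING_PAGE is constructed from that
description: the two URLs are the ones the post reports; the surrounding
markup, the 1x1 IFRAME size and the hidden style are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin


def parse_refresh(content: str):
    """Parse a meta-refresh content value 'N; url=...' (case-insensitive, quotes optional).

    Returns (delay_seconds, url) or None when there is no URL to follow.
    """
    delay, _, rest = content.partition(";")
    rest = rest.strip()
    if rest.lower().startswith("url="):
        rest = rest[4:].strip().strip("'\"")
    if not rest:
        return None
    try:
        seconds = int(delay.strip() or 0)
    except ValueError:
        return None
    return seconds, rest


class RedirectExtractor(HTMLParser):
    """Collect meta-refresh and iframe destinations, resolved against the page URL."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.meta_refresh: list[tuple[int, str]] = []
        self.iframes: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            target = parse_refresh(a.get("content", ""))
            if target:
                delay, url = target
                self.meta_refresh.append((delay, urljoin(self.base_url, url)))
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(urljoin(self.base_url, a["src"]))


def redirect_targets(html: str, base_url: str) -> dict[str, list]:
    """Return {'meta_refresh': [(delay, url), ...], 'iframes': [url, ...]}."""
    parser = RedirectExtractor(base_url)
    parser.feed(html)
    parser.close()
    return {"meta_refresh": parser.meta_refresh, "iframes": parser.iframes}


LANDING_PAGE = """<html><head>
<meta http-equiv="Refresh" content="4; URL=http://scaner-enter.cz.cc/scanner15/?afid=24">
</head><body>
PLEASE WAITING.... 4 SECONDS
<iframe src="http://formyjobduty.com/3/index.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""


if __name__ == "__main__":
    for kind, targets in redirect_targets(LANDING_PAGE, "http://dark-pangolin.com/x.html").items():
        print(kind, targets)
```

Resolving against the page URL matters because these kits often use relative IFRAME sources; the raw attribute value alone would not tell you which host the second-stage fetch went to.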


The IP 91.197.130.109 also hosts the sites:

scaner-end.cz.cc
scaner-e.cz.cc
scaner-eee.cz.cc
scaner-demon.cz.cc
scaner-do.cz.cc
scaner-cio.cz.cc
scaner-dro.cz.cc
scaner-ear.cz.cc
hornvimawar.cz.cc
scaner-enter.cz.cc
scaner-dir.cz.cc
scaner-clouds.cz.cc
ilmemenlens.cz.cc
scaner-eclips.cz.cc
scaner-coast.cz.cc
hycormofy.cz.cc
xxxvideo-dpiy.cz.cc

".cz.cc" is a free domain provider that the criminals are abusing like crazy right now.

Other domain names located on 91.213.174.221 include:

mypetitebusiness.org
mylittlejobsite.com
workgroupsite.com
keybussines.com
formyjobduty.com
littlebiz.us

All of those except "keybussines.com" use Yahoo nameservers.



Group Two: MD5 = 34eaf3d214f1ef58b56d58de5e5e25b6 - personago.ru



For MD5:

34eaf3d214f1ef58b56d58de5e5e25b6

We saw all of the following subjects:
Corrections.html
Evite invitation.html
invoice.html
Invoice Payment Confirmation.html
proposal.html
Shipping Notification.html

This group's attachment is also a base64-encoded HTML file.

If a user simply clicks the attachment, it SEEMS to take us to a Canadian Pharmacy website of the GlavMed variety:

http://personago.ru/

But a deeper analysis of the code shows it takes the long way around. First the site sends us to:

clicksmile.org/x92s/uc12vx04/xdtldil.php?id=350 on IP address 91.188.59.220 in Latvia

Then it sends us on to "personago.ru" on 113.107.104.23 in China's Guangdong province.

The ZIP Files: Group One - fastlouprim.com



Even though the ".zip" attachments come in many different MD5s, quite a few are so similar in function that they are clearly "the same" despite the differing hashes.

The first of the ".zip" emails has the subject: "Bar/Bri"

The body of the email reads:
Hello,

Thank you for ordering from Capcom Entertainment, Inc. on September 15, 2010. The following email is a summary of your order. Please use this as your proof of purchase. If you paid by credit card, please look for attached invoice.
Confidential & Privileged

Unless otherwise indicated or obvious from its nature, the information contained in this communication is attorney-client privileged and confidential information/work product. This communication is intended for the use of the individual or entity named above. If the reader of this communication is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error or are not sure whether it is privileged, please immediately notify us by return e-mail and destroy any copies--electronic, paper or otherwise--which you may have of this communication.


Attachment:
Summaries.RBK.zip used the MD5:
4b3e7c54e263363b7dcec53bd9e1c135

25 of 43 detection at VirusTotal - mostly called "FraudLoad" or "ZBot".

When we launched this malware, it connected to several servers in rapid succession:

- www.searchannoying.com
- fastlouprim.com
- searchanxious.com
- searchbent.org
- analyticsdead.com

and downloaded a 471kb file from fastlouprim.com. That file was my FakeAV present. It was stored in my current user's "Local Settings\Temp" directory as "dfrgsnapnt.exe".



VirusTotal FakeAV Report (20 of 43 detects)

A backup version was also running as "wscvc32.exe" from the same location.




The second ".zip" email had the Subject "details" and contained this email body:



Hello,



As with all bank owned assets there is a strong desire to sell. The Lender is anticipating a sale before year end and they have encouraged us to bring them qualified offers to purchase.

I will contact you shortly to discuss in detail.

Regards,

RB


Attachment:
Shadow Ranch Marketing Package.zip used the MD5:

7f51b49e92a1640250746ad3a4f11c36

24 of 43 detects at VirusTotal, mostly "FraudLoad" and ZBot.

The behavior of this malware was identical to the first - using the same domain names, fetching the same FakeAV from the same server, and installing it using the same name.




The third ".zip" email had the Subject: Shipping Notification

The body of the email read:
Shipping Notification Thank you for shopping with us. We look forward to serving you again.

The following is your receipt. Please retain a copy for your records.

Qty  Item no      Description          Price   S&H   Tax   Return Code
1    FC864-2038B  Msg Drma7303 White   650.99  6.95  3.37  ____


Merchandise total 650.99
Shipping and handling 6.95
Tax on mdse 6.75% 3.37
Invoice total 706.31

Welcome to the convenience of shopping JCPenney Catalog


Attachment:
Shipping Notification.zip used the MD5s:

1ee31a4fae6e9bbceb47f0bf3ea79c6f
218adbd9f6abb8f0b7fd73765e62d005

Shipping Notification.zip behaved just like the first two entries on this list: it began by visiting www.searchannoying.com, fastlouprim.com, searchbent.com, analitycsdead.com and finderwid.org, and downloaded the same FakeAV from the same location.

The first has 24 of 43 detects at VirusTotal, mostly Fraudload, FakeAV, and ZBot.

The second has 26 of 43 detects at VirusTotal, mostly ZBot.




The fourth ".zip" email had the subject: Corrections.zip

The body of the email was very simple, with a Random Name in the body that matched the "From" name:
============================================================ Corrections.zip
============================================================ Jed Keller



Corrections.zip used the MD5s:

aa32b48a854b62b5a71c4a4b6f53b3a7
b268064ed27f3d3e07e410f694499b04

The first has 21 of 43 detects at VirusTotal called FraudLoad, Alureon, FakeAV, or ZBot.

The second has 26 of 43 detects at VirusTotal called ZBot or Outbreak.

"Corrections" also behaved exactly like those above. Dropping a FakeAV after contacting fastlouprim.com and the others.

The ZIP Files: Group 2 = MoneyMader.ru




The next ".zip" email uses the subject: Facebook password has been changed

The body of the email contains:
Dear user of facebook.

Because of the measures taken to provide safety to our clients, your password has been changed.

Important Message!
You can find your new password in attached document.

Thank you.
Facebook Team.


Attachment:
New_password.zip used the MD5:
843d5efc64e2338206f3736a2a876c45

This one is ESPECIALLY TRICKY, because the real filename is hidden from the user. The attachment's MIME headers read:

Content-Type: application/zip;
name="New_password.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="denno.jpg"

Mail clients display the Content-Disposition filename, so the attachment, which the Content-Type header names "New_password.zip", shows up as a ".jpg" file, like this:



22 of 42 detects at VirusTotal mostly called BredoLab or Sasfis.
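A mail gateway can catch this trick before a user ever sees the attachment. The following added example (not code from the post) parses a message whose attachment headers reproduce the ones quoted above, and reports when the displayed filename disagrees with the Content-Type name, when the file's leading bytes do not match its claimed extension, and when a ZIP contains an executable. The ZIP is built in memory here and holds a two-byte dummy New_password.exe, not the real sample; the rest of the message is constructed.

```python
"""Flag attachments whose displayed name disagrees with what they really are.

Added example, not code from the original post. RAW_MESSAGE reproduces the MIME
headers the post quotes (Content-Type name="New_password.zip" against
Content-Disposition filename="denno.jpg"); the rest of the message is
constructed. The body is a ZIP built in memory that holds a two-byte dummy
New_password.exe, not the real sample.
"""
import base64
import email
import io
import zipfile
from email import policy

# Leading bytes a file with this extension should start with.
MAGIC = {
    "zip": b"PK\x03\x04",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG",
    "gif": b"GIF8",
    "pdf": b"%PDF",
    "exe": b"MZ",
}
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def build_dummy_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("New_password.exe", b"MZ")  # placeholder, not a real PE
    return buf.getvalue()


RAW_MESSAGE = (
    b"From: Facebook Team <noreply@example.invalid>\n"
    b"To: user@example.invalid\n"
    b"Subject: Facebook password has been changed\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="b1"\n'
    b"\n"
    b"--b1\n"
    b"Content-Type: text/plain\n"
    b"\n"
    b"You can find your new password in attached document.\n"
    b"--b1\n"
    b"Content-Type: application/zip;\n"
    b' name="New_password.zip"\n'
    b"Content-Transfer-Encoding: base64\n"
    b"Content-Disposition: attachment;\n"
    b' filename="denno.jpg"\n'
    b"\n"
    + base64.encodebytes(build_dummy_zip())
    + b"--b1--\n"
)


def extension(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def check_attachment(part) -> list[str]:
    """Return findings for one MIME attachment part; an empty list means nothing odd."""
    findings = []
    shown = part.get_filename()              # Content-Disposition filename: what the user sees
    declared = part.get_param("name")        # Content-Type name: what the sender called it
    data = part.get_payload(decode=True) or b""
    if shown and declared and shown != declared:
        findings.append(f"name mismatch: displayed {shown!r}, Content-Type says {declared!r}")
    ext = extension(shown or declared or "")
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        findings.append(f"magic mismatch: .{ext} name but content starts with {data[:4]!r}")
    if data.startswith(MAGIC["zip"]):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            names = []
        executables = [n for n in names if extension(n) in EXECUTABLE_EXT]
        if executables:
            findings.append(f"zip contains executable: {executables}")
    return findings


def scan(raw: bytes) -> list[str]:
    """Run check_attachment over every attachment in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        findings.extend(check_attachment(part))
    return findings


if __name__ == "__main__":
    for finding in scan(RAW_MESSAGE):
        print(finding)
```

The magic-byte check is the one that survives a sender who simply makes both names agree: a ".jpg" that begins with "PK" is a ZIP whatever its headers say.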

Launching "New_password" generated lots of quick web traffic, starting with connections to "moneymader.ru" on IP 109.196.134.44, to which the malware sent this GET request:

/group/mixer/bb.php?v=200&id=912648491&b=16&sentab&tm=100

I have no idea what that means, but it feels familiar -- for instance, compare with the URL Dancho talked about back in May with some itunes spam.

It also fetched from the unlikely named machine:

0006385484.dc5ccd77.01.94c71046BC3647f49cf44b7e9b4b3544.n.empty.725.empty.5_1._t_i.ffffffff.svchost_exe.165.rc2.a4h9uploading.com

which has the IP address 95.211.131.67

Then we downloaded the file "/milk/dogpod.exe" from 91.204.48.46


The malware also performed a very long fetch that began with "/get2.php?c=ALOVLEKD" from the host 061707da092d.bourgum.com

Those fetches downloaded "7.tmp" and "8.tmp", both of which VirusTotal flags:

7.tmp: the VirusTotal report showed it had not been submitted before; 17 of 43 detections, mostly "Kazy" or "Oficla".
8.tmp: 18 of 43 detections.
It also fetched from "y6pb.huntfeed.com" before loading some BBC News.




The last ".zip" email has the subject line You've got a fax

The body has a nice graphic and reads "The Fax message is attached to this email!"

The attachment has random numbers in the name, such as "eFAX07391DOC.zip":

eFAX(randomnumbers)DOC.zip used the MD5:
ce8a5f487daaf7a37aa6d2526b2b57d7

19 of 39 detects at VirusTotal mostly called ZBot, Oficla, or Sasfis.

When we launched this file, which was 22kb in size, it connected to "moneymader.ru" just like the "Facebook New Password" one above. I noticed this time that the infected machine sent back what looks like a 15 ?minute? delay statement to the server. I'll wait to see what happens.

Tuesday, September 14, 2010

"Here You Have" Hype & Electronic Jihad

Hype


On September 9th, my blog post on the "Here You Have" worm mentioned that the worm's spread mechanisms were narrowly focused on a few targets that it hit very hard. Because of this, I've been quite surprised to see claims such as the one in this USA Today article:

Viral messages carrying an innocuous-looking "Here you have" or "Just for you" subject line at one point Thursday accounted for an astounding 14.2% of spam messages moving across the Internet, says Nilesh Bhandari, Cisco product manager.


and then goes on to do the math for us. The article says there are 300 billion emails per day, so "Here You Have" must have sent 42 billion emails. It then shows a chart, with no source attribution, which demonstrates that there was only one thirty-minute period in which the chart's source (presumably Cisco?) claimed the spam had reached 14.2%.



If we assume briefly that there really are 300 billion emails per day, a back-of-the-envelope calculation from this chart would indicate that there were actually closer to 8 billion, rather than 42 billion, emails sent by "Here You Have". (You can clearly see from USA Today's own chart that in most time periods of the day the percentage was closer to "0%" than to "14%".) 14.2% occurred in only one 30 minute sample, which, if we assume an equal distribution of the 300 billion across the day, would mean roughly 887 million emails in that thirty-minute window.

BUT WAIT! Is it accurate to project the sampling from Cisco's Ironport onto "the global spam" picture? Absolutely not! Take for a moment my personal anecdotal evidence. I stand by my earlier statement that the UAB Spam Data Mine on September 9th received 17 copies of the "Here You Have" emails, 13 of which came from senders in a single large financial institution. Our calculation of 0.00002% is perhaps closer to the average "global spam" recipient's reality.

In my personal spam collection, including many "live" personal email addresses, I received 10,134 spam email messages on September 9th, of which ZERO were from the "Here You Have" worm. (And yes, I use NO FORM of spam filtering on those email addresses.) I also received zero copies in my university email accounts.

Our reality, and yours, unless your primary email account is in a very large corporation running Outlook, is probably closer to what was described by Microsoft. (Thanks to Robert McMillan of IDG News for pointing this out in his article Here You Have Worm Caused Brief Havoc.)



In this Technet Blog post: "Update on the Here You Have Worm: Visal-B" the Microsoft lab says that in normal spam monitoring, 90% of their reports come from "consumer" email users (protected and reported through Microsoft Security Essentials), while very few reports come from their "corporate" email users (protected and reported through Forefront Client Security).

Microsoft bloggers Jimmy Kuo & Holly Stewart go on to say that while they have sensors deployed worldwide, 98% of their reports for this worm came from US-based reporters. Cisco's 2010 MidYear Security Report (36 page PDF) says that 8.98% of global spam originates in the United States.

When Cisco Ironport reports their numbers, we have to remember that their appliance is overwhelmingly present in corporate email accounts. I know the Ironport guys, believe they have a great product, and believe they reported accurately what they saw on the corporate networks, but also believe that a few media sources have misinterpreted these numbers to turn Here You Have into the Global Armageddon of Spam, which it clearly was not. Except for some US-based corporate mail servers.

But was that the whole point? To learn more we need to identify some "patient zero" spam recipients: who was THE FIRST PERSON at ABC, NASA, Google, JP Morgan Chase, etc., to receive the spam? As we learn more about who is behind the attack, it looks like targeting "big corporations" may have been the whole point of the worm!

Electronic Jihad



The more interesting angle to me is the revelations from Joe Stewart, the International Grandmaster of Malware Analysis at SecureWorks in his blog post Here You Have Worm and e-Jihad Connection. I asked Heather McCalley, the Criminal Intelligence Supervisor in the UAB Computer Forensics Research Laboratory to summarize the details for us:

Joe Stewart had previously identified that the malware contained the string "iraq_resistance" and that a previous version of the same malware used the email address "iraq_resistance@yahoo.com".

A fellow researcher at Internet Identity provided us a link to a YouTube video that claimed to be from the author of the worm. When we first saw the video early yesterday morning it had been viewed 128 times. Heather took a screen shot showing 302 views yesterday morning. This morning there have been 3,803 views of the video.



My nickname is Iraq Resistance. Listen to me about the reasons behind the 9 september virus that affected NASA, Coca-Cola, Google, and most American ?gains?. What I wanted to say is that United States does not have the right to invade our people and steal our oil under the name of nuclear weapons. Have you seen any there? No evidence, even about any project. How easy you kill and destroy. Second, about the Christian Terry Jones what he tried to do on the same day this worm spread is not even fair. I know that not all Christians are similar and some newspapers wrote that I am a terrorist hacker because of the computer virus and Mr. Terry Jones is not and he is not terrorist because he infected all muslims' behavior. I think America, come on! Be fair. Where is your freedom which must end when it reaches another person's freedom. And you say you modern educated people. I don't know there is another one and really I don't like smashing and as you know there were no computers smashed as you know by the analysis report. I could have smashed all those I infected but I wouldn't and don't use the word terrorist please. I hope that all people understand I am not a negative person. Thanks for publishing.


(click for video)

So, shall we take Mr. IqZiad at his word? Context is everything, and in this case, we have ample evidence that iraq_resistance, the self-proclaimed "Commander of the Brigades of Tariq bin Ziad", desires to harm America.

Here's a post that he made on the website "vbhacker.net" where he has been active since 2006 using the username "iraq_resistance":

(translated from the Arabic)

The Tariq bin Ziyad virus batters America
Peace be upon you.
The commander of the Tariq bin Ziyad Brigades launched a virus attack on American companies on Thursday. It infected an enormous number of computers, which led the companies to shut down their mail servers until they could get the problem under control.
Comcast shut down some of its servers, as did Google, Coca-Cola and NASA, within the space of two hours on the evening of Thursday, 9-9-2010.
Here is a report from Microsoft:
http://www.msnbc.msn.com/id/39087497/ns/technology_and_science-security/
And here is the report from the British Daily Mail:

http://www.dailymail.co.uk/sciencetech/article-1310890/Here-virus-causes-havoc-spreads-world.html

The commander of the Tariq bin Ziyad Brigades has sworn to continue the attack at a later time in retaliation for their campaign against Islam.
Please spread this achievement and pray for the success and protection of the Tariq bin Ziyad Brigades.


The post takes credit for the attack, links to two news stories about the attack, and then closes in the last two lines by saying:

As the Commander of the Brigades of the Tarik bin Ziad, I swear the attacks will continue in retaliation for their attacks against Islam.

Please publish this achievement and pray for the success and protection of al-Tarik bin Ziad.


Well, Mr. IqZiad, I've published your achievement, but I am certainly praying for a different outcome than the one you request.

The user iraq_resistance has been a member of vbhack.net since 2006. When we looked into the board this morning there were 619 active registered users logged in to the site, as well as 17,032 "guests" reading public messages on the board. The board, which is hosted on LiquidWeb in Chicago, is one of the 22,000 most popular on the Internet according to NetCraft, and has many non-offensive topics, including large popular forums about the World Cup and Islam.

Despite his long membership, Iraq_resistance has only created three discussion threads. The most popular, which was read 4,765 times and has 163 replies, was this message from May of 2008, entitled: مطلوب شباب للمشاركة في حملة الجهاد الالكتروني
which translates as: "Wanted: Young people to participate in Electronic Jihad".

(translated from the Arabic)

Peace be upon you, my brothers.
A group has been founded under the name of the Tariq bin Ziyad Brigades, and the goal of this group is to penetrate American computers belonging to the US Army.
This requires increasing our numbers so that we are more effective, so we set out the conditions for joining this electronic jihad group:

1 - The participant's goal must be electronic jihad, and he must swear that he will not use what he learns with the group against any other target.

2 - Sincerity in the work and respect for the members of the group; after the group expands, seniority and the most active members will hold command rank over subgroups under the main group.

3 - Meetings and chat will take place on Yahoo Messenger and MSN.

4 - For any problems with members or leaders, the door of complaint is open to the general commander of the Brigades.

5 - The mujahid's skill level is not important, because he will learn with the group; the method is not difficult and it is truly effective.

6 - Follow the general commander's advice, with complete sincerity in working for the sake of God.

7 - Put aside grudges between members of the group; the spirit of competition is against the enemy, not against the brothers.

8 - The oath not to use what he learns against any other target outside the group will be taken over the microphone, heard by the general commander.

We ask God to grant us, and you, success and to guide our steps. We hope the brothers will respond by joining this blessed opportunity.
We also thank the forum administration for the opportunity to announce the campaign and the call for membership; you will be kept informed of the results as they come, God willing.
To join, please add the Yahoo ID

tarek_bin_ziad_army

Awaiting the mujahideen; your add requests will be accepted.
Your brother, the General Commander of the Tariq bin Ziyad Brigades


Tariq ibn Ziyad was the name of the Muslim servant who was appointed a General and given troops to conquer the Iberian peninsula in the year 711. You can read more about him in his Wikipedia article, or for a more Islam-friendly version of events, see HaqIslam. Tariq is the invader who famously burned his ships after landing, convinced of his victory by a vision of the Prophet promising him success and that he would personally kill King Roderick.

The same "call for recruits" was posted in many other places, including:

http://www.amman-dj.com/vb/a-t68089/ (by user "iraq_resistance", active since December 2006, hosted on SoftLayer in the USA.)

http://www.m0dy.net/vb/t104142.html (by user "iraq_resistance", active since November 2005, hosted on SoftLayer in the USA.)

http://vbnaajm.naajm.com/showthread.php?t=44269 (by user "iraq_resistance", active since July 2004, hosted on BlueHost in the USA.)

http://www.arabteam2000-forum.com/index.php?showuser=74343 (user "iraq_resistance", active since March 2006, hosted on XLHost in the USA.)

In addition there are recruiting ads aimed at malware authors, such as this one:

http://lovesingle.jeeran.com/no2.html

The call is for assistance from those who can create computer viruses to strike the enemy. Malware coders who want to help in the cause were instructed (in Arabic):

To subscribe send a message to

tarek_bin_ziad_army@yahoo.com

And please send a message to email the following to configure a lethal army of God Almighty in the future

thabet3000@gmail.com


Impact?



So despite the "I'm not a terrorist" YouTube video, we have a mass-mailing worm that disproportionately impacted US-based businesses, successfully planting backdoor code on many of the infected machines, released by a person who has been calling himself "Iraq_resistance" since 2006 and who has been recruiting "electronic Jihad" participants since 2008. This person boasted about his attacks, has promised there will be others, and as far back as March 6, 2009 was specifically inviting malware authors to help him create "a lethal army of God".

Was there a lot of hype in the coverage of this malware? Yes. But perhaps the story deserves a deeper response than a shrug.

Update


Our friend Bob McMillan has shared an interesting Series of Emails with the worm author.