Showing posts with label botnets. Show all posts

Sunday, August 17, 2008

Cyber Warfare, Not Just a Theory Anymore?

Last week, news of a cyber attack by Russia against Georgia turned this type of warfare into a chilling reality. According to an article in the LA Times, it also revealed how ill-prepared most of the world is to deal with this kind of threat.

Most experts now agree that the cyber attacks started well before the shooting did, and that they were not very sophisticated by current standards. Most were a mix of run-of-the-mill DDoS (Distributed Denial of Service) floods aimed at knocking government sites offline and defacements of those same sites.

One of the problems is that no one can actually pin the attacks on the Russian government. As usual, botnets of zombie computers were used to carry out the assault on the sites in question. Since these zombie computers are taken over by malicious software, normally after an unsuspecting user clicks on a link in a spam e-mail, the computers used in the attack probably resided all over the world. Botnets are also used to send out the spam e-mails carrying the malicious links that turn still more systems into zombies, which in turn adds to the power of the botnet.

Researchers at Shadowserver, a volunteer group that monitors cyber attacks, have traced the attacks against Georgia back to July and to a server located in the United States, according to an article in the New York Times. The Times article suggested that the attack might have ties to Russian organized cyber criminals.

It should be noted that the words Russia and cyber crime bring up pages of results on most search engines. Russian organized crime is also known to have a global reach, so it is no surprise that some of the current DDoS attacks were traced to a server in the United States. Simply stated, these attacks can be made to appear as if they are coming from just about anywhere: the location of a bot, or of the server controlling it, says very little about who is giving the orders.

While this is one of the first times cyber warfare has actually occurred alongside a shooting war, it is starting to become a topic of concern in government circles. As a matter of fact, in April it was a hot topic at the NATO summit and at an EU conference. China is also known to be actively seeking a cyber warfare capability and is regularly accused of hacking into other governments' systems.

Last year, Estonia also suffered cyber attacks, which were allegedly facilitated by Russian hackers. In an interesting development, Network World reported that Estonia is sending cyber defense advisors to assist the Georgians.

Wikipedia has an interesting article on cyber warfare. It cites McAfee's 2007 annual report as stating that approximately 120 countries have been developing cyber warfare capabilities designed to disrupt financial markets, government computer systems and utilities. The article also lists several recent attacks that many suspect were carried out by the Russians or the Chinese.

The McAfee report concluded that cyber attack capabilities are becoming a global issue as well as a threat to national security. Current events seem to be turning that prediction into reality.

Wednesday, January 16, 2008

Your computer will not love this Valentine

The Storm Worm, which turns systems into spam-spewing zombies without their owners' knowledge, is taking a predicted twist and using Valentine's Day as a lure.

Websense is reporting:

Websense® Security Labs™ has received reports and confirmed that the Storm worm has once again switched lure tactics. The worm has now adopted a Valentine's Day twist in its attempts to infect users with malicious code. For more details on how we protect against Storm attacks, see http://www.websense.com/securitylabs/blog/blog.php?BlogID=141.
Websense (full) alert with screenshots, here.

Most recently, we've seen the Storm botnet leased to phishermen to steal people's personal and financial details.

CNet (Robert Vamosi) did a good write-up on this latest Storm phenomenon, here.

The best way to protect your computer from this (besides having good security software) is to simply "just say delete" to any unsolicited Valentines you receive!

Previous posts I've written about the Storm Worm can be seen, here.

Saturday, January 05, 2008

DOJ charges 11 in pump and dump stock spamming operation

The Department of Justice has just announced charges against 11 people involved in a pump-and-dump stock spam scheme.

Pump-and-dump schemes victimize people who, lured by the expectation of too-good-to-be-true money, buy the touted stock at an artificially inflated price. They normally lose money when the price suddenly drops after the people behind the scheme sell off their own shares.

One of those charged, Alan Ralsky, is considered one of the biggest spammers around by Spamhaus, an organization dedicated to tracking spam.

From the press release:

A federal grand jury indictment was unsealed today in Detroit charging 11 persons, including Alan M. Ralsky, his son-in-law Scott K. Bradley, and Judy M. Devenow, of Michigan, and eight others, including a dual national of Canada and Hong Kong and individuals from Russia, California, and Arizona, in a wide-ranging international fraud scheme involving the illegal use of bulk commercial e-mailing, or "spamming."

The investigation was conducted over a three-year period by the FBI, Postal Inspectors and the Internal Revenue Service. The people involved used all the standard spam diversions, including falsified domains and e-mail headers, social engineering lures and good old false advertising.

The release also alleges that they tried to use botnets to send the spam:

The indictment also alleges that the defendants tried to send their spam by utilizing a cybercrime tool known as a “botnet,” which is a network of “robot” computers that have been infected with malicious software code that in turn would instruct the infected computers to send spam. The indictment charges that the defendants earned profits when recipients responded to the spam and purchased the touted products and services. Hui’s primary role in the scheme was to act as a conduit for Chinese companies who wanted their stocks pumped by the scheme. Ultimately, investigators estimate that the defendants earned approximately $3 million during the summer of 2005 alone as a result of their illegal spamming activities.

Recently, the FBI arrested a lot of Internet misfits in what it termed Operation Bot Roast and Operation Bot Roast II.

Botnets have become a major vehicle for circulating spam, and the zombie computers that make them up are themselves taken over by spam e-mail carrying malicious software. Because the owner of the computer normally isn't aware it has been turned into a "spam spewing zombie," the spam also becomes much harder for investigators to trace back to its real source.

It should also be noted that here again we see another "Chinese connection" in cybercrime. It's pretty interesting that publicly held Chinese companies were working with these spammers to have the price of their stock artificially inflated.

Russian nationals were also charged in this case. Eastern European groups seem to be heavily involved in the world of cybercrime.

Here is a list of the laws the government is using to bring the spammers to justice:

The 41-count indictment covers three distinct, but interrelated, conspiracies to capture this evolution in their business practices. The indictment charges the defendants with the commission of several federal criminal offenses, including conspiracy, fraud in connection with electronic mail (CAN SPAM), computer fraud, mail fraud, wire fraud, and money laundering. It also charges the defendants with criminal asset forfeiture, as well as charging one defendant with making false statements to law enforcement.

Sadly enough, spammers have been bold enough to spoof all three of the investigative agencies involved in this case in the recent past. These incidents are normally phishing attempts, where the spammer's intent is to steal personal and financial information using social engineering or malicious software.

The FTC released a report on spam a few days ago. One of its findings was that the people behind this activity are best dealt with by agencies that go after criminal activity.

This case and Operation Bot Roast indicate that such efforts are already underway.

On the DOJ site, right below the header of this press release, is a warning about the DOJ itself being impersonated (spoofed).

A lot of people view spam as an annoying phenomenon in their inbox. If you really examine it, spam is the vehicle for just about every annoying and illegal activity on the Internet.

The full press release, including all the names of the spammers being charged can be seen, here.

Tuesday, January 01, 2008

FTC issues report on Malicious Spam and Phishing

The Federal Trade Commission just released its report on the current state of malicious spam and phishing in today's electronic world.

Interestingly enough, it points out that spammers are criminals.

While this isn't a new revelation, the report seems to want to drive that point home. Maybe this is part of the education process referred to at the bottom of this post?

Here is what the press release had to say:

During the workshop, panelists confirmed that spam has increasingly become a significant global vector for the dissemination of malware and the propagation of financial crimes. Panelists opined that, in most instances, the acts of malicious spammers are inherently criminal, and criminal law enforcement agencies are best suited to shut down their criminal operations.

The report discusses the problem of botnets at length and refers to a 2006 report estimating that 12 million bot-infected computers are being used to send spam. It also states that most of these computers are physically located outside the United States.

Going deeper into the problem the report discusses a phenomenon called fast flux:

With fast flux, infected bot computers serve as proxies or hosts for malicious websites. The IP addresses for these sites are rotated regularly to evade discovery. For example, a phisher can deploy numerous and different IP addresses for a single phishing campaign, foiling the efforts of ISPs and law enforcement seeking to stop these campaigns by dismantling a single web site. Despite these challenges, the record reflects that at least one ISP does take proactive measures to detect and disconnect “fast flux” web sites from a portion of its network.
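The rotation the report describes leaves a signature in DNS that a defender can look for. What follows is an added example (my code, not the FTC's and not from this blog) that scores repeated resolutions of a domain the way a simple fast-flux detector would: short TTLs, many distinct addresses, addresses scattered across unrelated networks, and a fresh set of addresses on nearly every query. The lookups, the domain names and the thresholds are all constructed for the example, and /16 prefixes stand in for the ASN lookups a real detector would make against a BGP table.

```python
import ipaddress
from collections import defaultdict

# Thresholds are this example's assumptions, not figures from the FTC report.
MAX_TTL = 1800          # seconds: flux domains keep TTLs short so dead bots age out fast
MIN_DISTINCT_IPS = 5    # across all observations of the domain
MIN_DISTINCT_NETS = 3   # distinct /16s, a crude stand-in for distinct networks/ASNs
MIN_CHURN = 0.3         # mean share of never-before-seen addresses per lookup

# Constructed observations: (domain, TTL, A records) from repeated lookups a few
# minutes apart. RFC 1918 space is used so the sample names no real network.
#  - flux.example   : short TTL, new bots from unrelated /16s on almost every query
#  - cdn.example    : short TTL and rotating answers, but all inside one /16
#  - static.example : long TTL, same two addresses every time
SAMPLE_LOOKUPS = [
    ("flux.example", 300, ("10.3.4.5", "10.17.9.20", "10.44.100.1")),
    ("flux.example", 300, ("10.3.4.5", "10.61.2.2", "10.90.5.5")),
    ("flux.example", 300, ("10.120.7.7", "10.17.9.20", "10.140.0.3")),
    ("flux.example", 300, ("10.44.100.1", "10.200.9.9", "10.3.4.5")),
    ("cdn.example", 60, ("10.50.1.1", "10.50.1.2")),
    ("cdn.example", 60, ("10.50.1.3", "10.50.1.4")),
    ("cdn.example", 60, ("10.50.2.1", "10.50.2.2")),
    ("cdn.example", 60, ("10.50.1.1", "10.50.2.3")),
    ("static.example", 86400, ("10.99.0.10", "10.99.0.11")),
    ("static.example", 86400, ("10.99.0.10", "10.99.0.11")),
    ("static.example", 86400, ("10.99.0.10", "10.99.0.11")),
    ("static.example", 86400, ("10.99.0.10", "10.99.0.11")),
]


def flux_metrics(lookups):
    """Group observations by domain and compute per-domain fast-flux indicators."""
    by_domain = defaultdict(list)
    for domain, ttl, answers in lookups:
        by_domain[domain.lower().rstrip(".")].append((ttl, answers))

    report = {}
    for domain, observations in by_domain.items():
        seen, nets, ttls, churn = set(), set(), [], []
        for i, (ttl, answers) in enumerate(observations):
            answers = set(answers)
            ttls.append(ttl)
            if i:  # share of this answer set never returned for the domain before
                churn.append(len(answers - seen) / len(answers))
            seen |= answers
            for ip in answers:
                nets.add(ipaddress.ip_network(f"{ip}/16", strict=False))
        metrics = {
            "ttl_avg": sum(ttls) / len(ttls),
            "distinct_ips": len(seen),
            "distinct_nets": len(nets),
            "churn": sum(churn) / len(churn) if churn else 0.0,
        }
        metrics["fast_flux"] = (
            metrics["ttl_avg"] <= MAX_TTL
            and metrics["distinct_ips"] >= MIN_DISTINCT_IPS
            and metrics["distinct_nets"] >= MIN_DISTINCT_NETS
            and metrics["churn"] >= MIN_CHURN
        )
        report[domain] = metrics
    return report


if __name__ == "__main__":
    for name, m in flux_metrics(SAMPLE_LOOKUPS).items():
        flag = "FAST-FLUX" if m["fast_flux"] else "ok"
        print(f"{name:16} ttl={m['ttl_avg']:>7.0f} ips={m['distinct_ips']:2} "
              f"nets={m['distinct_nets']:2} churn={m['churn']:.2f} {flag}")
```

The cdn.example entry is there on purpose: content delivery networks also hand out short TTLs and rotating answers, which is why a detector that looks only at TTL and address count drowns in false positives. Network diversity is the discriminator, and the /16 shortcut used here is weaker than a real ASN lookup (a large CDN spanning many ASNs would still trip it), so in practice the verdict should feed an analyst queue rather than an automatic block.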

The report also acknowledges that DIY (do-it-yourself) crimeware kits are making it easy for just about anyone to mount a phishing campaign. One kit described sells for as little as $17.

Also cited are statements from jailed bot-herders that botnets are being rented out for $300-$700 an hour.

The report also gives some statistics on what this is costing all of us:

A survey by Consumer Reports reveals that viruses, phishing, and spyware resulted in over $7 billion in costs to U.S. consumers in 2007. The survey revealed further that computer infections prompted 850,000 U.S. households to replace their computers. The costs to businesses also are high. One panelist reported that 80 percent of 639 businesses it studied experienced cybercrime-related losses, totaling $130 million.

Also included in the report is information on Operation Bot Roast, conducted by the FBI and the Department of Justice.

Besides going after the criminal element, the report states that e-mail authentication, which lets a receiving ISP check whether the server delivering a message is actually authorized to send mail for the domain it claims to be from, is crucial in detecting spam at the ISP level so that existing spam filters can weed it out.
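As an added example of the kind of authentication the report is referring to (this is my code, not the FTC's, and the records are constructed): SPF works by publishing, in DNS, the addresses allowed to send mail for a domain, so the receiving ISP can compare the connecting server's IP against that list before the message ever reaches a content filter. The evaluator below handles the ip4, ip6, include and all mechanisms with their qualifiers against an in-memory record table; a real one resolves the records over DNS and also supports the a, mx, exists and redirect terms.

```python
import ipaddress

# Constructed SPF records, keyed by domain, standing in for DNS TXT lookups.
# "irs.example" plays the agency whose name phishers borrow in this post: it
# allows one /24 of its own plus whatever "mail.example" (a bulk mailer) allows,
# and rejects everything else with "-all".
RECORDS = {
    "irs.example": "v=spf1 ip4:192.0.2.0/24 include:mail.example -all",
    "mail.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms at 10 per check


def evaluate_spf(domain, client_ip, records=RECORDS, depth=0):
    """Return the SPF result for a message from `domain` delivered by `client_ip`."""
    record = records.get(domain.lower().rstrip("."))
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # no policy published: nothing to enforce
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    ip = ipaddress.ip_address(client_ip)

    for term in record.split()[1:]:
        if "=" in term:
            continue  # modifiers (exp=, redirect=) are not handled in this example
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()

        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            # an address of the other IP version never matches the network
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            matched = evaluate_spf(argument, client_ip, records, depth + 1) == "pass"
        else:
            return "permerror"  # a, mx, ptr, exists need live DNS; unsupported here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # record exhausted without a match (no trailing "all")


def check_mail_from(mail_from, client_ip, records=RECORDS):
    """SPF verdict for an envelope sender such as 'refunds@irs.example'."""
    _, _, domain = mail_from.rpartition("@")
    return evaluate_spf(domain, client_ip, records) if domain else "none"


if __name__ == "__main__":
    for sender, ip in [("refunds@irs.example", "192.0.2.25"),
                       ("refunds@irs.example", "198.51.100.10"),
                       ("refunds@irs.example", "203.0.113.7"),
                       ("news@mail.example", "203.0.113.7"),
                       ("anyone@nobody.example", "203.0.113.7")]:
        print(f"{sender:24} from {ip:15} -> {check_mail_from(sender, ip)}")
```

The third case is the interesting one: a zombie at 203.0.113.7 sending as irs.example gets a hard fail, which an ISP can act on at SMTP time without ever looking at the message body. SPF says nothing about look-alike domains, though; a phisher who registers his own domain and publishes a valid record passes cleanly, so receivers pair it with DKIM signatures and sender reputation rather than relying on it alone.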

Of greatest importance (call me a socialist) is that the report calls for a broader effort to educate the public on the dangers of spam:

Consumer and business education can have a significant impact in the fight against spam and phishing. Because spam is an ever-evolving problem, stakeholders should revitalize efforts to educate consumers about how to protect their computers from online threats and improve methods for disseminating educational materials to consumers and businesses. In addition, the Summit identified consumer-interfacing tools such as spam reporting buttons as valuable tools for ISPs and reputation service providers. Accordingly, staff will encourage industry to continue to develop and fine-tune such tools.

In keeping with this theory, the FTC lists three sites on the right side of the press release to educate the public about spam: the FTC Spam site, OnGuard Online: Spam Scams and OnGuard Online: Phishing.

The full report can be viewed, here.

Tuesday, December 25, 2007

Storm Worm bot-herders use scantily clad women in Santa attire to recruit zombies!

Here is a warning from Dancho Danchev about a site that might leave your computer with a worm.

The site invites a person to watch a bunch of scantily clad women in Santa attire for "free."

From the Mindstreams of Information blog:

Stormy Wormy is back in the game on the top of Xmas eve, enticing the end users with a special Xmas strip show for those who dare to download the binary. The domain merrychristmasdude.com is logically in a fast-flux, here are some more details :

Administrative, Technical Contact
Contact Name: John A Cortas
Contact Organization: John A Cortas
Contact Street1: Green st 322, fl.10
Contact City: Toronto
Contact Postal Code: 12345
Contact Country: CA
Contact Phone: +1 435 2312633
Contact E-mail: cortas2008 @ yahoo.com

In case you are less than technically astute (a lot of us are), the Storm worm has been around for a while. Wikipedia offers a good explanation of how it takes over a Windows system, here.

Downloading it normally leads to your computer becoming a spam-spewing zombie controlled by a bot-herder. Becoming infected also poses a real risk of information theft.

Full post from Dancho, here.


(Screen shot courtesy of the Mindstreams of Information blog)

Update:

Found some more information on this on the SANS Internet Storm Center, which can be seen, here.

And apparently some splogs have been set up on blogspot to support this current storm on the Internet:

If you google for merrychristmasdude.com you'll see a number of spam blogs set up with that domain in their body and directing traffic to siski.cn (take a look for that in your proxy logs while you're at it.)

Visiting skiski.cn will redirect you over to shockbabetv.com and attempt to install a fake video codec, which itself appears to be a downloader to deliver more coal to your stocking.
It also appears that the hackers behind this are moving on to New Year's lures and a new domain.

Shortly before 1600 GMT 25-DEC-2007 we got a report indicating that the Storm Botnet was sending out another wave of attempts to enlist new members. This version is a New Years-themed e-card directing victims to "uhave post card.com." (spaces inserted to break the URL) NOTE: Please do not blindly go to this URL -- there is malware behind it.

Also reported by the SANS Internet Storm Center, here.

Friday, November 30, 2007

Operation Bot Roast II snares bot herders, worldwide!


Official FBI photo for Bot Roast II (Globe in a laptop)

This morning I read that a teenager in New Zealand had been arrested for allegedly being the kingpin behind an international cyber-crime network.

Because he was a juvenile when the crimes were being committed, the authorities aren't releasing his real name, but on the Internet he is known as "AKILL."

The Associated Press is reporting:

Police arrested the suspected teenage kingpin of an international cyber crime network accused of infiltrating 1.3 million computers and skimming millions of dollars from victims' bank accounts, officials said.

Working with the FBI and police in the Netherlands, New Zealand police arrested the 18-year-old in the North Island city of Hamilton, said Martin Kleintjes, head of the police electronic crime center. The suspect's name was not immediately available.

Kleintjes charged that the ring was responsible for stealing at least $20 million using bank account and login details detected by their illegal spyware.
I did a little digging on this and found that the FBI announced on its site that this arrest is part of Operation Bot Roast II.

It appears that more than a teenager is being taken down for victimizing millions of people, worldwide.

From the announcement on the FBI site:

In June, we announced the first phase of Operation Bot Roast, which pinpointed more than a million victimized computers and charged a number of individuals around the country with various cyber-related crimes.

Today, we’re announcing part two of this operation, with more results:

Three new indictments, including two this past month. In one case, we uncovered a denial of service attack on a major university in the Philadelphia area and then knocked out much of the botnet by disrupting its ability to talk to other computers.

Two previously charged criminals who pled guilty, including a California man who is a well known member of the botnet underground.

The sentencing of three others, including a pair of men who launched a major phishing scheme targeting a Midwest bank that led to millions of dollars in losses.

I discovered more information on Operation Bot Roast II in an FBI press release:

The FBI today announced the results of the second phase of its continuing investigation into a growing and serious problem involving criminal use of botnets. Since Operation 'Bot Roast' was announced last June, eight individuals have been indicted, pled guilty, or been sentenced for crimes related to botnet activity. Additionally, 13 search warrants were served in the U.S. and by overseas law enforcement partners in connection with this operation. This ongoing investigative effort has thus far uncovered more than $20 million in economic loss and more than one million victim computers.

FBI Director Robert S. Mueller, III said, "Today, botnets are the weapon of choice of cyber criminals. They seek to conceal their criminal activities by using third party computers as vehicles for their crimes. In Bot Roast II, we see the diverse and complex nature of crimes that are being committed through the use of botnets. Despite this enormous challenge, we will continue to be aggressive in finding those responsible for attempting to exploit unknowing Internet users."

The press release also gives details on the most recent cases:

1. Ryan Brett Goldstein, 21, of Ambler, Pennsylvania, was indicted on 11/01/07 by a federal grand jury in the Eastern District of Pennsylvania for botnet related activity which caused a distributed denial of service (DDoS) attack at a major Philadelphia area university. In the midst of this investigation the FBI was able to neutralize a vast portion of the criminal botnet by disrupting the botnet's ability to communicate with other botnets. In doing so, it reduced the risk for infected computers to facilitate further criminal activity. This investigation continues as more individuals are being sought.

2. Adam Sweaney, 27, of Tacoma, Washington, pled guilty on September 24, 2007 in U.S. District Court, District of Columbia, to a one count felony violation for conspiracy fraud and related activity in connection with computers. He conspired with others to send tens of thousands of email messages during a one-year period. In addition, Sweaney surreptitiously gained control of hundreds of thousands of bot controlled computers. Sweaney would then lease the capabilities of the compromised computers to others who launched spam and DDoS attacks.

3. Robert Matthew Bentley of Panama City, Florida, was indicted on 11/27/07 by a federal grand jury in the Northern District of Florida for his involvement in botnet related activity involving coding and adware schemes. This investigation is being conducted by the U.S. Secret Service.

4. Alexander Dmitriyevich Paskalov, 38, multiple U.S. addresses, was sentenced on 10/12/2007 in U.S. District Court, Northern District of Florida, and received 42 months in prison for his participation in a significant and complex phishing scheme that targeted a major financial institution in the Midwest and resulted in multi-million dollar losses.

5. Azizbek Takhirovich Mamadjanov, 21, residing in Florida, was sentenced in June 2007 in U.S. District Court, Northern District of Florida, to 24 months in prison for his part in the same Midwest bank phishing scheme as Paskalov. Paskalov established a bogus company and then opened accounts in the names of the bogus company. The phishing scheme in which Paskalov and Mamadjanov participated targeted other businesses and electronically transferred substantial sums of money into their bogus business accounts. Immigrations Customs Enforcement, Florida Department of Law Enforcement, and the Panama City Beach Police Department were active partners in this investigation.

6. John Schiefer, 26, of Los Angeles, California, agreed to plead guilty on 11/8/2007 in U.S. District Court in the Central District of California, to a four felony count criminal information. A well-known member of the botnet underground, Schiefer used malicious software to intercept Internet communications, steal usernames and passwords, and defraud legitimate businesses. Schiefer transferred compromised communications and usernames and passwords and also used them to fraudulently purchase goods for himself. This case was the first time in the U.S. that someone has been charged under the federal wiretap statute for conduct related to botnets.

7. Gregory King, 21, of Fairfield, California, was indicted on 9/27/2007 by a federal grand jury in the Central District of California on four counts of transmission of code to cause damage to a protected computer. King allegedly conducted DDoS attacks against various companies including a web based company designed to combat phishing and malware.

8. Jason Michael Downey, 24, of Dry Ridge, Kentucky, was sentenced on 10/23/2007 in U.S. District Court, Eastern District of Michigan, to 12 months in prison followed by probation, restitution, and community service for operating a large botnet that conducted numerous DDoS attacks that resulted in substantial damages. Downey operated Internet Relay Chat (IRC) network Rizon. Downey stated that most of the attacks he committed were on other IRC networks or on the people that operated them. Downey's targets of DDoS often resided on shared servers which contained other customers' data. As a result of DDoS to his target, innocent customers residing on the same physical server also fell victim to his attacks. One victim confirmed financial damages of $19,500 as a result of the DDoS attacks.

Recently, I did a post, Botnet owner faces 60 years in prison and a $1.75 million fine, which is about John Schiefer (above).

The amount of damage bot herders have caused millions of people on the Internet is astounding. Even considering only the amount of spam the average Internet user has to deal with on a daily basis, these arrests are good news for the Internet community. Spam is the vehicle by which most scams, misleading advertising and counterfeit goods are spread in the electronic world.

The FBI press release mentioned some great resources where the average person can learn how to avoid becoming the victim of a bot herder.

In closing, I would like to pass them on:

http://www.fbi.gov/
http://www.onguardonline.gov/
http://www.lookstoogoodtobetrue.com/
http://www.uscert.gov/
http://www.ic3.gov/

One not mentioned that I think is great is http://www.fakechecks.org/. A lot of the scams involving counterfeit checks start with a spam e-mail, and most spam is spread using botnets.

AP article on New Zealand teenage bot herder, here.

FBI press release on Bot Roast II, here.

Tuesday, November 20, 2007

DOJ is the latest badge of authority phishermen are using to net victims


This is the DOJ banner used in the screenshot of the phishy e-mail Websense is reporting. Please note that in this instance I merely copied it right from the DOJ website. With minimal knowledge, just about anyone can do the same with any picture from a website, which is why a genuine-looking logo proves nothing about who actually sent a message.

Websense deserves credit for discovering a Trojan downloader disguised as an e-mail from the Department of Justice (DOJ). Opening the attachment is likely to turn your computer into a zombie (part of a botnet) used to send more spam or, worse, to steal information stored on your computer.

This might turn you into an identity theft statistic, depending on what personal and financial information you keep on your computer.

Here is the alert from Websense:

Websense® Security Labs™ has discovered a new email attack variant similar to attacks previously launched on the IRS and Better Business Bureau. The spoofed email claims to be from the United States Department of Justice (USDOJ). We have been tracking these attacks and have previously reported on them on our site.

The message claims that a complaint to the USDOJ has been filed against the recipient's company. The email informs the reader that a copy of the original complaint has been attached to the email.

The attached "complaint" is a Trojan Downloader .scr file with an MD5 of aeb784bc17c4c7e6edc5f1faaa9ed24f.

None of the major anti-virus vendors detected the malicious code.

Websense Security customers are protected from this threat.


In the e-mail Websense used as an example, the message refers to a specific company. This means the attack is possibly targeting people associated with that company directly. This type of more directed attack is now being referred to as spear phishing.
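The two indicators Websense gives, a .scr attachment and its MD5, are exactly what a mail gateway can act on. The example below is added here (my code, not Websense's and not from this blog): it builds a constructed message in the shape described, a fake DOJ complaint carrying an executable attachment, and then triages the attachments by hashing each one, flagging executable and double extensions, and comparing the hash against a known-bad list. The sender address, the filename and the attachment bytes are all constructed; the one hash in the known-bad list is the MD5 Websense published.

```python
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# The only indicator taken from the post: the MD5 Websense published for the .scr.
KNOWN_BAD_MD5 = {"aeb784bc17c4c7e6edc5f1faaa9ed24f"}

# Extensions Windows will execute on double-click; a .scr (screen saver) is a PE binary.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
# Extensions attackers put in front of the real one so "complaint.pdf.scr" reads as a PDF.
DECOY_EXTENSIONS = {"pdf", "doc", "xls", "jpg", "txt", "zip"}


def build_sample_lure():
    """Constructed message in the shape Websense describes; the payload is not malware."""
    msg = EmailMessage()
    msg["From"] = "United States Department of Justice <complaints@usdoj.example>"
    msg["To"] = "accounts@victim.example"
    msg["Subject"] = "Complaint filed against your company"
    msg.set_content("A copy of the original complaint is attached. Please review it.")
    msg.add_attachment(b"MZ\x90\x00not-a-real-binary", maintype="application",
                       subtype="octet-stream", filename="complaint.pdf.scr")
    return msg.as_bytes()


def triage_attachments(raw_message, known_bad_md5=KNOWN_BAD_MD5):
    """Hash every attachment and report the signals a gateway would quarantine on."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        pieces = name.lower().split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        md5 = hashlib.md5(data).hexdigest()
        finding = {
            "filename": name,
            "md5": md5,
            "sha256": hashlib.sha256(data).hexdigest(),
            "executable_extension": ext in EXECUTABLE_EXTENSIONS,
            "double_extension": len(pieces) > 2 and pieces[-2] in DECOY_EXTENSIONS,
            "known_bad": md5 in known_bad_md5,
        }
        # Quarantine on any executable regardless of hash: Websense notes that no
        # major AV detected this sample, so a hash list alone would have missed it.
        finding["quarantine"] = finding["executable_extension"] or finding["known_bad"]
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_attachments(build_sample_lure()):
        print(f"{f['filename']}: md5={f['md5']} executable={f['executable_extension']} "
              f"double_ext={f['double_extension']} known_bad={f['known_bad']} "
              f"-> {'QUARANTINE' if f['quarantine'] else 'deliver'}")
```

The ordering of the checks is the point: the hash match is the weakest signal, because the attacker recompiles and the MD5 changes, while the extension check catches the whole family. The SHA-256 is recorded alongside the MD5 so the indicator can be shared with systems that no longer accept MD5, which is collision-prone and only useful here as a lookup key for a hash someone else published.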

Spoofing (impersonating) government agencies is nothing new. The phishermen use the badge of authority these agencies' names invoke to trick people into opening the attachments in their spam e-mails.

The warning from Websense mentions that the IRS (Internal Revenue Service), the BBB (Better Business Bureau) and many others have had their badges of authority used to lure victims into the phishermen's web.

I was unable to find a recent press release on this directly from DOJ; however, a press release on a similar attack using DOJ's name was released in June.

In it they make the point that DOJ would never send a communication of this nature via e-mail:

The Department of Justice did not send these unsolicited email messages—and would not send such messages to the public via email. Similar hoaxes have been recently perpetrated in the names of various governmental entities, including the Federal Bureau of Investigation, the Federal Trade Commission, and the Internal Revenue Service. Email users should be especially wary of unsolicited warning messages that purport to come from U.S. governmental agencies directing them to click on file attachments or to provide sensitive personal information.

These spam email messages are bogus and should be immediately deleted. Computers may be put at risk simply by an attempt to examine these messages for signs of fraud. It is possible that by “double-clicking” on attachments to these messages, recipients will cause malicious software – e.g., viruses, keystroke loggers, or other Trojan horse programs – to be launched on their computers.

Do not open any attachment to such messages. Delete the e-mail. Empty the deleted items folder.

If you have received this, or a similar hoax, please file a complaint at http://www.ic3.gov/.

In this memo, they also offered some educational resources, which I highly recommend if you are unfamiliar with how the dark side of the Internet works:

Consumers can learn more about protecting themselves from malicious spyware and bogus e-mails at OnGuardOnline.gov, a Web site created by the Department of Justice in partnership with other federal agencies and the technology industry to help consumers stay safe online. The site features modules on spyware and phishing, at http://onguardonline.gov/spyware.html and http://onguardonline.gov/phishing.html.

Current Websense alert, here.

June alert from DOJ on similar attack, here.

Sunday, November 18, 2007

One Bot herder facing 60 years is a small dent in the overall problem!


(Screen shot of botnets for rent courtesy of the Mind Streams of Information Security Knowledge blog)

While John Schiefer, a.k.a. "acid" and "acidstorm," is facing 60 years in prison and $1.75 million in fines for operating a botnet, the problem isn't likely to disappear anytime soon.

Schiefer was part of a hacker group known as Defonic, which gained a lot of notoriety for hacking Paris Hilton's cell phone and breaking into Lexis Nexis. Lexis Nexis is an information broker used by a lot of investigators and collection agencies to find people they are looking for.

Besides Paris, Defonic seemed to have a penchant for celebrity information, a lot of which they gathered by hacking Lexis Nexis, according to Brian Krebs of the Washington Post.

While I already knew this, I ran into a very interesting blog post by Dancho Danchev that illustrates the problem botnets have become worldwide.

In his own words, Dancho describes how botnets can be bought or rented fairly cheaply by spammers, phishermen and corporate spies alike:

What about the prices? Differentiated pricing on a per country is an interesting pricing approach, for instance, 1000 infected hosts in Germany are available for $220, and 1000 infected hosts in the U.S. go for half the price $110. It doesn't really feel very comfortable knowing someone's bargaining with your bandwidth and clean IP reputation, does it? What's worth discussing is the fact that the service isn't marketed as a DIY DDoS service, but as a simple access to a botnet one, where the possibilities for abuse are well known to everyone reading here. Spamming and phishing mailings, hosting and distribution of malware using the rented infrastructure, OSINT through botnets, corporate espionage through botnets, pretty much all the ugly practices you can think of.

The bottom line is that although Mr. Schiefer and some of his friends have been taken down, there are a lot of hackers ready to fill the small void he may have left in the botnet market.

Very INTERESTING read from Dancho on his blog, "Mind Streams of Information Security Knowledge," here.

A lot was written about John Schiefer when he pled guilty. Brian Krebs of the Washington Post deserves a "hat-tip" for giving everyone a lot of insight about Mr. Schiefer's previous dealings.

The post he wrote about this in his blog, Security Fix, can be read, here.

The best way to avoid having your computer become a zombie (botnet member) is to avoid clicking on links in spam e-mail, and to refuse any additional software you are prompted to download after visiting a questionable website.

Most of the time, social engineering lures (trickery) are used to get a human being to put the malicious software on their own system.

Of course, protecting your system with reputable security software is recommended too, though no software makes a system bulletproof against a user who installs the malware themselves.

Sunday, November 11, 2007

Botnet owner faces 60 years in prison and a $1.75 million fine

Until recently, botnet owners seemed able to trash people's systems without facing many consequences. And in a lot of instances, more than a system gets trashed when it is compromised by a botnet owner.

Friday, the Central California U.S. Attorney's office announced the prosecution of one of these botnet owners. Of interest, the botnet owner, John Schiefer, admitted to compromising up to 250,000 computers with malware (malicious software).

In the first prosecution of its kind in the nation, a well-known member of the “botnet underground” was charged today with using “botnets” – armies of compromised computers – to steal the identities of victims across the country by extracting information from their personal computers and wiretapping their communications.

The criminal information and plea agreement filed this morning in United States District Court in Los Angeles outline a series of schemes in which Schiefer and several associates developed malicious computer code and distributed that code to vulnerable computers. Schiefer and the others used the illicitly installed code to assemble armies of up to 250,000 infected computers, which they used to engage in a variety of identity theft schemes. Schiefer also used the compromised computers to defraud a Dutch advertising company.

According to the press release, Schiefer and crew seemed to prefer harvesting eBay and PayPal information:

In his plea agreement, Schiefer acknowledged installing malicious computer code, or “malware,” that acted as a wiretap on compromised computers. Because the users of those compromised computers were unaware that their computers had been turned into “zombies,” they continued to use their computers to engage in commercial activities. Schiefer used the malware, which he called a “spybot,” to intercept electronic communications being sent over the Internet from those zombie computers to www.paypal.com and other websites. Once in possession of those intercepted communications, Schiefer and the others sifted through the data to mine usernames and passwords. With Paypal usernames and passwords, Schiefer and the others accessed bank accounts to make purchases without the consent of the true owners. Schiefer also acknowledged in the plea agreement that he transferred both the wiretapped communications and the stolen Paypal information to others. It is the first time in the nation that someone has been charged under the federal wiretap statute for conduct related to botnets.

It appears that the FBI's Cyber Division might have had something to do with catching Mr. Schiefer and crew.

In June, they announced a nationwide initiative against botnet owners called Operation Bot Roast.

Mr. Schiefer isn't mentioned in the release about Operation Bot Roast, but it appears that the FBI is starting to take this activity seriously and is making it more dangerous for botnet owners to operate.

When Schiefer pleads guilty to all of this on November 28th, he will face a statutory maximum sentence of 60 years in federal prison and a fine of $1.75 million.

Full press release from the United States Attorney's Office Central District of California, here.

If you have been a victim of a botnet owner who turned your computer into a zombie, you can assist the FBI by reporting the matter at the Internet Crime Complaint Center.

They also have some information on how to avoid having your computer turned into a zombie, here.

Sunday, September 02, 2007

Blogger fights back against the storm worm

Since Blogger has been kind enough to host this blog for about two years now, I thought I should do a post about the recent reports concerning malware and Blogger.

Blogger itself wasn't compromised, but a lot of bloggers' individual blogs were. Most people are compromised by malware after clicking on a link they shouldn't have.

This was posted on Blogger Buzz:

You may have seen stories in the news recently about malware on Blogger, such as this one from the BBC or this one from Committee to Protect Bloggers. Blogger was not compromised. Instead, the blog posts are from bloggers whose machines were compromised by a Trojan horse.

These bloggers had their mail2blogger email addresses in their computers' address books (a perfectly legitimate use case), so when the malicious software spammed every address in their address book with its content, a copy of that email was posted to their blog.

We are in the process of notifying impacted bloggers and recommending that they scan their computers and run current anti-virus software, available in the GooglePack. This is also good advice for all computer users, especially those who may have clicked the links in the emails sent by the virus. For more information about computer security, check out upenn.edu and us-cert.gov.

The BBC article mentions that Alex Eckelberry, who blogs at the Sunbelt blog was the first to discover the problem on Blogger. Please note, Alex himself is a Blogger user and the CEO of Sunbelt Software, a computer security company.

Alex has even been kind enough to help me when I ran into a problem or two doing this blog.

Alex has a pretty visual post (lots of screenshots), which shows exactly how the worm would be encountered in the wild.

Of interest, Alex also discovered that Blogger wasn't the only place where people are being lured into downloading the storm worm.

From what I understand the intent of the storm worm is to turn a computer into a zombie, which becomes part of a botnet. Botnets are networks of zombie computers.

Botnets are used to send out spam e-mail and sometimes attack other systems in what are known as DOS (denial of service) attacks. They are also used to commit click fraud.

Of note, most Internet fraud can be traced to a spam e-mail.

Besides running a scan with good anti-virus software (to see if you've been compromised) -- the best defense is to learn how to spot the lures that are designed to trick people into clicking on them. In most instances, this will stop the problem before it happens!

Thursday, June 14, 2007

FBI roasts a few Bot-Herders, which will free up to a million Zombies

Sick and tired of all the spam filling up your inbox, despite filtering technology that doesn't seem to work very well? If you are, Operation Bot Roast is a story that might catch your interest, or if you are like me, is chicken soup for the soul.

Botnets are a primary cause for the ever increasing levels of spam. Botnets are infected computers that their masters (bot-herders) turn into zombies, spewing out spam e-mails by the millions.

These bot-herders cause a lot of us a whole lot of grief.

The FBI press release announced yesterday:

They’re called “bot-herders:” hackers who install malicious software on computers through the Internet without the owners’ knowledge. Once the software is loaded, they can control the computer remotely. And once they’ve compromised enough computers, they have a robot network or botnet.

Some botnets are huge: tens of thousands of infected computers. Or more. As a result of Operation Bot Roast, an ongoing and coordinated initiative to disrupt and dismantle these bot-herders, we’ve identified about 1 million computers across the country that have been compromised.

According to the press release, several people have been arrested, including three of the big-time "masters."

Full story from the FBI, here.

Also contained are a lot of useful links on protecting yourself -- and of course your computer -- and what to do if you think your computer was turned into a zombie.

Bot-herders have been reported to rent out their illicit networks to organized criminals by the hour.



What your computer must feel like after being turned into a zombie (Courtesy of Wikipedia).

Friday, April 20, 2007

While a nation mourns, cyber criminals are on the attack

Earlier in the week, I blogged about how cyber criminals (ghouls) would likely use the Virginia Tech disaster to line their pockets.

According to Jeremy Kirk, IDG News Service, this prediction is coming true -- and according to experts -- fake domains are being set up at a faster rate than after the Katrina hurricane.

Even malicious software, a.k.a. crimeware, is being circulated via spam e-mails, claiming to have a link to cam phone footage of the incident.

Clicking on this filth can turn your computer into a zombie (normally used in a botnet to send more spam) -- or even log your personal and financial details -- which might be later sold in a carder forum (used for identity theft).

Very interesting and sad commentary on how cyber criminals are on the attack, while a lot of people are in mourning, here.

One place I recommend sending any of this trash you spot is CastleCops':

Phishing Incident Reporting and Termination Squad (PIRT)

They make sure this garbage gets reported to all the appropriate parties!

Monday, April 09, 2007

Fake e-mail claiming U.S. has attacked Iran contains Trojan

If you receive an e-mail that Iran has been toasted by a U.S. strike, be careful about clicking on the attachment. Doing so might toast your computer system.

John McDonald posted this information on the Symantec blog:

Over the weekend Security Response received samples of the latest variants of Trojan.Peacomm and W32.Mixor doing the rounds. The social engineering trick employed this time is in appealing to people's sense of fear as well as natural curiosity of a possible Middle East war involving the United States, Iran and Israel.

Subjects include "USA Just Have Started World War III" / "Missle Strike: The USA kills more then 20000 Iranian citizens" / "Israel Just Have Started World War III" / "USA Missile Strike: Iran War just have started". From the sample emails that we have seen to date, the actual email body is blank, and the attached files have various names such as "video.exe", "movie.exe", "click here.exe", "clickme.exe", "readme.exe" and "read more.exe".

More on this on the Symantec blog, here.

An unprotected computer might be turned into a zombie, which becomes part of a botnet (used to harass the rest of us with lots of more spam) if one of these attachments is clicked on.

Spam is often used to facilitate financial crimes, such as identity theft.

It pays to be EXTREMELY careful before clicking on any (unknown) attachments received via e-mail.

Wednesday, February 14, 2007

Valentine's Day Virus moving quickly across the Internet

Sophos is reporting a nasty virus which, if downloaded, sends more e-mail to everyone in your address book.

They suspect that the worm opens a gateway, which will allow your computer to be turned into a zombie and be used to send more spam e-mails.

Here is a portion of the alert from Sophos:

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned of a widespread worm posing as a St Valentine's Day greeting which is spreading fast across the internet.

The W32/Dref-AB worm has been deliberately spread via email in readiness for office workers and home computer users to find the malicious Valentine email in their inbox first thing in the morning. Since midnight GMT the Dref-AB worm has accounted for 76.4% of all malware sighted at Sophos's global network of virus monitoring stations.

Subject lines used in the attack are many and varied, but all pose as a romantic message. Some of them include "A Valentine Love Song", "Be My Valentine", "Fly Away Valentine", "For My Valentine", "Happy Valentine's Day", "My Lucky Valentine", "My Valentine", "My Valentine Heart", "My Valentine Sunshine", "Send Love On Valentines", "The Valentine Love Bug", "The Valentines Angel", "Valentine's Love", "Valentine's Night", "Valentine Letter", "Valentine Love Song", "Valentine Sweetie", "Valentines Day Dance", "Valentines Day is here again", and "Your Love on Valentine's".

Sophos alert, here.

Spam is getting out of control and seems to be defeating spam filters (too often). Here is more evidence of this problem:

2006 was the Year of Internet Crime - 2007 is predicted to be even worse

Spoofed (counterfeit) BBB e-mails contain virus

If you get an e-mail from the Better Business Bureau stating you have received complaints don't click on the link to view them.

Annys Shin (Washington Post) is reporting:

The Better Business Bureau network was the target of a "spoofing" scam yesterday in which thousands of businesses in the United States and Canada received e-mails encouraging them to download what is thought to be a computer virus.

The e-mails, using the name of the 95-year-old network of nonprofit groups that looks into consumer complaints, told businesses that they were the subject of a complaint and included a link to view related documents. Clicking on the link, however, accessed the address book of an infected computer and distributed the counterfeit e-mail to more recipients, said Steve Cox, spokesman for the Council of Better Business Bureaus.

Washington Post article, here.

Wandering over to the BBB site to see what they had to say, I found a little more information. Apparently, if you click on the link, it downloads an executable file, believed to contain a virus.

The BBB and others are calling this a phishing attempt, but in phishing the intent is normally to get the user to provide personal and/or financial information to the sender. Since this doesn't seem to be the case, and no one is saying exactly what the executable file (virus) is, this doesn't appear to be phishing.

It will be interesting to see exactly what this executable file does, but some computer viruses (crimeware and malware) download keyloggers, which log a person's keystrokes and are used to steal personal and financial information.

Other computer viruses might turn a computer into a zombie, which allows someone else to use it for their own purposes (sending spam or denial of service attacks). Zombie computers are formed into what is known as botnets (groups of zombie computers), which are used for illicit purposes by their "controller."

You can download a lot of nasty things by clicking on something from someone you don't know. And the people behind it like to spoof well known entities, such as the BBB. Organizations from eBay to the FBI have been spoofed in the past.

Example of spoofed e-mail from the BBB site:

From: operations@bbb.org [mailto:operations@bbb.org]
Sent: Tuesday, February 13, 2007 6:06 AM To: XXXX
Subject: BBB Case #263621205 - Complaint for XXXX

Dear Mr./Mrs. XXXX

You have received a complaint in regards to your business services. The complaint was filled by Mr. XXXX on 02/05/2007/

Use the link below to view the complaint details:

DOCUMENTS FOR CASE #263621205

Complaint Case Number: 263621205
Complaint Made by Consumer Mr. XXXX Complaint
Registered Against: Company XXXX
Date: 02/05/2007

Instructions on how to resolve this complaint as well as a copy of the original complaint can be obtained using the link below:

DOCUMENTS FOR CASE #263621205

Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them:
- Claims based on product liability;
- Claims for personal injuries;
- Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.

The decision as to whether your dispute or any part of it can be arbitrated rests solely with the BBB.

The BBB offers its members a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.
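As an added example (not code from this blog, nor from Symantec, Sophos or the BBB), here is a small Python triage script for the two lure shapes these posts describe: a mail that claims a trusted sender (operations@bbb.org) but links off that domain to an executable, and a blank mail with an executable attachment such as "click here.exe". The two sample messages, the placeholder.invalid host and the "MZ placeholder" bytes are constructed stand-ins, since the page does not show the real link target.

```python
# Added example (not from the blog, Symantec, Sophos or the BBB): mail-triage
# checks for the lure shapes described above, with constructed sample messages.
import re
from email.message import EmailMessage
from urllib.parse import urlparse

EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
HREF_RE = re.compile(r"""href=["']([^"']+)["']""", re.I)

def sender_domain(msg):
    # Domain the From: header claims, e.g. 'bbb.org' for operations@bbb.org
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""

def body_links(msg):
    # href targets in the HTML body (falls back to the plain body); [] if the mail has no body
    body = msg.get_body(preferencelist=("html", "plain"))
    return HREF_RE.findall(body.get_content()) if body else []

def offdomain_links(msg):
    # Links whose host is neither the claimed sender domain nor a subdomain of it
    claimed = sender_domain(msg)
    return [u for u in body_links(msg)
            if (h := (urlparse(u).hostname or "").lower()) != claimed
            and not h.endswith("." + claimed)]

def executable_links(msg):
    # Links whose path ends in an executable extension (a download, not a document)
    return [u for u in body_links(msg) if urlparse(u).path.lower().endswith(EXEC_EXTS)]

def executable_attachments(msg):
    # Attachment names like 'video.exe' or 'click here.exe'
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(EXEC_EXTS)]

def lure_reasons(msg):
    # One tag per heuristic that fires; an empty list means nothing was flagged
    checks = [("exec-attachment", executable_attachments),
              ("offdomain-link", offdomain_links), ("exec-link", executable_links)]
    return [tag for tag, fn in checks if fn(msg)]

def bbb_sample():
    # Constructed stand-in for the spoofed BBB mail quoted above; the link target is a placeholder
    msg = EmailMessage()
    msg["From"] = "operations@bbb.org"
    msg["Subject"] = "BBB Case #263621205 - Complaint for XXXX"
    msg.set_content('<a href="http://placeholder.invalid/case.exe">DOCUMENTS</a>', subtype="html")
    return msg

def blank_attachment_sample():
    # Constructed stand-in for the blank-bodied mails carrying an executable attachment
    msg = EmailMessage()
    msg["From"] = "news@placeholder.invalid"
    msg["Subject"] = "USA Just Have Started World War III"
    msg.add_attachment(b"MZ placeholder", maintype="application",
                       subtype="octet-stream", filename="click here.exe")
    return msg
```

lure_reasons() returns ["offdomain-link", "exec-link"] for the spoofed BBB mail and ["exec-attachment"] for the blank mail, which is the distinction the post above draws between a credential-phishing mail and a malware download lure.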