What is this graphic about? Read on, Gentle Reader!

Malcovery: Email Based Threat Intelligence and GameOver Zeus

• How would one of my users likely be infected by this malware?
• What email subjects or messages may have sent this malware?
• Did that spam campaign deliver other malicious attachment or malicious URLs?
• If one of my users were compromised by this malware, what network activity may result?
• What additional malicious files might be downloaded by a computer compromised with this malware?
• . . . and other questions, depending on the nature of the malware

GameOver Zeus's Encrypted Drop Sites

Since that initial post, we've seen GameOver Zeus-related encrypted files drop from more than 200 different internet locations, get decrypted by the Dropper malware, and execute themselves to begin communicating with the Peer to Peer GameOver Zeus infrastructure. The full list of many of those URLs, with the date on which we saw the spam campaign, the brand, item or company being imitated in that spam campaign, and the URLs where the GOZ binary were accessed, is available at the end of this article. Here is a sampling of some of the most recent ones for now to help understand the process...

For each of the campaigns above, Brendan, Wayne, and J, our malware analysis team, pushed out both an XML and STIX version of the machine readable T3 reports so that our customers could update themselves with information about the spam campaign, the IP addresses that sent that spam to us, the hashes of the spam attachment, the hostile URLs, and the IP addresses associated not only with the GameOver Zeus traffic, but whatever other malware was dropped in the same campaign. As the FBI indicated, it was extremely common for GameOver Zeus infected computers to ALSO become infected with CryptoLocker.

T3: Protection for Today and Tomorrow

First - I isolated network activity for the 92 distinct spam campaigns illustrated above. (There were many more GameOver Zeus campaigns than that, but I was sticking to those samples that used the "encrypted file decrypted by the dropper" version that I had written about in February, so this is a sampling ...)

For each IP address that showed up in network traffic within those 92 campaigns, ranging from February 6, 2014 to May 30, 2014, I counted how many distinct campaigns that indicator had been seen in. Fifty-six IP addresses showed up in ten or more of those campaigns.

I took those IP addresses, and asked the Malcovery Threat Intelligence Database "which spam campaigns delivered malware that caused traffic to those IP addresses?" and was surprised to see not just the original 92 campaign I started with, but 360 distinct spam campaigns!! I culled that down by eliminating the campaigns that only touched ONE of those 56 IP addresses of high interest. The remaining 284 campaigns could be placed into 103 groups based on what they were imitating. Most of the top brands should be familiar to you from Malcovery's Top 10 Phished Brands That Your Anti-Virus is Missing report.

I threw the data into IBM's i2 Analyst Notebook, my favorite tool for getting a quick visualization of data, and did some arrangement to try to show the regionality of the data. I know the graph is too dense to see what is in the interior, but let me explain it here:

On the left are IP addresses that are owned by Microsoft. They are arranged by Netblock, with the size of the Computer icon representing how many malware campaigns that IP was linked to. Top to bottom numerically by Netblock, these are from the 23.96 / 23.98 / 137.116, 137.135, 138.91, 168.61, 168.63, 191.232 blocks. The Microsoft traffic only started appearing in late April, so it is possible this is traffic related to "sinkholing" or attempting to enumerate the botnet as part of the investigation. I have no insider knowledge of any such activity, just stating what we observed. We *DID* go back and look at the packet captures for these runs (we keep all of our PCAPs) and the traffic was exactly like the other Peer to Peer chatter for GameOver Zeus.

On the top are IP addresses in APNIC countries. Flag test: Japan, Hong Kong, China

On the right are IP addresses in ARIN countries. (Canada, USA)

In the bottom right corner is one LACNIC IP. (Venezuela)

And on the bottom are RIPE countries. (Netherlands, Moldova, Switzerland, Great Britain, Ukraine, Sweden, Belgium, France, and Austria)

The IP addresses on the chart above are also included here in tabular form:

Prominent IP addresses Associated with GameOver Zeus and associated malware

Encrypted GameOver Zeus URLs seen by Malcovery

Naser Al Mutairi, a Kuwait City resident known to be the author of njRAT through his varias aliases, njq8, xnjq8x, njq8x, and njrat

Mohamed Benabdellah, an Algerian living in or near Mila, Algeria, who uses the aliases Houdini, houdinisc, and houdini-fx

and Vitalwerks Internet Solutions, LLC, d/b/a No-IP.com, with offices at 5905 South Virginia Street, Suite 200, Reno, Nevada 89502.

The lawsuit is also filed against "John Does 1-500" who are supposedly the 500 priniciple operators of njRAT and H-Worm malware. (H-Worm is a closely related RAT software, likely based off the same source code). Because they do not yet know the identities of these RAT operators, the are assigned "John Doe" aliases, in hopes that the power of discovery granted by the lawsuit can help to reveal their true identities.

On the other side of this Internet battle is Vitalwerks and their literally millions of service users. Vitalwerks provides the capability to host an Internet service despite the fact that your computer may be using DHCP-assigned IP address. Normally a webserver has to have a permanently assigned IP address which is listed by a DNS service so that computers on the Internet can find the service you are offering. With Dynamic DNS services, your computer can link to the service and constantly update its IP address so that even if your IP changes many times per day, your service users can find you. In Microsoft's lawsuit, they agree that "Dynamic DNS is a vital part of the Internet because it allows anyone to have a domain name even though they have a changing IP address." Their accusation is found in the next sentence, "However, if not properly managed, a Dynamic DNS service can be susceptible to abuse."

The lawsuit points out that in April 2013, OpenDNS published an article online detailing its investigation into Dynamic DNS abuse. In that study,On the Trail of Malicious Dynamic DNS Domains by my friend Dhia Mahjoub, OpenDNS collected resolutions of various Dynamic DNS domains, and concluded that during their study some domains, such as "hopto.org" were used for malicious purposes as often as 56% of the time! Other highly malicious URLs included:

hopto.org - 56.71%
us.to - 49.45%
myftp.org - 37.50%
myvnc.com - 33.33%
myftp.biz - 20.20%
dlinkddns.com - 12.22%
no-ip.info - 10.70%
no-ip.org - 4.57%

This blogger confirmed the complaint firsthand that is made by No-IP themselves. Although Microsoft was supposedly going to ensure that "legitimate" no-ip customers were not impacted, for a significant part of the day on June 30, 2014, large portions of the Internet (including three linux servers that this blogger uses on three separate networks) had no idea how to find the no-ip domains. The nameservers were not propagated in such a way that the changes were seamless. No-IP's Formal Statement on Microsoft Takedown can be found on their website. In that statement, No-IP claims that "billions of queries" from "millions of innocent users" were dropped "because of Microsoft's attempt to remediate hostnames associated with a few bad actors" and implies that Microsoft did not dedicate enough resources to handle the traffic.

The primary purpose of the court orders was in fact to allow Microsoft to take matters into their own hands and filter the traffic for 130 pages worth (more than 18,000 3LDs) that were hosted by NO-IP and were associated with criminal activity and malware, primarily related to the two RATs, njRAT and H-Worm.

Of course on the other side of that is the fact that Microsoft documents that in the past twelve months MORE THAN SEVEN MILLION WINDOWS USERS were impacted by malware hosted on NO-IP domains! If someone's infrastructure is routinely abused to harm seven million of your customers, don't you have a right to do something about it? While NO-IP can claim that they have an active abuse desk that deals with these complaints, dozens of criminal tutorials would not recommend that you host your malware by setting up a NO-IP address, many of which have lived on consistent names for MANY MONTHS (as in the names mentioned in the above Symantec link) unless there was a clear pattern of NOT terminating offending 3LD (third level domains).

Cisco's fabulous cybercrime fighter, Levi Gundert, who I first worked with while he was working on the LA Electronic Crimes Task Force, as one of the most effective U.S. Secret Service cybercrime agents, and who later worked for Team Cymru, recently wrote a piece for Cisco's blog on Dynamic Detection of Malicious DDNS. Levi says that Free DDNS services "check all of the necessary attack boxes" that make the service desirable for criminals. As he explains:

Free DDNS services, by comparison, check all of the necessary attack boxes. Sub-domains can be quickly and easily generated and DNS records are trivially changed. For the remote access Trojan (RAT) crowd that are typically attempting to spy on female victims and running servers from home, DDNS is a natural fit. In fact, searching the web for tutorials on using freely available RATs like Black Shades, Dark Comet, or Poison Ivy returns results that all instruct RAT attackers to first create DDNS sub-domains in order to properly configure the RAT, specifically enabling a “back connect” to the attacker. Naturally, one segment of RAT users tend to be less technical, relying on tutorials and point and click interfaces to actually launch the RAT, which likely contributes significantly to the overall metrics of malicious DDNS use.

Levi provides this graph showing how often Cisco's Cloud Web Security blocks Dynamic DNS third level domains based on the reputation of that service in the following graph:

zapto.org, one of the NO-IP domains, is blocked 100% of the time by users of Cisco's Cloud Web Service. no-ip.info, no-ip.org, and no-ip.biz are also all blocked between 50% and 100% of the time based on reputation. Levi next goes on to show of all the DDNS base domains, "what do the corresponding malware numbers look like for the DDNS domains most abused by threat actors?"

Even after such widespread and published reports of NO-IP being used for malware abuse, Microsoft observed no significant change in their abuse practices, based on the malware analysis they performed. Following the February 2014 Cisco report, Microsoft "continues to see 2,000-3,000 new unique malware samples per month that are supported by No-IP."

But that doesn't mean No-IP is not responsive. Brian Krebs reported on this conflict in his article today Microsoft Darkens 4mm Sites in Malware Fight where he quotes No-IP's Natalie Gogun as saying that of the 18,000 sites mentioned in the Temporary Restraining Order, only about 2,000 of them were actually still live. Krebs quotes Crowdstrike's Dmitri Alperovitch mentioning that No-IP has always been very responsive, and I've seen the same. In fact, immediately following the Cisco blog above, a member of the No-IP security team was observed by this blogged on a security researcher mailing list asking if anyone could help him get the full list so he could make sure they killed all of the domain names mentioned. (Hi, Kurt!)

The problem here may be the nature of the malware used on these sites. While the security community regular sees and reports on financial crimes malware, such as Zeus, or malware that has significant and widespread distribution, in most cases njRat no-ip domains are being used by small-time botmasters to allow themselves to spy on a few dozen webcams. In fact, a review of more than 1800 recent URLs associated with delivering financial crimes malware observed by Malcovery Security's T3 product, NONE of the No-IP domains were seen to be used. Financial crime malware does not seem to be heavily associated with No-IP. While njRat certainly has the capability to be used for more significant crimes (including installing any additional malware desired by the criminals, and famously being used by the Syrian government to spy on the rebels) its primary reputation is as a tool for online perverts. Their typical victims tend to lack the Internet-savvy that allows corporate, industry, and government malware victims to report malware victimization to No-IP to receive a response. Sophisticated financial crimes malware criminals are very unlikely to link their malware back to dynamic DNS hosts that they personally control and are much more likely to use "more permanent" hosting in the form of hacked or leased servers.

The Microsoft complaint mentions YouTube, and we were able to quickly find many similar njRAT tutorials. There were also njRAT groups hosted on Facebook where botmasters were openly trading photographs of victims and offering to "trade slaves" (as they refer to the pretty girls whose webcams they control.) We reported three such groups to Facebook Security who took quick action to kill the groups which had a combined membership of more than 16,000 users!

Some examples of these creeps work might help illustrate the type of crimes committed by the typical njRat botmaster:

Farid shows a screenshot boasting of 200 simultaneously online njRAT victims.

Farid frequently posts photos of his conquests:

Others do the same:

Here's the Before and After of Farid's njrat group . . .

and after we reported the group to Facebook Security . . .

Conclusions?

I can't really take sides on this one. Do we need to do something more to help the victims of this kind of malware? Absolutely. Was it necessary to seize 22 domains at No-IP? I can't argue with Microsoft wanting to prevent infections to more than 7 million Windows victims, but I certainly can understand the great frustration experienced by the No-IP folks.

June 16 - Disk57.com first sighted

Subject: USPS - Missed package delivery
Subject: You have received a new fax
Subject: Scanned Image from a Xerox WorkCentre

The files attached to those messages included:

USPS1758369.zip - (22,331 bytes) - MD5: 73c4758a84c4a0e24e4f34db69584d26
(VirusTotal results at report time: 3/54)

Scan.zip - (22,329 bytes) - MD5: cbfb3f1e40b30d01f4dda656d7f576e7
(VirusTotal results at report time: 3/54)

IncomingFax.zip - 22,329 bytes - MD5: 048dcc8c9639d2e8ccea362fdb5f7d3e
(VirusTotal results at report time: 3/54)

All three of those .zip files contained the same binary, with the varying names, USPS06162014.scr, Scan.scr, and IncomingFax.scr.

(40,960 bytes) - MD5: 36e264de2cb3321756a511f6c90510f5

(VirusTotal results at report time: 0/54)

By a week later, the detection rate was up to 38 of 46 AV products detecting this as malware, but at the time of the spam campaign, only Sophos and K7 had signature-based detection for the malware, though some vendors may have offered other types of protection.

Whichever of the three versions you downloaded, the SCR file was actually a PE-executable which would contact the site "disk57.com" in order to "check in" by hitting the file "gate.php" on that server. The Ukrainian server in question, 188.190.117.93, (AS197145, Kharkiv Infium LLC) had been seen previously communicating with malware on March 26 and March 27 using the domain name "malidini.com".

The registry was modified so that a copy of the .scr file (now named as an .exe) would be executed on the next start up due to a Policy statement located in "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\818107311"

This resulted in the downloaded of a 7200 byte ".mod" file

More Disk57.com sightings

June 16 - Wells Fargo 
June 17 - USPS
June 18 - HSBC
June 18 - Xerox
June 18 - New Fax
June 30 - HSBC - Subject: Avis de Paiement
June 30 - New Fax - Subject: You have received a new fax message
June 30 - Scanned Document - Subject: Scan de 
July 1 - BanquePopulaire
July 1 - French government
July 3 - Xerox
July 3 - UPS
July 3 - Wells Fargo

As on June 16th, executing the .scr file resulted in an exchange with the "gate.php" file on disk57.com on 188.190.117.93, resulting in a 7200 byte ".mod" file being downloaded.

On June 30th, however, this exchange resulted in a copy of the Cutwail binary, b02.exe, being downloaded from jasongraber.com on the path /css/b02.exe. (IP 192.64.181.14). b02.exe had a file size of 41,472 bytes - MD5: 84822121b11cce3c8a75f27c1493c6bb with a VirusTotal report of 2/54 at report time.

Upatre Updated

Subject: Scan from a Xerox WorkCentre - seen 1209 times by Malcovery
Subject: New Fax: # pages - seen 288 times by Malcovery
Subject: IMPORTANT - Confidential documents - seen 88 times by Malcovery
Subject: UPS - Credit Card Billing Adjustment. Ref#(random) - seen 178 times by Malcovery

1,941 messages were sent to our Spam Data Mine from 1,037 different sending IP addresses.

The .zip files still contained .scr files that were all the same
file size (23,040 bytes) MD5: 870c63c4420b6f187066a94ef6c56dc6 - VirusTotal report: 1/53 at report time.

However this time there were three very different URLs downloaded as a result of the initial click. The downloaded malware behaved almost exactly like the UPATRE samples that were used to distribute the encrypted version of GameOver Zeus that we wrote about back in February. (See: GameOver Zeus Now Uses Encryption to Bypass Perimeter Security.)

UPATRE Update

Three touches to the OVH (AS16276) IP address 94.23.247.202 resulted in three files so-called PDF files being downloaded from repele.net on IP address 82.220.34.132, each with the name "css/agreement.pdf". UPATRE did its magic, converting each of these files into another binary executable:

agreement.pdf = 131,173 bytes - MD5: 354283b80cc9e63d872475175d20f14d

(became CryptoWall Encryption ransomware, (in our case, named 09acd07.exe and located in a directory 09acd07 - 183,296 bytes - MD5: 6238af3e78f3316ea5f0192cb8cf3167 - VirusTotal reports detection of 14/53 at report time

which made connection to three C&C servers:
- vivatsaultppc.com - 194.58.101.96 in Russia (AS39134)
- bolizarsospos.com - 194.58.101.3 in Russia (AS39134)
- covermontislol.com - 31.31.204.59 in Russia (AS12695)

After encrypting files, the victim is shown the following text, with a timer counting down from 168 hours:

Your files are encrypted. To get the key to decrypt the files you have to pay 750 USD/EUR. If payment is not made before 10/07/14 - 15:37 the cost of decrypting files will increase 2 times and will be 1500 USD/EUR

(Other files found in that subdirectory included, DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.TXT, and DECRYPT_INSTRUCTION.URL.)

agreement-2.pdf = 51,266 bytes - MD5: 06a16a7701c748467a0b8bc79feb7f35

(became Cutwail spamming botnet malware, mshvsk.exe (random file name) - 39,936 bytes - MD5: c1cc8b5eaf7f25449cfda0c6cd98b553 - VirusTotal reports detection of 1/54 at report time.

which then began communications to seven separate C&C servers:
- 91.217.90.125 in Russia (AS48031)
- 93.171.172.129 in Russia (AS29182)
- 93.170.104.81 in Netherlands (AS50245)
- 148.251.94.182 in Germany (AS24940)
- 91.237.198.93 in Russia (AS198681)
- 91.234.33.125 in Ukraine (AS56485)
- 91.221.36.184 in Russia (AS51724 - FLYNET)

agreement-3.pdf = 27,811 bytes - MD5: 19a1986f6fd0f243b02bba6cb77e9522

(became Andromeda botnet malware: gqxse.exe (random file name) - 23,150 bytes - MD5: 8e6c9e794739e67969c6f81a5786d9e7 VirusTotal reports detection of 0/54.

which then called out to disk57.com / gate.php)

What to do?

In the meantime, we need to begin smashing their infrastructure at every chance we can get. Seize the hardware if we can, disable the routing of the traffic if we can't, and DEFINITELY block that infrastructure within our homes and companies!

Do yourself and your company a favor by sharing a link to this blog and recommending that your IT Security staff block the addresses shared above. If you live in a country where you can help, please do so!

Jump to bottom for update list of malicious URLs

    date    |                subject                |           sender_name           
------------+---------------------------------------+---------------------------------
 2014-07-08 | In arrears for driving on toll road   | E-ZPass Collection Agency
 2014-07-08 | In arrears for driving on toll road   | E-ZPass Info
 2014-07-08 | In arrears for driving on toll road   | E-ZPass Customer Service Center
 2014-07-08 | In arrears for driving on toll road   | E-ZPass Info
 2014-07-08 | Indebted for driving on toll road     | E-ZPass Service Center
 2014-07-08 | Indebted for driving on toll road     | E-ZPass Service Center
 2014-07-08 | Indebted for driving on toll road     | E-ZPass Collection Agency
 2014-07-08 | Indebted for driving on toll road     | E-ZPass Customer Service Center
 2014-07-08 | Indebted for driving on toll road     | E-ZPass Info
 2014-07-08 | Indebtedness for driving on toll road | E-ZPass Collection Agency
 2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
 2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
 2014-07-08 | Pay for driving on toll road          | E-ZPass Info
 2014-07-08 | Payment for driving on toll road      | E-ZPass Info
 2014-07-08 | Payment for driving on toll road      | E-ZPass Info
 2014-07-08 | Payment for driving on toll road      | E-ZPass Info

          machine          |                               path                                
---------------------------+-------------------------------------------------------------------
 www.federalparts.com.ar   | /tmp/api/3eLv aFKXBvmuxydKFVfEZIMWSl7f4VJfOpfcdAHPeo=/toll
 www.fiestasnightclub.com  | /tmp/api/kJ1a5XRhE7MM9YhRVR1186why1TgPCPH7aieECyjb I=/toll
 www.flavazstylingteam.com | /tmp/api/vBrLdEDWRK4sXs6KaHEbWzHnbEYIFSo42BZvGd4crCY=/toll
 www.fleavalley.com        | /tmp/api/ycI2IRHcInDd1/cetyLMZMjwyxKxTAEHFkjk1dRUfYs=/toll
 www.frazeryorke.com       | /wp-content/api/LtvaZdAvP3GFuaqyulY/C3haFCeID3krbtMHt52cdnM=/toll
 www.fsp-ugthuelva.org     | /tmp/api/fMVyiIXcbY9gamr17zPrnhTgz2Zvs825GTmvvRjlTIA=/toll
 www.fyaudit.eu            | /components/api/yiBOsvUdvftbCd4Fa1zmVtIkbs4x3ThiUnFoIgwyI9Q=/toll
 www.giedrowicz.pl         | /tmp/api/R4a4iKmACUtWoRHq1DsCiQ1aH 3J7QgBMfp1zq8gqj8=/toll
 www.gostudy.ca            | /components/api/Q/sV7HtfnZGOW4lzlLSfFuKM/lLu8LQmOlT TVXKb2o=/toll
 www.graphiktec.com        | /tmp/api/nZbX6I6vYQrsTlY4OAw44Qq96Lnw/JOoLDdBmdLh21M=/toll
 www.h2oasisinc.com        | /components/api/BivlBt/AhVodCMM9zRuvcQpIyG2X6Knd8sERnP1 QDA=/toll
 www.habicher.eu           | /tmp/api/yra96tiDlyYbYxsbJpr/hDVSPmwh6GKYLF6PaD3nUAI=/toll
 www.grupoancon.com        | /components/api/6jI99hwDmjAvkEvuX8JvVSkS3InPtLii ZN3dbIVkOM=/toll
 www.happymaree.com.au     | /tmp/api/d4ik5Y2GvCVSSJQhXI9wYYpBvxjLS78peeRYMKV0V7c=/toll
 www.headspokerfest.com    | /tmp/api/RTuPCuYLjaj1KnTeJrMlCoH9HL4IixR eBvajB6TCeE=/toll
 www.headspokerfest.com    | /tmp/api/43J6l5G/CkNp6kmGl0b jUY/oOL4411pPds8nylDE5g=/toll

Both are conveniently named for the City and ZIP Code from which we are connected.

For example:

76.74.184.127:443
113.53.247.147:443
50.57.139.41:8080
188.165.192.116:8080
82.150.199.140:8080
203.157.142.2:8080
212.45.17.15:8080
92.240.232.232:443
188.165.192.116:8080

Thanks to some updates from new friends on Twitter, we wanted to give an update on what we are seeing in the Malcovery Spam Data Mine. Because every advertised URL is unique, we have taken the approach of replacing the "unique stuff" with "...STUFF..." in the URLs below. The important part is that we realize that anything that you see in your logs that includes either "tmp/api" or "wp-content/api" or "components/api" and then some "STUFF" and then "=/toll" is going to be one of these URLs that is part of the current E-Z Pass spam, which began on July 8th and is still continuing here on July 12th. If you have access to Very Large Logs, we'd love to get YOUR URLs of this pattern to see if we can help webmasters identify and shut this stuff down. Note the alphabetical progression through compromised domain names? These are sorted by timestamp, not by domain name. It just so happens those are the same thing. We believe the criminals have a very large list of pre-compromised domains that they can use at will. Possibly these are just harvested passwords from other malware campaigns.

This malware is the ASProx malware. If anyone has more details on the "what happens next?" part of the malware, please do share. What we have observed and been told is that infected machines are primarily used for advertising click-fraud, but happy to learn more about those aspects and share what we learn.

In the Kilobit/Las Vegas indictment, the charges are that Seleznev did "Participate in a Racketeer Influenced Corrupt Organization [RICO]" and "Participated in a Conspiracy to Engage in a Racketeer Influenced Corrupt Organization."

The whole group are described in the indictment like this:

"The defendants herein, and others known and unknown, are members of, employed by, and associates of a criminal organization, hereafter referred to as "the Carder.su organization," whose members engage in acts of identity theft and financial fraud, including, but not limited to, acts involving trafficking in stolen means of identification; trafficking in, production and use of couterfeit identification documents; identity theft; trafficking in, production and use of unauthorized and counterfeit access devices; and bank fraud; and whose members interfere with interstate and foreign commerce through acts of identity theft and financial fraud. Members and associates of the Carder.su organization operate principally in Las Vegas, Nevada, and elsewhere.

The important thing to understand about RICO is that as PART OF THE CORRUPT ORGANIZATION all of the charged members are sentenced as if the whole group did all of the crimes.

What does that mean to Seleznev? In Las Vegas, Nevada, Seleznev is being charged with being part of a RICO group that is credited with directly causing, in actual measured and aggregated fraudulent transaction losses, $50,893,166.35!!

But before Vegas gets their hands on him, Seleznev will face charges in the Western District of Washington for Case # 2:11-cr-0070-RAJ-1.

In that case, Roman Seleznev, AKA TRACK2, AKA Roman Ivanov, AKA Ruben Samvelich, AKA nCuX, AKA Bulba, AKA bandysli64, AKA smaus, AKA Zagreb, AKA shmak is charged with:

(Counts 1-5) Bank Fraud 18:1344 & 2
(6-13)  Intentional Damage to a Protected Computer 18:1030(a)(5)(A) & 1030(c)(4)(B)(i) & 2
(14-21) Obtaining InformationFrom a Protected Computer 18:1030(a)(2) & 1030(c)(2)(ii) & 2
(22) Possession of Fifteen or More Unauthorized Access Devices 18:1029(a)(3) & 1029(c)(1)(A)(i) & 2 
(23-24) Trafficking in Unauthorized Access Devices 18:1029(a)(2) & 1029(c)(1)(A)(i) & 2  
(25-29) Aggravated Identity Theft 18:1028(a)(1) & 2

Washington charges that Seleznev "knowingly and willfully devised and executed and aided and abetted a scheme and artifice to defraud various financial institutions, including, but not limited to, Boeing Employees' Credit Union, Chase Bank, Capital One, Citibank, and Keybank, and to obtain moneys, funds, and credits under the custody and control of the banks by means of material false and fraudulent pretenses, representations and promises, as further described below."

Seleznev would:

1. hack into retail businesses,
2. install malicious computer code onto those hacked computers,
3. and use the malware to steal credit card numbers from the victim businesses' customers
4. market and sell the stolen credit card numbers on "criminally inspired" websites
5. thus allowing these cards and the associated accounts to be used for fraudulent purposes by the customers of his service.

Seleznev's websites for selling cards were primarily bulba.cc, secure.bulba.cc, Track2.name, and secure.Track2.name.

The targeted businesses usually had several "point of sale" terminals "up front" and a "back of the house computer" which may have been a server or perhaps even just the manager's computer.

Some of Seleznov's victims included:

The Broadway Grill - 32,000 unique credit card numbers from Dec 1, 2009 to Oct 22, 2010

Grand Central Baking Company in Seattle, WA

four Mad Pizza restaurants (three in Seattle, one in Tukwila, WA)

Village Pizza in Anacortes, WA

Casa Mia Italian in Yelm, WA.

Schlotsky's Deli in Coeur d'Alene, Idaho

Active Networks in Frostburg, MD

Days Jewelry in Waterville, Maine

Latitude Bar and Grill, NY, NY

Mary's Pizza Shack in Sonoma, CA

City News Stand in Chicago and Evanston, IL

Bulba would advertise when he had new cards for sale, claiming as many as 17,000 "Fresh Dumps" (newly stolen and never before used for fraud) cards and offering guarantees, including free card replacement for cards that were declined. Seleznev/Bulba had such high quality, that the owners of the popular crdsu.su and carder.biz allowed Seleznev and others to assume Monopoly status as the preferred card vendors for their boards, which were extremely prevalent in the underground.

According to the newly unsealed indictment, Seleznev personally stole (through his malware) more than 200,000 cards, and succesfully sold over 140,000 of those cards through his websites bulba.cc and Track2.name between November 15, 2010 and February 22, 2011, generating direct illicit profits in excess of $2,000,000 USD.

Just the cards stolen by Seleznev at the Broadway Grill have been associated with $79,317 in fraudulent charges, and all of the cards stolen by Seleznev are responsible for actual fraud charges of at least $1,175,217.37.

November 15-16, 2010, $83,490 in charges were made against Boeing Employees Credit Union cards.

Jan 31-Feb 1, 2011, $30,716 in charges against BECU.

Seleznev will have a hearing in Guam on July 22, and then be transferred to the Seattle courts.

Seleznev Diplomatic Spat with Russia?

Who are these others who are mentioned? Viktor Bout (Виктор Анатольевич Бут) was arrested in Thailand in 2008 and extradited in 2010 to stand trial for terrorism charges for delivering anti-aircraft missiles to FARC in Colombia. He was convicted by a jury in Manhattan (More from The Guardian) Konstantin Yaroshenko was arrested in May 2010 in Liberia as a cocaine smuggler pilot when he landed his plane in Monrovia, Liberia and was arrested by the DEA as he tried to negotiate a contract for $4.5 million to deliver 5 tons of cocaine from Colombia to West Africa. Yaroshenko was knowingly working with smugglers who were raising funds for the Colombian terror group FARC. (See Superseding Indictment

I wanted to geek that a bit deeper for those who want more details on both of those subjects. First, let's look at the Fast Flux.

Fast Flux Command & Controlled Botnet

Sometimes there are additional "tiers" or levels of misdirection. We don't yet know how many layers there are in this newGOZ botnet.

(click to enlarge)

Here's the flow . . .

1. the newGOZ criminal pays the Cutwail spammers to send out emails to infect new victims
2. the Cutwail spammer sends out his emails. On July 10th, they were "Essentra Past Due" and emails imitating M&T Bank and NatWest Bank
3. while many people delete the emails, ignore the emails, or have them blocked by spam, SOME people click on the emails
4. the ".scr" email attachment infects their computer and starts generating "Domain Generation Algorithm" domains.
5. each domain is queried for. the Bot computers say "Hey, Internet! Does this domain exist?"
6. on July 10th, cfs50p1je5ljdfs3p7n17odtuw.biz existed ... "the Internet" said "Yes, this exists and NS1.ZAEHROMFUY.IN is the Nameserver that can tell you where it is."
7. When most nameservers tell the address of a computer, they give a "Time To Live" that says "The answer I'm giving you is probably good for 24 hours" or 2 days, or a week, or whatever. But the Nameserver used in a FastFlux Bot, like, NS1.ZAEHROMFUY.IN, usually gives a "Time To Live" answer that says "The answer I'm giving you is only good for about 5 minutes. After 5 minutes, you need to ask me again in case the address has changed."
8. NS1.ZAEHROMFUY.IN receives constant updates from "newGOZ Criminal" of servers all over the world (but mostly in Ukraine) that have been hacked. Almost every time you ask the nameserver "Where is the newGOZ domain?" it will give you a different answer.
9. the "FastFlux C&C" boxes are now running nginx proxy software that says "Whatever you ask me, I will ask the servers at the Evil Lair of newGOZ. Whatever the Evil Lair of newGOZ wants to say, I will pass back to you.
10. Updates from the Evil Lair get passed back THROUGH the FastFlux Proxy and give the newGOZ bots new malware or commands
11. All traffic to and from the newGOZ bot, whether it is the bot "checking in" or the criminal pushing an "update" goes through one of the proxies, which are constantly changing.

Fast Flux newGOZ resolutions

Subjects like these:

• Hearing of your case in Court No#
• Notice of appearance
• Notice of appearance in court No#
• Notice to Appear
• Notice to Appear in Court
• Notice to appear in court No#
• Urgent court notice
• Urgent court Notice No#

(click to enlarge)

As normal, the spammers for these "Court Appearance" spam campaigns have just grabbed an innocent law firm to imitate. No indication of any real problem at Green Winick, but I sure wish one or more of these abused law firms would step up and file a "John Doe" lawsuit against these spammers so we could get some civil discovery going on!

These are the same criminals who have Previously imitated other law firms including Jones Day (jonesday.com), Latham Watkins (lw.com), Hogan Lovells (hoganlovells.com), McDermitt, Will & Emery (wme.com), and many more! Come on! Let's go get these spammers and the malware authors that pay them!

We've seen 88 destination hosts between July 10th and this morning (list below) but it is likely there are many more!

When malware spammers use malicious links in their email instead of attachments, they tend to have a much better success rate if they deliver unique URLs for every recipient. That is what is happening in this case, and what always happens in these ASProx / Kuluoz spam campaigns. An encoded pseudo-directory is used in the path portion of the URL, which is combined with rotating through hundreds of 'pre-compromised' websites to host their malicious content.

Four patterns in the path portion of the URL are better indicators as we believe there will be MANY more destination hosts.

• tmp/api/…STUFF…=/notice
• components/api/…STUFF…=/notice
• wp-content/api/…STUFF…=/notice
• capitulo/components/api/…STUFF...=/notice

http:// arhiconigroup.com / wp-content / api / pwCYg4Ac5gk0WlQIVFEkRSPGL2E7vZhP8Qh4LMGbbAk= /notice

(to protect the spam donor, the pwCYg... string above has been slightly altered. If you want to work on de-coding, let me know and I'm happy to provide a couple hundred non-altered strings.)

Just like with last week's E-Z Pass spam campaign, visiting the destination website results in a uniquely geo-coded drop .zip file that contains a .exe file.

As an example, when downloading from my home in Birmingham Alabama where my zip code is 35242, the copy I received was named:

Notice_Birmingham_35242.zip

which contained

Notice_Birmingham_35242.exe, which is icon'ed in such a way that it appears to be a Microsoft Word document.

The MD5 of my '.exe' was: 5c255479cb9283fea75284c68afeb7d4

The VirusTotal report for my .exe is here:

VirusTotal Report (7 of 53 detects)

Extra credit points to Kaspersky and Norman for useful and accurate naming !

Kaspersky = Net-Worm.Win32.Aspxor.bpyb
Norman = Kuluoz.EP

Each of the 88 destination websites that we observed was likely compromised to host the malware. We do not believe these are necessarily "Bad Websites" but they either have a vulnerability or have had the webmaster credentials stolen by criminals.

If these are YOUR website - look for one of those directories I mentioned ...

/tmp/api/
/components/api/
/wp-content/api/
/capitulo/components/api/

www.metcalfplumbing.com
www.mikevanhattum.nl
www.mieszkaniaradomsko.pl
www.millionairemakeovertour.com
www.mkefalas.com
www.moldovatourism.ro
www.mobitrove.com
www.modultyp.com
www.mommyabc.com
www.monsterscalper.com
www.myconcilium.de
www.nellalongari.com
www.northsidecardetailers.com.au
www.parasitose.de
www.paulruminski.eu
www.petitecoach.com
www.phasebooks.net
www.plr-content.com
www.profimercadeo.com
www.propertyumbrellablueprint.com
www.proviewhomeservices.com
www.puntanews.com.uy
www.qifc.ir
www.rado-adventures.com
www.rantandraveweddingplanning.com
www.registrosakasicos.es
www.rimaconsulting.com
www.romiko.pl
www.saffronelectronics.co.uk
www.sasregion.com
www.saxonthewall.com
www.sealscandinavia.se
www.stkatharinedrexel.org
www.tecza.org
www.theanimationacademy.com
www.thehitekgroup.com
www.tusoco.com
www.urmasphoto.com
www.vicmy.net
www.viscom-online.com
www.vtretailers.com
www.warp.org.pl
www.webelonghere.ca
www.weihnachten-total.de
www.wesele.eu
www.whistlereh.com
www.wicta.nl
www.widitec.com.br
www.wonderlandinteractive.dk
www.wpprophet.com
www.xin8.org
www.zabytkowe.net
www.zeitgeistportugal.org
www.zmianywpodatkach.pl
www.znamsiebie.pl
www.zuidoost-brabant.nl
www.zs1grodzisk.pl
yourmentoraffiliatemarketing.com
atenea.edu.ec
comopuedoblanquearmisdientes.com
arhiconigroup.com
chris-coupe.com
drnancycooper.com
ian-mcconnell.com
izkigolf.com
kalemaquil.com
kingdommessengernetwork.com

.PIF files are like those organs we are said to have for some reason that are not necessary in these modern times. If you still remember the pain of migrating from DOS 5.0 to Windows 3.0, you will remember that we had .PIF files because DOS binaries did not have all the niceties of Windows programs, such as embedded icons and a place to store the default start-up path. Back when Ugg the Caveman was discovering fire and Bill Gates was leading a development team, you could make your DOS Executables APPEAR to be Windows files by sticking a .PIF file of the same name in the same directory. Windows knew that it should associate the .PIF file with the .EXE or .COM file of the same name, and suddenly we had icons! Of course the malware authors have done some sneaky things with this in the past. When Sality was a young pup, browsing a directory that contained the ".pif" format of Sality was enough to get Windows to execute the malware -- because "Active Desktop" knew that if it saw a .PIF file, it should load it so it would know what graphical icon to associate with which programs in the directory listing. Unfortunately, that was all Sality needed to launch itself! So many people were victimized thinking that the AUTORUN=OFF on their thumb drive had failed without realizing it was just what .PIF files did back then.

So, this morning in the Malcovery Spam Data Mine we saw 1,440 copies of a spam message claiming to be from "orange.pl" with the subject "MMS-ie" and a 70,390 byte .zip file with a randomly numbered IMG#####.zip filename. The .ZIP file contained a 126,976 byte .PIF file that was named "IMG875002763.JPEG.pif" and had an MD5 hash of d382068a8666914584d0ae51dd162c6b. When I just checked the file a few minutes ago on VirusTotal, thinking I would see various Zeus-related malware names based on the SCMag / WebSense articles, I was surprised to see that the file was actually TinBa or "Tiny Banker"!

Late last week I was one of the many folks trying to get a friend to get me a copy of the Tinba source code that had been leaked, as Peter Kruse over at CSIS told us on July 10, 2014 (See Tinba/Hunterz source code published. Peter shared a talk The Hunterz Inside Tinba at the recent Cyber Threat Summit, and, with Trend Micro's Robert McArdle and Feike Hacquebord, released a paper called "W32.Tinba, The Turkish Incident" (a 24-page PDF that gives great insights into the malware family).

Tinba: The Polish Incident

Jeżeli Twój telefon nie obsługuje wiadomości multimedialnych, możesz je wysyłać i odbierać korzystając ze Skrzynki MMS lub Albumu MMS. Wystarczy, że zalogujesz się na www.orange.pl. O każdym otrzymanym na skrzynkę MMS-ie powiadomimy Cię E-mail.

Jeśli odbiorca wiadomości nie ma telefonu z obsługą MMS będzie mógł ją odebrać logując się w portalu www.orange.pl, a następnie wybierając Multi Box i zakładkę MMS. Wiadomości multimedialne możesz też wysyłać na dowolny adres e-mail.

In case you aren't as fluent in Polish as the rest of us, here is how Google Translate renders that:

If your phone does not support multimedia messages, you can send and receive using the Crates MMS or MMS Album. Simply log on www.orange.pl. For each received in an MMS message box will send you e-mail. If the recipient of the message does not have MMS-capable phone will be able to pick it up by logging into the portal www.orange.pl, and then select Multi Box and MMS tab. Multimedia messages can also be sent to any e-mail.

The spam from July 11th was also in Polish, and also imitated Orange, although this time the sender was Orange.com. There was a .zip file attached, which contained a file named "DKT_Faktura_indywidualna_2014_07_11_R.pdf.pif" which was 102,400 bytes in size and had an MD5 hash of da9330aa6d275ba28954b88ecf27dedb. The .zip file was 70,323 bytes with MD5 hash of fc1e0a665f99b347e424281a8a6a2526. The spam from July 11th was also Tinba spam, according to many vendors at VirusTotal. But the email body was much simpler. The message, still in Polish, was:

Witamy,

Przesyłamy fakturę Telekomunikacji Polskiej w wersji elektronicznej za czerwiec 2014.

Welcome,

We send an invoice Polish Telecom in the electronic version for June 2014.

But of course it was more malware, disquised as an invoice but actually a .pif file.

The current detection at VirusTotal for that campaign is 33 of 53 detections.

Unlike the Turkish Incident, where Tinba was being dropped by the Blackhole Exploit Kit, in the current spam, Tinba is directly attached to the email message.

This phish has been especially popular this year. Malcovery's PhishIQ service has seen more than 1,000 SFR phish on more than 330 hacked servers so far this year, including dozens just in the month of July 2014. More importantly though, the attackers are growing more sophisticated! The attack described below is one of the most sophisticated phish we've seen to date, employing "man-in-the-middle" logins where SFR credentials are tested before the victim is allowed to proceed, and nearly a dozen customized bank security procedure questions being processed.

In a typical example of these phish, the victim receives an email that appears to be from SFR informing them that an error was made in their bill, "Ce mail vous a été envoyé dans le but de vous informer qu une erreur est survenue lors de l établissement de la dernière facture" and to "Cliquer ici pour ouvrir le formulaire de remboursement" (Click here to open the refund form). The victim is also warned that they need to fill out the form completely, or they won't get their refund (in some cases 95 Euros!):

Veuillez accepter nos excuses par cette erreur comptable. SFR : Service comptabilité de SFR Toute omission, mauvaise saisie, ou non réponse a ce mail entrainera automatiquement une amputation de la somme de quatre-vingt-quinze (95) euros sur votre compte, et aucune réclamation de sera acceptée.

Vos coordonnées n'ont polo été reconnues. -- Your details have not been recognized.
Veuillez recommencer. -- Please try again.
Suite à 5 erreurs sur votre mot de passe, -- After 5 errors on your password
votre compte est bloqué. -- Your account will be blocked.

So, with a little incentive to not lie to the criminal, and a fairly strong reason to believe they are really speaking with SFR, the victim continues to page two after providing true login credentials.

On the second page, the victim is invited to choose their bank from a long list of French banks. Depending on which bank they choose, they will be prompted for appropriate additional verification details used by that bank. Banks on the list include:

• AXA Banque
• Banque AGF / Allianz
• Banque de Savoie
• Banque Dupuy de Parseval
• Banque Marze
• Banque Palatine
• Banque Populaire
• Banque Postale
• Barclays
• BforBank
• Binck.fr
• BNP
• BNP Paribas La NET Agence
• Boursorama Banque
• BPE
• Caisse d'Epargne
• CIC
• Coopabanque
• Crédit Agricole
• Crédit Cooperatif
• Crédit du Nord
• Crédit Mutuel
• Crédit Mutuel de Bretagne
• Crédit Mutuel Massif Central
• Crédit Mutuel Sud-Ouest
• e.LCL
• Fortis Banque
• Fortuneo Banque
• Groupama Banque
• HSBC
• ING Direct
• LCL
• Monabanq
• Societe Generale
• Société Marseillaisle de Crédit
• Autre Banque

• Quel est le prénom de l'aîné(e) de vos cousins et cousines ?
• Quel était le prénom de votre meilleur(e) ami(e) d'enfance ?
• Quel était votre dessin animé préféré ?
• Quel a été votre lieu de vacances préféré durant votre enfance ?

After seeing this message briefly, the visitor is forwarded to the true www.SFR.fr website.

Today a friend mentioned that they had seen several ASProx messages being distributed by domains that looked like law firm names warning of court appearances. I was a bit surprised that this was news to him, as we've been seeing this for some time. I thought it might be interesting to try to identify when the campaign began.

First, I was fairly certain that the campaign my friend referred to was the "Notice to appear" spam that we've written about so many times at Malcovery, but this does seem to be a bit different than the "law firm of the day" notice to appear campaigns we've seen imitating groups like Green Winick and many others including Jones Day (jonesday.com), Latham Watkins (lw.com), Hogan Lovells (hoganlovells.com), McDermitt, Will & Emery (wme.com). Those campaigns were all examples of the ASProx malware. But how are those different than the "truck lawyer" campaigns? It seemed worth taking a look.

For the month of August 2014, so far the daily count on these spam messages has looked like this:

 count |    date    
-------+------------
  1528 | 2014-08-01
   204 | 2014-08-02
  1375 | 2014-08-04
  1670 | 2014-08-05
  1571 | 2014-08-06
  1967 | 2014-08-07
  1541 | 2014-08-08
   129 | 2014-08-09
     1 | 2014-08-10
  1182 | 2014-08-11
  1399 | 2014-08-12
   191 | 2014-08-13
    58 | 2014-08-14
    25 | 2014-08-15
     1 | 2014-08-16
    21 | 2014-08-18
(16 rows)

11727  Urgent court notice
11693  Hearing of your case in Court
11182  Notice to appear
9935  Notice of appearance in court
8424  Notice to Appear
7433  Notice of appearance
7108  Notice to appear in court
6612  Notice to Appear in Court
 643  Court hearing notice
 568  Pretrial notice
 441  Mandatory court appearance

  count |                            sender_domain                            
-------+---------------------------------------------------------------------
     7 | accidentlawyers505.com
     1 | addictionrecoverylawyers.com
   328 | alabamatruckaccidentlawyers.com
   375 | alaskatruckaccidentlawyers.com
   352 | albanycountyelderlawyers.com
    11 | americanaccidentlawyers.com
     8 | anewgenerationoflawyers.com
    17 | arizonaspecialedlawyers.com
   363 | arizonatruckaccidentlawyers.com
   358 | arkansastruckaccidentlawyers.com
    12 | auburnbankruptcylawyers.com
    11 | aviationlawyersnetwork.com
   387 | az-lawyersadvice.com
     6 | bellevuebankruptcylawyers.com
   379 | bensonlawyers.com
     1 | bestlawyersinphoenix.com
     8 | bestlosangeleslawyers.com
   355 | best-ontario-lawyers.com
   361 | biofuelawyers.com
   360 | bronx-injury-lawyers.com
   316 | bronx-personal-injury-lawyers.com
    15 | brooklynelderlawyers.com
   371 | brooklyn-lawyers.com
    12 | bvslawyers.com
   326 | calgarydependentadultlawyers.com
   356 | californiatruckaccidentlawyers.com
   299 | californiaviolentcrimeslawyers.com
     5 | canadianduilawyers.com
   362 | capeannlawyers.com
   311 | caraccidentlawyerskc.com
     8 | career-lawyers.com
   318 | childsupportlawyerslosangeles.com
    13 | colobklawyers.com
   409 | coloradotruckaccidentlawyers.com
   395 | columbus-dui-lawyers.com
     9 | commoninterestlawyers.com
   326 | compasslawyers.com
   390 | connecticuttruckaccidentlawyers.com
    14 | contracosta-caraccident-lawyers.com
    17 | criminalcourtlawyers.com
   334 | criminaldefenselawyers360.com
     4 | crownpointindianawilltrustsprobateestatelderlawattorneyslawyers.com
     9 | csduilawyers.com
     5 | deferredstatuslawyers.com
   401 | delawaretruckaccidentlawyers.com
     1 | divorcelawyersinjacksonvillefl.com
     8 | drugcrimedefenselawyers.com
     5 | dubairealestatelawyers.com
     4 | easternnclawyers.com
    11 | employmentlawyersfortlauderdale.com
    10 | ernestolawyers.com
    10 | escortdefenselawyers.com
     1 | estateprotectionlawyers.com
    12 | falveylawyers.com
   354 | familylawyersoforangecounty.com
    10 | fla-injury-lawyers-blog.com
     9 | fl-criminal-defense-lawyers.com
    10 | fl-criminal-lawyers-blog.com
     7 | fllawyersonline.com
    11 | florida-criminal-defense-lawyers.com
     9 | floridaseniorlawyersassoc.com
   370 | floridatruckaccidentlawyers.com
    15 | fortmyersrealestatelawyers.com
    12 | garzalawyers.com
     9 | gatewaylawyers.com
   388 | georgiatruckaccidentlawyers.com
    12 | gofindlawyers.com
    13 | greatnecklawyersassociation.com
    10 | hartfordctlawyers.com
   361 | hawaiitruckaccidentlawyers.com
     9 | hcvlawyers.com
   351 | highdesertlawyers.com
     7 | hounslowlawyers.com
   372 | houstonmesotheliomalawyers.com
     6 | hphlawyersonbloor.com
     9 | huntingtonaccidentlawyers.com
   385 | idahotruckaccidentlawyers.com
    13 | illinoisbicyclelawyers.com
   347 | illinoistruckaccidentlawyers.com
   308 | immlawyers.com
   330 | indianatruckaccidentlawyers.com
     7 | indy-lawyers.com
     5 | institutionalinvestorlawyers.com
   352 | iowatruckaccidentlawyers.com
   340 | kansastruckaccidentlawyers.com
   300 | kentuckytruckaccidentlawyers.com
     9 | kentuckyyounglawyers.com
   337 | lakelanddivorcelawyers.com
    12 | lancasterautoaccidentlawyers.com
     1 | lawusa.com
     6 | lawyeringforlawyers.com
   311 | lawyersadviceinarizona.com
   350 | lawyersadviceinphoenix.com
     8 | lawyersandloans.com
    14 | lawyersbankruptcysolutions.com
     9 | lawyersbocaraton.com
    11 | lawyerscaringforamerica.com
     7 | lawyerscaringforarizona.com
     8 | lawyerscfo.com
   393 | lawyers-connecting.com
     7 | lawyersforeclosuresolutions.com
     8 | lawyers-germany.com
     8 | lawyersinbalance.com
    15 | lawyersinthecloud.com
     3 | lawyerslawfirms.com
     7 | lawyerslongisland.com
    14 | lawyersonlineguide.com
    13 | lawyerstaxsolutions.com
     1 | lawyersthatrock.com
     5 | lawyersvirtualbookkeeper.com
    10 | lawyerswithdepression.com
    11 | loan-modification-lawyers.com
   364 | long-island-lawyers.com
   356 | louisianatruckaccidentlawyers.com
    11 | mailfrauddefenselawyers.com
   376 | mainetruckaccidentlawyers.com
    10 | malpracticelawyersnewyorkcity.com
   329 | manhattan-injury-lawyers.com
   362 | manhattan-personal-injury-lawyers.com
   318 | marylandtruckaccidentlawyers.com
   807 | massachusettstruckaccidentlawyers.com
    10 | medicalmalpraticelawyers.com
   388 | mesotheliomalawyersonline.com
   402 | michigantruckaccidentlawyers.com
     8 | millbrooklawyers.com
   398 | minnesotatruckaccidentlawyers.com
   374 | mississippitruckaccidentlawyers.com
   361 | missouritruckaccidentlawyers.com
     8 | mitpatentlawyers.com
    11 | mittrademarklawyers.com
     7 | mmspersonalinjurylawyers.com
   374 | montanatruckaccidentlawyers.com
    12 | mylawyersolicitors.com
    14 | myreallawyers.com
     7 | naplesbusinesslawyers.com
   373 | nassau-county-lawyers.com
   329 | nebraskaboatinjurylawyers.com
   315 | nebraskatruckaccidentlawyers.com
     1 | nebraskatruckaccidentlawyers.com.com
   351 | nevadatruckaccidentlawyers.com
   384 | newhampshiretruckaccidentlawyers.com
   398 | newjerseytruckaccidentlawyers.com
   370 | newmexicotruckaccidentlawyers.com
   365 | new-york-city-lawyers.com
     9 | newyorkscaffoldlawyers.com
   393 | newyorktruckaccidentlawyers.com
   339 | njlandlordtenantlawyers.com
   351 | northcarolinatruckaccidentlawyers.com
   377 | northdakotatruckaccidentlawyers.com
   284 | nyautoaccidentlawyers.com
   312 | nycaraccidentlawyers.com
    14 | ohadoptionlawyers.com
   383 | ohiotruckaccidentlawyers.com
   344 | oklahomatruckaccidentlawyers.com
   404 | oregon-lawyers.com
   373 | oregontruckaccidentlawyers.com
    11 | palmbayinjurylawyers.com
     8 | panamacitysocialsecuritydisabilityclaimlawyers.com
   321 | phoenixlawyersadvice.com
     8 | pittsburgaccidentlawyers.com
    12 | poptodorova-lawyers.com
     1 | portstlucie-duilawyers.com
    11 | prescriptiondiversiondefenselawyers.com
    17 | probateadministrationlawyers.com
   314 | productsliabilitylawyers360.com
     9 | refineryfirelawyers.com
   356 | rhodeislandtruckaccidentlawyers.com
    13 | robberydefenselawyers.com
   361 | rockland-county-lawyers.com
   343 | saintpaulinjurylawyers.com
    11 | seattlesbestduilawyers.com
     9 | seattle-trial-lawyers.com
    11 | sfmesolawyers.com
   401 | southcarolinatruckaccidentlawyers.com
   396 | southdakotatruckaccidentlawyers.com
     6 | southfloridaworkerscompensationlawyers.com
   316 | southhamptoninjurylawyers.com
   368 | staten-island-lawyers.com
   358 | stentinjurylawyers.com
    14 | success4lawyers.com
   324 | suffolk-county-lawyers.com
     7 | tacomabankruptcylawyers.com
   386 | tennesseetruckaccidentlawyers.com
    13 | thebusinessgrowthlawyers.com
   362 | thechicago-deportationlawyers.com
   307 | the-consumer-lawyers.com
    12 | thelawyerscfo.com
    12 | themauilawyers.com
   333 | thenationstoplawyers.com
     8 | topmultimilliondollartriallawyers.com
   294 | trivalleylawyers.com
   325 | tuscaloosa-lawyers.com
   359 | utahtruckaccidentlawyers.com
   326 | vermonttruckaccidentlawyers.com
   338 | villanuevalawyers.com
     6 | virginia-non-compete-lawyers.com
     7 | virginianoncompetelawyers.com
   395 | virginiatruckaccidentlawyers.com
   361 | washingtontruckaccidentlawyers.com
   338 | westchester-county-lawyers.com
   379 | westvirginiatruckaccidentlawyers.com
     1 | westvirginiatruckaccidentlawyers.com.com
     1 | whsbf-law.com
   386 | wisconsintruckaccidentlawyers.com
    12 | wolfegrouplawyers.com
     8 | wrongfulldeathlawyers.com
   377 | wyomingtruckaccidentlawyers.com
   283 | yourvegaslawyers.com
(208 rows)

([account|answer|confirmation|customer|customercare|customersupport|
customerservice|custservice|custsupport|details|dontreply|help|
identdep|infonum|login|mail|no-reply|noreply|onlinesupport|operate|
operator|reference|reply|security|support|supprefnum|time|update|
verification|][0-9]{3})

From June 1, 2014 to August 18, 2014 more than 25,000 different combinations of the above were used in emails that sent email to the Malcovery Spam Data Mine.

The attached .zip files during that period of time, when unpacked, revealed 39,571 distinct executables, all of which are variants of the "Kuluoz" or "DoFoil" malware.

Because of the apparent polymorphic nature of many of the samples, where each binary is unique, I've only shared the hashes of the non-polymorphic versions - where the same binary was used many times. If the final column is clickable, the link shows the VirusTotal detection rate at the time of our original reporting.

A recent trend in these file names is that the first character, which looks like the letter "C" is actually the Russian "S", a cyrillic look alike for our "C", expressed with the characters: С (ampersand, pound sign, 1057, semicolon). When the word "Court" is spelled with the Cyrillic S instead, a search for the word "Court" will not find it! Here is the word Court twice, first with a "C" and then with the cyrillic equivalent: Court Сourt

Johan Gudmunds / Mafi

Image from ArrestTracker

• intentionally accessing a computer without authorization and exceeding authorized access to a protected computer, committing the offense for purposes of commercial advantage and private financial gain in furtherance of a criminal and tortious act in violation of the Constituion and the laws of the United States to obtain a thing of value exceeding $5,000 -- 18 USC Sections 1030(a)(2)(C) and (c)(2)(B)(i)-(iii).
• knowingly and with intent to defraud accessed a protected computer and by means of such conduct intended to commit fraud or obtain something of value -- 18 USC Section 1030(a)(4) and (c)(3)(A)
• knowingly caused the transmission of a program, information, code, and commands that as a result of such conduct intentionally caused damage affecting 10 or more protected computers during a 1-year period -- 18 USC Sections 1030(a)(5)(A) and (c)(4)(B).
• knowingly and with intent to defraud trafficked in passwords and similar information through which a computer may be accessed without authorization affecting interstate and foreign commerce -- 18 USC Sections 1030(a)(6)(A) and (c)(2)(A).

Daniel Placek / Loki

Eric Croker AKA Phastman

Phillip Fleitz, AKA Strife

Phillip Fleitz photo from ArrestTracker

• Naveed Ahmed (AKA "Nav" AKA "Semaph0re")
• Phillip R. Fleitz (AKA "Strife")
• Dewayne Watts (AKA "m3t4lh34d" AKA "metal"

• "Congratulations, your 4th place code is H7G0 - BestBuyVouchers.com"
• "Congratulations! You've finished Fifth!  Your code is: WM154 - FreeBestBuyCards.net"
• "Your entry placed 8 out of 10!  Claim the prize with this Code: U0V2 - BBCodeTexts.net"

Still to Come

•     Johan Anders Gudmunds - see above
•     Morgan C Culbertson - the "FireEye Intern" / Carnegie Mellon student
•     Naveed Ahmed -
•     Dewayne Watts - M3t4lh34d / metal
•     Murtaza Saifuddin
•     Matjaz Skorjanc - rzor from Pakistan
•     Florencio Carro Ruiz - NetK, Netkairo from Spain
•     Mentor Leniqi - Iceman from Slovenia
•     Rory Stephen Guidry - selling botnets, k@exploit.im

The Spamford Wallace Indictment

July 6, 2011 Original Charges

What's Happened Since?

• 04AUG2011 - the indictment was unsealed
• 04AUG2011 - notice of related cases was received.  These included:

1. the case of Facebook v. Sanford Wallace, Adam Arzoomanian, Scott Shaw, and John Does 1 through 25, for Violation of the CAN-SPAM ACT, violation of the Computer Fraud and Abuse Act, Violation of the California Business Code Section 229489 AKA the California Anti-Phishing Act, and Violation of California Penal Code section 502, the California Comprehensive Data Access and Fraud Act.  That case describes:  "At least one of the Defendants, Sanford (aka "Spamford") Wallace, is a notorious Internet scam artist who has been involved in various illegal spamming and malware activities since the mid 90s.  Indeed, Mr. Wallace has both Federal Trade Commission and civil judgements against him for these activities that total in excell of $235 million."  Myspace, Inc. v. Wallace; FTC v. Seismic Entertainment Prod., Inc; CompuServe v. CyberPromotions, Inc (Ohio, 1997)
2. This case resulted in a Default Judgement in favor of Facebook signed by Judge Jeremy Fogel on 29OCT2009. 

• 22AUG2011 - bail hearing
• 28SEP2011 - case reassigned to a new Judge (Judge D. Lowell Jensen)
• 30SEP2011 - Order to Waive Appearance proposed )amd gramted_
• 03OCT2011 - Status hearing held
• 04OCT2011 - case reassigned to Judge Edward J. Davila
• 31OCT2011 - Pretrial services form 8 submitted.
• 28NOV2011 - Status hearing held
• 09JAN2012 - "Fair and Speedy Trial Act" exemption requested due to AUSA Attorney being engaged in another trial, and for additional time for the defendant's need for effective preparation of counsel. "The ends of justice served by granting the requested continuance outweight the best interest of the public and the defendant in a speedy trial." - extension granted until 09APR2012.
• 02APR2012 - extended to 07MAY2012 by mutual consent.
• and again to 06AUG2012, and again to 01OCT2012, and again to 19NOV2012
• Status hearings held 14JAN2013, 11MAR2013
• 11MAR2013 - hearing grants a modification to pretrial release conditions to allow Spamford to travel to Albuquerque, New Mexico for work.
•  More delays 31MAY2013, 08AUG2013, 20SEP2013, in each case ordering that time be "excluded" from consideration in the Fair and Speedy Trial Act to allow for effective preparation for the case.
• 02NOV2013 - Sanford's attorney (K.C. Maxwell) files a sealed document asking to be relieved from the case 09DEC2013.
• Extension granted to 03FEB2014
• 17MAR2014 set as the date to hear the Motion to Withdraw as Counsel.
• Continued to 31MAR2014, when Wallace assigns his new counsel, William W. Burns, Esquire.
• 25JUN2014 new counsel asks for more time to prepare
• 18JUL2014 William Burns petitions the court to withdraw as counsel
• 21JUL2014 Burns Relieved
• 21JUL2014 a Financial affidavit is delivered to the court pertaining to Spamford Wallace
• 01AUG2014 - "The individual named above as defendant, having testified under oaht or having otherwise satisfied this court that he or she (1) is financially unable to employ counsel and (2) does not wish to waive counsel, and because the interests of justice so require, the Court finds that the defendant is indigent, therefore, IT IS ORDERED that the attorney whose name, address and telephone number are listed below is appointed to represent the above defendant." (Wm. Michael Whelan, Jr. / 95 South Market St, Ste 300 / San Jose, CA 95113 / (650) 319-5554 cell)
• 19AUG2014 - time extended to allow Whelan to prepare
• 22SEP2014 Status conference held, Jury Trial date set for 05MAY2015 through 22MAY2015.
• 29SEP2014 Whelan petitions the court that drug testing no longer be required since Sanford has never tested positive. (Granted 15OCT2014)
• 02MAR2015, status hearing extends case until an 08JUN2015 status hearing
• 12JUN2015 - new financial affidavit entered under seal
• 30JUN2015 - a change of plea hearing is requested for 27JUL2015
• 24AUG2015 - Sanford Wallace pleas guilty to a single count - Count 3.  Sentencing scheduled for 07DEC2015 at 1:30 PM

Guilty of Count Three

Russia-linked hackers tried at least five times in August 2011 to trick Hillary Rodham Clinton into infecting her computer systems while she was secretary of state, according to newly released emails from the State Department.

Still, the evidence that Mrs. Clinton's personal account had been on the receiving end of a "spear phishing" attempt, revealed in a batch of her emails released by the State Department on Wednesday, raises the same question the F.B.I. is trying to answer as it combs through the forensic evidence from the server that was once in Mrs. Clinton's basement.

A headline on Friday with an article about Hillary Rodham Clinton's email server overstated what is known about an investigation into the server's security. As the article correctly noted, Mrs. Clinton received spam email that was intended to place malware on her computer network; the investigation has not yet determined that the malware effort was successful.

What is ChepVil?

But What COULD the Malware Do? 

The Daily Malware Report

count |        mbox         
-------+---------------------
   326 | 2011-08-17 03:30:00
   264 | 2011-08-17 03:45:00
  1880 | 2011-08-17 04:00:00
   756 | 2011-08-17 04:15:00
  1930 | 2011-08-17 04:30:00
  2608 | 2011-08-17 04:45:00
  5982 | 2011-08-17 05:00:00
  4364 | 2011-08-17 05:15:00
  3544 | 2011-08-17 05:30:00
  2418 | 2011-08-17 05:45:00
  2262 | 2011-08-17 06:00:00
   999 | 2011-08-17 06:15:00
   870 | 2011-08-17 06:30:00
   972 | 2011-08-17 06:45:00
   643 | 2011-08-17 07:00:00
   277 | 2011-08-17 07:15:00
   354 | 2011-08-17 07:30:00
   200 | 2011-08-17 07:45:00
  4571 | 2011-08-17 08:00:00
  3974 | 2011-08-17 08:15:00
  3109 | 2011-08-17 08:30:00
  2047 | 2011-08-17 08:45:00
  1617 | 2011-08-17 09:00:00
(23 rows)

For comparison, here is the count of the other high malware volumes for that day:

count |             md5_hex              
-------+----------------------------------
 45377 | 1c2b06a9fbbea641ae09529e52f29b96 <= the "Uniform traffic ticket" malware
  3484 | e7b48c4421a68740dfd321dade6fd5e6 <= "End of July Statement" malware
  2627 | c1f67a7542359397544bd0af0b546166 <= "Your credit card has been blocked" malware
  1021 | d22eadfda41fcbeb692c600c97d10ff5 <= "Money Transfer Information" malware

But how did Spammers learn Mrs. Clinton's email address?

Thanks, Foreign Policy, for getting it right! 

How Often to Change Passwords

• any time you feel that someone may have observed you enter your password 
• any time you have been exposed to malware or phishing
• any time you have a change in administrative/trusted computing personnel (people who may know 'shared passwords' or passwords to routers/switches/servers)
• whenever you are changing hardware or lose control of your devices (lost/stolen/sold computer/laptop/phone)

Classes of Password Problems

• 000Webhost - Just this week a major provider of free webhosting services had 13 million userids and passwords stolen (See story in Forbes or from Troy Hunt).
• Ashley Madison - 11 million passwords have been cracked! CNN Ashley Madison passwords cracked, including the most popular passwords: 123456, password, 12345, 2345678, and qwerty. Other common passwords were "helpme", "midnight", and "yamaha".
• Adobe - in 2013 150 million Adobe software users (that is YOU if you have ever downloaded Adobe's PDF Reader or Flash Player) had their userids, password hashes, and password "hints" leaked. Crackers soon made short work of millions of those passwords by matching hashes of leaked passwords and combining multiple hints to determine the underlying password.
• LinkedIn - in 2012, hackers revealed that they had stolen 6.5 million userids and passwords from LinkedIn!

`~!@#$%^&*() -_=+[{]}\|;:'",<.>/?

Pass Phrases = 15 characters? How will I remember!?!?!

• 02JUL2008 - 7-11 ATM Hackers - More Details
• 07SEP2008 - Is the Analyzer Really Back? (The return of Ehud Tenenbaum) 
• (Tenenbaum was transferred to the US, pled guilty to two other cases, sentenced in July 2012 to Time Served and ordered to pay $503,129 restitution) 
• 11NOV2009 - The $9 Million World-Wide Bank Robbery
• 09MAY2013 - ATM Cashers in 26 Countries Steal $40   

The Trump Spam

Other Spam From Same IP Addresses (Walgreens, Google, Amazon)

The Redirection

Trump Pills / Trump $100 Gift Cards?

 

  

The Spamming IPs?

(image source: www.auburn.edu/oit/news/article.php?id=422 )

Gao and Wong are "junket operators" who are among the many small boat captains who are thought to ferry gamblers between the casinos in Macau and the Philippines.

In a series of quick financial operations, the funds were transferred from the Philippines to three large local casinos: Midas Hotel and Casino, City of Dreams, and Solaire Resort and Casino, and then wired back to various international accounts, using the common trick of laundering the money by claiming it as gambling proceeds. Fortune magazine reported that in the case of Solaire, the $29 Million was credited to the account of a Macau-based high-rolling gambler. Somehow I don't think this is what Solaire was thinking of when they advertise "The Great Exchange":

RCBC & Maia Santos-Deguito

The Epoch Times reports that in at least one of these transfers, $22 Million was placed into the Jupiter Street branch of Philippines RCBC and $427,000 of those funds were withdrawn in cash and loaded into the car of Maia Santos Deguito, the brand manager. The withdrawal was handled by Deguito's assistant, Angela Torres, who had the money delivered by armored car, took the money and placed it in a box, which was then transferred to a paper bag and placed in the branch manager's car. GMA News picks up the story of testimony from bank employees ... A bank employee said in testimony that Deguito told him, "I would rather do this than me being killed or my family," claiming that her life had been threatened if she refused to participate in the illegal activity. But when deposed herself, Deguito says her life was never threatened. The transfers from the Federal Reserve Bank of New York came to RCBC accounts under the names Michael F. Cruz, Jessie C. Lagrosas, Alfred S. Vergara, and Enrico T. Vasquez. From there, $66M was withdrawn and consolidated into an account in the name of William So Go. Deguito claims that Kim Wong, the front man for the Chinese pair, was a "friend of bank President and CEO Lorenzo V. Tan." Tan denies this, although he admits having seen Wong on a number of occasions.

The Treasurer of RCBC, Raul Victor Tan, has resigned"out of decency and honor, and despite his lack of involvement." Branch Manager Deguito reported to him and is largely believed to be the main point of contact between the bank and Gao Shu Hua. RCBC's president was also placed on leave from March 23rd. The Central Bank Governor in Bangladesh, Atiur Rahman, has been forced to resign as well.

My security is so bad that I'm suing you!

In much the same way that small businesses have attempted to file lawsuits against their banks when their lack of security has led to malware infections that drained their accounts, the Bank of Bangladesh announced through Finance Minister AMA Muhith that they would sue the Federal Reserve Bank of New York. In Al-Jazeera, Muhith is quoted as saying "We've heard that Federal Reserve Bank of New York has completely denied their responsibility. They don't have any right."

But much like the small businesses who have lost those lawsuits once their ineptitude was put on display, Bank of Bangladesh may have trouble claiming the problem resided at the Fed. On Friday, April 22nd, Reuters and BBC both released stories exposing the horrible security at Bank of Bangladesh. The Reuters' headline read "Bangladesh Bank exposed to hackers by cheap switches, no firewall: police" while the BBC headline pronounced "$10 router blamed in Bangladesh bank hack". A forensic investigator working on the Bangladesh team, Mohammad Shah Alam, says the investigation was complicated by the lack of log files available on these discount routers, but the larger problem is the illustrated lack of any care about security that choosing such a device indicates in the first place. (It should be acknowledged that this contradicts the bank's statement that their firewall was penetrated by a sophisticated cyber attack:

"The central bank had put “zero tolerance security” and robust firewalls in place in the back office of its foreign currency division. But the cyber gang used a powerful malware to break the firewall and managed to send fake payment orders to the US bank, added the official." -- source: www.asianews.network/content/bangladesh-bank-installing-monitoring-software-11440

Who can Join Our Network?

So if my Hospital is not allowed to exchange patient data with an insurance company before checking the security of their networks, systems, and applications, and my Grocery Store is not allowed to exchange credit card information with a financial services company before checking the security their networks, systems, and applications, why would SWIFT and the Federal Reserve Bank system be allowed to move billions of dollars on behalf of banks that don't have a firewall and have $10 routers bought second hand off the Internet? SWIFT has announced they would be issuing "written guidance" to ensure their members are practicing proper security methods. Hopefully these are more robust than those in their 2012 Whitepaper "CPSS-IOSCO's Principles for Financial Market Infrastructures">. (To learn more see: SWIFT: Information Security)

Probably because we are trying to lower the barriers of entry to banks from depressed economies. "Is it fair" to require one of the poorest nations in the world to have to spend the same type of money that western nations spend on Internet security? Perhaps not. But until we do, these emerging economies are going to be a continual and growing target of the cyber criminals that are willing to invest "western-style" funds to accomplish heists that are truly worthy of a Hollywood movie.

Update 25APR2016 - BAE Analysis of SWIFT malware