Zeus Botnet Sting Led by Microsoft

The good guys are always happy to see any positive action toward stopping a botnet--particularly when the action is as strong as Microsoft's "Operation b71."

SecurityWeek.com has a great story on the Microsoft Zeus Botnet Sting. As you might expect, a lot of cooperation between different companies and agencies is needed to take out this kind of thing.

Here's the guts of the takedown story,
Microsoft and its co-plaintiffs, escorted by U.S. Marshals, seized command and control (C&C) servers in two hosting locations on March 23 in Scranton, Pennsylvania and Lombard, Illinois.

"The move, which Microsoft said was its 'most complex effort to disrupt botnets to date,' was to seize and preserve data and evidence from the botnets to use in a case against multiple botnet operators.

"In addition to seizing the C&C servers, the group took down two IP addresses behind the Zeus command and control structure, and secured 800 domains that Microsoft is now monitoring and using to help identify computers infected by Zeus.
What caught my eye here was the scope of the botnet operation. Eight HUNDRED domains.

Figure that if the domains cost $5-$10 each, the domain names alone cost $4,000-$8,000, so there's no doubt that if the bad guys are spending that kind of dough on domain names alone, they're making real cash from the botnet.

As much as most people would hate to admit it, it is a business. (It's a business most of us wouldn't touch with the proverbial ten foot pole, but it is a business.)

Unfortunately, it's not the end of Zeus. Not even close. Was it a setback for the operators? Yes. The end? No.

Just how nasty is the Zeus Botnet? Here's a quote from the current Wikipedia page:
While Zbot is a generic back door that allows full control by an unauthorized remote user, the primary function of Zbot is financial gain - stealing online credentials such as FTP, email, online banking, and other online passwords.
In other words, the bad news is, it's meant to give the bad guys total control of your PC, and first and foremost to steal the passwords you type into it.

The good news is, antivirus programs are able to detect and remove known variants of the threat.

The other bit of bad news, though, is that even with antivirus software that can detect and remove the bot, it's very, very hard to tell you've been infected unless you're running the latest software and signatures.

In other words, because it's such a well-designed bot, if you're not running up-to-date antivirus protection, chances are you'd never even know your PC had been infected. To the bad guys' credit, it's a very well designed piece of software, known for its clever design and stealth.

If you're so inclined to learn about the legal proceedings, full details are at: www.zeuslegalnotice.com.


More Details Emerging about R2D2 Backdoor Trojan

First reported by the Chaos Computer Club (CCC), which claims to be the largest European hacker club, this malware is, they say, used by German police forces, and
...can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs.
Is it legal? It appears not, despite being state sponsored.

And, no matter your opinion of remote PC monitoring and true spy software, there's something very troubling about this trojan according to CCC,
Significant design and implementation flaws make all of the functionality available to anyone on the internet. [Editor's Note: Emphasis mine.]
Their analysis isn't just hot air. Further in their report, they go on to say,
The analysis also revealed serious security holes that the trojan is tearing into infected systems.

"The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the trojan are even completely unencrypted. Neither the commands to the trojan nor its replies are authenticated or have their integrity protected.

"Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan, and upload fake data.

"It is even conceivable that the law enforcement agencies' IT infrastructure could be attacked through this channel.
These are serious charges being leveled, so what does the antivirus software community's analysis reveal?

Both Kaspersky and F-Secure have already done their own analysis. Here's what they each have to say:


F-Secure, in their "News from the Lab" blog post on the R2D2 Backdoor Trojan, adds,
And now, several German states have admitted to using Backdoor:W32/R2D2.A (a.k.a. "0zapftis"), though they say the backdoor falls within what's allowed.


The Kaspersky blog details their own analysis which uncovered some other interesting details, including:
...there are six components in total – each with a different purpose – all of which have been analyzed by us.

"Amongst the new things we found in there are two rather interesting ones: firstly, this version is not only capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows.

"Secondly, the list of target processes to monitor is longer than the one mentioned in the CCC report.

"The number of applications infected by the various components is 15 in total.
So what's the point of this trojan? Good question.

The various reports all say it's for monitoring communication from a suspect's computer when they're using several types of software:
  1. VOIP software (like Skype)
  2. web browsers
  3. chat software
Here's the complete list uncovered by Kaspersky antivirus in their analysis:
Software Monitored by R2D2 Backdoor Trojan

Program                 Purpose
explorer.exe            Windows Explorer (the desktop shell; Internet Explorer itself is iexplore.exe)
firefox.exe             Mozilla Firefox web browser
icqlite.exe             Chat software (ICQ)
lowratevoip.exe         VoIP software
msnmsgr.exe             Chat software (MSN Messenger)
opera.exe               Opera web browser
paltalk.exe             Video chat software
simplite-icq-aim.exe    Chat software
simpro.exe              Chat software
sipgatexlite.exe        VoIP software
skype.exe               VoIP software
skypepm.exe             VoIP software (Skype component)
voipbuster.exe          VoIP software
x-lite.exe              VoIP software
yahoomessenger.exe      Chat software (Yahoo Messenger)

So now, the question is are the antivirus software companies detecting the trojan?

Yes. Kaspersky and F-Secure alike say their software's heuristics (generic detection rules in the realtime scanner, as opposed to a signature for this specific file) flagged the trojan even before they became aware of it and added specific threat definitions to their software.

F-Secure says, The 'heuristic' category indicates that our automation flagged the file based on rules that our analysts have created. And Kaspersky says, All components are detected by Kaspersky as variants of the R2D2 trojan/rootkit. The dropper was previously heuristically detected and blocked by us as an invasive program.

So, the bottom line: if you're running good antivirus software with realtime protection enabled, this particular trojan is unlikely to be a threat to you.

And, if you're not, why not?


Keep Malware on Your PC, Get Jailed?!

In what sounds too hard to believe to be true, Japanese police have arrested their first suspect under the controversial Japanese anti-malware law.
The revised Penal Code... bans storage of a computer virus for the purpose of infecting other computers. Violators can be sentenced to a maximum of two years in prison or fined up to 300,000 yen.
Now, let's think this through here.

There are really four types of people that fall into this category:
  1. malware writers
  2. malware distributors
  3. malware researchers
  4. malware infected
Clearly, those folks who fall into the first two categories are up to no good, but what about those of us who fall into the third category? Legitimate researchers like us?

And what about the average individual or business owner whose computer(s) have been infected by a virus or other malware and are now infecting others without the owner's knowledge?

I'm not talking about someone claiming they had no knowledge of something when in fact they did; nor am I talking about someone who's claiming ignorance of the law.

I'm talking about someone like your brother, sister, uncle, aunt, father, mother... like YOU. Your computer is infected, and you don't know it. Now your PC is infecting other people's PCs.

Where does someone like this end up in the eyes of the law?

For those of you out there who're smugly thinking, "Pffft... I'd know if my computer were infected. Pfft... These people are stupid."

You sure about that, smart guy? So sure you're willing to bet the next two or three years of your life on it? Literally?

As for researchers like us: we here, obviously, store malware explicitly for the purpose of infecting other computers. Granted, in our case it's only our own computers we're infecting, but regardless, this law really seems like good intent that's terribly misplaced and extremely easy to get around for someone who's arrested under its provisions.

Here are several possible scenarios, all of which start with, "Yes, your honor, I did have this malware on my computer, and...
  • "I've been trying to get rid of it, and it keeps coming back."
  • "I didn't even know it was there."
  • "Many people use my computer. It could belong to any number of people; it certainly wasn't mine."
  • "I'm an antivirus researcher. How else do I do my job without real viruses on my computer?"
How stiff are the penalties?

According to a piece at TheNextWeb on the Japanese antivirus legislation,
the legislation makes the creation or distribution of a computer virus without a reasonable cause punishable by up to three years in prison or 500,000 yen in fines, and the acquisition or storage of one punishable by up to two years in prison or 300,000 yen in fines.
Create or distribute a virus: 3 years or 500,000 yen (about $6,500 USD).
Store a virus: 2 years or 300,000 yen (about $4,000 USD).

There are so many crappy things about this law I don't know where to begin.

So many people who've had their computers infected by malware--particularly a worm or trojan spambot--may be infecting other computers without their knowledge.

And, what about those people who aren't running antivirus software when their PCs get infected?

What about someone who knows their PC is infected but can't get rid of the infection while it keeps infecting other PCs on its own?

Rationally, we may say to ourselves, "Oh, but c'mon, they can't be jailed for that!"

Would you be willing to stake the next two or three years of your life on that assumption?


The Latest on the PSN Break-in and Service Restoration

There has been a whooooole lot that has gone on since the original news broke on the Sony Playstation Network data breach.

Among other things, there's been Congressional testimony, which should give some indication of the seriousness of what has happened. Reporting on that testimony in a piece on the PSN breach, the Consumerist says that,

Dr. Gene Spafford of Purdue University [who in his testimony before Congress] said that Sony was using outdated software on its servers — and knew about it months in advance of the recent security breaches that allowed hackers to get private information from over 100 million user accounts.

And, that's not the least of it. It gets much worse. Spafford, the Consumerist piece goes on to say,

...Sony was using outdated versions of the Apache Web server software, which 'was unpatched and had no firewall installed.'

"The issue was 'reported in an open forum monitored by Sony employees' two to three months prior to the recent security breaches, said Spafford.

These accusations raise even more questions, like,


In a Reuters article on the PlayStation Network data theft, Sony points the finger at the hacktivist group Anonymous, which, they say, bears indirect responsibility.

Daily Kos has posted the official, lengthy and articulate response from Anonymous about the PSN Break-in, wherein it says in part,

Whoever broke into Sony's servers to steal the credit card info and left a document blaming Anonymous clearly wanted Anonymous to be blamed for the most significant digital theft in history.

"No one who is actually associated with our movement would do something that would prompt a massive law enforcement response.

"On the other hand, a group of standard online thieves would have every reason to frame Anonymous in order to put law enforcement off the track.

"The framing of others for crimes has been a common practice throughout history.

In other words: Anonymous didn't do it.

So, back to the PSN and when it's coming back online.

Initially, there was discussion--and ultimately success--in bringing part of the Playstation network back online starting on May 14th, as reported by Joystiq.

It was short-lived though: a lot of users (again as reported by Joystiq, in a post called PSN website sign-ins disabled) were greeted on May 18th with a message telling them, The server is currently down for maintenance.

Perhaps most interesting of all was that Sony wasn't given permission to restart PlayStation Network services in Japan (where Sony is headquartered) 'til it met two conditions,

  1. Preventative measures
  2. Steps taken to "...regain consumer confidence over personal data such as credit card information."

Where does it stand now?

According to Engadget, which appears to have the latest as of May 18th, the PSN had to be taken offline again.

According to Sony's official blog response on the outage,

We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved.

"In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.

"Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3.

"Otherwise, they can continue to do so via the website as soon as we bring that site back up.

We're glad service has been restored and sorry to see it came to this.

All-in-all, the whole thing is ugly.

100 million accounts appear to have been compromised, Sony appears to have been negligent and definitely bears some blame here, and things have reached a point where both U.S. and Japanese agencies are getting involved at a high level.

What should consumers do? Is this even worth thinking about?

For starters, yes, it's worth thinking about.

Security experts are definitely very concerned about phishing--and more targeted spear-phishing--attacks built from all the personal data gleaned in the break-in.

The most obvious step would be to change your email address and close the old account, but let's be honest, that's impractical.

Short of that, the next smartest thing to do is to change any password or security answer you reused from PSN elsewhere, and to make sure your antivirus software is updated and your realtime protection and anti-phishing filters are turned on.

I certainly expect this data to be exploited. Practically speaking, it's a gold mine, and I for one don't believe it's a question of "if" attacks will happen but a question of "when."


Major Data Breach: 70 Million PSN Accounts Stolen

On the heels of the Epsilon data breach comes one of equal, and perhaps greater, severity: Sony's PSN (PlayStation Network) had what they're calling, an illegal and unauthorized intrusion into our network.

The gang at GamrFeed have more on the PSN Data Breach Details, including that, There is a laundry list of compromised personal information, including the loss of logins, passwords, street addresses, and purchase histories. Even credit card information could be at risk.


Being a gamer myself, and a PlayStation owner, too, my first reaction was a sigh and a feeling of resignation. "This kind of stuff happens," I thought to myself.

Then, I read deeper into the PSN Blog about the Data Breach.

[Editor's Note: the following is a verbatim quote from Sony's blog that has been re-formatted for easier readability than their multi-line lawyereese. Bold added for emphasis is ours.]

We believe that an unauthorized person has obtained the following information that you provided:
  • name
  • address
    • city
    • state
    • zip
    • country
  • email address
  • birthdate
  • PlayStation Network/Qriocity password
  • [PlayStation Network/Qriocity] login
  • handle/PSN online ID
"It is also possible that your profile data, including
  • purchase history
  • billing address
    • city
    • state
    • zip
  • your PlayStation Network/Qriocity password security answers
may have been obtained.

"If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained.

"While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility.

"If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

Now why the heck does any of this matter?

It's just a gaming network, right? Who cares what games I've bought or when!

Not so fast there, Sparky.

The real danger here isn't even in the possibility of the credit card info having been stolen. (Look, if there's a possibility it was stolen, just call it what it is and say the data was stolen, ok?)

The real danger is for those folks who use the same usernames and passwords in multiple places, like at PSN and for their Hotmail account--or any other email account, for that matter. With those, a cyber thief can dig into your email account and from there easily springboard to bank accounts and all sorts of other places.

How will they find me amongst 70 million accounts?

Forget about digging through them by hand. Think of it happening programmatically. Just trust me on this one: it's easy to do.

It's trivial for a skilled programmer to grab the information they've gleaned from your PSN account and use it to try to login to your email account. From there, getting to your bank accounts and whatnot isn't all that hard. (Who hasn't used a "reset password" link at a website that gets sent to your email?)
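To make "programmatically" concrete from the defender's side, here's an added example of my own (not Sony's code, and not anything from the reports above): a site that learns of a breach elsewhere can take the leaked email/password pairs and test them against its own stored password hashes, then force a reset on every account that reused a leaked password. The user records, the leaked pairs and the hashing scheme (PBKDF2-SHA256 with a per-user salt) are all constructed assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed "site" user database: email -> (salt, PBKDF2-SHA256 hash).
# PBKDF2 with a per-user salt is an assumption for this example; it is not
# a description of how PSN (or anyone else) stores passwords.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


USERS = {
    "nicole@example.com": make_user("Ps3Rocks!2011"),   # same password reused on PSN
    "dave@example.com":   make_user("correct horse battery staple"),
    "ann@example.com":    make_user("hunter2"),
}

# Constructed breach dump, as it might circulate: (email, cleartext password).
LEAK = [
    ("nicole@example.com", "Ps3Rocks!2011"),
    ("dave@example.com",   "wrongguess"),
    ("nobody@example.com", "irrelevant"),
]


def find_reused_credentials(users, leak):
    """Return the emails whose leaked password also unlocks their account here.

    Only accounts present on both sides are checked; the comparison is
    constant-time so the check itself does not leak timing information.
    """
    reused = []
    for email, leaked_password in leak:
        record = users.get(email)
        if record is None:
            continue
        salt, stored = record
        if hmac.compare_digest(hash_password(leaked_password, salt), stored):
            reused.append(email)
    return reused


def force_resets(users, emails):
    """Invalidate the stored hash so the user must set a new password."""
    for email in emails:
        salt, _ = users[email]
        users[email] = (salt, b"")  # an empty hash can never match
    return len(emails)


if __name__ == "__main__":
    hits = find_reused_credentials(USERS, LEAK)
    print("accounts reusing a leaked password:", hits)
    print("forced resets:", force_resets(USERS, hits))
```

The attacker's loop is the same few lines pointed at a login form instead of a local hash table, which is why step 1 below matters more than anything Sony can do for you. Note also that an account whose leaked password didn't match isn't proof the user is safe, only that this particular leaked password wasn't theirs.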

Alright, what-ifs aside, and beyond Sony's recommendations, which only take part of the problem into account, here's what you should do immediately if you're on the Sony PSN:

1. Change your username and password on any bank and email accounts where they're the same as on PSN. (Keeps the bad guys out of your email... and your bank.)
2. Change your security questions/answers anywhere else you use the same questions/answers as on PSN. (Makes it harder for someone to reset your bank/email/other password and steal from you, or steal your info.)
3. Change your PSN security questions/answers. (Makes it harder for someone to reset your PSN account and gain access to it.)
4. Change your username and password on PSN. (Same reason.)

The last important take-away from this data breach is that you should already assume the data is in the hands of a spammer and cyberthief. 

As such, you need to expect that you'll receive many extremely targeted spearphishing emails. After all, according to Sony's own statement on the breach, the thieves probably have your name, email, credit card billing address, and date of birth.

What's to stop them from sending, "Happy Birthday!" emails offering to give you something free in exchange for your credit card info (for age verification only, of course...)?

Or for that matter from sending you, "Your data was stolen. Please click this link to reset it. Oh, and enter your new payment information while you're there, too?"

Or, how about, "Your data was stolen. We need your social security number now to ensure you're who you say you are."

The number of different ways this information can be abused is just about limitless, and while your antivirus software or Internet security suite can help you avoid a phishing attack to some extent, the best way to avoid them is to be smart about the links you're clicking and to look at, and really read, the web site addresses you're going to.

The age of the spearphishing attack is upon us. Your information's security is, ultimately, no one's responsibility but your own.


For Crying out Loud... Password Protect Your Wireless Router!

A debate that somehow always seems to pop up in my own life is the importance of securing your WiFi / wireless router. My friends have all gotten my lecture. My family has all gotten my lecture.

My friends-of-friends have all gotten it, too. Over the years, I've dialed it down from, Leave now. Just leave. Go home. Password protect your router before you do anything else, to something like, Oh no, it's fiiiiiine. The only thing you risk is some jailtime and a few phone calls to the ACLU. Otherwise, it's fine to run an open router.

And somehow, despite stories like this one on MSN about the Buffalo man who didn't secure his wireless router, people still think I'm exaggerating the risk and/or that, "it won't happen to me... I know my neighbors!"

Right. Ok. Copy that. Roger. Gotchya. You can leave yours open then. Really. It's fine.

For the record, once and for all: being lazy is never a valid excuse in the eyes of the law. Being inept seldom works either. Same goes for ignorance.

The single biggest thing YOU need to understand about wireless security is this:

Just because you can't see someone else using your wireless connection doesn't mean it isn't happening.

The same thing goes for PC security, too:

Just because you can't see the person who's infected your PC with some sort of spyware or trojan doesn't mean it hasn't happened.

Now let's talk about the poor guy in Buffalo, NY. According to the MSN piece,

For two hours that March morning in Buffalo, agents tapped away at the homeowner's desktop computer, eventually taking it with them, along with the iPads and iPhones belonging to him and his wife.

"Within three days, investigators determined that the homeowner had been telling the truth: If someone was downloading child pornography through his wireless signal, it wasn't him. About a week later, agents arrested a 25-year-old neighbor and charged him with distribution of child pornography.

"The case is pending in federal court.

All this because, again according to the piece, That new wireless router. He'd gotten fed up trying to set a password.

How many other people have had similar things happen is anyone's guess. Here are a couple more stories the MSN article mentions specifically,

  1. A Sarasota, Florida, man, got a similar visit from the FBI last year after someone on a boat docked in a marina outside his building used a potato chip can as an antenna to boost his wireless signal and download an astounding 10 million images of child porn.
  2. A North Syracuse, New York, man who... opened his door to police who'd been following an electronic trail of illegal videos and images. The man's neighbor pleaded guilty April 12.

The fact of the matter is, yes, it can be tricky, but it's not that hard. In fact, we have a simple six-step article at our site on, "How to Secure Your Wireless Connection."

You could read it and take the steps to secure your connection. Or you could spend the time thinking of what your excuse is going to be when someone steals your Internet connection and does terrible things with it.
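Before taking anyone's word that the router is locked down, look at what it actually advertises over the air. Here's an added example of mine (not from our six-step article) that parses the output of Linux's "iw dev wlan0 scan" and rates each network as open, WEP, WPA/TKIP or WPA2-AES. The scan excerpt is constructed for the example and follows the field layout iw prints; a driver that omits or renames a line would need the parser adjusted.

```python
# Constructed excerpt in the layout of `iw dev wlan0 scan` output.
SCAN_OUTPUT = """\
BSS 00:11:22:33:44:55(on wlan0)
    freq: 2437
    capability: ESS ShortSlotTime (0x0401)
    SSID: linksys
BSS 66:77:88:99:aa:bb(on wlan0)
    freq: 2412
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: NETGEAR
BSS cc:dd:ee:ff:00:11(on wlan0)
    freq: 2462
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: HomeNet
    WPA:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: TKIP
         * Authentication suites: PSK
BSS 22:33:44:55:66:77(on wlan0)
    freq: 2437
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: HomeNet-secure
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
"""


def parse_scan(text: str) -> list:
    """Split iw scan output into one dict per BSS with the fields we need."""
    networks = []
    current = None
    section = None
    for line in text.splitlines():
        if line.startswith("BSS "):
            current = {"bssid": line[4:].split("(")[0], "ssid": "",
                       "privacy": False, "rsn": False, "wpa": False,
                       "pairwise": set()}
            networks.append(current)
            section = None
            continue
        if current is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            current["ssid"] = s[5:].strip()
        elif s.startswith("capability:"):
            # The Privacy bit is what an encrypted network sets; open nets lack it.
            current["privacy"] = "Privacy" in s
        elif s.startswith("RSN:"):          # WPA2 information element
            current["rsn"] = True
            section = "rsn"
        elif s.startswith("WPA:"):          # legacy WPA information element
            current["wpa"] = True
            section = "wpa"
        elif section and "Pairwise ciphers:" in s:
            current["pairwise"].update(s.split(":", 1)[1].split())
    return networks


def classify(net: dict) -> str:
    """Rate a network from weakest to strongest protection."""
    if not net["privacy"]:
        return "OPEN"       # anyone can join; anything sent is in the clear
    if not (net["rsn"] or net["wpa"]):
        return "WEP"        # Privacy bit but no WPA/RSN element: crackable in minutes
    if not net["rsn"] or "TKIP" in net["pairwise"]:
        return "WPA/TKIP"   # legacy WPA or TKIP still allowed: deprecated, use AES
    return "WPA2-AES"       # RSN with CCMP only: what you want to see


def audit(text: str) -> dict:
    """Map SSID -> rating for every network in the scan."""
    return {n["ssid"]: classify(n) for n in parse_scan(text)}


if __name__ == "__main__":
    for ssid, rating in audit(SCAN_OUTPUT).items():
        print(f"{ssid:20} {rating}")
```

Run it over your own scan output and look for your own SSID: anything but WPA2-AES means the job isn't done, a WEP rating is effectively open, and TKIP should be switched off in favour of AES/CCMP. The same scan shows which of the neighbours are open, which is the part of the lecture people never believe.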


DOJ and FBI flex muscles: Takedown of international botnet

Paul Roberts from Threat Post brings news in the battle against botnets: The Coreflood Trojan botnet takedown.

The U.S. Department of Justice stated Wednesday that it had taken steps to disable an international botnet of over 2 million infected PCs. What's significant about this botnet is that it was stealing corporate data, including user names, passwords and other financial data.

According to a statement from the U.S. Attorney's office for the District of Connecticut, thirteen defendants were named in a civil complaint, and a total of 29 domain names used by the malware--code-named "Coreflood"--were seized so that infected machines attempting to communicate with the command and control servers could no longer reach them.

The Coreflood malware is believed to have originated in Russia and has been active for ten years, which is staggering in and of itself. The DOJ said it had obtained a temporary restraining order allowing it to disable the malware.

This crackdown is considered one of the largest actions taken by U.S. law enforcement against an international botnet. In the past year, a similar botnet takedown was driven by the private sector (Microsoft and FireEye).

[Editor's Note: See our prior post: Microsoft Working to Take Down Win32/Rustock Botnet. This crackdown against the "coreflood" malware and command and control servers mirrored the efforts by Dutch authorities that disabled Bredolab botnet back in October.]

According to the U.S. Attorney's office, five command and control servers were halted, plus the 29 domain name sites that communicated to these C&C servers.

The government replaced the C&C servers with substitute servers to prevent Coreflood from causing further injury to the owners and users of infected computers and other third parties. While the infected machines were not disinfected, of course, the hope is that security software providers will develop tools to remove the Coreflood malware and that victims will update their antivirus definitions.
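Seizing the domains (800 in the Zeus case above, 29 here) pays off for defenders the same way in both takedowns: once the C&C names resolve to a sinkhole, every lookup of one of them is an infected machine announcing itself. The following is an added example, not code from the DOJ, Microsoft or Threat Post, of the check a network admin would run on their own resolver: match the query log against the seized-domain list and report which internal hosts tried to phone home. The domain names, the log lines and their BIND-style format are all constructed for the example; the real seized lists aren't reproduced on this page.

```python
import re
from collections import defaultdict

# Constructed stand-ins for the seized C&C domains (the page lists none).
SEIZED_DOMAINS = {
    "update-check.example.net",
    "cdn-stats.example.org",
}

# BIND-style resolver query log lines, constructed for the example.
QUERY_LOG = """\
17-Apr-2011 09:12:33.101 client 10.1.4.22#53211: query: www.example.com IN A + (10.1.0.2)
17-Apr-2011 09:12:34.402 client 10.1.4.22#53212: query: update-check.example.net IN A + (10.1.0.2)
17-Apr-2011 09:13:01.777 client 10.1.7.9#40112: query: mail.example.com IN MX + (10.1.0.2)
17-Apr-2011 09:13:02.004 client 10.1.7.9#40113: query: CDN-Stats.Example.org. IN A + (10.1.0.2)
17-Apr-2011 09:14:10.019 client 10.1.4.22#53213: query: update-check.example.net IN A + (10.1.0.2)
17-Apr-2011 09:15:00.500 client 10.1.9.3#60001: query: foo.update-check.example.net IN A + (10.1.0.2)
"""

LINE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot DNS loggers sometimes add."""
    return name.lower().rstrip(".")


def is_seized(qname: str, seized=SEIZED_DOMAINS) -> bool:
    """True if qname is a seized domain or any subdomain of one."""
    qname = normalize(qname)
    return any(qname == d or qname.endswith("." + d) for d in seized)


def infected_hosts(log_text: str, seized=SEIZED_DOMAINS) -> dict:
    """Map each client IP that looked up a seized domain to the names it
    asked for and how often, so the host can be pulled for cleanup."""
    hits = defaultdict(lambda: {"count": 0, "domains": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # not a query line; skip
        if is_seized(m["qname"], seized):
            entry = hits[m["ip"]]
            entry["count"] += 1
            entry["domains"].add(normalize(m["qname"]))
    return dict(hits)


if __name__ == "__main__":
    for ip, info in sorted(infected_hosts(QUERY_LOG).items()):
        print(f"{ip}: {info['count']} lookups of {sorted(info['domains'])}")
```

Match on the registered name and its subdomains, case-insensitively and ignoring a trailing dot, or a bot querying a random subdomain slips through. A hit identifies a machine to pull for cleanup, not a user, and, as the DOJ's own note above says, the sinkhole stops the beaconing without removing the malware, so the host still has to be disinfected.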


Epsilon Break-In... What's the Lowdown?

By now you've probably gotten notice, as I have, from at least one bank, credit card company or financial institution that Epsilon, the company they use to send email messages to you, had a network breach.

Looking at even a short list of affected firms, Epsilon, a company most consumers have never heard of, appears to have (or to have had) a sizable portion of top banks in the U.S. amongst its client base.

But, it wasn't just banks that were hit.

It's just about every type of business imaginable, and chances are very, very, very high you've dealt with at least one of these companies. (Major hat tip to Brian Krebs of Krebs on Security who has been doing a stellar job keeping atop this list as more companies are added to the growing list of companies affected by the Epsilon break-in.)

Companies Affected by the Epsilon Break-In (So Far)
  • 1800-Flowers
  • Abe Books
  • Air Miles CA
  • Ameriprise Financial
  • Barclays Bank of Delaware
  • Beachbody
  • Bebe Stores Inc.
  • Benefit Cosmetics
  • BestBuy
  • Brookstone
  • Capital One
  • Charter Communications (Charter.com)
  • Chase
  • Citibank
  • City Market
  • The College Board
  • Crucial.com
  • Dell Australia
  • Dillons
  • Disney Vacations
  • Eurosport/Soccer.com
  • Eddie Bauer
  • Food 4 Less
  • Fred Meyer
  • Fry’s
  • Hilton Honors
  • The Home Shopping Network
  • Jay C
  • JP Morgan Chase
  • King Soopers
  • Kroger
  • LL Bean
  • Marks & Spencer (UK)
  • Marriott Rewards
  • McKinsey Quarterly
  • Moneygram
  • New York & Co.
  • QFC
  • Ralphs
  • Red Roof Inns Inc.
  • Ritz Carlton
  • Robert Half
  • Smith Brands
  • Target
  • TD Ameritrade
  • TiVo
  • US Bank
  • Verizon
  • Viking River Cruises
  • Walgreens
  • World Financial Network National Bank

Alright, so what's the big deal?

Well, for starters, it means spear-phishing risk for Y-O-U if you've ever had dealings with any of these firms.

While it's not yet perfectly clear what personal information was stolen from Epsilon, it's definitely clear that names and email addresses were. What also isn't clear is whether the list of companies with which you have a relationship was stolen along with them.

And, that's where a part of this becomes especially tricky.

If the spammers know you're a Target customer, for instance, and they know your name, and of course, your email, they can send you an email that looks perfectly like legitimate email from Target.

(N.B. We use Target only for illustrative purposes in this piece, not for any other reason. You can replace "Target" with the name of any of the other companies above with whom you've personally done business.)

Now imagine an email sent to [email protected], addressed to YOU by name and looking and sounding like it's coming from Target.

Imagine something like the following:

Subject: Get a $100 Target gift card... on us!
From: Target Stores <"[email protected]">
Date: April 7, 2011
To: Nicole Campbell <"[email protected]">
Hi Nicole,

Thanks again for your recent Target purchase!

We're writing from the customer satisfaction division with a brief survey of your online or in-store shopping experience.

As a way of saying, "Thank you!" all survey participants will receive a free $100 gift card from Target for use anytime.

Click here to get started.

Thanks again,
Your friends at Target and Target.com

And here's where the scam unfolds.

Kroger, for instance, recently saw its customers lured by spam apparently from the Epsilon breach.

Quoting Krebs from his piece: In most cases, the spam sent to customers of these companies pushed recipients to buy dodgy services and software.

In at least one attempt email recipients were pushed to buy Adobe Reader, which is free software.

Why? How are they making money if the software is free?

There's the catch: in most cases like these, you're not really buying anything, and here's what has happened:

You've just given the spammers/cyberthieves your credit card number and "permission" to charge your card. If you're lucky, they only charge your card for as much as you've given them permission to. If you're really lucky, they don't give you a virus or spyware to download instead of the real software.

Whatever the case, you may be facing a hefty credit card bill and some serious phone calls and letters to your credit card company to get them to absolve you of the charges.

Now, back to our Target example.

There are countless ways the spammers could spin things to get you to (a) give them your credit card number and/or (b) download a virus or spyware

  1. You need our special free "survey software"
  2. Your browser needs a special free plug-in to take the survey
  3. You need to upgrade your Adobe Reader for $10 to take the survey to get the $100 gift card

The list could go on-and-on.

So here are the take home messages from the Epsilon break-in:

  1. Use your head when it comes to messages emailed to you
  2. Just because something is addressed to you and addresses you by your name, doesn't make it legit
  3. Does the email have "free" offers or ways to earn gifts or money for very little work?
  4. Were you expecting to receive the message? (If you just signed up to get coupons, and a coupon email comes five minute later, it's probably safe.)
  5. How are the grammar and spelling in it? Commonly the bad guys are overseas and their English is often imperfect, and other conventions are often different from ours.

    Commonly you'll see a price in a scam email written as 35$ instead of $35 as is the convention here in the U.S.
  6. Are they asking you to "verify" anything? Let me tell you something: companies don't need you to verify anything. Ever. You got their email; they know who you are. An email asking for verification is almost definitely a scam.
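Points 2 and 6 above, and the "really read the web site addresses" advice in the PSN post, come down to two mechanical checks: does the sender's domain belong to the company, and does every link actually go where its text says it goes? Here's an added example of mine (not Krebs', Epsilon's or any vendor's code) that runs those checks over a constructed message modelled on the Target lure above. The message, the lookalike domains and the "last two labels" rule for a registrable domain are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message modelled on the "$100 gift card" lure above.
RAW_MESSAGE = """\
From: Target Stores <rewards@target-customer-survey.com>
To: Nicole Campbell <nicole@example.com>
Subject: Get a $100 Target gift card... on us!
Content-Type: text/html

<p>Hi Nicole,</p>
<p>Thanks again for your recent Target purchase!</p>
<p><a href="http://target.com.survey-rewards.ru/start">Click here</a> to get started.</p>
<p>Or visit <a href="http://www.target.com">www.target.com</a>.</p>
<p>Please <a href="https://secure-target.net/verify">verify your account</a>.</p>
"""

# The domain the message claims to come from (what the reader expects).
CLAIMED_DOMAIN = "target.com"


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. An assumption: fine for .com/.net/.ru,
    wrong for country second-level domains such as .co.uk."""
    host = host.lower().rstrip(".")
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw: str, claimed_domain: str = CLAIMED_DOMAIN) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if registrable_domain(sender_domain) != claimed_domain:
        findings.append(f"sender domain {sender_domain!r} is not {claimed_domain}")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) != claimed_domain:
            findings.append(f"link {href!r} ({text!r}) goes to {registrable_domain(host)!r}")
        # Visible text that looks like a URL but names a different host.
        m = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text.lower())
        if m and registrable_domain(m.group(1)) != registrable_domain(host):
            findings.append(f"link text {text!r} does not match destination {host!r}")
        if re.search(r"\bverif", text, re.I):
            findings.append(f"link asks you to verify something: {text!r}")
    return findings


if __name__ == "__main__":
    for finding in analyze(RAW_MESSAGE):
        print("FLAG:", finding)
```

Two caveats. The From header is trivially forged, so a matching sender domain is necessary but never sufficient; a mismatched one, on the other hand, is a reliable tell. And the two-label rule misclassifies country second-level domains (target.co.uk would register as co.uk), which is where a real filter would consult the public suffix list instead.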

These are just a few things to be on the lookout for. Most importantly of all, especially given the number of banks and credit card companies involved: never, ever, EVER put your social security number into a page you reached by clicking a link in an email.

I cannot even once think of a legitimate bank or credit card email requiring this.

And lastly, lest it go unsaid, use an Internet security suite. The best ones include good anti-phishing and malicious website filters.

While nothing is perfect, between the filters built into today's top web browsers and top Internet security software, you can offset the threat posed by scammers, the emails they send, and the sneaky websites they setup.


Hacker Gang Leader Sentenced to 9 Years for Hospital Computer Attacks

Thanks to a piece by Kevin Poulsen at Wired Magazine, we learned about a successful prosecution of a hacker gang leader, who was convicted of installing malware on PCs in a Texas hospital.

Self-shot video of hacker McGraw carrying out the hospital computer attack. (Video: YouTube)

The ringleader of a former online anarchist group called the Electronik Tribulation Army was sentenced on Thursday to over nine years in prison for installation of malware at a Texas hospital.

Hacker Jesse William McGraw, 26, also known as "GhostExodus", was fined $31,881 and ordered to serve three years of supervised release after serving time in prison.

He came to the attention of the FBI in 2009 after shooting and posting a YouTube video of himself "infiltrating" computers by installing RxBot at a medical office building.

According to the government, the Electronik Tribulation Army was creating a botnet to attack rival hacker gangs, which included Anonymous--known more at the time for hardcore pranks than the 'hacktivism' they've been known for since.

Computer security researcher Wesley McGrew. (Photo: Kristen Hines Baker, courtesy Mississippi State University)

In another video, McGraw showed off his personal infiltration gear, which included items such as lock picks, a cellphone jammer, and fake FBI credentials. The videos were shot at the North Central Medical Plaza in Dallas, TX.

McGraw was able to do so easily since he was a night security watchman and had unrestricted access to the hospital.

He pleaded guilty last May to computer-tampering charges for installing malware on a dozen machines, which included a nurse's station holding medical records. McGraw also installed a remote-access program called LogMeIn on the hospital's Windows-controlled HVAC system.

R. Wesley McGrew of McGrew Security in Mississippi initially contacted the FBI after seeing screenshots of the HVAC access online. McGrew says:

"I think the sentence is appropriate. He jeopardized public health and safety with his actions and I think it's important to take a really strong stance against that."

In the wake of McGraw's arrest, other members of ETA campaigned to harass McGrew, which led to FBI raids on three suspected members, but there were no reported charges.

Although the YouTube videos suggest McGraw wasn't necessarily a critical threat to cyberspace, the FBI took note when it was discovered he'd installed a backdoor in the HVAC unit.

They noted that any failure of the unit--which controlled the first and second floors of the North Central Surgery Center--could have adversely affected patients in the summer heat or caused refrigerated drugs or medical supplies to go bad.

There are a couple of important lessons here:

  1. Never, ever leave a workstation unlocked when you step away from it. Ever. If you give someone physical access to your computer, all bets are off.
  2. Audit your PCs regularly. The most dangerous phrase in security is, "It's not like...."

    Rather than thinking to yourself, "It's not like someone could ever put a virus on my computer without me knowing!", assume there are people smarter than you, and that they will if they can.
  3. Keep your antivirus software updated, set it up to run automatic scans, and run a manual scan, too, every now and again just to be on the safe side.
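Lesson 2 is the one people skip, so here is what a regular audit can look like in practice: a Python script, added here as an illustration (not from the original post, the hospital, or any vendor), that compares a known-good baseline inventory of a machine against its current state and flags anything new, with special attention to remote-access tools. The two inventory snapshots are constructed to mirror the story (a remote-access program and its service appearing on an HVAC console); the service name and the port number are made up, and the watchlist beyond LogMeIn is an assumption for the example:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """An inventory of one PC at a point in time (constructed for this example).
    In practice you would fill these from installed-program, service and
    listening-socket listings collected on the machine itself."""
    programs: frozenset
    services: frozenset
    listening_ports: frozenset


# Watchlist of remote-access tools a ward PC or HVAC controller should never
# sprout on its own. LogMeIn is the one from the story; the other names are
# assumptions added for illustration. Matching is a case-insensitive substring
# test, so a service named after the product is caught as well.
REMOTE_ACCESS_WATCHLIST = ("logmein", "teamviewer", "vnc", "anydesk")


def matches_watchlist(name, watchlist=REMOTE_ACCESS_WATCHLIST):
    lowered = name.lower()
    return any(term in lowered for term in watchlist)


def audit(baseline, current):
    """Compare a known-good baseline against the current inventory and return
    the findings an administrator should look at. 'clean' is True only when
    nothing changed and nothing on the watchlist is present."""
    new_programs = current.programs - baseline.programs
    removed_programs = baseline.programs - current.programs
    new_services = current.services - baseline.services
    new_ports = current.listening_ports - baseline.listening_ports
    remote_tools = sorted(
        name for name in current.programs | current.services
        if matches_watchlist(name)
    )
    return {
        "new_programs": sorted(new_programs),
        "removed_programs": sorted(removed_programs),
        "new_services": sorted(new_services),
        "new_listening_ports": sorted(new_ports),
        "remote_access_tools": remote_tools,
        "clean": not (new_programs or removed_programs or new_services
                      or new_ports or remote_tools),
    }


def format_report(findings):
    """Render the findings as plain text, one line per category."""
    if findings["clean"]:
        return "No changes from baseline; no remote-access tools found."
    lines = []
    for key in ("new_programs", "removed_programs", "new_services",
                "new_listening_ports", "remote_access_tools"):
        if findings[key]:
            pretty = key.replace("_", " ")
            lines.append(f"{pretty}: {', '.join(str(v) for v in findings[key])}")
    return "\n".join(lines)


# Constructed snapshots. The baseline is the HVAC console as originally set up;
# the current snapshot shows a remote-access program and a service for it
# added, plus a new listening port. "LogMeInSvc" and port 5555 are made up.
BASELINE = Snapshot(
    programs=frozenset({"HVAC Control Console 3.1", "Adobe Reader 9"}),
    services=frozenset({"wuauserv", "HVACMonitor"}),
    listening_ports=frozenset({135, 445}),
)
CURRENT = Snapshot(
    programs=frozenset({"HVAC Control Console 3.1", "Adobe Reader 9", "LogMeIn"}),
    services=frozenset({"wuauserv", "HVACMonitor", "LogMeInSvc"}),
    listening_ports=frozenset({135, 445, 5555}),
)

if __name__ == "__main__":
    print(format_report(audit(BASELINE, CURRENT)))
```

The value of this approach is that you do not need to know what every program on the box does; you only need a baseline taken when the machine was known to be good, and then anything that differs is a question for a human. Scheduling the comparison (daily, or after every maintenance window) is what turns "audit your PCs" from advice into a habit.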


Microsoft Working to Take Down Win32/Rustock Botnet

Microsoft's Jeff Williams gives an update on Microsoft's part in continued action to eradicate the Win32/Rustock botnet.

Over a year ago Microsoft marshalled a unique botnet-fighting team. Made up of others in industry and some folks in academia, they used a combination of legal and technical means to take control of the Win32/Waledac botnet as the first milestone action in project MARS (Microsoft Active Response for Security).

In the past couple of days the court seal on a similar action was lifted, allowing Microsoft to talk more openly about the Win32/Rustock botnet.

Sure, Waledac was a simpler and smaller botnet than Rustock, but because of lessons learned with it, Microsoft was able to take on the much larger Rustock botnet.

Rustock is estimated to have infected over a million computers and was spewing out millions of spam messages daily.

In fact, some statistics have suggested that at its peak, Rustock accounted for a staggering 80% of all spam traffic by volume and was sending at a rate of over 2,000 messages per second.

What was so impressive in the botnet takedown was the scope of things: the seizure of command and control servers was under court order from the U.S. District Court for the Western District of Washington; the order was carried out by the U.S. Marshals Service and by authorities in the Netherlands.

That alone would be a fairly big deal, but here's the kicker: investigators are now going through evidence seized from five hosting centers in seven locations to learn more about those responsible and their activities.

This was a collaboration with others such as Pfizer (whose brands were infringed by the fake-pharma spam coming from Rustock), FireEye, and the University of Washington.

All three gave the court valuable statements on Rustock's behavior and on the specific dangers it posed to public health, in addition to those affecting the Internet.

On Microsoft's side, the efforts are represented by a partnership between Microsoft's Digital Crimes Unit, the Microsoft Malware Protection Center, and Microsoft Trustworthy Computing.

We applaud Microsoft and its partners for pulling this off. Their continued work with CERT and ISPs around the world is the only way to reach those whose computers are infected and help defeat and remove these viruses.