Posts Tagged: Joe Stewart


26
Sep 12

Chinese Hackers Blamed for Intrusion at Energy Industry Giant Telvent

A company whose software and services are used to remotely administer and monitor large sections of the energy industry began warning customers last week that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada and Spain. Experts say digital fingerprints left behind by attackers point to a Chinese hacking group tied to repeated cyber-espionage campaigns against key Western interests.

The attack comes as U.S. policymakers remain gridlocked over legislation designed to beef up the cybersecurity posture of energy companies and other industries that maintain some of the world’s most vital information networks.

In letters sent to customers last week, Telvent Canada Ltd. said that on Sept. 10, 2012 it learned of a breach of its internal firewall and security systems. Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings — OASyS SCADA — a product that helps energy firms mesh older IT assets with more advanced “smart grid” technologies.

The firm said it was still investigating the incident, but that as a precautionary measure, it had disconnected the usual data links between clients and affected portions of its internal networks.

“In order to be able to continue to provide remote support services to our customers in a secure manner, we have established new procedures to be followed until such time as we are sure that there are not further intrusions into the Telvent network and that all virus or malware files have been eliminated,” the company said in a letter mailed to customers this week, a copy of which was obtained by KrebsOnSecurity.com. “Although we do not have any reason to believe that the intruder(s) acquired any information that would enable them to gain access to a customer system or that any of the compromised computers have been connected to a customer system, as a further precautionary measure, we indefinitely terminated any customer system access by Telvent.”

The incident is the latest reminder of problems that can occur when corporate computer systems at critical networks are connected to sensitive control systems that were never designed with security in mind. Security experts have long worried about vulnerabilities being introduced into the systems that regulate the electrical grid as power companies transferred control of generation and distribution equipment from internal networks to so-called “supervisory control and data acquisition,” or SCADA, systems that can be accessed through the Internet or by phone lines. The move to SCADA systems boosts efficiency at utilities because it allows workers to operate equipment remotely, but experts say it also exposes these once-closed systems to cyber attacks.

Telvent did not respond to several requests for comment. But in a series of written communications to clients, the company detailed ongoing efforts to ascertain the scope and duration of the breach. In those communications, Telvent said it was working with law enforcement and a task force of representatives from its parent firm, Schneider Electric, a French energy conglomerate that employs 130,000 and has operations across the Americas, Western Europe and Asia. Telvent reportedly employs about 6,000 people in at least 19 countries around the world.

The disclosure comes just days after Telvent announced it was partnering with Foxborough, Mass. based Industrial Defender to expand its cybersecurity capabilities within Telvent’s key utility and critical infrastructure solutions. A spokesperson for Industrial Defender said the company does not comment about existing customers. Continue reading →


19
Sep 12

Malware Dragnet Snags Millions of Infected PCs

Last week, Microsoft Corp. made headlines when it scored an unconventional if not unprecedented legal victory: Convincing a U.S. court to let it seize control of a Chinese Internet service provider’s network as part of a crackdown on piracy.

I caught up with Microsoft’s chief legal strategist shortly after that order was executed, in a bid to better understand what they were seeing after seizing control over more than 70,000 domains that were closely associated with distributing hundreds of strains of malware. Microsoft said that within hours of the takeover order being granted, it saw more than 35 million unique Internet addresses phoning home to those 70,000 malicious domains.

First, the short version of how we got here: Microsoft investigators found that computer stores in China were selling PCs equipped with Windows operating system versions that were pre-loaded with the “Nitol” malware, and that these systems were phoning home to subdomains at 3322.org. The software giant subsequently identified thousands of sites at 3322.org that were serving Nitol and hundreds of other malware strains, and convinced a federal court in Virginia to grant it temporary control over portions of the dynamic DNS provider.

Microsoft was able to do that because – while 3322.org is owned by a firm in China — the dot-org registry is run by a company based in Virginia. Yet, as we can see from the graphic above provided by Microsoft, Nitol infections were actually the least of the problems hosted at 3322.org (more on this later).

To learn more about the outcome of the seizure, I spoke with Richard Boscovich, a senior attorney with the company’s digital crimes unit (DCU) who helped to coordinate this action and previous legal sneak attacks against malware havens. Our interview came just hours after Microsoft had been cleared to seize control over the 70,000+ subdomains at 3322.org. I asked Boscovich to describe what the company was seeing.

“The numbers are quite large,” he said. “Just a quick view of what we’ve been seeing so far is upwards of 35 million unique IP [addresses] trying to connect with the 70,000 subdomains.”

Certainly IP addresses can be very dynamic — a single computer can have multiple IP addresses over a period of a few days, for example. But even if there were half as many infected PCs than unique IPs that Microsoft observed reporting to those 70,000 domains, we’d still be talking about an amalgamation of compromised PCs that is far larger than any known botnet on the planet today.  So how certain was Microsoft that these 35 million unique IPs were in fact infected computers?

“We started identifying what our AV company blocks,” Boscovich explained. “We saw a lot of different types of malware, from keyloggers to DDoS tools and botnets going back there. Our position would be if you’re reaching out to these 70,000 subdomains, that the purpose would be you’re directed there to be infected or you are already infected with something. And that something was up to 560 or so malware strains we identified [tracing back] to 3322.org.”

COLLATERAL DAMAGE?

Microsoft’s past unilateral actions against malware purveyors and botnets have engendered their share of harsh reactions from members of the security community, and I fully expected this one also would be controversial. I wasn’t disappointed: Writing for Internet policy news site CircleID, longtime antispam activist Suresh Ramasubramanian warned that Microsoft’s action would cause “extremely high collateral damage,” both to innocent sites and to ongoing investigations.

“So, in the medium to long term run …all that Microsoft DCU and Mr. Boscovich have achieved are laudatory quotes in various newspapers and a public image as fearless and indefatigable fighters waging a lone battle against cybercrime,” Ramasubramanian wrote. “That manifestly is not the case. There are several other organizations (corporations, independent security researchers, law enforcement across several countries) that are involved in studying and mitigating botnets, and a lot of their work just gets abruptly disrupted (jeopardizing ongoing investigations, destroying evidence and carefully planted monitoring).”

Continue reading →


13
Sep 12

Microsoft Disrupts ‘Nitol’ Botnet in Piracy Sweep

Microsoft said Thursday that it convinced a U.S. federal court to grant it control over a botnet believed to be closely linked to counterfeit versions Windows that were sold in various computer stores across China. The legal victory also highlights a Chinese Internet service that experts say has long been associated with targeted, espionage attacks against U.S. and European corporations.

Source: Microsoft.com

Microsoft said it sought to disrupt a counterfeit supply-chain operation that sold knockoff versions of Windows PCs that came pre-loaded with a strain of malware called “Nitol,” which lets attackers control the systems from afar for a variety of nefarious purposes.

In legal filings unsealed Thursday by the U.S. District Court for the Eastern District of Virginia, Microsoft described how its researchers purchased computers from various cities in China, and found that approximately 20 percent of them were already infected with Nitol.

It’s not clear precisely how many systems are infected with Nitol, but it does not appear to be a particularly major threat. Microsoft told the court that it had detected nearly 4,000 instances of Windows computers infected with some version of the malware, but that this number likely represented “only a subset of the number of infected computers.” The company said the majority of Nitol infections and Internet servers used to control the botnet were centered around China, although several U.S. states — including California, New York and Pennsylvania — were home to significant numbers of compromised hosts.

Dubbed “Operation b70” by Microsoft, the courtroom maneuvers are the latest in a series of legal stealth attacks that the software giant has executed against large-scale cybercrime operations. Previous targets included the Waledac, Rustock, Kelihos and ZeuS botnets.

Continue reading →


30
Jul 12

Tagging and Tracking Espionage Botnets

A security researcher who’s spent 18 months cataloging and tracking malicious software that was developed and deployed specifically for spying on governments, activists and industry executives says the complexity and scope of these cyberspy networks now rivals many large conventional cybercrime operations.

Joe Stewart, senior director of malware research at Atlanta-based Dell SecureWorks, said he’s tracked more than 200 unique families of custom malware used in cyber-espionage campaigns. He also uncovered some 1,100 Web site names registered by cyberspies for hosting networks used to control the malware, or for “spear phishing,” highly targeted emails that spread the malware.

Although those numbers may seem low in the grand scheme of things (antivirus companies now deal with many tens of thousands of new malware samples each day), almost everything about the way these cyberspying networks are put together seems designed to mask the true scope of the operations, he found. For instance, Stewart discovered that the attackers set up almost 20,000 subdomains on those 1,100 domain names; but these subdomains were used for controlling or handing out new malware for botnets that each only controlled a few hundred computers at a time.

“Unlike the largest cybercrime networks that can contain millions of infected computers in a single botnet, cyber-espionage encompasses tens of thousands of infected computers spread across hundreds of botnets,” Stewart wrote in a paper released at last week’s Black Hat security convention in Las Vegas. “So each botnet…tends to look like a fairly small-scale operation. But this belies the fact that for every [cyber-espionage] botnet that is discovered and publicized, hundreds more continue to lie undetected on thousands of networks.”

Once you get past all the technical misdirection built into the malware networks by its architects, Stewart said, the infrastructure that frames these spy machines generally points in one of two directions: one group’s infrastructure points back to Shanghai, the other to Beijing.

“There have to be hundreds of people involved, just to maintain this amount of infrastructure and this much activity and this many spear phishes, collecting so many documents, and writing this much malware,” Stewart said. “But when it comes time to grouping them, that’s when it gets harder. What I can tell from the clustering I’m doing here is that there are two major groups in operation. Some have dozens of different malware families that they use, but many will share a common botnet command and control infrastructure.”

Domains connected to different cyber-espionage botnets typically trace back to one of two destinations in China, according to Dell SecureWorks.

Continue reading →


1
Feb 12

Who’s Behind the World’s Largest Spam Botnet?

A Wikileaks-style war of attrition between two competing rogue Internet pharmacy gangs has exposed some of the biggest spammers on the planet. The latest casualties? Several individuals likely responsible for running Grum, currently the world’s most active spam botnet.

Grum is the top spam botnet, according to M86Security

In the summer of 2010, hackers stole and leaked the database for SpamIt and Glavmed, sister programs that paid people to promote fly-by-night online pharmacies. According to that data, the second-most successful affiliate in SpamIt was a member nicknamed “GeRa.” Over a 3-year period, GeRa’s advertisements and those of his referrals resulted in at least 80,000 sales of knockoff pharmaceuticals, brought SpamIt revenues of in excess of $6 million, and earned him and his pals more than $2.7 million.

A variety of data indicate that GeRa is the lead hacker behind Grum, a spam botnet that can send more than 18 billion emails a day and is the primary vehicle for more than a third of all junk email.

Hackers bent on undermining SpamIt leaked thousands of chats between SpamIt members and Dmitry Stupin, the co-administrator of the program. The chats show daily communication between GeRa and Stupin; the conversations were usually about setting up new spamming operations or fixing problems with existing infrastructure. In fact, Stupin would remark that GeRa was by far the most bothersome of all the program’s top spammers, telling a fellow SpamIt administrator that, “Neither Docent [Mega-D botmaster] nor Cosma [Rustock botmaster] can compare with him in terms of trouble with hosting providers.”

Several of those chats show GeRa pointing out issues with specific Internet addresses that would later be flagged as control servers for the Grum botnet. For example, in a chat with Stupin on June 11, 2008, GeRa posts a link to the address 206.51.234.136. Then after checking the server, he proceeds to tell Stupin how many infected PCs were phoning home to that address at the time. That same server has long been identified as a Grum controller.

By this time, Grum had grown to such an established threat that it was named in the Top Spam Botnets Exposed paper released by Dell SecureWorks researcher Joe Stewart. On  April 13, 2008 – just five days after Stewart’s analysis was released –  GeRa would post a link to it into a chat with Stupin, saying “Haha, I am also on the list!” Continue reading →


5
Jan 12

Pharma Wars: Mr. Srizbi vs. Mr. Cutwail

The previous post in this series introduced the world to “Google,” an alias chosen by the hacker in charge of the Cutwail spam botnet. Google rented his crime machine to members of SpamIt, an organization that paid spammers to promote rogue Internet pharmacy sites. This made Google a top dog, but also a primary target of rival botmasters selling software to SpamIt, particularly the hacker known as “SPM,” the brains behind the infamous Srizbi botnet.

Today’s Pharma Wars entry highlights that turf battle, and features newly discovered clues about the possible identity of the Srizbi botmaster, including his whereabouts and current occupation.

Reactor Mailer Terms of Service, 2005

Srizbi burst onto the malware scene in early 2007, infecting hundreds of thousands of Microsoft Windows computers via exploit kits stitched into hacked and malicious Web sites. SpamIt members could rent access to the collection of hacked machines via a piece of spamware that had been around since 2004, known as “Reactor Mailer.”

This page from archive.org (pictured at right) is a Feb. 2005 snapshot of the terms of service for the Reactor Mailer service, explaining how it worked and its pricing structure. The document is signed by  “SPM,” who claims to be the CEO of a company called Elphisoft. He asks customers and would-be clients to contact him via ICQ instant message ID 360000 (the importance of this number will be apparent later in the story).

That same ICQ number features prominently in dozens of chat logs that apparently belonged to SpamIt co-administrator Dmitry “Saintd” Stupin. The logs were leaked online last year after Russian investigators questioned Stupin as part of an investigation into Igor Gusev, the alleged other co-founder of SpamIt. Facing criminal charges for his alleged part in SpamIt, Gusev chose to shutter the program October 2010, but not before its affiliate database was stolen and also leaked online.

BOTMASTER BATTLE

SPM is introduced to SpamIt in May 2007, when he joins the program with the hopes of becoming the default spam software provider for the pharmacy affiliate program. The chats translated and recorded at this link show SPM’s early communications with SpamIt, in which he brings on board several other affiliates who will help develop and maintain his Reactor/Srizbi botnet.

Very soon after joining SpamIt, SPM identifies Google — the Cutwail botmaster — as his main competitor, and sets off to undermine Google and to become the default spam software provider to SpamIt.

The following is from a chat between SPM and Stupin, recorded Oct. 9, 2007, in which SPM argues that he should be the primary spam software seller for SpamIt, and that his software’s logo should be embedded in the SpamIt banner at the organization’s closely-guarded online user forum.

Continue reading →


21
Nov 11

DDoS Attack on KrebsOnSecurity.com

Last week, not long after I published the latest installment in my Pharma Wars series, KrebsOnSecurity.com was the target of a sustained distributed denial-of-service (DDoS) attack that caused the site to be unavailable for some readers between Nov. 17 and 18. What follows are some details about that attack, and how it compares to previous intimidation attempts.

The DDoS was caused by incessant, garbage requests from more than 20,000+ PCs around the globe infected with malware  that allows criminals to control them remotely for nefarious purposes. If you’ve noticed that a few of the features on this site haven’t worked as usual these past few days, now you know why. Thanks for your patience.

I shared the log files of the attack with Joe Stewart, director of malware research at Dell SecureWorks. Stewart discovered that the botnet responsible for hitting my site appears to have been created with Russkill, a commercial crimeware kit that is sold for a few hundred bucks on the hacker underground. Russkill, sometimes called Dirt Jumper, does its dirty work by forcing infected systems to rapidly request the targeted site’s homepage.

Stewart said he suspects — but can’t prove – that the control center for this botnet is noteye.biz, based on traffic analysis of Internet addresses in the logs I shared with him.

“I did not already have [noteye.biz] under monitoring so it is impossible to say for sure what targets were hit in the past,” Stewart wrote in an email. He noted that the same attacker also apparently runs a Dirt Jumper botnet at xzrw1q.com, which also is currently attacking Ukrainian news site genshtab.censor.net.ua, and kidala.info (“kidala” is Russian slang for “criminal,” and kidala.info is a well-known Russian crime forum).

“According to my logs this botnet did attack your site back in April, so this is some additional circumstantial evidence that suggests the noteye.biz [control network] may have been involved in the recent attack on your site,” Stewart wrote.

As Stewart notes, this is not the first time my site has been pilloried, although it was arguably the most disruptive. In October 2010, a botnet typically used to spread spam for rogue Internet pharmacies attacked krebsonsecurity.com, using a hacked Linux server at a research lab at Microsoft, of all places.

I’ve spoken at more than a dozen events this year, and the same question nearly always comes up: Do you ever get threatened or attacked? For the most part, the majority of the threats or intimidation attempts have been light-hearted.

Yes, occasionally crooks in the underground will get a bit carried away – as in these related threads from an exclusive crime forum, where I am declared the “enemy of carding;” or in the love I received from the guys at Crutop.nu, a major Russian adult Webmaster forum (the site now lives at Crutop.eu).

Continue reading →


23
Jun 11

$72M Scareware Ring Used Conficker Worm

Authorities seized computers and servers in the United States and seven other countries this week as part of an ongoing investigation of a hacking gang that stole $72 million by tricking people into buying fake anti-virus products. Police in Ukraine said the thieves fleeced unsuspecting consumers with the help of the infamous Conficker worm, although it remains unclear how big a role the fast-spreading worm played in this crime.

Image courtesy fbi.gov

The Security Service of Ukraine (SBU) said today that it had seized at least 74 pieces of computer equipment and cash from a criminal group suspected of running a massive operation to steal banking information from consumers with the help of Conficker and scareware, a scam that uses misleading security alerts to frighten people into paying for worthless security software. A Google-translated version of an SBU press release suggests that the crime gang used Conficker to deploy the scareware, and then used the scareware to launch a virus that stole victims’ financial information.

The Ukrainian action appears to be related to an ongoing international law enforcement effort dubbed Operation Trident Tribunal by the FBI. In a statement released Wednesday, the U.S. Justice Department said it had seized 22 computers and servers in the United States that were involved in the scareware scheme. The Justice Department said 25 additional computers and servers located abroad were taken down as part of the operation, in cooperation with authorities in the Netherlands, Latvia, Germany, France, Lithuania, Sweden and the United Kingdom.

On Tuesday, The New York Times reported that dozens of Web sites were knocked offline when FBI officials raided a data center in Reston, Va. and seized Web servers. Officials from an affected hosting company told the Times that they didn’t know the reason for the raid, but the story suggested it may have been related to an ongoing investigation into a string of brazen intrusions by the hacktivist group “Lulzsec.” Sources close to the investigation told KrebsOnSecurity that the raid was instead related to the scareware investigation.

The FBI’s statement confirms the SBU’s estimate of $72 million losses, estimating that the scam claimed at least 960,000 victims. Although the FBI made no mention of Conficker in any of its press materials, the Ukrainian SBU’s press release names and quotes Special Agent Norman Sanders from the FBI’s Seattle field office, broadly known in the security industry as the agency’s lead in the Conficker investigation. Conficker first surfaced in November 2008. The SBU said the FBI has been investigating the case for three years. [Update, June 24, 9:37 a.m.: Not sure whether this was an oversight or a deliberate attempt to deceive, but the picture showing the stack of PCs confiscated in this raid is identical to the one shown in an SBU press release last fall, when the Ukrainian police detained five individuals connected to high-profile ZeuS Trojan attacks.]

Continue reading →


16
Mar 11

Rustock Botnet Flatlined, Spam Volumes Plummet

The global volume of junk e-mail sent worldwide took a massive nosedive today following what appears to be a coordinated takedown of the Rustock botnet, one of the world’s most active spam-generating machines.

Rustock spam volumes, from M86 Security Labs

For years, Rustock has been the most prolific purveyor of spam — mainly junk messages touting online pharmacies and male enhancement pills. But late Wednesday morning Eastern Time, dozens of Internet servers used to coordinate these spam campaigns ceased operating, apparently almost simultaneously.

Such an action suggests that anti-spam activists have succeeded in executing possibly the largest botnet takedown in the history of the Internet. Spam data compiled by the Composite Spam Blocklist, the entity that monitors global junk e-mail volumes for the anti-spam outfit Spamhaus.org, shows that at around 2:45 p.m. GMT (10:45 a.m. EDT) spam sent via the Rustock botnet virtually disappeared. The CBL estimates that at least 815,000 Windows computers are currently infected with Rustock, although that number is more than likely a conservative estimate.

“This is a truly dramatic drop,” said one anti-spam activist from Ottawa, Canada, who asked not to be named because he did not have permission from his employer to speak publicly about the spam activity spike. “Normally, Rustock is sending between one to two thousands e-mails per second. Today, we saw infected systems take an abrupt dive to sending about one to two emails per second.”

Joe Stewart, director of malware research with Atlanta-based Dell SecureWorks, said none of the 26 Rustock command and control networks he’s been monitoring were responding as of Wednesday afternoon.

“This looks like a widespread campaign to have either these [Internet addresses] null-routed or the abuse contacts at various ISPs have shut them down uniformly,” Stewart said. “It looks to me like someone has gone and methodically tracked these [addresses] and had them taken out one way or another.”

Update, Mar. 18, 10:04 a.m. ET: As many readers have pointed out, the Wall Street Journal is reporting that the takedown of Rustock was engineered by Microsoft, which used the legal process to shutter the botnet’s control networks at various U.S.-based hosting providers. For more on how Microsoft did that, check out my latest story, Homegrown: Rustock Botnet Fed by U.S. Firms.

Original story:

Continue reading →


24
Feb 11

SpamIt, Glavmed Pharmacy Networks Exposed

An organized crime group thought to include individuals responsible for the notorious Storm and Waledac worms generated more than $150 million promoting rogue online pharmacies via spam and hacking, according to data obtained by KrebsOnSecurity.com.

In June 2010, an anonymous source using the assumed name “Despduck” began an e-mail correspondence with a key anti-spam source of mine, claiming he had access to the back-end database for Glavmed, a.k.a. “SpamIt”, until recently the biggest black market distributor of generic pharmaceuticals on the Internet.

Source: M86 Security Labs

If you received an unsolicited email in the past few years pimping male enhancement or erectile dysfunction pills, chances are extremely good that it was sent compliments of a Glavmed/Spamit contractor or “affiliate.” According to M86 Security Labs, the sites advertised in those Glavmed/Spamit emails — best known by their “Canadian Pharmacy” brand name — were by far the most prevalent affiliate brands promoted by spam as of June 2010.

Despduck said he could deliver data on hundreds of thousands of consumers who purchased pills through Glavmed’s sizable stable of online pharma shops, as well as detailed financial records of Glavmed/SpamIt affiliates who earned thousands of dollars of month promoting pharmacy sites using spam and hacked Web sites.

After many months of promising the information, Despduck finally came through with a 9-gigabyte database file that contained three years worth of financial books for the massive illicit pharmacy network. My source shared the data with several U.S. law enforcement agencies, and ultimately agreed to share it with me.

The database reads like a veritable rogues gallery of the Underweb; In it are the nicknames, ICQ numbers, email addresses and bank account information on some of the Internet’s most notorious hackers and spammers. This huge cache of information shows that over the course of three years, more than 2,500 “affiliates” earned hefty commissions promoting Glavmed’s pharmacy sites.

In total, these promoters would help Glavmed process in excess of 1.5 million orders from more than 800,000 consumers who purchased knockoff prescription drugs between May 2007 and June 2010. All told, Glavmed generated revenues of at least $150 million.

Continue reading →