I spent the past few days in Mexico City participating in the annual meeting of the Honeynet Project, an international group dedicated to developing and deploying technologies that collect intelligence on the methods malicious hackers use in their attacks. The event brought in experts from around the globe, and our hosts — the National Autonomous University of Mexico (in Spanish, UNAM) were gracious and helpful.

As it happens, honeynets and other “deception technologies” are among the approaches discussed in the following document, written by the National Security Agency‘s Information Assurance Directorate.  A source of mine passed it along a while back, but I only rediscovered it recently. I could not find a public version of this document that was published online previously, so it has been uploaded here.

The 605-page PDF document reads like a listing of the pros and cons for a huge array of defensive and counterintelligence approaches and technologies that an entity might adopt in defending its networks. Of particular interest to me was the section on deception technologies, which discusses the use of honeynet technology to learn more about attackers’ methods, as well as the potential legal and privacy aspects of using honeynets. Another section delves into the challenges of attributing the true origin(s) of a computer network attack.

The document is a final draft from back in 2004, although I’m told the final version of the document varies little from this copy. In any event, it may be surprising to some to see how many of the techniques, technologies and challenges detailed in this document remain relevant and timely six years later. It is embedded in this blog as a Scribd file, viewable after the jump (the document is > 5mb, so please be patient). I removed the Scribd embedded PDF, because it was causing problems for too many readers. The full PDF is available at this link here.

Criminals are spamming the Zeus banking Trojan in a convincing e-mail that spoofs the National Security Agency. Initial reports indicate that a large number of government systems may have been compromised by the attack.

According one state government security expert who received multiple copies of the message, the e-mail campaign — apparently designed to steal passwords from infected systems — was sent exclusively to government (.gov) and military (.mil) e-mail addresses.

The messages are spoofed so that they appear to have been sent by the National Intelligence Council (address used was nic@nsa.gov), which serves as the center for midterm and long-range strategic thinking for the U.S. intelligence community and reports to the office of the Director of National Intelligence.

The e-mails urge recipients to download a copy of a report named “2020 Project.” Another variant is spoofed to make it look like the e-mail came from admin@intelink.gov. The true sender, as pulled from information in the e-mail header, is nobody@sh16.ruskyhost.ru

My source told me that a significant discussion going on within the U.S. Computer Emergency Readiness Team (US-CERT) suggests that this attack was leveled only at governments, and that a relatively large number of recipients were taken in by the ruse and infected their PCs. For example, the state government agency that my source works at has already confirmed “a couple hundred” infections at their site. US-CERT officials could not be immediately reached for comment, and the organization’s Web site currently does not feature any information about this attack.

The scam e-mails may seem legitimate because the name of the booby-trapped file mimics a legitimate 2020 Project report published by the NIC, which has a stated goal of providing US policymakers “with a view of how the world developments could evolve, identifying opportunities and potentially negative developments that might warrant policy action.”

Only 16 of the 39 anti-virus scanners used by Virustotal.com detect the file as malicious, and those that do mostly label it as a variant of the Zeus/Zbot Trojan, a program designed to steal passwords from infected systems and give attackers remote control over sickened PCs.

Another source who asked not to be named said the version of Zeus being distributed in the e-mails is rather dated, but that it includes a configuration utility that allows the malware to be updated with the capability to upload PDF files and other interesting information from infected PCs.

The Zeus Trojan is the primary tool that organized criminals have been using to steal banking information from countless small businesses, as well as dozens of state and local government organizations. In each attack, the thieves use the stolen credentials to siphon the victim organization’s bank accounts, and funnel the money through accomplices in the United States, who then wire the cash overseas to Ukraine and other Eastern European nations.

Earlier this week, the New York town of Poughkeepsie reported that thieves had broken into the town’s bank account and stolen $378,000 in municipality funds. Poughkeepsie officials said $95,000 was recovered from a Ukrainian bank.