IT Security Blog

12 May 2009

The Dangers of Information Sharing in a Web 2.0 World


It's 10pm.  Do you know where your data is?

One of the strengths of Web 2.0 applications is also one of their greatest weaknesses.  As information sharing has become all the rage on social networking, blogging, and micro-blogging sites like Facebook, MySpace, and Twitter (and as search engines like Google mine that data), we need to be aware not only of the data we share about ourselves, but also more diligent about qualifying what we read. 

Case in point: a Twitter user going by the name of @officethemovie started posting content about an upcoming Zune/Windows phone to rival the iPhone.  As one would guess, word spread quickly and @officethemovie soon gathered over 1,000 followers.  Some of the major technology publications, like PC Magazine (@pcmag on Twitter), understandably became interested as well.  It turned out that @officethemovie had created the posts only to raise the visibility of iPhone piracy to Apple via his blog, and that the Zune/Windows phone wasn't real.  I feel that I've given enough publicity to @officethemovie already via his numerous mentions throughout this post, so I won't link to his blog here.  Trying to drive traffic to your blog through deception is lame and basically ruins all of your credibility.

No matter the communication medium, information travels faster and is more widely distributed than ever before.  What's the saying?  "If it is on the internet, it must be true"?  Obviously that is meant tongue-in-cheek, and maybe I am paraphrasing a bit, but the moral of the story is that misleading information can run rampant very quickly.  Misleading information is the basis of most of the social engineering attacks employed by cyber criminals today, so it is of the utmost importance that we don't take the risks associated with Web 2.0 technologies lightly, whether the lure is something reasonably benign like a phony phone announcement or something more serious like a scam that can lead to identity theft.  Perhaps what we are dealing with is the Web 2.0 version of hacktivism?
Posted by smasiello at 4:20 PM | Link | 1 comment
16 January 2009

Barack Obama Has Refused to Be President??


....or so spammers would have you believe.

A couple of days before the inauguration of president-elect Barack Obama, spammers are sending out political propaganda that would have you believe that Barack Obama no longer wishes to be President of the United States. 

Spam emails are being sent out with subject lines such as "Haven't you heard latest news about our president-elect?" (Funny enough, one of these samples originated in Brazil.  Is Obama about to be President down there too? :) ), "End-time for USA", and "Who will be our president now?".  The messages are single-line spam: a phrase of only a few words followed by a link to a barackobama.com look-alike site.  Some of the phrases we have observed in the emails are "Barack Obama abandoned sinking ship" and "Obama doesn't want anymore to be a president".

The site that users are lured to if they click the link in the email looks like this:




All of the links on the site point to a file named pdf.exe, which McAfee classifies as part of the Waledac family of malware.  Waledac is widely considered to be the new incarnation of the Storm Worm, based on its behavioral similarities to the original Storm botnet, which has since gone dark. 
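The two traits described above (a body of only a few words followed by a link, the link pointing at a domain that trades on barackobama.com, and a download named pdf.exe) are easy to turn into a triage heuristic. The following is an added example, not MX Logic code or anything recovered from the campaign; the message bodies and the look-alike domains (on the reserved .example TLD) are constructed, since the real look-alike domain is not given on the page. The registrable-domain helper is deliberately naive (last two labels) and would need the Public Suffix List in production.

```python
"""Heuristic triage of short spam lures that point at a look-alike domain.

Added example; not the blog's or MX Logic's code. Sample messages and domains
below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

BRAND = "barackobama.com"
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return the http(s) URLs in a message body, trailing punctuation stripped."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def registrable_domain(host):
    """Naive eTLD+1: the last two labels. Fine for .com lures; a real filter
    would consult the Public Suffix List so that co.uk and friends work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Classic edit distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host, brand=BRAND):
    """True if host trades on the brand name but is not the brand's own domain.

    Catches three shapes: the brand as a sub-label (barackobama.com.x.example),
    the brand token embedded in a longer label (barackobama-news.example), and
    a one-edit typo of the brand label (barakobama.example)."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) == brand:
        return False  # the genuine site, whatever the subdomain
    brand_label = brand.split(".")[0]
    for label in host.split("."):
        if brand_label in label:
            return True
        if abs(len(label) - len(brand_label)) <= 1 and levenshtein(label, brand_label) <= 1:
            return True
    return False


def links_to_executable(url):
    """True if the URL path ends in a directly executable extension."""
    return urlparse(url).path.lower().endswith(EXECUTABLE_EXT)


def score_message(subject, body):
    """Return the list of reasons a message matches this campaign's shape."""
    reasons = []
    urls = extract_urls(body)
    text_only = URL_RE.sub("", body)
    if urls and len(text_only.split()) <= 8:
        reasons.append("one-line lure")
    for u in urls:
        host = urlparse(u).hostname or ""
        if is_lookalike(host):
            reasons.append(f"look-alike of {BRAND}: {host}")
        if links_to_executable(u):
            reasons.append(f"executable download: {u}")
    return reasons


# Constructed samples modelled on the campaign described above, plus one benign
# message from the genuine domain to show the heuristic does not fire on it.
SAMPLES = [
    ("Who will be our president now?",
     "Barack Obama abandoned sinking ship http://barackobama.com.news-today.example/"),
    ("End-time for USA",
     "Obama doesn't want anymore to be a president http://barakobama.example/pdf.exe"),
    ("Volunteer update",
     "Thanks for joining the campaign. Read more about this weekend's volunteer "
     "events and how to get involved in your neighborhood: "
     "http://my.barackobama.com/page/volunteer"),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(f"{subject!r}: {score_message(subject, body) or 'clean'}")
```

The word-count threshold is what makes this campaign stand out: a legitimate mailing from the genuine domain carries a sentence or two of context, while the lure is a slogan and a link. The look-alike check is the more durable signal, since the same domain shapes come back with every news-driven campaign.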

As is often the case with these new outbreaks, AV detection is scarce so be aware of this new tactic.  Taking a brief opportunity to toot our own horn, we predicted this type of attack in the January edition of our Threat Forecast and Report.

Volumes are currently averaging about 4,000 per hour hitting the MX Logic systems.  We will continue to monitor this over the weekend and update as necessary.


*** UPDATE 1/19/2009 3:30pm MST *** Volumes have averaged between 5,000 and 16,000 messages per hour over the weekend and into Monday, with today's average hovering around 10,000 per hour.  No new significant variants have been observed.  Below is an updated volume graph:



As you can see, there are still significant peaks and valleys in the Obama email message flow, which means that this campaign is still actively sending out spam.  With Tuesday's inauguration we will continue to monitor for either another resurgence of this tactic or the emergence of a new variant from the PCs responsible for sending out this current spam wave.  As soon as anything crops up, we will be sure to make you all aware.

Posted by smasiello at 5:14 PM | Link | 1 comment
22 December 2008

What Looms Ahead for Cyber Security Under Obama?


According to this RWW (Read Write Web) article posted on Saturday, a recent cyber war simulation revealed that the United States is not equipped to handle a major attack against its computer networks. 

This news is not new. 

Other articles have been published (example from Signal Online here) about the vulnerability of the United States to a cyberterrorism attack, but we are not alone. 

This is potentially not just a United States issue; it could be a world-wide one.  South-East Asia is vulnerable according to this article from DarkNet.  Microsoft claims that Europe is also a likely target for attack.  Siliconindia.com wrote last Thursday that India is also vulnerable to cyberterrorism.  Many other countries surely are as well.

If such an attack were to happen (and to be honest, I am not entirely convinced that this would actually happen, but I am certainly not discounting the need for increased security awareness regardless of its potential effects either) on any of the major economies, its effects would be experienced at a global level. 

One of the many items that Obama is being pressed on as he puts together his new administration is the creation of a National Office for Cyberspace headed by a new Cybersecurity Czar.  I believe that this is a good idea if the right appointment is made, but neither that person nor the Cyberspace Office can act in a silo.  They need to coordinate with other nations and create uniformity in establishing policies and procedures.  An obvious question that then arises out of all of this is "Are the policies enacted by the National Office for Cyberspace going to be compulsory only for government agencies, or also for the finance, telecom, and energy industries?"  Secondly, if these policies will also be required of small businesses and enterprises, what will be the cost to them? 

The RWW article also asks whether or not the White House is the right entity to be coordinating this effort for the United States.  A good question, considering its track record in addressing issues like spam via the CAN-SPAM Act, which just celebrated its fifth birthday.  Despite that negative mark, though, I'll ask the question for discussion: who else could coordinate this effort and achieve the necessary involvement from the EU, India, South-East Asia, et al.?  If there is such a group, let them step forward.

There are clearly a lot of questions that are as yet unanswered and likely will not be answered for the foreseeable future.  Here's hoping that the Obama administration will take the cybersecurity initiative as a whole (not just the cyberterrorism angle) seriously, and that he also solicits the opinions and ideas of the security industry when making any decisions.  We have a lot of ideas and recommendations that should be seriously considered.
Posted by smasiello at 10:33 AM | Link | 0 comments
28 October 2008

Voter FUD Trying to Keep Voters from the Polls


According to this PC World article, spammers have turned to political hacktivism, sending email intended to keep voters from going to the polls this election season.  Emailed warnings have been sent to people in Maryland telling them that they cannot vote in the election if their homes have been foreclosed on.  There have also been reports of emails circulating in Florida claiming that your driver's license and Social Security information must match federal records in order for you to vote. 

I am certainly no political guru, but the thing that interests me the most about this is what spammers intend to gain by employing this tactic.  These emails have been sent out en masse and have not been targeted towards a particular party affiliation.  So, it isn't like they are going out and trying to specifically keep Democrats or Republicans from voting in an attempt to steer the vote towards one candidate or the other.  Either way, in this financially motivated underground economy, it isn't clear to me what a spammer would have to gain by spreading these types of messages.  There is no proof at this time that these emails are in any way associated with either the Obama or McCain campaigns. 

This certainly isn't the first time that email has been used to spread false political messages, but in many of those cases there has been a target or some kind of agenda associated with it.  Barack Obama has been the social engineering lure in a couple of spam and malware campaigns since the Democratic National Convention concluded, but those have been attempts to discredit Obama by associating him with non-existent online sex videos. 

The long and short of it is that, with one week to go until the election, there are likely to be more email campaigns with similar political themes.  It is also entirely possible that, as users visit more and more political web sites to inform themselves about the local issues they will be voting on, some of those sites will be compromised by cyber criminals.  Compromise of legitimate web sites is becoming more and more common.  So, be sure that your computer is up to date with all of its latest security updates and patches. 
Posted by smasiello at 8:59 AM | Link | 0 comments
18 August 2008

Stop the Cyber-Warfare/Terrorism FUD


Every few months another story comes out that talks about the vulnerability of the United States to a cyber-terrorism/warfare/attack.  Today, CNN.com posted another one of these stories.

The fact of the matter is that cyber-warfare is occurring every day.  Every day the network infrastructures of internet service providers, organizations, and every connected network node in the United States and around the world are under siege from network attacks.  Could they all be the type of attack that could bring down a network and cause hundreds, thousands, or millions of dollars in lost productivity?  To some degree, yes.  Botnets hold enormous distributed computing power that, when fully harnessed, is capable of launching distributed denial of service attacks that could overwhelm any network and bring it to its knees.  Infrastructures everywhere are overbuilt, in part to manage growth, but in larger part to protect server farms from becoming overloaded and unresponsive in the event of an attack. 

Spam (the most popular use for botnets) costs in the United States alone are estimated to be in the $200B (with a B) realm for 2008.  That's just email!  That doesn't take into account the number of web sites now hosting malware (both sites set up for the sole purpose of hosting malware and, increasingly, legitimate web sites that have been compromised) with keylogger payloads, which leads to problems like identity theft and corporate espionage that only add to that $200B figure. 

The cyber war is being fought every day, with attacks originating from all over the globe aimed at equally dispersed targets.  Although it is true that many of the networks and service providers in the United States can better handle an attack than some in the former Soviet republic of Georgia, bandwidth is still finite; if a botnet launches an attack against you that is larger than your pipes and servers can handle, you have problems, and that isn't just a United States issue.

Posted by smasiello at 2:36 PM | Link | 0 comments
20 March 2008

Surf Child Porn (or not?), Go To Jail


I was forwarded this article this morning regarding an FBI sting operation using fake web links in an effort to catch people who surf to child porn sites.  I am all for prosecuting people who are breaking the law, particularly in relation to offenses relating to child porn, but the method described in the article has an uncomfortably high potential for false positives.

For starters, web sites are public and accessible to anyone, anywhere, at any time, regardless of how they got there.  How is the FBI to know that you found the web site as a result of one of their email lures and didn't stumble upon it some other way, having no original intention to visit a child porn site?  Have you ever found yourself on a porn site or some other site that you weren't expecting as a result of a mistyped URL, unintended mouse click, or deceptive web site?  Sure you have! 

The article mentions another real possibility: accessing the site via an unsecured wireless connection.  Could you frame the neighbor you don't like, the one with the dog that barks all day, by jumping on his open wireless network and surfing to this mousetrap site?  What if a bot on your PC was emulating clickthroughs to the site in an attempt to send the authorities on a wild goose chase?

I agree with the author where he states that this potentially sets a dangerous precedent if this type of surveillance continues to be allowed to stand up as evidence.  Granted, we've all heard the "someone must have been using my wireless network" and "I must have had malware on my PC" defenses before, but this situation could have some serious federal-level consequences.  Sounds dangerous to me!
Posted by smasiello at 12:45 PM | Link | 2 comments
05 March 2008

Hacktivism Meets Malware


I came across an article this morning on the SC Magazine site talking about a new virus called "MonaRonaDona", which takes a bit of a different twist when put next to most strains of malware released over the past couple of years. 

As we know, malware made the move a few years ago from a vehicle used to achieve fame or notoriety to a method used to make large amounts of money.  Similar to how MBR rootkits are a bit of a throwback to a time when attacking the MBR was a popular method of virus infection, the MonaRonaDona worm is a throwback to the time when worms were written mostly for recognition.  Granted, there is a financial component to MonaRonaDona as well, but it is not likely to be very successful.

MonaRonaDona appears to be spreading via malicious advertisements posted on web sites.  The user will not know they are infected until they reboot their machine, at which point they receive a popup that states: "Hi, My name is MonaRonaDona. I am a Virus and I am here to Wreck Your PC. If you observe strange behavior with your PC, like program windows disappearing etc, it's me who is doing all this. I was created as a protest against the Human Rights Violation being observed throughout the world & the very purpose of my existence is to remind & stress the world to respect humanity."  This malware will also prevent the user from opening common programs on their PC, such as Microsoft Office and Adobe applications.

Very noble, but I fail to see how preventing me from opening Word does anything to remedy crimes against humanity in places like Darfur.

The worm author also intends to socially engineer the user of the infected PC into searching Google for the name of the worm.  Among the fake sites engineered by the malware authors is one selling a product named Unigray.  For $40, Unigray claims that it can clean your PC of MonaRonaDona.  Of course, all it really cleans out is your wallet, to the tune of $40 :)

Personally, this worm seems like a lot of work for what will likely be very little reward.  It is different though, especially with the hacktivism angle, from most other malware which makes it interesting. 

We've discussed before that we expect to see more politically based spam as the presidential election year wears on, especially closer to the Democratic and Republican conventions.  Expect to see more politically based, hacktivism-style malware lures as the year progresses and the race for the White House intensifies.  As we saw with the Ron Paul spam last November, the stage has been set to use spam as a method of propaganda distribution for the upcoming election!

Posted by smasiello at 11:03 AM | Link | 1 comment