Keylogger virus infects drone plane command centre

The hot news on the blogosphere at the moment is the revelation that a Keylogger virus has infected the drone plane command centre at Creech air force base in Nevada.

Keylogging (or Keystroke logging) is the action of tracking (or logging) the keys struck on the keyboard, typically in a covert manner so that the person using the keyboard is unaware. The Keylogger virus is used to capture users’ passwords, credit card details and bank account numbers as people type them in. The data is then sent over the web to fraudsters. Security officials are currently unable to completely remove the virus, as it keeps reinstalling itself, suggesting that the attack vector has not been plugged.

Creech air force base in Nevada is the command centre for the remotely piloted aircraft used in Afghanistan including the Predator drone spyplane-bomber. The Predator is a medium-altitude, long-endurance unmanned aircraft system which is used in Afghanistan and, more controversially, across the border in Pakistan.

This is the latest security breach for the hi-tech remotely piloted vehicle system; the US military has previously found out that Iraqi insurgents were able to capture and record the footage being sent to troops and back to the airbase by cameras on the drones. The insurgents hacked into video feeds, which were not encrypted, using a $26 piece of Russian software named SkyGrabber. Apparently The encryption for the feeds were removed for performance reasons.

ACH Spam With Malware Attachment

The spam filters have been busy over the last couple of days, with a number of Emails with the title of ACH NOTIFICATION and ACH Payment [Number] Rejected. In each case the email contains an attachment purporting to be a self extracting PDF file.

Of course, on closer examination the supposed self extracting PDF file is a malware down-loader, no doubt ready and waiting to connect you to one or more bot nets. This is a common scenario with a spammed-out trojan down-loader triggering the execution of multiple pieces of malware on the unwitting user’s computer. In this case, Sophos anti virus detects the file and identifies it as Mal/BredoZp-B. For a detailed analysis of the activities of the spam payload, see the article on the ACH spam campaign by M86 security labs via the link below.

Automated Clearing House (ACH) is an electronic network for financial transactions in the United States. As usual with this type of spam and associated malware, ACH have no connection with the email, so there is little point in blocking the sender’s address, in our case ach.01 at nacha.org.

Once again our advice is that you should not open any unexpected emails, or unsolicited attachments, as in this case it will attempt to infect your Windows computer. Just press delete and double check that your anti-virus software is up to date.

Resources relating to ACH Spam With Malware Attachment:

Uniform Traffic Ticket Malware Spam

If you live anywhere except the City of New York you may have been surprised to receive an email recently, which claims to come from the New York State Department of Motor Vehicles. Even if you aren’t based in the United States, or even don’t drive a car, you may well see the posting which poses as a “Uniform Traffic Ticket” and says that you are charged with speeding at 7:25 AM on the 5th July 2011.

People may be tempted to open the attachment out of curiosity, or even alarm if they have been driving in New York City, but do not, or you may end up with a computer infected with malware.

However, the message is certainly not from New York State Police and the attachment does not contain a speeding ticket. In fact, the attachment contains a trojan that, if opened, can install itself on the user’s computer. Typically, such trojans are able to contact a remote server and download further malware that can steal information from the infected computer and allow criminals to control it from afar.

The email sender address has been reported as automailer.nnn, no-reply.nnn and info.nnn, all purportedly at nyc.gov. It goes without saying that the New York State Police and the New York State Department of Motor Vehicles have nothing to do with this email, and this should be treated as all Viruses and Spyware. The New York State Police Computer Crime Unit has issued a Hoax E-mail Alert dealing with the Uniform Traffic Ticket Malware Spam.

The attached file, which is called something like Ticket-O64-211.zip, Ticket-728-2011.zip, or just Ticket.zip, is designed to download further malicious code onto your computer and compromise your security. Sophos anti-virus products detect the malware payload as Mal/ChepVil-A, while the CyberCrime & Doing Time Blog identifies that the malware connects to a Russian domain and downloads files called “/ftp/g.php” and “pusk3.exe”.

The Uniform Traffic Ticket Malware Spam email is probably the work of a Botnet, which is a group of computers infected with malicious software and controlled as a group without the owners’ knowledge. The network of private computers, sometimes known as zombies or robots, run autonomously and automatically to send out spam emails to encourage users to open virus or Trojan infected attachments. This means that it is pointless blocking the sender, as the sender address is forged, and unrelated to the actual computer used to send the email.

We recommend that you delete the e-mail it and not forward it to anyone else. Make sure that you have active anti-virus software, and have your firewall switched on. Of course you should only open e-mails from familiar and trusted sources; if you really have been speeding in New York City, the New York State Department of Motor Vehicles will certainly find a way to let you know!

For further information on this subject:

Google Data Protection Audit Report Published

Have you ever seen the the ICO auditers? If your company was to receive a call from them, how well do think you would fare?

This week the UK Information Commissioner’s Office (ICO) has published an Executive Summary of its Data Protection Audit Report on Google, following the revelation that Google were inadvertently collecting wi-fi signals while mapping the country. According to their website, the ICO carries out consensual audits with data controllers to assess their processing of personal information.

Last year the ICO became aware that that Google Street View vehicles, which had been adapted to collect publicly available wi-fi radio signals, had mistakenly collected a limited amount of payload data, likely to include a very limited quantity of emails, URLs and passwords. Google agreed to facilitate a consensual audit by the ICO.

The framework that was included in the audit scope is as follows:

Framework: Google will conduct an internal assessment and provide a confidential written report (“Privacy Report”) to the Commissioner. This Privacy Report will analyze Google’s implementation of the privacy process changes it outlined on October 22, 2010 as it applies to Google’s UK operations. The Information Commissioner’s Office may then validate the Privacy Report’s accuracy and findings via an in-person meeting to review the Privacy Report at Google’s U.S. headquarters or at the offices of Google’s UK subsidiary. Google shall provide the Privacy Report to the Commissioner before such meeting.

Google has responded to the ICO report citing that the findings provided “reasonable assurance that Google have implemented the privacy process changes outlined in the Undertaking.” This was posted on the European Public policy Blog by Alma Whitten, Director of Privacy, Product and Engineering, whose appointment was announced on 22 October 2010.

While there are a few areas for improvement noted in the executive summary, there are none that would warrant the description of Earth shattering proportions. We would consider that any company that had been subject to a consensual audit by the Information Commissioner’s Office would be quite satisfied with the report. Knowing how good Google are at marketing, they will probably want to make capital out of it too.

Before we leap to judge Google, it is worth pointing out that in UK, the Data Protection Act 1998 requires every data controller who is processing personal information in an automated form to notify the ICO, unless they are exempt. Failure to notify is a criminal offense, and entries have to be renewed annually. If you are required to notify but don’t renew your registration, you are committing a criminal offense. Do you need to register?

If your company was to receive a visit from the Information Commissioner’s auditors, even with nine months notice like Google, how well do think you would fare? How many pieces of personal data has your company inadvertently collected over the years, and are still retaining for no legitimate purpose? Perhaps it would be worth a visit to the ICO website to find out if you need to do something now?

For more on the story:

Beware of Emails Bearing Gifts

Have you seen an email entitled UPS notification? Have you received an unexpected email telling you about a parcel sent your home address, when you have nothing on order? Do you feel excited at the thought of getting an unexpected gift?

Unfortunately, that is not a mysterious present in the post, but a piece of malicious software, or malware, called the UPS Notification Virus. This is an automated attempt to install a Trojan on your computer, which is a piece of software that would connect to a medium risk domain in Russia and subsequently download all manner of undesirable additions to your computer.

If you are fortunate enough to operate behind a corporate firewall and email gateway this will be intercepted by the mail scanning software, and all you will get is an email with the subject line something like: WARNING. Someone tried to send you a potential virus or unauthorized code. If you see this message you need to do nothing further; the threat has been eliminated by the software.

At home, if you have up to date anti-virus software installed, you may see the email with an additional marker like [Quarantined], or a message from the anti-virus software manufacturers indicating that the threat has been removed. In this event you need to do nothing further except keep your anti-virus software current.

However, if you access your email by a webmail client, and do not subscribe to an anti virus service, then you may see an email in your inbox with the subject of UPS notification. Preview of the email will show you something like this:

Dear customer.

The parcel was sent your home address.
And it will arrive within 3 business day.

More information and the tracking number are attached in document below.

Thank you.
© 1994-2011 United Parcel Service of America, Inc.

In this event, DELETE the email and do not attempt to open the attachment. UPS may sometimes send emails, but generally does not include attachments. If you see this email on a company computer then please additionally inform the local ICT helpdesk, to alert them so that they can investigate how the message reached you.

Remember

  • Only disclose your email address to known individuals and organizations
  • Only open email and attachments from known and trusted sources
  • If in doubt, check with your local IT department or support person if you are not sure that an email is genuine

Microsoft Offers Reward for Information on Rustock Botnet

In a further move against international cyber criminals, Microsoft has offered a reward of $250,000.00 reward for information that results in the identification, arrest and criminal conviction of those responsible for controlling the notorious Rustock bot-net.

Microsoft says that IP address infections of Rustock have reduced by more than 50% worldwide since the company took action in March. Microsoft took the infamous Rustock botnet down earlier this year alongside U.S. enforcement agents, and claims that it remains dead.

The Rustock botnet was the largest source of spam in the world, consisting of around 150,000 machines sending around 30 billion spam messages a day. The take down was part of Microsoft’s fight against illegal botnets, designed to stop the spread of malware and spam mail.

Anyone with information on the Rustock botnet or its operators should contact Microsoft at avreward@microsoft.com.

To find out more about Microsoft Offering a Reward for Information on Rustock Botnet, click here to see the post on the Official Microsoft Blog.

If you have missed previous TechCo Support posting about the fight against the menace of Botnets and the progress of the Microsoft Digital Crimes Unit please see:

Microsoft Reward Document

Microsoft Floors The Coreflood Botnet

With headlines like “More Than 2 Million Computers Infected with Keylogging Software as Part of Massive Fraud Scheme”, the U.S. Department of Justice (DoJ) and Federal Bureau of Investigation announced the filing of a civil complaint, the execution of criminal seizure warrants, and the issuance of a temporary restraining order as part of the most complete and comprehensive enforcement action ever taken by U.S authorities to disable an international botnet.

The U.S. Attorney’s Office for the District of Connecticut has filed a civil complaint against 13 “John Doe” defendants, alleging that the defendants engaged in wire fraud, bank fraud and illegal interception of electronic communications.

The Coreflood botnet is a particularly harmful type of malicious software that records keystrokes and private communications on a computer. Once a computer is infected with Coreflood, it can be controlled remotely from another computer, known as a command and control (C & C) server.

Interestingly, the US Government also obtained a temporary restraining order (TRO), granting authorization to respond to signals sent from infected computers in the United States in order to stop the Coreflood software from running, thereby preventing further harm to hundreds of thousands of unsuspecting users of infected computers.

Essentially the DoJ was allowed to impersonate the commanding servers and send a Stop command to the botnet agents that were tethered to the 5 illegal computers, known as a command and control (C&C or CnC) servers. This is believed to be a precedent, and opens the door for more active countermeasures against these criminal money-making machine networks.

Following on from the earlier successes against the Rustock botnet in March, and the Waledac botnet in February, this action takes the war against these cyber crimanls a stage further.

Other links on the subject:

Microsoft Claims Rustock Botnet Takedown

Have you missed your daily dose of spam emails advertising everything from Viagra to fake pharmaceuticals and watches this week? According to a link spotted on eWeek, Microsoft is claiming responsibility for the takedown of the massive Rustock botnet, which stopped sending out spam midmorning on 16 March 2011.

This operation, known as Operation B107, is the second high-profile takedown in Microsoft’s joint effort between Microsoft Digital Crimes Unit (DCU), Microsoft Malware Protection Center and Trustworthy Computing – known as Project MARS (Microsoft Active Response for Security) – to disrupt botnets and begin to undo the damage the botnets have caused.

The previous operation against the Waledac botnet (B49) followed a judgement by the US District Court of Eastern Virginia, that upheld a recommendation to grant Microsoft’s motion for the transfer of the domains behind the Waledac botnet to Microsoft.

The Rustock Botnet is estimated to have infected up to 1.7 million computers worldwide, and up to the end of 2010 may have been responsible for almost 50% of the spam sent worldwide. At times Rustock was capable of sending 30 billion spam e-mails per day.

The Rustock Botnet was identified as being more complicated than the Waledac botnet, using hard coded IP addresses rather than domain names, and peer-to peer command and control servers. To combat this Microsoft obtained a court order allowing them to work with the U.S. Marshals Service to physically capture evidence onsite and, in some cases, take the affected servers from hosting providers for analysis.

The amount of computers which can be linked in a botnet is mind boggling, and because the bots are so versatile their use is limited only be the imagination of their controller, or bot-herder.

In order to combat botnets, Microsoft encourage every computer owner to make sure their machine isn’t doing a criminal’s dirty work. If you believe your computer may be infected by Rustock or other type of malware, we encourage you to visit support.microsoft.com/botnets for free information and resources to clean your computer.

Further links and resources

Finally, for everyone who likes comics, check out the Microsoft comic strip Terrifying Tales of Digital Delivery

Microsoft Takes Down The Waledac Botnet

In a post on the Official Microsoft blog, entitled Cracking Down on Botnets, Microsoft announced the takedown of the Waledac botnet, one of the 10 largest botnets in the United States and a major distributor of spam globally. Microsoft achieved this after a federal judge granted a temporary restraining order cutting off 277 Internet domains believed to be run by criminals.

In a complaint filed in the Eastern District of Virginia on the 22 February against John Does 1-27 et al, Microsoft alleged that the “Doe defendants have undertaken the forgoing acts with the knowledge that such acts would cause harm through the .com domains located in Virginia and through user computers located in Verginia, therby injuring Microsoft, its customers and others both in Virginia and elsewhere in the United States”. This argues that the Virginia Court has jurisdiction over the case regardless where the perpetrator reside.

The takedown of the Waledac botnet, or Operation B49 as it was known internally in Microsoft, was the result of months of investigation. The Waledac botnet is believed to have had the capacity to send over 1.5 billion spam emails per day. From Microsoft’s analysis, between 3-21 December 2009, approximately 651 million spam emails attributable to Waledac were directed to Hotmail accounts alone.

This legal and industry operation against Waledac is the first of its kind, but hopefully it won’t be the last. Microsoft has acted with experts from the international security communication to combat this menace to computer users everywhere. However, taking down the botnet is not the end of the story.

Thousands of computers are still infected with the Waledac computer worm, a self-replicating malware computer program. Although the zombies are now largely out of the bot-herders’ control, they are still infected with the original malware. Microsoft advise users people running Windows machines to visit the Microsoft Security Web site, where they can find Microsoft’s Malicious Software Removal Tool, which removes Waledac.

Links and resources relating to Microsoft Takes Down The Waledac Botnet:

Important WordPress Security Update Announced

In a direct email from Matt Mullenweg via the WordPress.org announcement list, news has reached our ears about an important WordPress Security Update, WordPress version 3.0.4.

Apparently, they have fixed a critical vulnerability in WordPress’ core HTML sanitation library, and because this library is used lots of places it’s important that everyone update as soon as possible.

We have already been busy updating dozens of WordPress sites we support, mostly without incident. We recommend you back up your site before upgrading, but upgrade soon.

We would like to wish all our readers, supporters and colleagues a merry Christmas break and a Happy New Year. Blog On!