Posts Tagged ‘botnet’
Feds shut down massive Coreflood cyber theft ring
Inside DHS Classified Cyber Coordination Headquarters
U.S. authorities claimed one of their biggest victories against cyber crime as they shut down a ring they said used malicious software to take control of more than 2 million PCs around the world, and may have led to theft of more than $100 million.
A computer virus, dubbed Coreflood, infected more than 2 million PCs, enslaving them into a “botnet” that grabbed banking credentials and other sensitive data its masters used to steal funds via fraudulent banking and wire transactions, the U.S. Department of Justice…
The government shuttered that botnet, which had operated for a decade, by seizing hard drives used to run it after a federal court in Connecticut gave the go-ahead.
“This was big money stolen on a large scale by foreign criminals. The FBI wanted to stop it and they did an incredibly good job at it,” said Alan Paller, director of research at the SANS Institute, a nonprofit group that helps fight cyber crime.
The vast majority of the infected machines were in the United States, but the criminal gang was likely overseas…
A civil complaint against 13 unnamed foreign nationals was also filed by the U.S. district attorney in Connecticut. It accused them of wire and bank fraud. The Justice Department said it had an ongoing criminal investigation.
The malicious Coreflood software was used to infect computers with keylogging software that stole user names, passwords, financial data and other information, the Justice Department said…
U.S. government programmers shut down the Coreflood botnet on Tuesday. They also instructed the computers enslaved in the botnet to stop sending stolen data and to shut down. A similar tactic was used in a Dutch case, but it was the first time U.S. authorities had used this method to shut down a botnet, according to court documents.
Looks like Uncle Sugar is finally getting good at this. Can’t complain in the least. Shutting down black hat hackers like this is long overdue.
The hunt for Rustock spammers continues after botnet takedown
The Rustock botnet, which sent up to 30 billion spam messages per day, might have been run by two or three people. Early analysis, following raids to knock out the spam network, suggests that it was the work of a small team.
Rustock was made up of about one million hijacked PCs and employed a series of tricks to hide itself from scrutiny for years.
Since the raids on the network’s hardware, global spam levels have dropped and remain relatively low.
“It does not look like there were more than a couple of people running it to me,” said Alex Lanstein, a senior engineer at security firm FireEye, which helped with the investigation into Rustock…

He said that the character of the code inside the Rustock malware and the way the giant network was run suggested that it was operated by a small team…
Rustock evaded capture for years because of the clever way it was controlled, he said. Victims were snared when they visited websites seeded with booby-trapped adverts and links.
Once PCs were compromised, updates were regularly pushed out to them using custom written encryption. Those downloads contained the spam engine that despatched billions of ads for fake pharmaceuticals…
“When you are a programmer and you realise that you have the full force of the Microsoft legal department pointed directly at you, then you might say to yourself it’s time to try something else,” he said.
Any bets on whatever they do for grins, giggles and geedus, next – is legal? Once you get hooked on higher returns from crime it’s difficult to accept less.
Microsoft helps the Feds take down Rustock spambot network

Rustock, purveyor of more e-mail spam than any other network in the world, was felled last week by Microsoft and federal law enforcement agents.
A lawsuit by Microsoft that was unsealed at the company’s request late today triggered several coordinated raids last Wednesday that took down Rustock, a botnet that infected millions of computers with malicious code in order to turn them into a massive spam-sending network.
“This botnet is estimated to have approximately a million infected computers operating under its control and has been known to be capable of sending billions of spam mails every day,” Richard Boscovich, senior attorney in the Microsoft Digital Crimes Unit, wrote in a blog post today.
The Wall Street Journal first reported that it was Microsoft’s digital crimes unit, working in concert with U.S. marshals, that raided seven hosting facilities across the country and seized the command-and-control machines that ran the network. Those are the servers that send instructions to the fleet of infected computers to dish out spam messages hawking such items as phony lottery scams and fake and potentially dangerous prescription drugs. The takedown was known internally as Operation b107.
Shutting down Rustock could put a huge dent in spam worldwide. Tech security giant Symantec estimated last year that Rustock was responsible for 39 percent of the world’s spam. Global spam levels dropped 12 percent after Dutch authorities took down a Trojan horse named Bredolab last November.
Rock on, Microsoft. Cleaning up the ethically-diseased flavor of hacker is always worthwhile.
No doubt there will be a new rationale for script kiddies – or the occasional “honest” crook – who will rejoin the scumsuckers of spam. Their relationship to ordinary folks who simply wish to avail themselves of modern communications will continue to be parasitic.
Botnet hacker caught in Slovenia

An FBI official said a two-year-long multinational investigation led them to nab a 23-year-old Slovenian, who allegedly created a malicious software code that infected 12 million computers worldwide.
Stephen Gaudin, a legal attache of the FBI to the U.S. embassy in Vienna, Austria, told reporters that the cooperation between the FBI, Slovenian and Spanish forces was “unparalleled.”
Slovenian police detained and questioned the man, identified only by his code name Iserdo, ten days ago, in the northwestern industrial city of Maribor. He was released after questioning, but police say they have made sure he cannot tamper with evidence or flee the country. They have not given details of how they have ensured that.
The investigation is ongoing and Iserdo was not formally indicted yet.
He is suspected of selling the malware to the operators of the Spanish Mariposa botnet — a network of infected computers — which stole credit cards and online banking credentials.
The Mariposa botnet, which has been dismantled, was easily one of the world’s biggest, infecting hundreds of companies and at least 40 major banks in 190 countries since appearing in Dec. 2008.
Toni Kastelic, the head of Slovenian police cyber crime department, said police also questioned another, 24-year-old person, and confiscated 75 computers in seven house searches…
He didn’t identify the chief suspect, Iserdo — which, read backwards, means “salvation” in Slovenian.
The dude is going to need more than salvation. Even with a plea deal exposing the other sleazeballs in his brigade of script-kiddies, I imagine – I hope – they throw away the key.
Spanish coppers bust Mariposa botnet ring

Spanish police have arrested three men accused of masterminding one of the biggest computer crimes to date — infecting more than 13 million PCs with a virus that stole credit card numbers and other data.
The men were suspected of running the Mariposa botnet, named after the Spanish word for butterfly, said Spain’s Civil Guard.
Mariposa had infected machines in 190 countries in homes, government agencies, schools, more than half of the world’s 1,000 largest companies and at least 40 big financial institutions, according to two Internet security firms that helped Spanish officials crack the ring…
Mariposa initially spread by exploiting a vulnerability in Microsoft Corp’s Internet Explorer Web browser. It also contaminated machines by infecting USB memory sticks and by sending out tainted links using Microsoft’s MSN instant messaging software, he said.
A Microsoft spokeswoman said the company did not immediately have any comment…
Panda Security Senior Research Advisor Pedro Bustamante said that one of the three was caught with 800,000 personal credentials when Spanish police arrested him.
“Mariposa’s the biggest ever to be shut down, but this is only the tip of the iceberg. These things come up constantly,” said Mark Rasch, former head of the U.S. Department of Justice computer crimes unit.
Maybe just the tip of the iceberg; but, it feels like there has been a measurable increase in arrests, lately.
Overdue. Welcome.
Microsoft ambushes Waledac botnet – legally!

Waledac holiday template
Microsoft is intent on eliminating the Waledac botnet and is using the legal system to help.
Tim Cranton, Microsoft’s associate general counsel, wrote on the company’s blog that Microsoft has been shutting down Waledac by working with technology partners and taking legal action.
In response to a complaint filed by Microsoft, a federal judge issued a temporary restraining order to shut down 227 Internet domains believed to be run by cybercriminals spreading the Waledac spambot.
This week’s legal takedown of Waledac, known internally at Microsoft as “Operation b49,” came after months of investigation, wrote Cranton. Once the company had gathered its evidence, the challenge was how to find a legal means to allow Microsoft to block the suspected domains from their botnets and stop them from further infecting and controlling their victims.
To achieve this, Microsoft looked at a legal principle called “ex parte TRO.” Ex parte means without notifying the other side, and TRO stands for temporary restraining order…
“We drafted the complaint in such a way that explained to the court that the amount of damages to consumers across the world, and also other companies in addition to Microsoft itself, warranted the granting of this rather extraordinary order,” said Richard Boscovich…
The legal action has already cut off access to Waledac at the domain level, according to Cranton. This means the connection has been severed between the command and control centers of the botnet and most of the infected computers worldwide. Cranton said that Microsoft is working with security organizations to take down Waledac’s remaining peer-to-peer command and control connections.
All of the members of the worldwide dweebs association – those who never update against viruses, trojans, persist in wandering down the highway to spam hell – need to be reminded for the umpteenth time of their participation in crimes against the freedom of the Web.
FTC shuts down gangster ISP

The Federal Trade Commission has had a rogue Internet Service Provider that recruits, knowingly hosts, and actively participates in the distribution of spam, child pornography, and other harmful electronic junk shut down by a district court judge.
The FTC order shuts off Pricewert LLC, which does business under a variety of names including Triple Fiber Network (3FN) and APS Telecom, a company it said actively recruited and colluded with criminals seeking to distribute a whole host of nastiness including child pornography, spyware, viruses, trojan horses, phishing, botnet command and control servers, and pornography featuring violence, bestiality, and incest. The FTC said Pricewert advertised its services in the darkest corners of the Internet, including a forum established to facilitate communication between criminals.
The FTC also alleges that the defendant engaged in the deployment and operation of botnets. Botnets can be used for a variety of illicit purposes, including sending spam and launching denial of service attacks. According to the FTC, the defendant recruited bot herders and hosted the command-and-control servers – the computers that relay commands from the bot herders to the compromised computers known as “zombie drones…”
Pricewert, based in San Jose, California, shielded its criminal clientele by either ignoring take-down requests issued by the online security community or shifting its criminal elements to other Internet Protocol addresses it controlled to evade detection…
In an interview with The Washington Post’s Security Fix, FTC Chairman Jonathan Leibowitz said, “Anything bad on the Internet, they were involved in it. We’re very proud, because in one fell swoop we’ve gone after a big facilitator of some of the utterly worst conduct.”
Will they do anything about ISPs capping bandwidth, now? That’s not exactly gracious conduct.
Judge lets off teenage hacker despite admission of guilt

Uh, Owen is the one without a uniform…
A teenager from New Zealand who was accused of stealing millions of pounds has been let off without a conviction, despite pleading guilty to hacking into computers around the world.
18-year-old Owen Thor Walker, known online as “AKILL”, was ordered to pay just £5,500 in costs and damages after a high court hearing in Hamilton, New Zealand, and could even end up working with local police to help them understand online crime.
Walker was arrested in November last year after an investigation involving the New Zealand police, FBI, US Secret Service and Dutch police, and was initially accused of leading a computer hacking ring that had stolen more than £12m from victims around the world.
After a high court hearing, however, police said Walker was in fact employed by the group to write software which they then used to access people’s bank accounts. According to police, Walker did not directly take money from people’s bank accounts, but the software he wrote was used by other criminals…
Original reports of the bust did make it sound like a boy genius and master criminal. His youth impressed the journalists, no doubt.
Good to see his botnet down and some of his accomplices heading for the slammer.