Tag Archives: Rogue AV

loveme, kissme, catch me, try me.

Picture by dprotz used under Creative Commons

Yesterday evening the FBI issued a press release regarding the legal action against Aleksandr Andreevich Panin, a Russian national perhaps better known as “Gribodemon” and “Harderman”, the online aliases behind the notorious SpyEye banking Trojan, and Hamza Bendelladj, a Tunisian national who went by the online moniker of “Bx1”. Panin has entered a guilty plea to the charges of conspiracy to commit wire and bank fraud; the charges against Bendelladj are still pending. The FBI press release gives thanks to Trend Micro’s Forward Looking Threat Research team for their assistance in the investigation.

Bendelladj is alleged to have operated at least one command and control server for SpyEye, although as our TrendLabs blog and our investigation make clear, his involvement seems to be far deeper. He was arrested at Bangkok airport on the 5th January 2013 and Panin was arrested on July 1 last year when he flew through Atlanta.

The FTR team at Trend Micro began a particularly focused investigation into the person or people behind SpyEye almost 4 years ago. Over the intervening period, we mapped out the infrastructure used to support the malware, we identified weak points in that infrastructure and pursued a number of important leads pointing to the identities of individuals behind this pernicious banking Trojan. Once we felt that we had sufficient information we involved law enforcement who drove it to the successful conclusion you see today.

Our ongoing research turned up a wealth of data, much of which it would be imprudent to share while legal action is still ongoing; however, it might interest you to know that some of the most frequent passwords used by one of the accused include “loveme”, “kissme” and “Danny000”. I’ll let you draw your own conclusions regarding OpSec.

The arrests last year and yesterday’s guilty plea are another illustration that Trend Micro’s strategy of going after the people behind online crime, instead of simply the infrastructure they exploit, is the right one. You may more often see stories that a botnet has been “taken down”, resulting perhaps in a massive drop in the number of infected computers or in spam, but these types of activity, while laudable, are only temporary. Criminals will very soon come back, and often come back stronger, having learned from their previous failures; the network of compromised computers will be rebuilt and the crime spree will begin anew.

As with DNS Changer, as with the Reveton Ransomware, Trend Micro has proactively provided information and assistance to law enforcement that has led to arrests of individuals rather than the simple switching-off of criminal computers. It is through activities such as these that we hope to fulfil our mission of creating a world safe for exchanging digital information.

New bracelets for ransomware kingpin

Image courtesy of .v1ctor. on Flickr

I’m happy to say that, as a result of close cooperation between Trend Micro threat research and Spanish law enforcement a number of important arrests have been made in connection with the Reveton ransomware. The Spanish police announcement can be found here [Spanish].

Over the past several months Trend Micro researchers have been providing evidence and intelligence related to the Reveton ransomware, or “police trojan”. Law enforcement in Spain first became interested in this malware as a result of complaints they were receiving from victims of the scam. Trend Micro and Spanish law enforcement agencies have collaborated extremely closely, sharing intelligence, samples and related technical detail. As a direct result of activities carried out by Trend Micro threat research, they were able to map the criminal network infrastructure, including traffic redirection and command and control servers. Some of the intelligence gathered by law enforcement enabled them to reach a high degree of certainty about the identity of one of the individuals at the very top of this criminal gang.

Conficker, Duqu, Stuxnet, Aliens, Confuxnet!

I have just read a Reuters news story where respected “cyber warfare expert” John Bumgarner is reported to claim that Conficker was devised and released to act as a global smokescreen for the surgical attack using Stuxnet on nuclear facilities in Iran.
Bumgarner claims that initial reconnaissance work was carried out using Duqu in 2007 to identify targets relevant to a later attack by Stuxnet. In November 2008 Conficker was released globally to infect as many machines as possible. When a Conficker infection phoned home, if the victim machine was found to be in an apposite location (Iran) it was flagged as a later target for Stuxnet. He further states that Conficker did no damage to machines outside Iran and that on the infamous April 1st “activation date” (of the third variant, from March 2009) it was used to pull down Stuxnet to those machines located in interesting locations in Iran.
Here is the evidence, all of it unsubstantiated as far as I can ascertain, that Bumgarner presents to support his claim:
1 – Both Stuxnet and Conficker show evidence of “unprecedented sophistication”, leading him to believe that they are related.
2 – Both Stuxnet and Conficker use the same vulnerability to infect machines (MS08-067).
3 – Unspecified “key dates” in timestamps of unspecified “different versions” of Conficker and Stuxnet overlap and also “helped him to identify April 1 2009 as the launch date for the attack“.
4 – April 1st 2009 was the 30th anniversary of the declaration of an Islamic Republic in Iran. Other unspecified dates also corresponded with days when “Iranian President Mahmoud Ahmadinejad said his nation would pursue its nuclear program despite international objections, and another with the day that he made a highly controversial appearance at Columbia University in New York“.
As regards the end-game, the eventual infection of machines physically located in the right place inside nuclear facilities, Bumgarner concedes that at this point the malware wasn’t yet “in the target“. So to make that final crucial leap, Stuxnet was designed to infect USB drives, in the hope that someone would later take the same USB drive from a Conficker/Stuxnet-infected machine and plug it into a machine located in an air-gapped network in a nuclear facility. At that point, Bumgarner states, “it was checkmate“.
Phew, what a ride! You’ll forgive me I hope if I say that this account stretches my credulity to breaking point. Let me list a few reasons why.
1 – If targets outside of Iran were surplus to requirements, why did the first iteration of Conficker only exclude computers based in Ukraine? Why was that restriction later removed? Why not only infect machines in Iran in the first place? It is also not true to say that machines infected with Conficker were all unharmed; Conficker was used to deliver Fake AV and had a functional relationship with the Waledac botnet C&C.
2 – The levels of sophistication in Conficker and Stuxnet are in different leagues. The original version of Conficker used a single, already patched Windows vulnerability to spread; the second variant added the capability to spread via removable drives and by brute forcing passwords against a list of common password variants, neither method being sophisticated. There was a level of sophistication in the scale of pseudo-random domains that were generated by the malware as potential C&C locations, but nothing that wasn’t quickly reverse engineered and understood. In the third variant of Conficker the propagation methods were actually removed, only to reappear again in the fourth significant variant. Stuxnet was a far more sophisticated animal, taking advantage of zero-day vulnerabilities and requiring specialist knowledge of SCADA systems and nuclear facilities.
3 – I would theorise that the creators of Stuxnet chose to also use the MS08-067 vulnerability because its effectiveness is demonstrated by the fact that Conficker is still one of the most prevalent infections in enterprise networks, three years after its initial appearance. Why would you make two pieces of malware that propagate using the same vulnerability and yet rely on one to download the other?
4 – The “activation date” of April 1 was coded into the third variant of Conficker. You don’t need unspecified time-stamps on unspecified files to tell you that.
5 – April 1st is also April Fool’s Day in many countries around the world; it’s also the anniversary of the founding of Apple Inc., the founding of the Serious Organised Crime Agency (SOCA) in the UK, the birth of the Republic of Ireland and the land blockade of West Berlin by the East German military. Get my point? As regards President Mahmoud Ahmadinejad saying that his country would continue to pursue its nuclear program, well surely, pick a day, pick any day…
Then of course there’s the difficult conclusion, relying on persons unknown to plug a USB device into a Confuxnet-infected machine, then unknowingly taking that same USB drive and plugging it into a PLC in a nuclear facility. Given the “unprecedented sophistication” of everything that has gone before, isn’t this one just a tiny bit of a shot in the dark? A little bit “hit and hope”?
Sorry Mr. Bumgarner, it could be true, of course it could, and it could be that you have been misreported, but on the evidence you present so far, I just don’t buy it.
If I were a government with this kind of resource at my disposal, wouldn’t it make sense for one of my operatives in the target facility to simply take the USB containing Stuxnet right there for me?
I know, there weren’t any aliens.