Saturday, October 03, 2015

Hillary's Email Server and the New York City malware

Wednesday night (September 30th) I had a strange Tweet in my notifications from a journalist at ForeignPolicy:
Elias explained that he wanted some quotes in response to a "hyperbolic AP story" by Bradley Klapper, Jack Gillum and Stephen Braun that had been posted on the AP wire. (The same story has been posted in the Washington Post, US News & World Report and other top news sources.)
The story begins with the opening paragraph:

Russia-linked hackers tried at least five times in August 2011 to trick Hillary Rodham Clinton into infecting her computer systems while she was secretary of state, according to newly released emails from the State Department.
The New York Times version of the story is far more sensational (and far more incorrect) in their telling of the story. Given the victim of all this attention, you would have thought these stories were from Fox News! Here's NYT making up scary security-sounding stuff:

Still, the evidence that Mrs. Clinton's personal account had been on the receiving end of a "spear phishing" attempt, revealed in a batch of her emails released by the State Department on Wednesday, raises the same question the F.B.I. is trying to answer as it combs through the forensic evidence from the server that was once in Mrs. Clinton's basement.
In fact, a disclaimer on the bottom of the NYT news story now reads:
A headline on Friday with an article about Hillary Rodham Clinton's email server overstated what is known about an investigation into the server's security. As the article correctly noted, Mrs. Clinton received spam email that was intended to place malware on her computer network; the investigation has not yet determined that the malware effort was successful.

What Elias did that apparently the AP reporters and the NYT reporters did NOT do was a simple Google search. If they had, they would have seen the story on this blog, dated August 17, 2011, with the headline New York City "Uniform Traffic Ticket" tops spammed malware. The image that accompanied that story, shown below, reveals why the email was turned over to the government:

As Politico suggests in their story Most Clinton spam messages likely deleted, the workers tasked with finding "work-related" emails to turn over probably started with a few simple rules like "turn over all the emails that are from .gov addresses" -- which would include this spam, which claimed to be from

The point of that CyberCrime & Doing Time blog post was to share that this was one of the highest volume spam campaigns we had seen that summer!  Just in the UAB Spam Data Mine, we had received 11,000 copies of this email!  Spear-Phishing, which the New York Times wrongly suggests happened here, is when an email message is personalized to target a particular high-wealth or high value target.  If Hillary Clinton was targeted, so were about 11,000 mostly entirely fictitious people whose spam goes into the UAB Spam Data Mine, as well as a few hundred people who chose to share their emails with us!

What is ChepVil?

It isn't a mystery at all.  In fact, we documented it in the blog post as well.  The malware was part of a "pay-per-install" malware ring that was very popular at that time.  When my lab at UAB reported the sample to VirusTotal, it was detected by 18 of 43 anti-virus programs, with both Microsoft and Sophos calling it "Chepvil" (Microsoft called it "TrojanDownloader: Win32/Chepvil.N" while Sophos called it "Mal/ChepVil-A"; we were using the name "FraudLoad" for this malware at that time).  You can see that August 17, 2011 VirusTotal report as it looked the day we reported it.  (And you can see in the comment there, also from that day, that we explained the source of the malware and gave a link back to our blog post.)

ChepVil is a type of malware that was heavily based on the BredoLab malware, although by August 2011 BredoLab's original author was already in jail.  Armenian programmer Georgy Avanesov was arrested in October 2010 when the Dutch High Tech Crime Team seized 143 servers located at LeaseWeb in the Netherlands that he used to control his worldwide spamming operations.  At the time of his arrest, BredoLab was infecting 3 million computers per month and being used to send approximately 3.6 billion spam messages per day.  Despite this massive seizure, because his source code was already known to other malware criminals, the attacks quickly resumed following his arrest.

The August 17, 2011 version of this malware made a connection back to the Russian domain name (associated with BredoLab, according to Sophos; see for example this Sophos report from August 4, 2011).

We reported malware communicating with that server to the Microsoft Malware Protection Center on August 11, 2011, pointing out that it was hosted on the IP address, one of several IP addresses on that same netblock that took turns hosting it during August 2011, all hosted in Mykolayiv, Ukraine.   The first time we saw this family of malware communicating with that server was in a big campaign imitating the FBI on May 5, 2011.  The same malware family pretended to be the United Parcel Service on June 9, 2011, sending my lab at UAB more than 54,000 copies of the malware.  We produced a map of the computers that sent us both the May 5 FBI spam and the June 9 UPS spam and shared it with law enforcement at that time:

The point is: it wasn't "targeted", it wasn't "spear-phishing", and it isn't a "mystery" how it came to be sent to Mrs. Clinton.   This wasn't a clever Russian mastermind sitting in his evil lair dreaming of taking over the State Department.  One of the millions of spam bots that were part of this network (or actually probably FIVE of them) asked the Command & Control server "Who shall I spam next?" and happened to draw Mrs. Clinton's email address.

But What COULD the Malware Do? 

In August of 2011, the primary thing that Chepvil did was deliver "Fake Anti-Virus" software.  That's it.  The malware would connect to the server and ask "What additional malware would you like to infect me with?"  The server would then see who was currently paying the highest commission to have their malware installed, and whether the daily quota for installing that additional malware had already been fulfilled, and install whatever it was told to install.

In August of 2011, the only thing we saw Chepvil install was Fake Anti-Virus and a near cousin, "Fake System Alert".  So, *IF* Mrs. Clinton had actually been infected by this malware, it would have caused a pop-up animation to play, claiming she was infected with dozens of nasty viruses and that she needed to pay the criminals $59 to get rid of them.  None of that is true -- the malware is actually just "ScareWare", intended to irritate you with pop-up warnings about being infected until you finally give up and pay the "license fee" or have the malware professionally removed from your PC.

The Daily Malware Report

Olivia Foust Vining (now at PhishLabs, Hi Olivia!) was the student malware analyst in my lab who brought this malware to my attention that day in her "Daily Malware Report" (a research project sponsored by UPS!).  By the end of her shift, we had actually seen 45,377 copies of the malware!  Her report gave 15-minute breakdowns of how many copies we received during the morning hours.

count |        mbox         
   326 | 2011-08-17 03:30:00
   264 | 2011-08-17 03:45:00
  1880 | 2011-08-17 04:00:00
   756 | 2011-08-17 04:15:00
  1930 | 2011-08-17 04:30:00
  2608 | 2011-08-17 04:45:00
  5982 | 2011-08-17 05:00:00
  4364 | 2011-08-17 05:15:00
  3544 | 2011-08-17 05:30:00
  2418 | 2011-08-17 05:45:00
  2262 | 2011-08-17 06:00:00
   999 | 2011-08-17 06:15:00
   870 | 2011-08-17 06:30:00
   972 | 2011-08-17 06:45:00
   643 | 2011-08-17 07:00:00
   277 | 2011-08-17 07:15:00
   354 | 2011-08-17 07:30:00
   200 | 2011-08-17 07:45:00
  4571 | 2011-08-17 08:00:00
  3974 | 2011-08-17 08:15:00
  3109 | 2011-08-17 08:30:00
  2047 | 2011-08-17 08:45:00
  1617 | 2011-08-17 09:00:00
(23 rows)

For comparison, here is the count of the other high malware volumes for that day:

count |             md5_hex              
 45377 | 1c2b06a9fbbea641ae09529e52f29b96 <= the "Uniform traffic ticket" malware
  3484 | e7b48c4421a68740dfd321dade6fd5e6 <= "End of July Statement" malware
  2627 | c1f67a7542359397544bd0af0b546166 <= "Your credit card has been blocked" malware
  1021 | d22eadfda41fcbeb692c600c97d10ff5 <= "Money Transfer Information" malware
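As an added example (not from the blog or from the UAB lab's own tooling), here is a small Python parser for the psql-style 15-minute table above that rolls the buckets up by hour and flags burst windows, which makes the two waves of the run visible; the median-multiple threshold is my assumption.

```python
import re
from statistics import median

# The 15-minute rows from the report above as psql prints them (header and footer kept).
REPORT = """\
 count |        mbox
   326 | 2011-08-17 03:30:00
   264 | 2011-08-17 03:45:00
  1880 | 2011-08-17 04:00:00
   756 | 2011-08-17 04:15:00
  1930 | 2011-08-17 04:30:00
  2608 | 2011-08-17 04:45:00
  5982 | 2011-08-17 05:00:00
  4364 | 2011-08-17 05:15:00
  3544 | 2011-08-17 05:30:00
  2418 | 2011-08-17 05:45:00
  2262 | 2011-08-17 06:00:00
   999 | 2011-08-17 06:15:00
   870 | 2011-08-17 06:30:00
   972 | 2011-08-17 06:45:00
   643 | 2011-08-17 07:00:00
   277 | 2011-08-17 07:15:00
   354 | 2011-08-17 07:30:00
   200 | 2011-08-17 07:45:00
  4571 | 2011-08-17 08:00:00
  3974 | 2011-08-17 08:15:00
  3109 | 2011-08-17 08:30:00
  2047 | 2011-08-17 08:45:00
  1617 | 2011-08-17 09:00:00
(23 rows)
"""

ROW_RE = re.compile(r"^\s*(\d+)\s*\|\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*$")

def parse_buckets(text):
    """Return [(bucket, count)] in report order; the header line and the
    '(N rows)' footer do not match ROW_RE and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m.group(2), int(m.group(1))))
    return rows

def hourly_rollup(rows):
    """Collapse 15-minute buckets into per-hour totals (key 'YYYY-MM-DD HH')."""
    hours = {}
    for ts, n in rows:
        hours[ts[:13]] = hours.get(ts[:13], 0) + n
    return hours

def burst_windows(rows, factor=2.0):
    """Buckets at or above `factor` times the median bucket (assumed threshold):
    the shape a bot-driven spam run leaves in a mail feed, here two waves."""
    med = median(n for _, n in rows)
    return [(ts, n) for ts, n in rows if n >= factor * med]

def summarize(text):
    rows = parse_buckets(text)
    return {"buckets": len(rows), "total": sum(n for _, n in rows),
            "peak": max(rows, key=lambda r: r[1]),
            "hourly": hourly_rollup(rows), "bursts": burst_windows(rows)}

if __name__ == "__main__":
    print(summarize(REPORT))
```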

But how did Spammers learn Mrs. Clinton's email address?

There are four primary ways that spammers gather email addresses.

The first is specialized software programs that scour the web looking for email addresses on websites.  One of the richest sources of these is actually "archives" of large email lists.  When email lists provide web access to their history, many do so publicly, allowing these scraping tools to learn the email addresses of every person mentioned on the mailing list.  Spammers also JOIN tons of mailing lists to be able to gather the email addresses posted there.

Data dumps are another rich source of email addresses.  Do you recall, for example, the Adobe breach in 2013 when 38 million people who had ever used an email address to register for the free download of Adobe reader or any other Adobe product had their email addresses publicly revealed?  Such events are great days for the spammer community!

Next, we have malware on other people's computers. Many malware programs have as one "module" code that will scan a computer for email addresses.  If even ONE of Hillary's regular correspondents became infected with malware, her email address would have been discovered that way.

Lastly, we have SMTP harvesters.  These programs scan for mail servers, enumerate the domains served by each server, and then begin asking "do you deliver email for amos@? ann@? ... zach@?" The more aggressive of these harvesters will ask for every single letter and number combination, until they have a complete list of the "known" email addresses for the given domain.
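The SMTP harvester pattern described above is visible from the receiving side: one client address asking for many different unknown recipients. This added example (not from the blog) scans constructed Postfix-style reject lines for that signature; the log format, the addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Matches the Postfix-style "unknown recipient" reject line used in the
# constructed sample below (format assumed, not taken from a real server).
REJECT_RE = re.compile(
    r"reject: RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>:"
    r" Recipient address rejected: User unknown"
)

def parse_rejects(lines):
    """Yield (client_ip, recipient) for each unknown-recipient reject."""
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            yield m.group("ip"), m.group("rcpt").lower()

def find_harvesters(lines, min_rejects=10, min_distinct_ratio=0.8):
    """Flag client IPs whose unknown-user rejects look like a directory
    harvest: many rejects AND almost every rejected recipient differs.
    A legitimate sender mistyping one address repeats the same recipient;
    a harvester walks amos@, ann@, ... and rarely repeats one."""
    rejects = defaultdict(list)
    for ip, rcpt in parse_rejects(lines):
        rejects[ip].append(rcpt)
    flagged = {}
    for ip, rcpts in rejects.items():
        distinct = len(set(rcpts))
        if len(rcpts) >= min_rejects and distinct / len(rcpts) >= min_distinct_ratio:
            flagged[ip] = {"rejects": len(rcpts), "distinct": distinct,
                           "sample": sorted(set(rcpts))[:3]}
    return flagged

def _reject_line(ip, rcpt, sec):
    # Constructed Postfix-style log line, not captured from a real server.
    return (f"Aug 17 04:00:{sec:02d} mx postfix/smtpd[2211]: NOQUEUE: reject: "
            f"RCPT from unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address "
            f"rejected: User unknown in local recipient table; to=<{rcpt}>")

# Constructed sample: one client walking a name list, one client that
# mistypes a single address three times, plus an unrelated connect line.
HARVESTER_NAMES = ["amos", "ann", "bob", "carl", "dave", "ed", "fred",
                   "gail", "hank", "ivy", "jay", "zach"]
SAMPLE_LOG = [_reject_line("203.0.113.5", f"{n}@example.org", i)
              for i, n in enumerate(HARVESTER_NAMES)]
SAMPLE_LOG += [_reject_line("198.51.100.7", "jonh@example.org", 30 + i)
               for i in range(3)]
SAMPLE_LOG.append("Aug 17 04:00:40 mx postfix/smtpd[2211]: connect from unknown[198.51.100.7]")

if __name__ == "__main__":
    for ip, info in find_harvesters(SAMPLE_LOG).items():
        print(ip, info)
```

On a real mailbox host the same logic runs over the MTA's reject log, and the flagged addresses feed a rate limit or block list rather than a print.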

So... it isn't surprising at all that even "secret" email addresses receive spam.

Thanks, Foreign Policy, for getting it right! 

I was pleasantly surprised by how well Elias Groll handled the details on this story.  He quickly identified the scare-mongering going on over at the AP, and reached out for the facts.  Obviously what I shared above is far too much technical detail for the readers of FP, but I do want to commend the level-headed reporting in their story:

Clinton's Private Emails Show Aides Worried About the Security of Her Correspondence

Wednesday, August 26, 2015

Hackers vs. Drones: ISIS Cyber Caliphate Leader Junaid Hussain

In what may be a first move in the new escalation of cyber warfare with kinetic results, Junaid Hussain, the 20-something hacker who fled to ISIS after being charged with hacking Tony Blair's email accounts, has been killed by a drone strike.

CNN is running with the exclusive at this time claiming "The U.S. military and intelligence community is in the final stages of confirming that a U.S. drone strike this week killed Junaid Hussain."


CNN quotes "several U.S. officials" that "the drone strike was specifically targeting Hussain traveling in a vehicle in Syria after the U.S. got intelligence on where he was and watched him to confirm his presence before striking."

Those who follow the defacement community will be well familiar with Hussain's previous shenanigans online as the leader of Team Poison.  He gradually drifted from target-of-opportunity defacing to more difficult "called target" defacing, and was eventually jailed at age 18 by the British government after publishing the details of Tony Blair's email accounts, as broadly documented in July 2012.

Click for Telegraph story

Hussain, who hacked under the name "Trick" during his Team Poison days in England, was sentenced to six months imprisonment for "conspiring to commit public nuisance," "causing a computer to perform a function to gain unauthorized access to data or programs" and "defacing numerous websites" between January 1, 2010 and April 14, 2012.  After his release he was arrested again for his cyber activities and fled the country while out on bail.

2012 - TeaMp0ison hacks NATO
Hacking governments and militaries was something TeamPoison (TeaMp0isoN) had been doing for years prior to Trick's run-in with the UK authorities.  Above is a typical rant from Trick decrying NATO, BAE Systems, BP Oil, and Rupert Murdoch.

On August 3, 2015, the Mirror ran the headline "ISIS: British computer hacker who fled to Syria is third on US hit list of key Islamist militants".  At that time, he was using his new jihadi-friendly hacking name of "Abu Hussain al-Britani".  According to the Mirror article, only Jihadi John (Mohammed Emwazi) and ISIS Leader Abu Bakr al-Baghdadi were more wanted on the US "kill list."

Among his crimes, Hussain was identified as the man suspected in hacking the Twitter and Facebook accounts of US Central Command.  Their most recent Twitter accounts @UmmHussain_18 and @AbuHussain_23 were created after their August 13th leak of US government personnel contact information caused #17 and #22 to be deleted by Twitter.

His 45-year-old rock-musician wife Sally Jones, now "Umm Hussain Al-Britani" and their 10-year-old son also lived with him in Syria.  As of 14AUG2015, there was concern that she may have been seen back in England:

Click for "Mrs. Terror Back in Britain?"

Tuesday, August 25, 2015

The Case of Spamford Wallace: Guilty at Last!

My anti-spam community friends were all abuzz today with the news that Spamford Wallace had pleaded guilty in a Las Vegas court to "compromising approximately 500,000 Facebook accounts" in order to deliver "more than 27 million spam messages."

What might amaze the General Reader is that this is the SAME Spamford Wallace case that began with an indictment on July 6, 2011.

The Spamford Wallace Indictment

July 6, 2011 Original Charges

According to the Indictment, Wallace created an account on November 4, 2008 under the name "David Frederix" and then tested posting spam messages to his 'real' wall "Sanford MasterWeb Wallace" experimenting with which posts would best evade Facebook's filters.

He then made a script that would automate the process of logging in to a Facebook account, obtaining a list of all of the Friends of that account, and then posting his advertising message to each of those friends' walls.  Spamford then created a domain registrar account at Moniker Online and another at Dynadot (using the name Laura Frederix) and between the two created 2,500 domain names that would be used in these spamming attacks against Facebook users.

On November 5 and 6, 2008, Sanford sent approximately 125,000 spam messages to Facebook users using this method.  On December 28, 2008, another run was made, posting nearly 300,000 spam messages, by logging in through 143 different IP addresses that were used as proxies to disguise his origins.  On February 17, 2009, another 125,000 messages were posted.

At this point, a civil injunction was served on Sanford Wallace in the case of Facebook Inc v. Sanford Wallace (Northern District of California No 09-00798 JF) where Judge Jeremy Fogel ordered Sanford Wallace to no longer access Facebook's computer network.  (Orders issued on March 2, 2009 and March 24, 2009).  Sanford logged in on April 17, 2009, in violation of this order, while flying on a Virgin Airlines flight from Las Vegas to New York.

In 2011, Sanford was back on Facebook, using a profile called "David Sinful-Saturdays Fredericks".

Counts 1, 3 and 7 - Fraud and Related Activity in Connection with Electronic Mail, carry a possibility of 3 years imprisonment.

Counts 2, 6 and 9 - Intentional Damage to a Protected Computer, carry a maximum sentence of 10 years imprisonment.

Counts 4, 5 and 8 - Fraud and Related Activity in Connection with Electronic Mail, carry a possible 3 years imprisonment and a possible $250,000 fine.

Counts 10 and 11 - Criminal Contempt, have unspecified potential penalties.

What's Happened Since?

Lots and lots of lawyering... behold the process of a Fair and Speedy Trial!!!!
  • 04AUG2011 - the indictment was unsealed
  • 04AUG2011 - notice of related cases was received.  These included:
  1. the case of Facebook v. Sanford Wallace, Adam Arzoomanian, Scott Shaw, and John Does 1 through 25, for Violation of the CAN-SPAM ACT, violation of the Computer Fraud and Abuse Act, Violation of the California Business Code Section 229489 AKA the California Anti-Phishing Act, and Violation of California Penal Code section 502, the California Comprehensive Data Access and Fraud Act.  That case describes:  "At least one of the Defendants, Sanford (aka "Spamford") Wallace, is a notorious Internet scam artist who has been involved in various illegal spamming and malware activities since the mid 90s.  Indeed, Mr. Wallace has both Federal Trade Commission and civil judgements against him for these activities that total in excess of $235 million."  Myspace, Inc. v. Wallace; FTC v. Seismic Entertainment Prod., Inc; CompuServe v. CyberPromotions, Inc (Ohio, 1997)
  2. This case resulted in a Default Judgement in favor of Facebook signed by Judge Jeremy Fogel on 29OCT2009. 
  • 22AUG2011 - bail hearing
  • 28SEP2011 - case reassigned to a new Judge (Judge D. Lowell Jensen)
  • 30SEP2011 - Order to Waive Appearance proposed (and granted)
  • 03OCT2011 - Status hearing held
  • 04OCT2011 - case reassigned to Judge Edward J. Davila
  • 31OCT2011 - Pretrial services form 8 submitted.
  • 28NOV2011 - Status hearing held
  • 09JAN2012 - "Fair and Speedy Trial Act" exemption requested due to AUSA Attorney being engaged in another trial, and for additional time for the defendant's need for effective preparation of counsel. "The ends of justice served by granting the requested continuance outweigh the best interest of the public and the defendant in a speedy trial." - extension granted until 09APR2012.
  • 02APR2012 - extended to 07MAY2012 by mutual consent.
  • and again to 06AUG2012, and again to 01OCT2012, and again to 19NOV2012
  • Status hearings held 14JAN2013, 11MAR2013
  • 11MAR2013 - hearing grants a modification to pretrial release conditions to allow Spamford to travel to Albuquerque, New Mexico for work.
  • More delays 31MAY2013, 08AUG2013, 20SEP2013, in each case ordering that time be "excluded" from consideration in the Fair and Speedy Trial Act to allow for effective preparation for the case.
  • 02NOV2013 - Sanford's attorney (K.C. Maxwell) files a sealed document asking to be relieved from the case 09DEC2013.
  • Extension granted to 03FEB2014
  • 17MAR2014 set as the date to hear the Motion to Withdraw as Counsel.
  • Continued to 31MAR2014, when Wallace assigns his new counsel, William W. Burns, Esquire.
  • 25JUN2014 new counsel asks for more time to prepare
  • 18JUL2014 William Burns petitions the court to withdraw as counsel
  • 21JUL2014 Burns Relieved
  • 21JUL2014 a Financial affidavit is delivered to the court pertaining to Spamford Wallace
  • 01AUG2014 - "The individual named above as defendant, having testified under oath or having otherwise satisfied this court that he or she (1) is financially unable to employ counsel and (2) does not wish to waive counsel, and because the interests of justice so require, the Court finds that the defendant is indigent, therefore, IT IS ORDERED that the attorney whose name, address and telephone number are listed below is appointed to represent the above defendant." (Wm. Michael Whelan, Jr. / 95 South Market St, Ste 300 / San Jose, CA 95113 / (650) 319-5554 cell)
  • 19AUG2014 - time extended to allow Whelan to prepare
  • 22SEP2014 Status conference held, Jury Trial date set for 05MAY2015 through 22MAY2015.
  • 29SEP2014 Whelan petitions the court that drug testing no longer be required since Sanford has never tested positive. (Granted 15OCT2014)
  • 02MAR2015, status hearing extends case until an 08JUN2015 status hearing
  • 12JUN2015 - new financial affidavit entered under seal
  • 30JUN2015 - a change of plea hearing is requested for 27JUL2015
  • 24AUG2015 - Sanford Wallace pleaded guilty to a single count - Count 3.  Sentencing scheduled for 07DEC2015 at 1:30 PM

Guilty of Count Three

So, if we go back to the indictment, what does it mean that Sanford has pleaded guilty to this count?

COUNT THREE: (18 U.S.C. §§ 1037(a)(1) and (b)(2)(A)) - Fraud and Related Activity in Connection with Electronic Mail.

22. The factual allegations contained in Paragraphs One through Eleven above are realleged and incorporated herein as if set forth in full.

23.  On or about December 28, 2008, in the Northern District of California and elsewhere, the defendant, SANFORD WALLACE, knowingly accessed a protected computer without authorization, and intentionally initiated the transmission of multiple commercial electronic mail messages from or through such computer, in and affecting interstate and foreign commerce, to wit: the defendant accessed Facebook's computer network in order to initiate the transmission of a program that resulted in nearly 300,000 spam messages being sent to Facebook users.

What were 1 through 11?  The only really important paragraph is number 5:

5. From approximately November 2008 through March 2009, WALLACE developed and executed a scheme to send spam messages to Facebook users that compromised approximately 500,000 legitimate Facebook accounts, and resulted in over 27 million spam messages being sent through Facebook's servers.