Monday, October 29, 2007

First 2008 Presidential Spam Campaign?

Does Ron Paul suddenly have a strong support base among foreign computer owners with strange names and multiple personalities? or is it possible we have the First 2008 Presidential Spam Campaign?

I thought it odd when I logged in to my computer this morning and found an email in which someone declared Ron Paul to be the winner of the Republican Debate yesterday, but then, I have all sorts of odd friends. By the time I had received my fifteenth copy of the email, I knew this was something more than a deluded pseudo-Republican. I thought at first this was a virus, but now it seems to be a plain ole Spam Campaign.

The question, I suppose, is what should be done about it? Will we see fans of other campaigns hiring out spam campaigns devoted to extolling the views and records of their candidates? Will there be an evolving message body on the Ron Paul spam to keep pace with the upcoming events on the campaign trail? Its too early to tell, but we will continue to document the trend from the Spam Lab at UAB.

Here's the body of the email . . .





Hello Scott,

Ron Paul is for the people, unless you want your children to
have human implant RFID chips, a National ID card and create
a North American Union and see an economic collapse far worse
than the great depression. Vote for Ron Paul he speaks the
truth and the media and government is afraid of him. This is
the last honest politican left to bring this country out of
this rut from the War Profiteers and bush Administration has
created. Get motivated America, don't believe the lies of the
media he has also WON the GOP Debate On Sunday! Value Freedom
and Liberty instead of corporate lies and corruption. Bypass
this media blackout they are doing to Ron Paul, tell your family
and friends and get involved in a local group at meetup.com make
your voice heard! He will end the War In Iraq immediately,
He will eliminate the IRS and wasteful government spending, and
eliminate the Federal Reserve and restore power to the people
and the only person not a member on the CFR. Can any other runner
make these claims or give Americans the true freedom we were all
raised to believe? We are all economic slaves to the banks and the
illegal federal Reserve. This is why our currency is worth nothing
because of Hidden Inflation Tax and the IRS taking everything
you make!

** RON PAUL WILL STOP THE IRAQ WAR IMMEDIATELY! **

He has NEVER voted:
* to raise taxes
* for an unbalanced budget
* to raise congressional pay
* for a federal restriction on gun ownership
* to increase the power of the executive branch

He HAS voted:
* against the Iraq war
* against the inappropriately named USA PATRIOT act
* against regulating the internet
* against the Military Commissions Act

He will eliminate the IRS, Wasteful Government Spending &
Stop The Iraq War Immediately!

Most importantly, he voted NO on anything in Congress that
is not allowed by the Constitution. And he Despises any
politican that does not do their job for the people and lives
up to the constitution!

Google.com & Youtube.com Search: "Ron Paul"
Join The Revolution!

***************************************
We Need A Real President That Will Restore And Protect
Americans! Stop The War! Protect Our Borders!
*********VOTE RON PAUL 2008************
ubPOJg






The subject line seems to be selected from a small number of subject lines, and then appended with a random character cluster (perhaps to break spam filters?):

Subject lines:

Vote Ron Paul 2008! ZyhYKbw

Iraq Scam Exposed, Ron Paul TLshVzn

Ron Paul Exposes Federal Reserve bpIHP

Ron Paul Stops Iraq War! gPsLhM

Iraq Scam Exposed, Ron Paul wjtsLBp

Ron Paul Stops Iraq War! LcskHxT

Government Wasteful Spending Eliminated by Ron Paul vpntZRr

Vote Ron Paul 2008! pboLKjr

Who Is Ron Paul? ZTobxay

Ron Paul Exposes Federal Reserve JrZXihF

Ron Paul Stops Iraq War! LyNdrha

Ron Paul Eliminates The IRS! fiqfRZZ

Government Wasteful Spending Eliminated by Ron Paul BtkmlDF

Ron Paul Wins GOP Debate! HMzjoqO

Ron Paul Exposes Federal Reserve SBHBcSO

Government Wasteful Spending Eliminated By Ron Paul mEoHUiR

Government Wasteful Spending Eliminated By Ron Paul HRAyaaI


The spam seems to invent a random first and last name, and combine that with a true email address from the infected machine. Here are sample senders from my inbox:


curtice andrzej - sph@research-int.com - [77.181.200.157] (Germany)

byrann shan - phyllis@faxsav.com - [86.9.35.98] (the UK)

humbert jerrimy - alessand@tvldyn.com - [87.210.63.248] (the Netherlands)

jamey jamal - fataneh@i-qts.com - [124.84.175.218] (Japan)

algernon heung-do - melville@surecom.com - [124.84.175.218] (Japan)

christoforo sharad - fang@ohiohills.com - [124.84.175.218] (Japan)

fabe rosemary - hywel@msn.com - [124.84.175.218] (Japan)

hamil orlando - osulliva@surecom.com - [58.140.151.170] (Korea)

cristobal dai - irma@seagate.com - [58.140.151.170] (Korea)

frants cresswell - aziz@3com.com - [190.86.81.131] (El Salvador)

claudius quinn - avi@shoyher.com - [200.166.91.2] (Brazil)

chaim billie - mukund@atomis.com - [200.166.91.2] (Brazil)

chris field - hal@connecthouston.com - [79.3.4.33] (Italy)

alonso sidharta - cindy@e-business-associates.com - [58.141.39.110](Korea)

linn ming-hor - jikun@four-soft.com - [196.207.13.18] (Nigeria)

jerad anant - gorog@franceloisirs.com - [218.209.109.27] (Korea)

Friday, October 26, 2007

How Many Websites Can a Hacker Hack without Being Prosecuted?

Apparently the answer to that is TENS OF THOUSANDS, or more.

IskorpitX, the tutor of an entire generation of Turkish hackers, will shortly be able to claim that he has broken into 200,000 websites. (He's currently at 191,000 according to one popular hacker watching website).

Brasilian hacker, Fatal Error, runs a distant second, having broken in to "only" 32,000 websites according to the same source.

Wouldn't you say that would make them "targets of interest" for law enforcement activity? Sadly, that is not the case. Perhaps, you think to yourself, they have only attacked "low value" websites. Perhaps they are brand new to the scene? If only that were the case! Fatal Error, who lists many US Government websites, and even my home state of Alabama government websites, among his victims, has been actively attacking websites since 2002.

IskorpitX has been defacing websites since at least 2003, and has the governments of Argentina, Australia, Brazil, China, Columbia, France, India, Italy, Korea, Malaysia, Peru, the Philippines, Thailand, Venezuela and South Africa among his many victims. Of course the US government is on the list as well (such as the National Endowment for the Humanities), as well as Harvard University and Bank of America.

IskorpitX even has his own YouTube videos!

http://www.youtube.com/watch?v=ahqSeJvM2XU

http://www.youtube.com/watch?v=jTah9ckvV3Y

Other Turkish "Cyber Warriors" have even done television news interviews about why they hack websites!

http://www.youtube.com/watch?v=w4QgEsuTZrM


Here's one interesting hacker this week and the victims which are still laying around in Google's Cache:

I found it interesting because this hacker is doing SQL Exploits such as we've seen on several high profile attacks in the past including the National Institutes of Health and the United Nations. In this case, a content management system is being SQL injected to replace "titles" of things with the name of the hacker.

Google for the string "OwneD by RootDamages by FasT", and you'll find some interesting victims among the 26,100 pages being returned.

How about The Department of Veterans Affairs and their Cooperative Studies program?

www.vacsp.gov/news.cfm
www.csp.gov/news.cfm

(Although the Malaysian government also got a visit:

www.mygeoportal.gov.my/faq.cfm

Or the Michigan Bar Association?

www.michbar.org/news.cfm

Systems Integrator "Regan Technologies"?

www.rtcorp.com/news.cfm

The Esalen Center for Theory & Research still has pages with the title "OwneD by RootDamages by FasT", such as:

http://www.esalenctr.org/display/confpage.cfm?confid=10&pageid=105&pgtype=1

As does Applied Robotics:

http://www.arobotics.com/about/company_news/news_details.cfm?ID=17

But they weren't just limited to News articles. I think I'd feel very safe using a shopping cart where every product in the online store had been renamed to "OwneD by RootDamages by FasT", such as those at MetroPole360:

http://www.metropole360.com/productcat.cfm?productCatID=3

But you don't have to be a business to have an insecure webserver. Just ask the National Limousine Association, or the NorWest Dog Training Club:

http://209.85.165.104/search?q=cache:d_YOcnX94A4J:norwestdogtraining.co.nz/Newsletter.cfm

http://209.85.165.104/search?q=cache:aN6AmMtGh0kJ:www.limo.org/scriptContent/t_inside.cfm

One subject "that comes up over and over again on Ducati Online" is "OwneD by RootDamages by FasT" according to this news article:

http://www.ducati.net/faq.cfm?id=4

They're even having a conference on the topic in Brasil at the Psychology Congress. September 7th was their conference on "OwneD by RootDamages by FasT". They expected 6 thousand people to attend.

So how many websites will these hackers be allowed to deface before someone decides to arrest them?

Monday, October 15, 2007

Is Your Fifth Grader Smarter Than a Laughing Cat?

Have you seen the television show "Are You Smarter Than a Fifth Grader?" I've been thinking about a variation of that question as I consider the newest version of The Storm Worm.

This morning on the "Good Morning, Alabama" show as I discussed the Storm Worm, the weatherman laughed and said "Fortunately, I pretty much stay awy from laughing cats". So do most adults with bank accounts. Ask the question another way though. "Is there anyone who uses your computer who is into laughing cats?"

Laughing Cat Storm Worm


Twenty of the Twenty-nine anti-virus products I scanned this particular virus with (using Virus Total), did not report an infection. As of this writing, ClamAV, F-Prot, F-Secure, Microsoft, Panda, and Symantec were among the anti-virus programs who said "No Virus Found" to this current malware. ( Click for Results of this scan.)

Previous versions of the Storm Worm have used things such as Greeting Cards, an NFL Game Tracker, Labor Day greetings, Fourth of July greetings, and even Virus Alerts as means to trick people into visiting the malware site.

UAB's Computer Forensics research area will continue to study and document the storm worm until we can find a way to identify the criminals and bring them to justice.

I'll be giving a Public Lecture on Botnets this Friday (October 19th) at the Hull University Center Auditorium.