Hacker Launches Botnet Attack via P2P Software

June 29, 2008 – 11:51 AM

A 19-year-old hacker is agreeing to plead guilty to masterminding a botnet to obtain thousands of victims’ personal data in an anonymous scheme a federal cybercrime official described Friday as the nation’s first such attack in which peer-to-peer software was the “infection point.”

The defendant, Jason Michael Milmont, launched the assault last year from his Cheyenne, Wyoming residence, and anonymously controlled as many as 15,000 computers at a time, said Wesley L. Hsu, chief of the Cyber and Intellectual Property Crimes Section for federal prosecutors in Los Angeles. As part of the deal, in which a judge could hand him up to five years imprisonment, Milmont has agreed to pay $73,000 in restitution, the government said.

“It’s the first time that we know of that peer-to-peer software was used as the infection point,” Hsu said in an interview with Threat Level.

The malware infection became commonly known as the Nugache Worm, which embedded itself in the Windows OS.

According to the plea agreement, the worm was installed in various ways. The first incarnation of infections came from a website Milmont created that offered free installation of Limewire, the popular peer-to-peer file sharing program. He embedded his malware in those software downloads.

“Any time you download something from the internet, it’s possible somebody has appended software to it that isn’t supposed to be there,” Hsu said.

Hsu said Milmont is expected soon to enter his plea to one count of unlawfully accessing computers in a Wyoming federal court. Milmont’s attorney, Robert R. Rose, did not immediately respond to a request for comment.

Another incarnation of the infection included using AOL instant messenger as the delivery point of his malware. The malware would spread itself via chats, with a message asking a buddy to view a photo on a website such as MySpace.com or Photobucket.com. The user would be taken to a spoofed website, and would become infected with the Nugache Worm, the plea deal said.

“All of the data stored on the compromised machines would be available to defendant, including, but not limited to, credit card information,” according to the plea agreement.

The agreement also said that he took control of financial accounts of his victims.

“After obtaining this information from a victim’s computer, defendant used his/her financial institution’s online user name and password to access the account online,” the agreement said. “Defendant then changed the victim’s e-mail address to a similar e-mail that he controlled and the mailing address to an address in Cheyenne, Wyoming, typically an address that was listed for sale.”

He would also change the telephone number on a victim’s account to a number he controlled using Skype. “He paid for this service by using the credit card numbers harvested from his botnet,” the plea agreement said.

Hacker Launches Botnet Attack via P2P Software | Threat Level from Wired.com

AVG Update: Yet More Fake Traffic With New Disguises

June 29, 2008 – 11:47 AM

In an update to our June 20th post referring to Grisoft’s AVG anti-virus product spewing fake traffic (in our opinion a flawed architecture design by the company’s CTO, Karel Obluk): Cade Metz, of The Register, has delved a bit deeper into the issue, and has discovered that over last weekend AVG modified the product to be even more intrusive to webmasters, systems and network engineers managing legitimate sites, generally causing mayhem in analysis and bandwidth costs. The company has now re-crafted its product to include two more disguised agents:

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)

We believe, like most others, that it is a good thing to perform search-and-destroy operations (or thoroughly examine links for potential mal-activities) on malware-laden sites, and to protect users from such. Flawed architectures like the AVG product place the burden of such actions on the wrong side of the equation (an analogy, if you will: anti-cancer medication that also kills healthy cells).

We envision that the next step for affected sites (specifically large sites that can show significant financial loss due to bandwidth-related charges) will be to enter into legal action regarding the product.

AVG Update: Yet More Fake Traffic With New Disguises | Infosecurity.US
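The user-agent strings quoted in the post are the only fingerprint a site operator has for separating LinkScanner prefetches from real visitors, so it is worth seeing what can and cannot be done with them. The following is an added example, not code from Infosecurity.US, The Register or AVG: it parses Apache-style "combined" log lines, tags each hit by the two strings above, totals the bytes served to each class, and counts prefetches that shadow a fetch of the same path from the same address by a different agent. The log lines are constructed sample data on documentation IP ranges. The caveat a practitioner needs is built into the classifier: IE assembles its token list with "; " separators, so the missing space in ";1813" is a LinkScanner tell, whereas "SV1" is exactly what a genuine IE6 on XP SP2 sends, so filtering on that string would drop real users too.

```python
import re
from collections import Counter, defaultdict

# The two LinkScanner user-agent strings quoted in the post.
AVG_UA_1813 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
AVG_UA_SV1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# Apache/nginx "combined" log format; the path is the second token of the request.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Jun/2008:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/2008 Firefox/3.0"
203.0.113.10 - - [28/Jun/2008:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
198.51.100.7 - - [28/Jun/2008:10:02:30 +0000] "GET /news/ HTTP/1.1" 200 8000 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [28/Jun/2008:10:02:31 +0000] "GET /news/ HTTP/1.1" 200 8000 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
192.0.2.44 - - [28/Jun/2008:10:05:00 +0000] "GET /downloads/big.iso HTTP/1.1" 200 734003200 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["req"].split()
    rec["path"] = parts[1] if len(parts) >= 2 else rec["req"]
    return rec


def classify_ua(ua):
    """'avg' for the ;1813 string (IE separates tokens with '; ', so the missing
    space is LinkScanner's), 'ambiguous' for SV1 (identical to a real IE6/XP SP2
    agent), 'other' for everything else."""
    if ua == AVG_UA_1813:
        return "avg"
    if ua == AVG_UA_SV1:
        return "ambiguous"
    return "other"


def summarize(log_text):
    """Hit and byte counts per class, so the bandwidth cost of the prefetches is visible."""
    hits, nbytes = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cls = classify_ua(rec["ua"])
        hits[cls] += 1
        if rec["bytes"] != "-":
            nbytes[cls] += int(rec["bytes"])
    return hits, nbytes


def prefetch_pairs(log_text):
    """Count (ip, path) pairs fetched both by the ;1813 agent and by some other
    agent: the pattern a scanner that re-fetches what the user just loaded leaves."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            seen[(rec["ip"], rec["path"])].add(classify_ua(rec["ua"]))
    return sum(1 for classes in seen.values() if "avg" in classes and len(classes) > 1)


if __name__ == "__main__":
    h, b = summarize(SAMPLE_LOG)
    for cls in ("other", "ambiguous", "avg"):
        print(f"{cls:10s} hits={h[cls]:3d} bytes={b[cls]:,}")
    print("AVG prefetches shadowing another fetch:", prefetch_pairs(SAMPLE_LOG))
```

On the sample data the ;1813 agent accounts for three of five hits and almost all of the bytes, which is the analytics and bandwidth distortion the post complains about. Keeping the prefetches out of the statistics on Apache is one SetEnvIf on the ";1813" user agent plus a CustomLog with env=!that_variable; the SV1 string cannot safely be treated the same way.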

Another Call for Packets – Port 502

June 29, 2008 – 11:44 AM

Usually, I don’t have two calls for packets on a shift, but this one definitely bears looking into and hopefully finding an answer. There is an increase on port 502, when you look at the targets, that started today. Until today, life has been pretty quiet on that port. Port 502 is a known port when dealing with SCADA systems. According to an article on SCADA Honeynets, “Modbus TCP on port 502 is a widely used, standard SCADA protocol in PLC’s and other field devices that monitor sensors and control instruments.”

If you have packets, logs or ideas on this increase, please send them into us.

SANS Internet Storm Center; Cooperative Network Security Community – Internet Security – isc
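For anyone looking at the port 502 traffic before sending packets in, the following is an added example (not ISC or SANS code) that decodes the Modbus/TCP framing the diary refers to: the seven-byte MBAP header (transaction id, protocol id, length, unit id), the function code, and the address fields of the common read and write requests. It rejects frames whose protocol id or length field is wrong, flags exception responses (function code with the high bit set), and tallies state-changing writes across a capture, since writes to coils and registers from an unexpected source are what to triage first. The frames are constructed sample bytes, not captured traffic; the function-code names and exception semantics are those of the Modbus application protocol.

```python
import struct
from collections import Counter

# Modbus/TCP frame = 7-byte MBAP header + PDU.
#   MBAP: transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1)
#   PDU:  function code (1) | data
# 'length' counts every byte after itself: unit id + function code + data.
MBAP_FMT = ">HHHBB"  # header plus the first PDU byte (function code)

FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


class ModbusError(ValueError):
    """Raised for bytes on port 502 that are not well-formed Modbus/TCP."""


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode one Modbus/TCP frame (request or response) into a dict."""
    if len(frame) < 8:
        raise ModbusError("frame shorter than MBAP header + function code")
    tid, pid, length, uid, fc = struct.unpack(MBAP_FMT, frame[:8])
    if pid != 0:
        raise ModbusError(f"protocol id {pid} is not Modbus (expected 0)")
    if length != len(frame) - 6:
        raise ModbusError(f"length field {length} but {len(frame) - 6} bytes follow it")
    data = frame[8:]
    code = fc & 0x7F
    rec = {
        "transaction_id": tid,
        "unit_id": uid,
        "function_code": code,
        "function": FUNCTION_NAMES.get(code, "unknown/vendor-specific"),
        "exception": bool(fc & 0x80),  # error responses set the high bit
        "data": data,
    }
    if rec["exception"]:
        rec["exception_code"] = data[0] if data else None
    elif code in (1, 2, 3, 4) and len(data) == 4:        # read request
        rec["start"], rec["quantity"] = struct.unpack(">HH", data)
    elif code in (5, 6) and len(data) == 4:              # single write (request or echo)
        rec["address"], rec["value"] = struct.unpack(">HH", data)
    elif code in (15, 16) and len(data) >= 5:            # multiple-write request
        rec["start"], rec["quantity"], rec["byte_count"] = struct.unpack(">HHB", data[:5])
    return rec


def is_write(rec: dict) -> bool:
    """Writes to coils/registers change process state; triage those first."""
    return not rec["exception"] and rec["function_code"] in WRITE_FUNCTIONS


def triage(frames):
    """Tally function names across a capture, counting writes and malformed frames."""
    by_function, writes, malformed = Counter(), 0, 0
    for frame in frames:
        try:
            rec = parse_modbus_tcp(frame)
        except ModbusError:
            malformed += 1
            continue
        by_function[rec["function"]] += 1
        writes += int(is_write(rec))
    return {"functions": by_function, "writes": writes, "malformed": malformed}


# Constructed sample frames (hex), not captured traffic.
SAMPLE_FRAMES = [
    bytes.fromhex("000100000006010300000002"),  # read holding registers 0..1 from unit 1
    bytes.fromhex("000200000006010600101234"),  # write 0x1234 to register 0x0010
    bytes.fromhex("000100000003018302"),        # exception: fc 3 failed, code 2 (illegal data address)
    bytes.fromhex("000100010006010300000002"),  # protocol id 1: not Modbus
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        try:
            r = parse_modbus_tcp(f)
            print(r["function"], "WRITE" if is_write(r) else "", r.get("exception_code", ""))
        except ModbusError as e:
            print("malformed:", e)
    print(triage(SAMPLE_FRAMES))
```

Scanner traffic tends to show up as short read requests (function 1 to 4) against many addresses with little or no reply; a frame that fails the protocol-id or length check is either not Modbus at all or a deliberately malformed probe, and both are worth keeping rather than discarding.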

Microsoft repairs PCs crippled by XP SP3 update

June 29, 2008 – 11:39 AM

Nearly three weeks after security vendor Symantec released a free tool to clean up PCs crippled by the Windows XP Service Pack 3 (SP3) update, Microsoft issued a fix that should reestablish lost Internet and wireless connections.

Earlier this week, Microsoft posted a hotfix for a problem users first reported in mid-May. Users of Symantec’s consumer security software said that after updating their PCs to XP SP3, a bug emptied Windows’ Device Manager and deleted network connections.

Although Symantec initially blamed Microsoft for the snafu, it later accepted some responsibility. In late May, Symantec acknowledged that Microsoft’s updating process and a security feature in its own Norton-branded software combined to swamp the Windows registry with hundreds, sometimes thousands, of bogus and corrupted keys. That security feature, dubbed “SymProtect” by Symantec, was designed to protect the company’s security software from attack by guarding against unauthorized changes to the registry.

Although Microsoft had previously declined to comment on the episode, the support document that accompanied the hotfix fingered Symantec’s software. “This problem occurs when the Fixccs.exe process is called during the Windows XP SP3 installation,” said Microsoft. “This process creates some intermediate registry subkeys, and it later deletes these subkeys. In some cases, some anti-virus applications may not let the Fixccs.exe process delete these intermediate registry subkeys.”

Microsoft repairs PCs crippled by XP SP3 update – Network World

IronKey USB key has military grade encryption

June 29, 2008 – 11:30 AM

Plenty of USB storage keys are on the market, but IronKey is the first to use military-level encryption. Sold in 1GB, 2GB, and 4GB sizes, the key features a processor called the Cryptochip, which uses Public Key Cryptography ciphers linked to an online account to create encryption keys on the hardware. A Federal Information Processing Standard (FIPS) 140-2 compliant true random number generator on the Cryptochip ensures that encryption keys are extremely secure and totally random.

IronKeys come in different sizes, but there are also three different versions, each with unique features. The basic version has a very James Bond-esque feature to destroy the data on it in case of an emergency. The personal version is loaded with Firefox 3 with various addons that make browsing encrypted and anonymous. The enterprise version is made to order with no specific price on the IronKey site, just a form to order one built to your specifications. All of them support Windows, OS X, and a large number of Linux distros, and they all come in tamper-proof and water-resistant cases with a brushed metal finish. We tend to think this level of security is overkill for the average person, but people can’t seem to get with our freewheeling approach to security; remember, we leave our WLAN open.

IronKey USB key has military grade encryption – Hack a Day