Tuesday, January 29, 2008

An Anonymous Update

The group "Anonymous", which has lately been waging attacks on the Church of Scientology, both verbal and DDoS, has issued another two-minute video that attempts to dispel media claims that it is made up of a group of Super Hackers (I guess those are hackers with capes). Instead, the video claims that they are everyday people who are simply fed up with the CoS. In the video they also ask everyone to be ready for February 10th, 2008, when they will stage some sort of event(s) in protest of the church. Here's a link to the group's latest video offering--->here!

Friday, January 25, 2008

Unlock Your True Hacktivist ...page 309


I'm sure most of you by now have seen, or are at least aware of, "The Tom Cruise Video Scientologists Don't Want You to See!". If you are unaware, it is a video interview of Tom Cruise on Scientology. You watch as he progressively becomes crazier in front of your very eyes. I had a lot of trouble understanding any of it, filled as it is with impressive stream-of-consciousness psychobabble and acronyms we were supposed to already understand. You've got to rise above the SPs, or something like that, I don't know, but I was clued in by my work mate that he had referenced SPs in a different interview and explained it to be short for 'suppressive people'.
At any rate, apparently the Church of Scientology really didn't want you to see it, because it used copyright law to have the video pulled from YouTube. It didn't take long for it to be reposted by many other users, though, so if you missed it, try this link.
Next, enter the group that calls itself Anonymous, which took great offense at the removal of the video. They claim it was an attempt to censor the internet, though it seems they just really have an issue with the Scientologists. They have since posted their own video on YouTube showing time-lapse scenes of clouds rolling by as a computer-generated voice explains their disdain for the "church" and how the organization should be destroyed: "We shall proceed to expel you from the Internet and systematically dismantle the Church of Scientology in its present form." Here's the link to Anon's video. In addition to the video, Robert Vamosi of McAfee tells us that many local Scientology chapters' websites have been defaced, and that denial-of-service attacks have prevented access to other sites. He also states that several real-world attacks have taken place, including fax-spamming of those same offices.
Well, this could prove to be interesting.

Wednesday, January 23, 2008

An Open Letter to Slawomir J. Borowy


Dear Mr. Borowy,
I ran across several hundred of your highly enlightening emails today. I have to say that I knew something was up with the FBI, but I thought it was just me and my disdain for acronyms. Now I am convinced that, as you so eloquently put it, "The Mukasey Law, Justice and Order For Robbing, Killing and Enriching From Within The FBI Counterintelligence Under Its Acting Assistant Director Daniel Lee Cloyd" is the cold hard truth! I had to ask myself, how can anyone put any mistrust in a "Former Polish diplomat, UN officer and participant in sensitive FBI projects to uncover Russian and Eastern-Central European spies in FBI also"?!
I feel awful hearing that the Gateway computer you won in a bidding war on eBay was intercepted by the FBI and replaced with the exact same model with a different hardware configuration. Those bastards will stop at nothing!
I'll tell you, I have been on board ever since 2003, when you opened my eyes to the fact that the Bush-Cheney White House hired consulting firms that only employed people who had not finished any college and were still paid six-figure salaries, thus facilitating the September 11th attacks.
Worst of all was that time you and your wife were "partly homeless" and your laptop was hacked, so you had to redo your warnings that Hillary Rodham Clinton's quest for the White House is simply a ploy to keep you and your wife on the streets and not in your house-sitting jobs. Good thing you got that out right before the Iowa caucuses! Your letters alone are likely the reason Obama won for the Dems.
In closing, I'd just like to thank you for the heads up on all of these more than important events over the years. Your conspiracy theo..., er, facts, in plain, well-versed English, that don't sound, if I may add, insane at all, have led me to a level above consciousness, which just so happens to be in a bunker 3 miles beneath the Earth's surface, shivering in a corner.

Your friend and believer,
...phread

Tuesday, January 22, 2008

Jihadi Encryption: the sequel


An Islamic web site run by the GIMF, or Global Islamic Media Front, known for posting pro-al Qaeda sentiments and propaganda, has released an updated version of security software designed to make communication more secure. It's called Mujahideen Secrets 2, and it was released for free on the password-protected site.
"This special edition of the software was developed and issued by ... Ekhlaas in order to support the mujahideen (holy war fighters) in general and the (al Qaeda-linked group) Islamic State in Iraq in particular," the site said.
Its features include:
Five encryption algorithms (the AES finalists), billed as the best available in cryptography.
A top-notch file shredding program.
Secure messaging, with the ciphertext encoded as text.
File transfer capability using file-to-text encoding.
All of it with digital signatures to prove authenticity, and an easy-to-use GUI.
With the internet being a very popular place for young people, including Muslims, such sites and tools may prove popular among average cyber jihadists, as well as hobbyist hackers who want to keep their data secure.

Wednesday, January 16, 2008

Here Come The HTTP Botnets!


As I've described before, and I'm sure you're well aware, a botnet is a group of compromised computers, or zombies as I prefer to call them, linked together through some sort of command protocol set up by the botmaster, or botherder. Until recently there have been only two techniques these botnets have used to communicate. The first, the original means of C&C (command and control), was IRC. Each bot would connect to an IRC server and sit in a channel as an apparent user, and the botherder would issue commands into that channel as if chatting, though somewhat more cryptically (often by setting the channel topic), and every bot in the channel would then carry out the orders. This form of communication became much easier to stifle because the IRC traffic, once intercepted, would basically broadcast the location of the C&C server. Once that server or channel was taken down, the entire botnet would fall.
With the rise of the Storm Worm's now infamous botnet came the birth of the peer-to-peer botnet. Taking its cue from popular P2P file sharing networks, this design is still very strong today because the zombies within the network communicate amongst themselves, which allows pieces of the network to survive when other parts of it have been cleaned or taken down.
Recently, experts in the field have been noticing the rise of a third type of botnet, the HTTP botnet, which communicates via ordinary web requests. Instead of being configured with an IRC server and a set of commands to listen for, each bot is set up to contact certain URLs. It sends an HTTP POST containing unique identifiers for the bot, and in return the server it is communicating with sends back whatever commands it has been configured to hand out. Those commands typically have the bot fetch something with an HTTP GET: new malware files, spam templates, or DDoS instructions from a command such as "http://get flood[][]", with the brackets carrying the details of the specific target to attack. Unlike IRC or P2P, the connection isn't persistent: the bot exchanges a single request and response with the server and goes about its duties. Because the bots don't need to stay in touch, cutting off the C&C server once a DDoS is already in progress does not stop the bots that have already picked up their instructions, which would definitely make such an attack more difficult to thwart. The check-ins also look like ordinary web traffic, so they pass through firewalls and proxies that would have blocked IRC.
For the most part there are very few of these in existence, but it could catch on once the idea spreads, or once automated set-up software, a kit, appears in the wild.
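Since an HTTP bot's check-ins are just small POSTs to the same URL on a timer, the practical way to spot them in a web proxy log is to look for that regularity rather than for any particular URL. The following is an added example, not code from the original post or from any botnet analysis it refers to; the log format, the timings and the thresholds are constructed assumptions for illustration.

```python
"""Flag HTTP C&C check-ins (beaconing) in a web proxy log.

Added example, not part of the original post. The log below is a
constructed, simplified proxy log: "<epoch> <client_ip> <method> <url> <bytes>".
An HTTP bot typically POSTs a small, fixed-size identifier to the same URL on
a fixed interval, so we look for (client, url) pairs with several small POSTs
whose gaps have low jitter. Human browsing (the 10.0.0.7 lines) is irregular.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log; 10.0.0.5 checks in with its controller every ~60 s.
SAMPLE_LOG = """\
1200000000 10.0.0.5 POST http://203.0.113.9/gate.php 212
1200000060 10.0.0.5 POST http://203.0.113.9/gate.php 212
1200000121 10.0.0.5 POST http://203.0.113.9/gate.php 212
1200000180 10.0.0.5 POST http://203.0.113.9/gate.php 212
1200000241 10.0.0.5 POST http://203.0.113.9/gate.php 212
1200000300 10.0.0.5 POST http://203.0.113.9/gate.php 212
1200000012 10.0.0.7 GET http://www.example.com/ 1043
1200000340 10.0.0.7 POST http://www.example.com/login 512
1200000900 10.0.0.7 POST http://www.example.com/login 498
1200003500 10.0.0.7 POST http://www.example.com/login 530
"""


def parse_log(text):
    """Yield (timestamp, client, method, url, size) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, size = line.split()
        yield int(ts), client, method, url, int(size)


def find_beacons(records, min_hits=5, max_jitter=0.2, max_bytes=1024):
    """Return {(client, url): average_period_seconds} for suspected check-ins.

    A pair qualifies when it has at least `min_hits` POSTs of at most
    `max_bytes` and the coefficient of variation of the gaps between them
    (stdev / mean) is at most `max_jitter`. The thresholds are assumptions;
    tune them against your own proxy baseline.
    """
    times = defaultdict(list)
    for ts, client, method, url, size in records:
        if method == "POST" and size <= max_bytes:
            times[(client, url)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons[key] = period
    return beacons


if __name__ == "__main__":
    for (client, url), period in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {url}: check-in every ~{period:.0f}s")
```

Run against a real proxy export the same logic produces a short list of hosts to look at; the jitter threshold is what separates a timer-driven bot from a user who happens to hit the same form repeatedly.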

Friday, January 11, 2008

X S P

Is everyone ready for the latest and greatest in flash-in-the-pan spamming?! I introduce to you Cross Site Printing, or XSP. Cross Site Printing is at present a very easily pulled off proof-of-concept attack on networked printers. Despite the nod to XSS in the name, it works more like a cross-site request: a user inside the network visits a malicious web page, and a bit of JavaScript on that page makes the user's browser send a request straight to the printer's raw print port, where the printer dutifully prints it as a job. Spammers can use this to send whatever bit of advertising they'd like to your office printer. It reminds me of my last place of employment, where amazing stock tips used to pour out of the fax machine all day long. Of course, the same job can be pushed over a direct telnet connection to that port as well, but unless you're pranking your workmates by making them believe that the printer is watching them, that is a highly unlikely approach.
The ease of this attack lies in the fact that most printers on a network sit behind the company's firewall and are therefore considered safe, and, like your mom's wireless router back home, are not password protected. It doesn't help that the majority of network printers listen for raw print jobs on the same well-known port, TCP 9100, and that browsers do not currently include that port in the short list of ports they refuse to connect to, so it hadn't been an issue before. I foresee a future filled with authentication and Vista-like pop-up approvals in the year ahead. I also don't see how this could last, unless people prefer to be lazy and ignore it by simply trashing all the new printer ads they receive instead of making a simple firewall change (only the print server needs to reach port 9100) or enabling password protection, and that's just not very green, now is it?!
One piece of good news is that this only affects networked printers, not printers plugged directly into the PC, such as yours at home. So you IT guys can get a jump on things and put protection in place now to show "the man" how well you micro-manage the company's pennies. By saving all of that potentially wasted paper, ink, machine wear and electricity, you can show the boss how you subtracted that right out of the TCO. It adds up, but you knew that. I think you deserve a promotion for being so darn proactive!
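The firewall change above is only worth anything if you can verify it, and the test is simple: from an ordinary workstation segment, no printer should accept a connection on port 9100. What follows is an added example, not code from the original post or from the XSP research it describes; the PJL identification query is a real JetDirect convention, but the printer addresses are constructed and the injectable `connect` parameter is a design choice of this example so the logic can be exercised without a network.

```python
"""Audit which printers accept raw TCP/9100 connections from this host.

Added example, not part of the original post. Run it from a workstation
VLAN: every printer that answers is reachable by a browser-relayed
cross-site print job from that VLAN. Run it from the print server with
allowed_from_here=True to confirm the path you do want still works.
"""
import socket

RAW_PRINT_PORT = 9100
# PJL universal-exit-language prefix plus an identification query; most
# JetDirect-style printers answer with their model string.
PJL_INFO_ID = b"\x1b%-12345X@PJL INFO ID\r\n\x1b%-12345X"


def probe_printer(host, connect=socket.create_connection, timeout=3.0):
    """Return (reachable, banner) for one host.

    `connect` is injectable (for tests and dry runs); by default it opens a
    real TCP connection with socket.create_connection.
    """
    try:
        sock = connect((host, RAW_PRINT_PORT), timeout)
    except OSError:
        return False, ""
    try:
        sock.settimeout(timeout)
        sock.sendall(PJL_INFO_ID)
        try:
            banner = sock.recv(256).decode("ascii", "replace").strip()
        except OSError:  # printer accepted the job but said nothing back
            banner = ""
    finally:
        sock.close()
    return True, banner


def audit(hosts, allowed_from_here=False, connect=socket.create_connection):
    """Return [(host, banner)] for every host that violates policy.

    From a workstation (allowed_from_here=False) a reachable printer is a
    finding; from the print server (True) an unreachable one is.
    """
    findings = []
    for host in hosts:
        reachable, banner = probe_printer(host, connect=connect)
        if reachable != allowed_from_here:
            findings.append((host, banner))
    return findings


if __name__ == "__main__":
    # Constructed example addresses; replace with your printer inventory.
    for host, banner in audit(["192.0.2.10", "192.0.2.11"]):
        print(f"{host}: raw port 9100 open to this segment ({banner or 'no PJL reply'})")
```

A printer that accepts the connection but never answers the PJL query is still a finding: the raw port prints whatever it receives, reply or not.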

Tuesday, January 8, 2008

Fraudulent IRS Emails



I know it's usually a scary experience to see any sort of mail from the Internal Revenue Service other than a refund, and this campaign warrants a little more fear than the rest. We are currently seeing a pretty large campaign of fraudulent mail purporting to be from the IRS. It instructs business/corporate accountants and treasury managers to download a slew of updates to what are supposed to be last-minute tax law changes.
Once you click the link in the email, it takes you to a site that is copied across many different domains, each using a hostname whose leading labels mimic a legitimate IRS address, e.g. www6.irs.gov.xxxxxxx.biz/~~~. The registered domain is the attacker's .biz domain at the end of the name, not irs.gov; the "irs.gov" part is just a subdomain chosen to fool the user. The page offers several links masquerading as different sections of tax law to download. They are in actuality malicious executable files that may appear to be PDFs in an outdated browser. These files are likely poised to steal information from your computer and pave the way for other malware to be downloaded.
We are currently blocking all of these emails at AppRiver as fraudulent, and are analyzing the downloaded files themselves in order to update virus definitions.
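The subdomain trick works because people read hostnames left to right while DNS resolves them right to left. A link checker therefore has to compare the registered domain, not the start of the name. The following is an added example written for this post, not AppRiver's filter or any code from it; the sample links are constructed (the real campaign's paths are not reproduced), and the two-label "registered domain" rule is a simplification that ignores public suffixes such as .co.uk.

```python
"""Spot IRS look-alike phishing links of the kind described above.

Added example, not AppRiver's filtering code. Stdlib only. It flags a link
when a trusted brand domain appears inside the hostname without being the
registered domain, and when the download is an executable, especially one
dressed up with a document extension in front of the real one.
"""
from urllib.parse import urlsplit

LEGITIMATE = {"irs.gov"}
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".cmd")
DOC_DISGUISES = (".pdf.", ".doc.", ".xls.")

# Constructed sample links, not URLs taken from the actual campaign.
SAMPLE_LINKS = [
    "http://www6.irs.gov.xxxxxxx.biz/updates/tax_law_change_1.pdf.exe",
    "https://www.irs.gov/pub/irs-pdf/f1040.pdf",
    "http://www.example.com/quarterly.exe",
]


def registered_domain(host):
    """Last two labels of a hostname: 'www6.irs.gov.xxxxxxx.biz' -> 'xxxxxxx.biz'.

    Assumption: a two-label rule. Production code should consult the
    public suffix list so that 'example.co.uk' is not reduced to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url):
    """Return the reasons a link looks like an IRS phish; empty list means no finding."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reasons = []

    reg = registered_domain(host)
    if reg not in LEGITIMATE:
        for brand in LEGITIMATE:
            if brand in host:  # brand present, but only as a subdomain label
                reasons.append(
                    f"'{brand}' appears in a subdomain but the registered domain is '{reg}'"
                )

    filename = parts.path.rsplit("/", 1)[-1].lower()
    if filename.endswith(EXEC_SUFFIXES):
        reasons.append(f"link downloads an executable: {filename}")
        if any(tag in filename for tag in DOC_DISGUISES):
            reasons.append("double extension disguises the executable as a document")
    return reasons


def scan(links):
    """Map each flagged link to its list of reasons."""
    findings = {}
    for link in links:
        reasons = classify_url(link)
        if reasons:
            findings[link] = reasons
    return findings


if __name__ == "__main__":
    for link, reasons in scan(SAMPLE_LINKS).items():
        print(link)
        for reason in reasons:
            print("  -", reason)
```

The genuine irs.gov link passes cleanly, which is the point: the check keys on where the name is registered, so a phisher cannot get around it by stuffing more official-looking labels in front.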

Monday, January 7, 2008

That's What You Get


After HMRC's Tyne and Wear office lost two data discs holding personal tax-related information on around 25 million people, brainiac host Jeremy Clarkson, of the television version of the popular motoring magazine Top Gear, made the laughable mistake of having his own bank account details printed in the Sun newspaper just to prove that there was absolutely nothing anyone could really do with that information except maybe put money into the account. I guess his goal was to put 25 million people at ease and show that one person really can make a difference. Well, if anything he likely scared them all a little more, and made himself appear quite unaware of the world around him at the same time. Just as you may have predicted, within hours of the paper going to press his account had a direct debit set up for £500 to a UK diabetes charity. Lucky for him the culprit was only out to teach him a 'little' lesson, and not to empty him out completely like they could have. Wow, people never cease to amaze me! There is no word on whether Mr. Clarkson let the charity keep the money. For his own posterity's sake, I'm hoping he did.

Friday, January 4, 2008

Rebuilding An Empire

After a short time off, the Storm Worm seems to have switched from a period of heavy utilization back to a rebuilding phase. This past holiday season saw a dramatic spike in the number of Storm seeding attempts coming through the filters.
It can safely be assumed that a botnet is a living, breathing thing. Certain bots in these malicious computer armies are taken offline on a daily basis as new ones arrive, which causes an obvious fluctuation in the overall size of the botnet. The Storm Worm hadn't run a campaign designed to infect new computers in quite some time, relative to its original tempo. That would have caused the botnet to shrink significantly as computers were disinfected or thrown out with the trash, or as old IPs were exposed and blocked by a number of blacklists, rendering its rental spam (et al.) business far less effective.
Now it looks like it was time to get the numbers back up. We have seen as many as 17 million individual attempts by the Storm gang, give or take a few thousand, since the 30th of December, and the numbers remain high today, with nearly 2 million seen, and it's only noon!
As always, be vigilant about your email. The general rule of thumb is to not open email from individuals you don't recognize. This is especially true of the e-cards and unsolicited news headlines used as subject lines, as they've been a very popular social engineering technique with these guys.

Wednesday, January 2, 2008

1-900-Mal-Ware

There are reports floating around today that a new variation on the ransomware trojan is circulating through the US, the UK and France. It completely locks up your computer, stating that "Browser Security and Antiadware Software component license exprited! (sic)". To get it back into working order, it instructs you to dial a 900 number.
Unlike many of these trojans, it doesn't involve the theft of credit card numbers or bank accounts; instead, since it uses a 900 number, the charges go straight to your phone bill, and if the criminals can get the money out of the payment processors fast enough, it greatly reduces their risk.