Your daily source of Pwnage, Policy and Politics.


Episode 386 – Zeus for Dummies, Advanced Persistent Canada, Thor, Shin Bet, Osama Sneakernet & Disposal

InfoSec Daily Podcast Episode 386 for May 13, 2011.  Tonight's podcast is hosted by Rick Hayes, Karthik Rangarajan, and Geordy Rostad.

Announcements:

SANS: SANS Security 504: Hacker Techniques, Exploits & Incident Handling (Dave Shackleford)
When:  Sunday, May 15, 2011 – Friday, May 20, 2011
Where: Baltimore, MD
http://www.sans.org/cyber-guardian-2011/description.php?tid=243

LayerOne 2011
When: Saturday May 28th – Sunday May 29th
Where: Los Angeles, CA
http://www.layerone.org/

My Hard Drive Died
5-Day Data Recovery Expert Certification
Where: Atlanta, Georgia
When: June 6-10, 2011

5-Day Bootcamp Data Recovery
Where: Chicago, Illinois
When: July 18-22, 2011

#BSidesCT
Where: Meriden, Connecticut
When: June 11, 2011

http://bsidesct.eventbrite.com

eXcon
Where: Meriden, Connecticut
When: June 11-12, 2011
http://excon.eventbrite.com  (email excon@nesit.net for more info)
Begins after BSidesCT. Registration cost is $50.00

#BSidesVienna
When: June 18, 2011
Where: Vienna, Austria
http://www.bsidesvienna.com
CFP open now!

2nd Annual AIDE conference
When: July 11th – 15th, 2011
Where: Marshall University Forensic Science Center, Huntington, WV
http://aide.marshall.edu/

OISF July Anniversary Event
When: July 16th, 2011
Where: Dayton, Ohio
http://ohioinfosec.org
Adrian will be there

#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html
CFP CLOSES SUNDAY! http://blog.brucon.org/2011/01/brucon-call-for-papers-2011.html

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

2011 Fall Information Security Conference
When:  November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org
CFP open now through June 3, 2011! Email submissions to Conference@gaissa.org

EFF:
The ISD Podcast has entered into a contest to see who can raise the most money for the Electronic Frontier Foundation.  For those who don’t know, the EFF is a non-profit group of lawyers, policy analysts, activists, and technologists who fight for digital rights and have helped countless hackers and security researchers get out of hot water, as well as exposing injustices caused by ignorant legislation and bad judgements.  Please click the following link to donate to a vitally important cause:
http://action.eff.org/site/TR/Contest/Advocacy?team_id=1730&pg=team&fr_id=1060

PTES-G:
We need your help!  PTES-G needs your assistance, in helping develop the missing areas.  If you find an area where you could assist us, we would certainly be interested in talking to you.  Send an email to ptes-g@isdpodcast.com with the area that you want to compose.   Even if you aren’t familiar with a particular area, you can still submit the procedures for how to use a particular tool.  This guideline is for you, so naturally it stands to reason that it would be created by you.  Please help us!

Stories

Source: http://pastehtml.com/view/1ego60e.html

Presumably the same person who posted the source code online has also graciously posted the instruction manual for version 2.1.0.0 (dated March 20, 2011) of the Zeus crimeware kit on pastehtml.  Reading over this manual shows the level of sophistication of the Zeus authors.  It gives many insights into how the bot you build hides itself from the user and from the operating system.  Here is a short (paraphrased) excerpt from the Bot-Protection section:

  1. All objects, i.e. files, mutexes and registry keys, are created with completely random and unique names.
  2. The code that first installs the bot is destroyed after the bot is installed.
  3. Files are not hidden from the WinAPI, since a hidden file is exactly what anti-virus tools find too easily.
  4. The bot can be updated on the fly without a reboot.
  5. The bot monitors the integrity of its own files, registry keys and other objects.

After the protection section, the manual spells out the server-side functions of the bot:

  1. SOCKS 4/4a/5 server with support for UDP and IPv6.
  2. Backconnect for any service (RDP, SOCKS, FTP, etc.) on the infected machine, i.e. access to a computer that sits behind NAT or whose inbound connections a firewall blocks. This feature relies on an additional application running on any Windows server on the Internet that has a dedicated IP address.
  3. Getting a screenshot of the desktop in real time.

Next, the manual spells out the ways your custom build can hook wininet.dll (IE) or nspr4.dll (Firefox) to intercept HTTP/HTTPS traffic going through the browser; because the hook sits in the browser's own HTTP library, it sees the plaintext even for HTTPS (pro-tip, keep Opera handy):

  1. Modification of loaded page content (HTTP-inject).
  2. Transparent page redirects (HTTP-fake).
  3. Extracting the desired pieces of data from page content (for example the bank account balance).
  4. Temporarily blocking HTTP-injects and HTTP-fakes.
  5. Temporarily blocking access to a certain URL.
  6. Blocking logging of requests for a specific URL.
  7. Forcing logging of all GET requests for a specific URL.
  8. Creating a snapshot of the screen around the mouse cursor when buttons are clicked.
  9. Getting session cookies and blocking user access to a specific URL.

The list goes on and on, but it shows that this is truly a Swiss army knife of malware.  Skipping down to the C&C feature description, there is a lot of focus on client tracking and geolocation, along with logging and notification features.  One particularly interesting section spells out the client details that are tracked:

  • Windows version, user language and time zone.
  • Location and computer IP address (not for local addresses).
  • Internet connection speed (measured by calculating the load time of a predetermined HTTP-resource).
  • The first and last time of communication with the server.
  • Time online.

When you read over the instructions, you realize what an incredible tool this could be for plain old white-hat system administration.  The level of detail in the instructions is truly impressive and rivals most legitimate software we’ve seen of late.

The other conclusion we can easily draw is that the Zeus crimeware kit is clearly the work of a well-backed team of developers rather than some Russian dude in his basement.

Most of the document is incredibly interesting and we urge our listeners to take a peek to see what’s behind the curtain.

Source: http://business.financialpost.com/2011/05/09/canada-new-breeding-ground-for-cyber-crime

Canada is becoming a new breeding ground for cyber criminals, according to a report obtained by the Financial Post.

The number of Canadian servers found to be hosting phishing sites — malicious websites designed to lure visitors to enter sensitive personal information — jumped 319% over the past year, says the report to be released Tuesday from cyber-security firm Websense Inc.

The rise is second only to Egypt, said Patrik Runald, senior security research manager at Websense.

“And Egypt obviously came from pretty much nowhere, so it is easy [for it] to have a higher percentage increase,” Mr. Runald said. “In all the other [western] countries like the U.S., France, the U.K. and Germany the number of servers are going down, whereas in Canada, for some reason, it is going up.”

Canada now sits just behind the United States globally in the number of servers hosting phishing sites, ahead of Germany, U.K. and France.

Source: http://www.chron.com/disp/story.mpl/metropolitan/7557244.html

Unlike the Marvel Comics hero of Asgard who packed cinemas this weekend, a different Thor without superpowers was punished in a Houston federal courtroom Monday for a failed scheme to hack local ATMs using Barack Obama as an alias.

Thor Morris, 20, of Jacksonville, N.C., was sentenced to three years and one month in federal prison without parole for attempting to embezzle more than $200,000 from three dozen local automated teller machines last year.

According to the criminal complaint, Morris confided in an FBI informant that he planned to use a confidential operator's manual to reprogram Tranax ATMs, as he had done in the past in other states, and make the machines issue $20 for every $1 requested.

The fraud charge against Morris came after his plan was uncovered during an investigation initiated about a year ago by the FBI's Cyber Crimes Division. He was arrested April 22, 2010 while attempting to gain unauthorized access into a storefront ATM in far southwest Houston.

Source: http://www.jpost.com/Defense/Article.aspx?id=219257

Israel has detected what appears to have been attempts to use cyber-warfare to attack critical state infrastructure, outgoing Shin Bet (Israel Security Agency) chief Yuval Diskin said on Wednesday.

Speaking to military reporters ahead of his scheduled retirement later this month, Diskin said that the Shin Bet, which is responsible for defending state infrastructure – including the water system and electrical grid from cyber attacks – has detected “fingerprints” and “tracks” of attempted attacks.

“All over the world, including in Israel, there are cyber attacks,” Diskin said. “We can’t say for certain the attacks were against critical infrastructure, but there are fingerprints and tracks that maybe there were attempts, and they were treated.”

The Shin Bet, Diskin said, recently completed a major review of its technological and cyber capabilities, and has outlined a multi-year plan that will be implemented in the coming months by his successor Yoram Cohen, his former deputy.

Source: http://news.yahoo.com/s/ap/us_bin_laden

Using intermediaries and inexpensive computer disks, Osama bin Laden managed to send emails while in hiding, without leaving a digital fingerprint for U.S. eavesdroppers to find.

His system was painstaking and slow, but it worked, and it allowed him to become a prolific email writer despite not having Internet or phone lines running to his compound.

His methods, described in new detail to The Associated Press by a counterterrorism official and a second person briefed on the U.S. investigation, frustrated Western efforts to trace him through cyberspace. The people spoke to the AP on condition of anonymity to discuss the sensitive intelligence analysis.

Bin Laden's system was built on discipline and trust. But it also left behind an extensive archive of email exchanges for the U.S. to scour. The trove of electronic records pulled out of his compound after he was killed last week is revealing thousands of messages and potentially hundreds of email addresses, the AP has learned.

At that location, the courier would plug the memory drive into a computer, copy bin Laden's message into an email and send it. Reversing the process, the courier would copy any incoming email to the flash drive and return to the compound, where bin Laden would read his messages offline.

It was a slow, toilsome process. And it was so meticulous that even veteran intelligence officials have marveled at bin Laden's ability to maintain it for so long. The U.S. always suspected bin Laden was communicating through couriers but did not anticipate the breadth of his communications as revealed by the materials he left behind.

Navy SEALs hauled away roughly 100 flash memory drives after they killed bin Laden, and officials said they appear to archive the back-and-forth communication between bin Laden and his associates around the world.

Al-Qaida operatives are known to change email addresses, so it's unclear how many are still active since bin Laden's death. But the long list of electronic addresses and phone numbers in the emails is expected to touch off a flurry of national security letters and subpoenas to Internet service providers. The Justice Department is already coming off a year in which it significantly increased the number of national security letters, which allow the FBI to quickly demand information from companies and others without asking a judge to formally issue a subpoena.

Officials gave no indication that bin Laden was communicating with anyone inside the U.S., but terrorists have historically used U.S.-based Internet providers or free Internet-based email services.

The cache of electronic documents is so enormous that the government has enlisted Arabic speakers from around the intelligence community to pore over it. Officials have said the records revealed no new terror plot but showed bin Laden remained involved in al-Qaida's operations long after the U.S. had assumed he had passed control to his deputy, Ayman al-Zawahri.

The files seized from bin Laden's compound not only have the potential to help the U.S. find other al-Qaida figures, they may also force terrorists to change their routines. That could make them more vulnerable to making mistakes and being discovered.

Source: http://www.dispatch.com/live/content/local_news/stories/2011/05/02/computer-disposal-might-pose-risks.html?sid=101

Columbus could be placing sensitive data in danger of theft when it retires old computers, a security expert warned.

The city's Department of Technology receives guarantees from its computer-disposal vendor that hard drives and other data-containing computer parts have been destroyed. But city technicians keep no record of what they have taken out of service and sent for destruction, The Dispatch learned through a public-records request.

That makes it difficult to ensure that all the retired equipment has been disposed of properly, said Gene Spafford, a Purdue University professor who is executive director of the school's Center for Education and Research in Information Assurance and Security.

"If they don't have positive tracking between tracking what's in the system and tracking what's being disposed of with one-to-one matches of serial numbers, it's possible for someone to steal the equipment without anybody knowing about it," Spafford said.

The city government, which handles income-tax records and medical records, among other sensitive data, has never lost any of it, said Gary Cavin, the city's technology director.
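The control Spafford describes is a one-to-one reconciliation of serial numbers between the retirement log and the vendor's destruction certificates. As an added worked example for these notes (not the city's or the vendor's own process), here is that reconciliation in Python over constructed records; it also handles the noise real certificates carry, such as whitespace and case differences in serials and the same drive being certified twice.

```python
from collections import Counter

# Constructed retirement log: what technicians took out of service. Every entry
# carries the drive or chassis serial, which is the only key the vendor's
# certificate can be matched against. None of this is real city data.
RETIRED = [
    {"serial": "5CD1234ABC", "asset_tag": "COL-0001", "retired": "2011-03-02"},
    {"serial": "5CD1234ABD", "asset_tag": "COL-0002", "retired": "2011-03-02"},
    {"serial": "MXL9987ZZ1", "asset_tag": "COL-0003", "retired": "2011-03-15"},
    {"serial": "MXL9987ZZ2", "asset_tag": "COL-0004", "retired": "2011-03-15"},
]

# Constructed vendor destruction certificates, with the kinds of defects that
# turn up in practice: stray whitespace, lower-case serials, the same serial
# certified twice, and a serial the organisation never owned.
DESTROYED = [
    {"serial": "5CD1234ABC", "certificate": "CERT-2011-044"},
    {"serial": " 5cd1234abd ", "certificate": "CERT-2011-044"},
    {"serial": "MXL9987ZZ2", "certificate": "CERT-2011-051"},
    {"serial": "MXL9987ZZ2", "certificate": "CERT-2011-052"},
    {"serial": "ZZZ0000001", "certificate": "CERT-2011-052"},
]


def normalize_serial(serial):
    """Serials are compared case-insensitively with surrounding whitespace
    removed; anything more aggressive risks merging distinct devices."""
    return serial.strip().upper()


def reconcile(retired, destroyed):
    """One-to-one matching of serial numbers between the retirement log and
    the destruction certificates. Returns the exceptions an auditor has to
    chase down plus the count that reconciles cleanly:
      missing     retired, but no certificate line names the serial
      unexpected  certified destroyed, but never recorded as retired
      duplicates  serial appears on more than one certificate line
      matched     serials that appear exactly once on each side
    """
    retired_serials = {normalize_serial(r["serial"]) for r in retired}
    cert_counts = Counter(normalize_serial(d["serial"]) for d in destroyed)

    missing = sorted(s for s in retired_serials if s not in cert_counts)
    unexpected = sorted(s for s in cert_counts if s not in retired_serials)
    duplicates = sorted(s for s, n in cert_counts.items() if n > 1)
    matched = sum(1 for s in retired_serials if cert_counts.get(s) == 1)
    return {
        "missing": missing,
        "unexpected": unexpected,
        "duplicates": duplicates,
        "matched": matched,
    }


def is_clean(result):
    """True only when every retired serial is certified exactly once and the
    certificates name nothing else; any exception blocks sign-off."""
    return not (result["missing"] or result["unexpected"] or result["duplicates"])


if __name__ == "__main__":
    outcome = reconcile(RETIRED, DESTROYED)
    for key, value in outcome.items():
        print(f"{key:11} {value}")
    print("sign-off:", "ok" if is_clean(outcome) else "blocked")
```

The point of the exercise is the `missing` list: a drive that was retired but never certified destroyed is exactly the case Spafford warns about, and without a retirement record the comparison cannot even be run. Duplicate certificate lines matter too, because a vendor that certifies the same serial twice is not actually counting drives.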

All works represented here are compiled from various sources (email, IRC, forums, and original author/websites). If the original work is copyrighted it is presented under the fair use of a copyrighted work, Copyright Act of 1976, 17 U.S.C. § 107, for purposes of criticism, comment, news reporting, teaching, and research. No use is directly intended as an infringement of copyright. Attribution is always given to the original source, if known. To have any copyrighted material removed, please contact isdpodcast[at]isdpodcast[dot]com.
