Detecting BBB/IRS/FTC/Proforma Trojan-Infected Users on Your Network

June 18th, 2007

We’ve gotten some inquiries as to how to find users infected by the recent BBB/IRS/FTC/Proforma trojan scams on corporate networks where an IDS/IPS device that can detect the exfiltration traffic might not be in play.

If you keep logs of firewall/proxy or DNS server traffic, you may be able to spot infected users by traffic analysis. This activity has been going on since at least February, so it is prudent to go back in the logfiles at least until the beginning of 2007 when searching.

Read more…

BBB Scam Changes Social Engineering Ploy

June 15th, 2007

Since we first wrote about the BBB phishing emails, we’ve seen variants change from forging BBB complaint letters to false IRS criminal investigation notices to FTC investigation notices. We’re now seeing messages from the same phishing group posing as “Proforma” invoices, now being sent with a Word document attachment (actually MS Word this time, not RTF doc files as in the other BBB/IRS phishing scheme).

Read more…

BBB/IRS Phishes and the Chinese Connection

June 7th, 2007

Recently we detailed the workings of two different phishing emails designed to install malware on the computers of executives through social engineering ploys. The first ploy was an email pretending to be a complaint routed through the Better Business Bureau. We saw this used to install two different families of malware. The second ploy, posing as a criminal investigation notice from the IRS, has now been seen installing the same two families of malware.

The one that got our attention in the first place, known as Troj-iwebho, has a simple yet powerful tactic - steal ALL data being sent from the victim’s web browser. Banking, email, shopping, stock trading, prescription/healthcare data and casual (sometimes very personal) browsing - everything the user does online is databased by the attacker. It seems on the surface that it makes for an identity theft scam with a very high payoff potential.

Read more…

Speaking at BlackHat USA 2007

June 4th, 2007

My presentation “Just Another Windows Kernel Perl Hacker” has been accepted at BlackHat Briefings USA 2007. If you’re going to Vegas this year, stop by and catch my talk, and I’ll tell you how to use Perl to remotely debug the Windows kernel from the *nix box of your choice.

QA, Anyone?

March 30th, 2007

Microsoft is not alone when it comes to writing vulnerable code. It’s downright hard to write secure code in low-level languages. It’s understandable, especially when most of your core code was written before buffer overflow exploits were even understood by most programmers. But when a vulnerability is pointed out in your code, and you claim to spend inordinate amounts of time developing and testing patches for it, wouldn’t it make sense to spend a little time auditing the rest of the code for the same bug?

Read more…

A Rustock-ing Stuffer

January 10th, 2007

Recently I took a look at the Rustock trojan in order to see what the financial motive behind it was. No surprise, as it turns out the motive is spam. Using a sandnet, I injected myself into the botnet - able to capture (and blackhole) a small portion of the spam being sent through the system. And, as with a lot of spam these days, it′s the pump-and-dump kind - spam touting penny stocks to would-be investors.

The specific spam sent by the Rustock botnet a few days ago can be seen at right. The stock being promoted is a penny stock that trades at fractions of a cent on a normal basis. I tracked both the spam and the stock price over the course of a few days, and did a few calculations.

Read more…

The USTR’s Silence on Spam, Viruses and Fraud From Russia

December 11th, 2006

The Office of the United States Trade Representative calls American small business “The Economic Engine Driving the World Economy”. Yet, when negotiating recently with Russia over the terms of Russia’s accession to the World Trade Organization, the USTR seems to have focused only on those American businesses with massive lobbying power (e.g., the software, movie, music and pharmaceutical industries). In a document outlining the details of the agreement, the USTR specifically names a single website in Russia ( that the music industry would like to have targeted for shutdown.

But, in this effort, the USTR ignores a fundamental component of the economic relationship between the U.S. and Russia in the Internet age - the rampant fraud, spam and virus epidemic that is slowly draining resources and money from U.S. citizens and companies alike. Unlike the potentially inflated profit loss estimates from the music and software industries which are based more on wishful thinking than fact, it is possible place a real dollar amount on the amount of money being siphoned from the U.S. economy by phishing and credit card fraud. Although many former Soviet bloc countries are involved and no country is blameless when it comes to internet fraud, Russia harbors more than its fair share of cyber-criminals.

Read more…