Monday, May 13, 2013

The Kelihos Botnet: Spam Data Mine + i2 Analyst Notebook

On April 17th & 18th, 2013, we blogged about spammers who were using the Boston Marathon Explosion and the Texas Fertilizer Plant Explosion to dramatically increase the size of their botnet. The botnet in question was the Kelihos botnet, and the primary purpose of the malware being delivered in that two day campaign was to cause newly infected computers to also join the botnet as additional spam-sending computers. Malcovery Security, where I serve as Chief Technologist, put out a free copy of their daily malware "Top Threats Today" report because the prevalence of that spam was nearly 80 times the level that we normally consider to be an "outbreak" of malicious activity.

So, what have the criminals behind Kelihos been doing with all of their new spam-sending power? Primarily they are sending Pump and Dump spam.

Pump & Dump

A Pump and Dump spam campaign is an email that claims a particular stock symbol is going to have a large increase in value in the near future and encourages investors to jump in while the price is still low. These are usually sub-penny stocks where the criminals have arranged to own millions of shares of an existing publicly traded "pink sheets" company. They then issue false press releases about new business developments, accompanied by a spam campaign. We've seen stocks rise from 1/5th of a cent to 30 or 40 cents or on rare occasion $1 per share before the criminal dumps his millions of shares for a 10,000% profit. These attacks often coincide with brokerage phishing attacks where a stolen Fidelity account (or something like it) is used to buy the initial shares, or to buy many shares to give the appearance of high market activity in the junk stock to encourage wary investors.

Over the weekend, the Kelihos Pump & Dump target is "GT RL" which they claim is a small movie studio that is primed for an acquisition. In the spam emails they tell the story of an investor who owned 39% of Lions Gate and earned $1 Billion USD when the studio was acquired by a larger organization. GTRL is "Get Real USA, Inc." which claims last summer to have had "Academy Award Nominee Dean Wright" join their board of advisors, according to their website, which is denying any involvement in the current spam run.

On March 4, 2013, GTRL opened the market day trading at $0.0052. Friday it closed at $0.01 on a volume of 1.9 million shares traded. So someone is certainly buying shares!

Why do we care? Primarily because it has been one of the top spam-sending botnets ever since the Boston explosion spam. Yesterday, May 11, we saw a RIDICULOUS number of spam subject lines, all touting this penny stock.

Spam Data Mine

Long time readers will be familiar with the UAB Spam Data Mine. In December, we licensed the Spam Data Mine technology to Malcovery who use the Malcovery Spam Data Mine to identify Today's Top Threats for their customers, based on techniques and methodologies developed at UAB over the past six years. The Spam Data Mine receives in the neighborhood of a million messages per day, which we "parse" to extract key features which are stored in a PostgreSQL database. As we look at the top subjects recently, they have been dominated by Pump & Dump spam. For example, here are some of yesterday's Top Subject lines related to Stock:

  1267 | It is Our New Alert! This Low Float Monster is a Must See
  1203 | You won't beleive your eyes!
  1123 | This Stock is Starting to Heat Up
  1109 | Perfect Time To Add!
  1103 | Our Featured Gem
   804 | It`s official, this stock is a 100% perfect buy!
   621 | There should be outrage against bailouts!
   617 | Things to Know Before Your Next Trade
   574 | Closing out the week with Mega Gains!
   534 | This Stock is moving up as it should
   526 | Exciting Trade Idea Details Inside!
   503 | New Pick Coming Tomorrow, This is a Must Read!
   496 | This Stock is well positioned for another monster run!
   494 | Spectacular bouquets, only $19.99!
   478 | Stocks on watch for mega gains this week!
   460 | This Company IS RED HOT!!!
   458 | This Company is on Immediate Alert! This Bull is Positioning for a Major Run

If we just limit our search to spam that contained the word "Stock" or "Company" in the spam, we had more than 175,000 emails yesterday, using 1,976 subject lines! But how would we know the other subject lines in the campaign? "Perfect Time To Add!" doesn't have the word "Stock" or "Company" in the subject. There is also no guarantee that all of the messages containing these words are part of this spam campaign.

To get a better handle on this, we are going to do a series of queries to build a candidate pool, and then use IBM's i2 Analyst's Notebook to perform what we call "Visual Pre-Clustering" to help us determine some ground truth and to help us screen out some possible outliers. If there are several unrelated botnets all sending Pump and Dump spam, the clusters should be easily identifiable using this technique, while if there are other spam messages unrelated to Pump and Dump being sent by Kelihos, those should also be easily identifiable.

First, let's pile up our data:

Spam Queries to Build a Candidate Data Set

To begin, I'm going to collect a list of IP addresses of computers that sent me spam on May 11, 2013 that used the word "stock" or "company" in their spam message. This query creates a temp table called "may11stockip" that contains the list of IP addresses that sent me those messages and a count of how many times each was used.

spam=> select count(*), sender_ip into may11stockip from spam where (subject ilike '%stock%' or subject ilike '%company%') and receiving_date = '2013-05-11' group by sender_ip order by count desc;

This gave me 27,425 unique addresses. Our next step is to ask the Spam Data Mine for other subjects that were sent by that group of IP addresses. While it is true that I could build one massive query to do all of this work, we've found over time that the temporary tables can be useful to have preserved, and using the temporary tables actually speeds up the final result.

spam=> select count(*), subject into may11stocksub from spam a, may11stockip b where a.sender_ip = b.sender_ip and receiving_date = '2013-05-11' group by subject order by count desc;

This generated 6,420 spam subject lines! Far more than the 1,976 that contained the words "stock" or "company"! In fact, given the size of the botnet, it is actually likely that I may have received some spam from computers that DID NOT use the word "stock" or "company", so we'll run one more iteration. Dropping the "may11stockip" table, we rebuild it from any computer that sent a subject found in the new temp table, may11stocksub.

spam=> select count(*), sender_ip into may11stockip from spam a, may11stocksub b where a.subject = b.subject and receiving_date = '2013-05-11' group by sender_ip;

Now we have 93,538 candidate IP addresses to consider as possible Kelihos nodes!

Our last iteration in building our "Pile of Data" to hand to i2 is to create relationships between those 93,538 candidate IP addresses and all of the subjects they used. Our goal is to have a nice table that can be imported into i2 Analyst's Notebook.

spam=> select count(*), a.sender_ip, subject into may11stockpairs from spam a, may11stockip b where receiving_date = '2013-05-11' and a.sender_ip = b.sender_ip group by a.sender_ip, subject order by count desc;

This generates 282,763 pairs of "sender_ip x subject".

Visual Pre-Clustering with i2 Analyst's Notebook

From these 282,763 pairs, we're going to let i2 do all the hard work. Here's the basic idea. Let's say we have 4 computers, A, B, C, and D, and each of these computers sent an email from the set M1, M2, M3, M4, M5, M6, M7. For the sake of argument, we are going to say that there is NO CHANCE that the computers would have sent the same email unless they were CONTROLLED by the same criminal spammer. If we can demonstrate which computers sent the same messages, we could then determine which computers were controlled by the same criminal.

A - M1
A - M2
A - M3
B - M4
B - M5
C - M1
C - M6
C - M7
D - M1
D - M6 
D - M7
If we were to draw a picture of that, just as you see it on the list, it might look like this:

But if we allow i2 to give a more intuitive layout, it would look like this, which makes it very plain that Computers A, C, and D are sending "the same" emails, while Computer B is sending "different" emails.

One Day of Kelihos in i2 Analyst's Notebook

You might say to yourself, "That didn't seem to add much value?" But now imagine that there are 282,763 rows on your list instead of eleven, and that instead of having four computers you have 93,538 and instead of having seven email subjects you have 7,226.

Here's the chart you get when you do that!

or with some labels on it:

Cluster A
The cluster labeled as "A" is our main "Stock Pump & Dump" cluster. All of our "main" Stock and Company subjects are in the heart of that cluster, with many related computers coming from them.

Cluster B
This cluster is primarily formed of spam for "Work at Home" scams. Some sample subjects from this group include:

Ready to be your own boss?
Business Startup
Your second chance in life just arrived
Sick of paying bills?
Wanna pay off your debts?
Stop just barely making ends meet every month
Make Money Online
Wanna Learn how to make money online?
Success Kit
Ill show you the road to early retirement
Successful Business
New Income
Wanna make up to $6500/month?
Job openings in your area!
At Home Income
A living online is easier than you think
Work From Home Jobs Available!

One slight "False join" is linking "A" and "B" and has to be manually eliminated. "Empty Subject" is the only subject in Cluster H hidden in the midst of the Corpus Callosum that joins A and B. After discovering this, we manually deleted that subject from the chart, and re-ordered the chart, after also first removing "disjointed" clusters that had no tie to the core, such as Cluster F and the others at the top, and many of the "Fan-subclusters" such as Cluster I that surrounded Cluster A.

The "Cleaned Up" version of the chart still makes it abundantly clear that THOUSANDS of IP addresses that are part of the "Stock Pump and Dump" cluster on the left are ALSO part of the "Work at Home" (B) and "Pharmacy Express" (C,D,E) clusters on the right. The Cleaned Up chart, shown below, still has 91,833 IP Addresses and 6,242 Email Subjects, with 277,747 unique "pairs" between them.
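The pre-clustering idea, sketched in Python as an added example (not the author's code, and not a description of how i2 Analyst's Notebook works internally): every sender_ip and every subject is a node, every pair is a link, and clusters are the connected components. It also flags any single subject whose removal would split the main cluster, which is what an "Empty Subject" false join looks like when it is the only tie between two groups. The sample pairs, the min_ips threshold and all function names are constructed for illustration.

```python
from collections import defaultdict

# The eleven pairs from the four-computer illustration in the text.
TOY_PAIRS = [("A", "M1"), ("A", "M2"), ("A", "M3"), ("B", "M4"), ("B", "M5"),
             ("C", "M1"), ("C", "M6"), ("C", "M7"), ("D", "M1"), ("D", "M6"),
             ("D", "M7")]

# Constructed sample pairs (documentation IP ranges, not Spam Data Mine data).
SAMPLE_PAIRS = [
    ("192.0.2.1", "This Stock is Starting to Heat Up"),
    ("192.0.2.1", "Perfect Time To Add!"),
    ("192.0.2.2", "Perfect Time To Add!"),
    ("192.0.2.2", "Our Featured Gem"),
    ("192.0.2.3", "Our Featured Gem"),
    ("192.0.2.3", "This Stock is Starting to Heat Up"),
    ("198.51.100.1", "Success Kit"),
    ("198.51.100.1", "Business Startup"),
    ("198.51.100.2", "Business Startup"),
    ("198.51.100.2", "Make Money Online"),
    ("198.51.100.3", "Make Money Online"),
    ("198.51.100.3", "Success Kit"),
    ("192.0.2.1", ""),       # empty subject: carries no campaign information
    ("198.51.100.1", ""),
    ("203.0.113.10", "Your Company newsletter"),  # matched the keyword only
    ("203.0.113.11", "Your Company newsletter"),
]


def build_graph(pairs):
    """Bipartite adjacency map: ('ip', x) <-> ('subj', y) for each pair."""
    adj = defaultdict(set)
    for ip, subject in pairs:
        a, b = ("ip", ip), ("subj", subject)
        adj[a].add(b)
        adj[b].add(a)
    return dict(adj)


def components(adj, skip=frozenset()):
    """Connected components, largest first, ignoring nodes listed in skip."""
    seen, out = set(skip), []
    for start in adj:
        if start in seen:
            continue
        seen.add(start)
        stack, comp = [start], set()
        while stack:
            node = stack.pop()
            comp.add(node)
            for nxt in adj[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        out.append(comp)
    return sorted(out, key=len, reverse=True)


def ips_of(comp):
    return {name for kind, name in comp if kind == "ip"}


def subjects_of(comp):
    return {name for kind, name in comp if kind == "subj"}


def clusters(pairs, ignore_subjects=()):
    """Return [(ips, subjects), ...], one tuple per cluster, largest first."""
    kept = [(ip, s) for ip, s in pairs if s not in ignore_subjects]
    return [(ips_of(c), subjects_of(c)) for c in components(build_graph(kept))]


def false_join_candidates(pairs, min_ips=2):
    """Subjects whose removal splits the largest cluster into two or more
    pieces that each still hold at least min_ips senders (brute force)."""
    adj = build_graph(pairs)
    core = components(adj)[0]
    found = []
    for node in core:
        if node[0] != "subj":
            continue
        pieces = [c for c in components(adj, skip={node})
                  if c <= core and len(ips_of(c)) >= min_ips]
        if len(pieces) >= 2:
            found.append(node[1])
    return sorted(found)


if __name__ == "__main__":
    for ips, subjects in clusters(TOY_PAIRS):
        print("toy cluster:", sorted(ips), sorted(subjects))
    print("false-join candidates:", false_join_candidates(SAMPLE_PAIRS))
    for ips, subjects in clusters(SAMPLE_PAIRS, ignore_subjects=[""]):
        print(len(ips), "IPs /", len(subjects), "subjects:", sorted(ips))
```

A flagged subject is only a candidate for the manual review described above; a subject that really is shared by one operator's campaigns can also be a single point of connection.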

IP addresses closer to the right have primarily "Work at Home" spam subjects, such as

 count |                 subject                  
     2 | TODAY`S TRADING IDEA IS `Advanced`
     1 | Work for Moms
     1 | It moves up nicely on heavy accumulation
     1 | Job Hiring is at an all time low...
     1 | Sick of paying bills?
     1 | Business Startup
(6 rows)


 count |               subject               
    13 | Successful Business
     1 | Sick of not making ends meet?
     1 | Wanna make up to $6500/month?
     1 | Job Hiring is at an all time low...
     1 | What kind of investor are you?
(5 rows)

IP addresses closer to the left have primarily "Stock Pump and Dump" spam subjects, such as

 count |                                subject                                 
     5 | This Company is Ready to Run
     5 | It is one to watch this week!
     4 | Analysts gives this stock a "STRONG SPECULATIVE BUY" rating
     4 | New Play Coming
     3 | This Company has a history of Huge Rallies, on verge of another Rally?
     3 | New Wild Breakout Pick Coming TONIGHT!
     3 | The NEW TRADE ALERT
     3 | A Potential Mover from Penny Stock
     3 | It Is Wasting Little Time Making Waves
     2 | This Company Ends Last Week Strong
     2 | Get Ready For The Hottest Gold Pick On The Planet!
     2 | Our New Blazin Sub-Penny Alert!
     1 | Be Ready
     1 | Success Kit
     1 | This Company exploded in volume today
     1 | Second chance for traders who have `calmed down`...
     1 | Sick of a dead end job?
     1 | We`ve Got A Bouncer On Our Hands!
     1 | This Stock Signs Agreement With Reputable PR Agency
     1 | Back to work week will get this play really going!
(20 rows)

The "Bumps" that circle cluster B are groups of IP addresses that share "some but not all" of the subjects found in Cluster B. There are many IP addresses that we saw only once or twice -- because of their low volume, they do not appear as "fully meshed" as the IP addresses in the "core" of Cluster B. A couple examples will demonstrate this.

In the core of Cluster B we see thousands of IP addresses that were used for at least 2 or 3 Work at Home messages:

     2 | Successful Business
     1 | Wanna make up to $6500/month?
     1 | Income At Home
     1 | Success Kit
     1 | Stop just barely making ends meet every month
     2 | Success Kit
     1 | Wanna make up to $6500/month?
     1 | Income At Home
     2 | Work for Moms
     1 | Replace your nine to five...
     1 | Business Startup
     1 | Success Kit
     1 | Make Money Online
     1 | Your second chance in life just arrived

Small "micro clusters" of IP addresses used for both the "C" or "D" Pharma spam and one or more of the Work at Home subjects fill the ridge between Clusters "B" and "C, D, E":

     1 | 💰💰💰Cialis (30 pills 20mg) USD 91.50 & Viagra (30 pills 100mg)  USD 81.90💰💰💰
     1 | 💰💰💰Viagra (30 pills 100mg)  USD 81.90 & Cialis (30 pills 20mg) USD 91.50 💰💰💰
     1 | Your second chance in life just arrived
     1 | 💰💰💰Cialis (30 pills 20mg) USD 91.50 & Viagra (30 pills 100mg)  USD 81.90💰💰💰
     1 | Replace your nine to five...
     1 | 💰💰💰Viagra (30 pills 100mg)  USD 81.90 & Cialis (30 pills 20mg) USD 91.50 💰💰💰

Here are two example IP addresses from a single "Bump" on the left edge of Cluster B.

     1 | Stop just barely making ends meet every month
     1 | Stop just barely making ends meet every month

Cluster C, D, and E
These are Viagra Spam clusters. C & D are two very popular subjects, both resolving to "Pharmacy Express" websites. The small cluster "E" is formed of IP addresses that sent spam for both Cluster C and Cluster D.

Cluster F & Friends
Cluster F and the neighboring small clusters at the top of the chart have been included primarily through a coincidental usage of the word "Company" in their subject lines. F, for example, is a well-known spammer of the type the industry calls a "Snowshoe spammer." They rotate through hosted data centers, paying their bills for nice hardware to be used for spamming with stolen credit cards. When they get thrown out of one data center for spamming, they move to the next.

Cluster G & J
These clusters are also primarily joined through the coincidental use of the word "Company" in the subcluster subjects.

Cluster I
There are many "Fan-shapes" around the edges of Cluster A. Looking at Cluster I as an example, there are 36 subjects in that "fan cluster" all related to "Replica goods":

A Rolex replica watch
Beautiful quartz, water-resistant Replica watches
Box Sets
Gold Watches
Gucci Bags

Only a single (subject x sender_ip) pair links this fan-cluster to the main Cluster A. The subject "replica watches! rolex, patek philippe, vacheron constantin and others!" which was attached to dozens of IP addresses in the fan-cluster, is also attached to the IP address "" That IP address also sent us two messages with the email subjects "This Stock Move Starting!".

154 IP addresses in Cluster A also used the subject "This Stock Move Starting!"

To focus on the core activity, disconnected subclusters, such as F, and "fan-clusters" such as I are removed from the chart, and the layout is performed again.

Thursday, May 09, 2013

ATM Cashers in 26 Countries steal $40M

CBS News in New York has a video on their website this morning titled Cyber-attacks behind possibly record-breaking bank heist. Former FBI Assistant Director John Miller shares the story and says "We've learned how they carried out this cyber-attack, and it's unlike anything ever seen before."

Except it isn't. In fact, on Tuesday morning this week I was sharing a presentation about financial cyber crimes with Iberia Bank in New Orleans, LA. I mentioned that one of the things that banks still need to be on the lookout for is true "intrusions" into their system. By planting malware on internal bank systems, criminals can gain deep penetrating access to the internal workings of the bank and take their time, recruiting specialists to help them learn the inner workings of the bank to coordinate very elaborate schemes.

The attack described by Miller involves a group who had partnered together around the world calling themselves the "Unlimited Operation". In the scheme he describes, hackers gain internal access to a bank, or in the most recent case "a Visa/MasterCard processing Center," and gain the ability to manipulate the withdrawal limit on certain ATM Debit cards. These card numbers are then distributed around the world to "Cashing Gangs" that make local copies of the ATM cards and build a network of cashers who "work the machines."

One of the most notorious hacking operations in U.S. History was "Solar Sunrise" - a deep penetration into the Pentagon's computer operations that served as a wake up call for the U.S. Government and led to the production of a video (now available on YouTube) called Solar Sunrise: Dawn of a New Threat.

The hacker mastermind behind Solar Sunrise was an Israeli hacker, Ehud Tenenbaum, who called himself The Analyzer. In September of 2008 we wrote about him on this blog in the story Is The Analyzer Really Back? (The return of Ehud Tenenbaum) because Tenenbaum was the mastermind behind an attack against a Calgary-based financial services company. In that case, Tenenbaum penetrated the company's internal systems and gained the ability to alter or remove the ATM withdrawal limits. Then, teams of cashers, armed with counterfeit ATM cards bearing the magnetic stripe information corresponding to those accounts, hit the streets withdrawing $2 Million dollars in a blitz of ATM-withdrawals.

But that's not the only time it happened. This blog also ran the story in November 2009 called The $9 Million World-Wide Bank Robbery that shared the details of exactly the same type of raid being performed against RBS WorldPay, headquartered in Atlanta, Georgia. In that case, Estonian hackers penetrated the financial services company, which specializes in "Payroll Debit Cards". After doing so, they contracted with fellow criminals in Russia, Yevgeny Anikin and Viktor Pleshchuk, who have both confessed their crimes and received suspended sentences in the Russian bribery-based version of Justice. (See article: Hacker3 escapes jail time in RBS WorldPay ATM heist.) Anikin and Pleshchuk worked with the famous Credit Card trading criminal BadB (Vladislav Horohorin) to build a network of cashers operating in 280 cities. Over the course of 12 hours, 2100 ATM machines in 280 cities allowed more than $9 Million in withdrawals from those 44 accounts.

That doesn't mean Cyber Criminals can't go to jail though! Vladislav Horohorin was arrested in Nice, France as he prepared to return to Moscow. (See the Daily Mail story, One of world's most wanted cyber criminals caught on French Riviera.) Horohorin, or "BadB" was the founder of Carder Planet, and was actually returned to the US, where he was tried and in April 2013 Sentenced to 88 Months in Prison.

For a look at one of the US-based casher rings in the RBS WorldPay case, we could also consider the case of Sonya Martin, a Nigerian woman, who ran the Chicago casher gang used in that case. Sonya's ring only withdrew $89,120 in Chicago, but she still got a 30 month sentence back in August 2012. See: Cell leader in RBS WorldPay fraud scheme sentenced.

One other case that used this methodology, and also had New York City ties, was the case that charged Ukrainians Yuriy Ryabinin and Ivan Biltse with performing $750,000 in ATM withdrawals. reported the story in 2008, which documented that $5 million was withdrawn in more than 9,000 withdrawals "all around the world" on September 30th and October 1st of that year. According to an affidavit shared by Wired Magazine, this case was tied to a breach of a Citibank server that processed ATM withdrawals at 7-Eleven convenience stores.

In the current case, CBS reported this morning that later today New York U.S. Attorney's office prosecutor Loretta Lynch would announce the arrest of seven members of a New York casher gang that hit ATMs up and down Broadway for almost $2 million during the most recent "Unlimited Operation" case. "Unlimited" was involved in a similar $5 Million raid against a financial institution in India. CBS shared a graphic of the location of ATM machines that were used in the arrests that will be announced later today.

In the New York case, the arrested cashers were:

  • ALBERTO YUSI LAJUD-PEÑA, 23 (deceased)

The Eastern District of New York's Press Release, Eight Members of New York Cell of Cybercrime Organization Indicted in $45 Million Cybercrime Campaign, released today, May 09, 2013, explains the details of how the cashers above, who withdrew $2.8 Million in New York, fit in to the larger "Unlimited Operations." In the first operation, the New York crew withdrew $400,000 from 140 ATMs in New York City in two hours and 25 minutes. In the second operation, February 19-20, 2013, the crew performed 3,000 ATM withdrawals, scoring $2.4 Million in cash between 3 PM on the 19th and 1:26 AM on the 20th, stealing about $240,000 per hour!

The worldwide take on the Feb 19-20 raid included 36,000 transactions and $40 million!

Alberto Yusi Lajud-Peña, the leader of the New York casher ring, laundered the cash, in one case depositing 7,491 $20 bills in a single transaction in Miami, Florida. The crew bought and sold "portable luxury goods" with the cash, including luxury watches and cars, including a Mercedes SUV and a Porsche Panamera valued at $250,000 between the two. Alberto, also known as "Prime" online, was murdered in the Dominican Republic sometime after these robberies occurred.

U.S. Attorney Lynch says that law enforcement authorities in Japan, Canada, Germany, and Romania made great contributions in the case, but that they also received cooperation from the authorities in the UAE, Dominican Republic, Mexico, Italy, Spain, Belgium, France, United Kingdom, Latvia, Estonia, Thailand, and Malaysia.

What these cases are intended to demonstrate is the importance of closely monitoring the internal corporate network for signs of a breach. In a presentation at ITWeb Security Summit this week, "Formulating an attack-focused security plan", Mandiant CSO Richard Bejtlich shares that 75% of break-ins happen through someone clicking on or responding to a malicious email, and that in 2/3rds of incidents, the breach isn't discovered by the company but is reported by a third party organization. Bejtlich says that by the time the attacker is discovered "they will have been inside your company for around eight months."

That's what Malcovery's Today's Top Threats report is intended to address. What is that Top Threat email that is going to lead to criminals having control of one or more of your internal employees? It takes time for the criminal to learn enough about your organization's internal workings to be able to take over and reset ATM balances. Quick detection of the breach is key to preventing problems like those described above.

Wednesday, May 08, 2013

Alabama Identity Theft in FTC Annual Consumer Sentinel Report

Each year the Federal Trade Commission puts out a report called the Consumer Sentinel Report that is not a statistical projection about Identity theft and fraud, but a listing of actual complaints received.

(102 page report here: Consumer Sentinel 2012)

Metropolitan Statistical Area | Complaints per 100,000
Miami / Fort Lauderdale / Pompano Beach, FL | 645.4
Naples / Marco Island, FL | 397.8
Tampa / St. Petersburg / Clearwater, FL | 352.3
Cape Coral / Fort Myers, FL | 292.5
Tallahassee, FL | 288.5
Lakeland / Winter Haven, FL | 281
Port St. Lucie / Fort Pierce, FL | 272.6
Atlanta / Sandy Springs / Marietta, GA | 246.6
North Port / Bradenton / Sarasota, FL | 244.9
Orlando / Kissimmee / Sanford, FL | 233.8
Punta Gorda, FL | 220.7
Valdosta, GA | 218.5
Ocala, FL | 213.4
Albany, GA | 209.1
Columbus, GA/AL | 205.9
Montgomery, AL | 203.7
Jacksonville, FL | 190.4
Detroit / Warren / Livonia, MI | 188.2
Sebastian / Vero Beach, FL | 184.7
Savannah, GA | 183.3
Palm Bay / Melbourne / Titusville, FL | 182.6
Gainesville, FL | 182.4
Deltona / Daytona Beach / Ormond Beach, FL | 177.9
Beaumont / Port Arthur, TX | 176
Macon, GA | 170.5

16 of top 25 in Florida
6 of top 25 in Georgia
1 in Alabama
1 in Michigan
1 in Texas

Alabama, my home state, seems to have some seriously bad scores in the area of Identity Theft. The report lists "per capita" complaints, ordered by the "Metropolitan areas" as defined by the US Census Bureau.

Alabama Cities:

#15 - Columbus, GA/AL (205.9 per 100,000)
#16 - Montgomery, AL (203.7 per 100,000)
#42 - Auburn-Opelika, AL (124.1 per 100,000)
#62 - Birmingham-Hoover, AL (111 per 100,000)
#91 - Enterprise-Ozark, AL (97.8 per 100,000)
#118 - Anniston-Oxford, AL (90.2 per 100,000)
#125 - Tuscaloosa, AL (88.4 per 100,000)
#132 - Dothan, AL (87.2 per 100,000)
#145 - Gadsden, AL (84.3 per 100,000)
#195 - Decatur, AL (72.8 per 100,000)
#198 - Daphne-Fairhope-Foley, AL (72.4 per 100,000)
#303 - Florence-Muscle Shoals, AL (56.4 per 100,000)

SpyEye Botherder BX1 - welcome to Georgia!


The BX1 Indictment

North District of Georgia (Atlanta)

Criminal Docket for Case#: 1:11-cr-00557-UNA-1 (filed 12/20/2011)


(1) 18:1349 Attempt and Conspiracy to Commit Mail Fraud
(2-11) 18:1343 & 2 – Fraud by Wire, Radio, or Television
(13) 18:1030(a)(5)(A), 1030(c)(4)(B) – Fraud Activity Connected with Computers
(14-23) 18:1030(a)(2)(C), 1030(c)(2)(B)(i) – Fraud Activity Connected with Computers

From December 2009 to September 2011 [Redacted] and Hamza Bendelladj, AKA Bx1 conspired to … defraud financial institutions and individuals and obtain money and property from them by means of materially false and fraudulent pretenses, representations and promises, as well as omission of material facts, including moneys, funds, credits, assets, and other properties.

Botnets were defined and described, and SpyEye was described as having the capabilities to “facilitate the theft of confidential personal and financial information by numerous examples including a data grabber or keystroke logger, and at times by presenting a fake bank web page or portions of a bank web page to trick a user into entering personal information.”

(The principal author of SpyEye is redacted in the published Indictment). Bx1 is listed as a co-conspirator who helped develop SpyEye components. The behavior of SpyEye is described in great detail, including the creation and deployment of particular Web Injects and how they behave.

Bx1 communicated through email, instant messaging programs, and web forums to discuss purchasing, updating, customizing, developing components for, and pricing SpyEye, as well as aspects of operating SpyEye components.

From at least February 21, 2011 through February 24, 2011 at least one of Bx1’s C&C servers was located in Atlanta, Georgia, distributing configs that targeted 253 unique financial institutions.

Counts 2 through 11 of the indictment trace particular infections that could be documented through the logs of the Atlanta-based server and which led to confirmed financial losses of particular victims in California, North Carolina, New York, and Virginia.

Count 12 names particular websites used by Bx1 for his advertising, including the website where particular messages in January, June, July, and September 2010 are cited. The June issue discussed “Form Grabbing” while an update in September introduced the ability to scan all controlled bots for Credit Card credentials. In April 2011, the YouTube user “danielhb1988” called himself Bx1 and claimed to be selling SpyEye in a video advertised on that site. In July 2011, an undercover law enforcement officer purchased SpyEye from Bx1 for $8,500, receiving his purchased code from

Counts 14 through 23 document particular examples of the SpyEye server at, communicating with protected computers

The Atlanta Server

During the time period stated in the indictment, the IP address indicated was known to be distributing malware from the hostile URL (spaces added for safety):

www . 100myr . com / cp / bin / exe . exe

www . 100myr . com / cp / gate . php ? guid = (infected machine configuration report stuff here)

That server was hosted at Global Network Access ( in Atlanta.

The domain was registered January 20, 2011 on by

That same email address was used to register the domain ""

Tuesday, May 07, 2013

Cyber Aspects of the Pentagon's new China report (A2/AD, CNE)

This week the Pentagon released their Annual Report to Congress, Military and Security Developments Involving the People's Republic of China 2013. While the 83-page report details all aspects of military and security, our readership will of course be most interested in the Cyber aspects. For their convenience I've just copied the portions most relevant to that target audience.

Starting at the beginning, "China's leaders in 2012 sustained investment in [missiles and counter-space weapons] and military cyberspace capabilities that appear designed to enable anti-access/area-denial (A2/AD) missions (what PLA strategists refer to as "counter-intervention operations")."

(For more on A2/AD, please see this excellent Q&A on the topic from the Center for Strategic and International Studies (CSIS), The Emerging Anti-Access Area-Denial Challenge.) Chapter 3 of the report, "Force Modernization Goals and Trends," mentions that "Beijing is investing in military programs and weapons designed to improve extended-range power projection and operations in emerging domains such as cyber, space, and electronic warfare."

Anti-Access/Area Denial (A2/AD)

(Begin Quote) As part of its planning for military contingencies, China continues to develop measures to deter or counter third-party intervention, particularly by the United States. China's approach to dealing with this challenge is manifested in a sustained effort to develop the capability to attack, at long ranges, military forces that might deploy or operate within the western Pacific, which the DoD characterizes as "anti-access" and "area denial" (A2/AD) capabilities. China is pursuing a variety of air, sea, undersea, space and counter-space, information warfare systems and operational concepts to achieve this capability, moving toward an array of overlapping, multilayered offensive capabilities extending from China's coast into the western Pacific. China's 2008 Defense White Paper asserts, for example, that one of the priorities for the development of China's armed forces is to "increase the country's capabilities to maintain maritime, space, and electromagnetic space security."

An essential element, if not a fundamental prerequisite, of China's emerging A2/AD regime is the ability to control and dominate the information spectrum in all dimensions of the modern battlespace. PLA authors often cite the need in modern warfare to control information, sometimes termed "information blockade" or "information dominance," and to seize the initiative and gain an information advantage in the early phases of a campaign to achieve air and sea superiority. China is improving information and operational security to protect its own information structures, and is also developing electronic and information warfare capabilities, including denial and deception, to defeat those of its adversaries. China's "information blockade" likely envisions employment of military and non-military instruments of state power across the battlespace, including in cyberspace and outer space. China's investments in advanced electronic warfare systems, counter-space weapons, and computer network operations (CNO) -- combined with more traditional forms of control historically associated with the PLA and CCP systems, such as propaganda and denial through opacity, reflect the emphasis and priority China's leaders place on building capacity for information advantage.


Information Operations

New technologies allow the PLA to share intelligence, battlefield information, logistics information, weather reports, etc., instantaneously (over robust and redundant communications networks), resulting in improved situational awareness for commanders. In particular, by enabling the sharing of near-real-time ISR data with commanders in the field, decision-making processes are facilitated, shortening command timelines and making operations more efficient.


Cyber Activities Directed Against the Department of Defense

In 2012, numerous computer systems around the world, including those owned by the U.S. government, continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military. These intrusions were focused on exfiltrating information. China is using its computer network exploitation (CNE) capability to support intelligence collection against the U.S. diplomatic, economic, and defense industrial base sectors that support U.S. national defense programs. The information targeted could potentially be used to benefit China’s defense industry, high technology industries, policymaker interest in US leadership thinking on key China issues, and military planners building a picture of U.S. network defense networks, logistics, and related military capabilities that could be exploited during a crisis. Although this alone is a serious concern, the accesses and skills required for these intrusions are similar to those necessary to conduct computer network attacks. China’s 2010 Defense White Paper notes China’s own concern over foreign cyberwarfare efforts and highlighted the importance of cyber-security in China’s national defense.

Cyberwarfare in China’s Military

Cyberwarfare capabilities could serve Chinese military operations in three key areas. First and foremost, they allow data collection for intelligence and computer network attack purposes. Second, they can be employed to constrain an adversary’s actions or slow response time by targeting network-based logistics, communications, and commercial activities. Third, they can serve as a force multiplier when coupled with kinetic attacks during times of crisis or conflict.

Developing cyber capabilities for warfare is consistent with authoritative PLA military writings. Two military doctrinal writings, Science of Strategy, and Science of Campaigns identify information warfare (IW) as integral to achieving information superiority and an effective means for countering a stronger foe. Although neither document identifies the specific criteria for employing computer network attack against an adversary, both advocate developing capabilities to compete in this medium.

The Science of Strategy and Science of Campaigns detail the effectiveness of IW and CNO in conflicts and advocate targeting adversary C2 and logistics networks to affect their ability to operate during the early stages of conflict. As Science of Strategy explains, “In the information war, the command and control system is the heart of information collection, control, and application on the battlefield. It is also the nerve center of the entire battlefield.”

In parallel with its military preparations, China has increased diplomatic engagement and advocacy in multilateral and international forums where cyber issues are discussed and debated. Beijing’s agenda is frequently in line with Russia’s efforts to promote more international control over cyber activities. China and Russia continue to promote an Information Security Code of Conduct that would have governments exercise sovereign authority over the flow of information and control of content in cyberspace. Both governments also continue to play a disruptive role in multilateral efforts to establish transparency and confidence-building measures in international fora such as the Organization for Security and Cooperation in Europe (OSCE), ASEAN Regional Forum, and the UN Group of Governmental Experts. Although China has not yet agreed with the U.S. position that existing mechanisms, such as international humanitarian law, apply in cyberspace, Beijing’s thinking continues to evolve. (End Quote)