WikiLeaks Goes Behind Paywall, Anonymous Cries Foul

Secret-spilling site WikiLeaks has moved millions of documents behind a paywall, prompting blowback from elements of an underground ally, the hacking group Anonymous, with one well-known member concluding that it “cannot support anymore what WikiLeaks has become.”

Upon clicking on any of the site’s documents, including “Cablegate: 250,000 US Embassy Diplomatic Cables,” which is said to have come from alleged WikiLeaks leaker Bradley Manning, WikiLeaks visitors are taken to a page with a video that lambastes Barack Obama and ends with WikiLeaks chief Julian Assange asking for donations. To access documents, one can donate, share the video on Facebook or tweet it. The fullscreen overlay cannot be closed unless a donation is made or something is shared, though the video does not appear over every document dump.

Prominent Anonymous Twitter accounts were quick to register displeasure. @YourAnonNews called for the wall to come down and then followed up with a damning message:

@AnonymousIRC went further by dropping a long letter to Pastebin, explaining that it has had enough of WikiLeaks’ founder, concluding that WikiLeaks has lost its way and is consumed by Assange’s legal troubles and ego instead of its mission of transparency.

The dustup adds to the rocky relationship between Anonymous and WikiLeaks. Anonymous rallied behind WikiLeaks in December 2010, targeting Visa, MasterCard and PayPal for blocking off donations to WikiLeaks. Fourteen suspects connected to Anonymous were charged last year for allegedly participating in denial-of-service attacks against online payment service provider PayPal.

Later it even acted as a conduit for documents Anonymous obtained via hacking, including break-ins seemingly masterminded by FBI-informant Sabu. For instance, in February, in what was viewed as an unprecedented collaboration between WikiLeaks and Anonymous, WikiLeaks began leaking portions of a massive trove of e-mails from the private intelligence firm Stratfor that Anonymous obtained by hacking the company in December.

But that partnership left many in Anonymous unsatisfied and some Anons set up their own leaking operation, known as Par:AnoIA.

Assange, who has taken refuge at the Ecuador embassy in London, did not immediately respond to a request for comment. But Wikileaks wrote on Twitter that “A tweet, share, wait or donate campaign is not a ‘paywall.’”

Assange was granted asylum by Ecuador in August amid claims that, if he was extradited to Sweden to face an investigation for sex crimes, he would be further extradited to the United States where he would face political persecution and military court trial for publishing documents that have angered the U.S. government. He remains holed up in the London embassy on fears he would be arrested if he fled to Ecuador.

In a message posted on Pastebin, @AnonymousIRC blasted Assange:

…Wikileaks is not — or should not be — about Julian Assange alone. The idea behind Wikileaks was to provide the public with information that would otherwise be kept secret by industries and governments. Information we strongly believe the public has a right to know. But this has been pushed more and more into the background; instead we only hear about Julian Assange, like he had dinner last night with Lady Gaga. That’s great for him but not much of our interest. We are more interested in transparent governments and bringing out documents and information they want to hide from the public.

The message added:

“The conclusion for us is that we cannot support anymore what Wikileaks has become – the One Man Julian Assange show. But we also want to make clear that we still support the original idea behind Wikileaks: Freedom of information and transparent governments. Sadly we realize that Wikileaks does not stand for this idea anymore.”

The overlay on WikiLeaks can be circumvented by disabling JavaScript, and many Anonymous docs can be found on mirror sites around the net that lack the paywall.


Multiplatform Fake AV Uses Different GUIs

Since the beginning of October we have seen a variant of fake antivirus malware that belongs to the FakeRean family of rogue security products. FakeRean is distributed by drive-by downloads or is dropped and executed by other malware. It blocks victims from accessing any other legitimate application on an infected machine. Like other fake AV products, it claims to detect infections and displays alerts to scare users into purchasing “protection.” In reality this program does not scan your computer. This rogue malware extorts money from PC owners to “fix” their systems. It also blocks users from accessing or executing any .exe file on the victim’s machine.

The main difference with this rogue is that it brings up a different GUI depending on the version of Windows it infects.

We can see some GUIs below:


Once executed, the Trojan disables the security system on the victim’s machine.

Like other infections of rogue security products, this variant scares its victims and steals money if they pay for protection. The malware tricks the victims into purchasing the “full” version.

Victims can regain control of their machines by clicking the Manual Activation tab, as shown below, and entering the activation code 3425-814615-3990. This will not remove the malware but it will allow users to work again.

A series of fraudulent progress bars and scans will show up when the victim clicks Continue.

After the fake updates have been “downloaded,” a victim’s Internet browser will work normally.

The malware is designed to select the color gradient of the GUI that it uses.

The Trojan enumerates the running processes, looking for AV and security-related services. If any are found, it terminates them.

A new UPX-packed file is written in memory and executed.

After we unpacked the file, we found many strings that appear on the fake AV GUI.

Advice to Customers

Keep your systems updated with the latest patches. Ensure your antimalware software is updated with the latest DATs. Always run a reputable firewall on your machines. And beware of drive-by downloads when visiting any new websites.

New Election System Promises to Help Catch Voting-Machine Problems

Example of the kinds of ballots with questionable markings that Clear Ballot can display quickly for election officials to help them find problematic ballots.

When voting system activists in the U.S. managed to get many paperless electronic voting machines replaced a few years ago with optical-scan machines that use paper ballots, some believed elections would become more transparent and verifiable.

But a spate of problems with optical-scan machines used in elections across the country has shown that the systems are just as much at risk of dropping ballots and votes as touchscreen voting machines, whether due to intentional manipulation or unintentional human error.

A new election system promises to resolve that issue by giving election officials the ability to independently and swiftly audit the performance of their optical-scan machines.

Called Clear Ballot, the system is patterned in part after an auditing system that was used in California in 2008. It uses high-speed commercial scanners made by Fujitsu, as well as software developed by the Clear Ballot team, which includes a former developer who worked under Ray Ozzie to create Lotus Notes.

The system has been tested in several Florida counties over the past year, as well as in Connecticut and New Hampshire. It will have its greatest test, however, in the upcoming presidential election, when it will be used to audit election results in seven Florida counties, as well as in two counties in New York.

“It’s the first-ever large-scale verification of elections cast on paper ballot anywhere,” says Clear Ballot CEO Larry Moore, a former vice president at Lotus.

Ballots are first scanned in voting machines made by the vendors before they’re scanned a second time in the Clear Ballot Fujitsu scanner. The Clear Ballot counting software, which sits on a laptop connected to the Fujitsu scanner via USB cable, then processes the ballot images to produce results that can be compared against the vendor machine results.

The software allows election officials to quickly identify ballots that may be causing a discrepancy – such as ones in which voters filled in ovals incorrectly or insufficiently – and pull up ballot images and other visual displays (.pdf) so that election officials can make judgment calls about the voter’s intent and whether a particular mark should be counted as a vote.

An example of Clear Ballot results showing a discrepancy in the vote count for a race.

“We produce a result, and we subject that number against the voting system’s number, and ideally the [discrepancy] is zero,” Moore says. “But if it’s not, we have provided a very efficient way, and a visual way, of helping an election official resolve why the discrepancy occurred.”

California, as well as many other states, requires post-election manual audits of a certain percentage of precinct ballots – often 1 percent of precincts randomly chosen – as a way to detect voting machine glitches or manipulation. But the manual audits can take a week or longer and clash with deadlines for certifying an election.

The time period for certifying an election differs between states, but Florida has one of the tightest certification windows — just seven days. Once an election is certified, it takes a concerted legal effort to get a recount.

Earlier this year, a county in Florida had to reverse the certified results in a race for council seats after an audit showed that the losers in the race were actually the winners. The problem was attributed to voting machine software made by Dominion/Sequoia Voting Systems.

Clear Ballot’s aim, Moore says, is to give election officials a way to swiftly verify election results before they certify elections. The system, he says, can begin producing results within minutes after the polls close on election night.

Clear Ballot also aims to reduce the price of conducting audits. Moore wouldn’t say how much the Clear Ballot system will cost, but he says they hope to meet or beat the current cost of doing manual counts. He noted that Leon County, Florida, which has about 180,000 registered voters, has paid about $18,000 for post-election audits in the past.

After Leon County supervisor of elections Ion Sancho invited Clear Ballot to audit archived ballots from the 2008 presidential election, the Clear Ballot system uncovered 40 ballots that had gone uncounted in that election. The voting machine scanner had ignored the ballots because election workers had torn off a small part of the bottom of one page when they separated the two-page ballots.

The system also found nine ballots with over-votes (double votes) that weren’t caught by the voting machine scanners.

Over-votes are ballots in which a voter marks too many choices in a single race. Optical-scan voting machines are supposed to detect and reject such ballots when they’re scanned so that voters can re-do their selections. But the Clear Ballot test showed that some machines weren’t doing this properly.
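The reconciliation described above (an independent second scan tallied on its own and compared line by line against the vendor machine's numbers, with over-voted and dropped ballots surfaced for an official to review) can be sketched in a few dozen lines. The following is an added illustration written for this article, not Clear Ballot's software or anything derived from it; the ballot records, race name, candidate names and vendor tally are all constructed, and the over-vote rule applied (reject the race on that ballot rather than counting any of its marks) is the behaviour the text says optical-scan machines are supposed to have.

```python
"""Independent tally and reconciliation against a vendor tally (constructed example).

Not Clear Ballot's code. Race names, candidate names and all counts below are
made up to show how a discrepancy is located, not taken from any election.
"""
from collections import Counter, defaultdict

# Constructed sample of what an independent scan might read off six ballots:
# per race, the set of ovals found filled. An empty set is an under-vote.
INDEPENDENT_SCAN = [
    ("b001", {"Council": {"Alice"}}),
    ("b002", {"Council": {"Bob"}}),
    ("b003", {"Council": {"Alice", "Bob"}}),  # over-vote: two marks in a one-vote race
    ("b004", {"Council": {"Alice"}}),
    ("b005", {"Council": set()}),             # under-vote: no mark at all
    ("b006", {"Council": {"Bob"}}),           # constructed: vendor scanner dropped this ballot
]

# Constructed vendor result for the same race. In this scenario the vendor
# machine counted b003 as a vote for Alice instead of rejecting the over-vote,
# and never saw b006 at all.
VENDOR_TALLY = {
    "Council": {"Alice": 3, "Bob": 1, "over-votes": 0, "under-votes": 1, "ballots": 5},
}

# How many choices each race allows (hypothetical ballot definition).
VOTES_ALLOWED = {"Council": 1}


def tally(ballots, votes_allowed):
    """Count each race independently.

    Returns (per-race counts, ballots flagged for review). A race on a ballot
    with more marks than allowed is counted as an over-vote and none of its
    marks are credited to a candidate; the ballot id is kept so an official
    can pull up its image.
    """
    result = {}
    flagged = defaultdict(list)
    for race, allowed in votes_allowed.items():
        counts = Counter()
        over = under = seen = 0
        for ballot_id, marks in ballots:
            if race not in marks:
                continue
            seen += 1
            filled = marks[race]
            if len(filled) > allowed:
                over += 1
                flagged[race].append(ballot_id)
            elif not filled:
                under += 1
            else:
                counts.update(filled)
        result[race] = {**counts, "over-votes": over, "under-votes": under, "ballots": seen}
    return result, dict(flagged)


def reconcile(independent, vendor):
    """Per race, every line item whose independent count differs from the vendor's.

    The value is independent minus vendor; an empty dict for a race means the
    two systems agree exactly (the ideal discrepancy of zero).
    """
    diffs = {}
    for race, ours in independent.items():
        theirs = vendor.get(race, {})
        keys = sorted(set(ours) | set(theirs))
        diffs[race] = {
            k: ours.get(k, 0) - theirs.get(k, 0)
            for k in keys
            if ours.get(k, 0) != theirs.get(k, 0)
        }
    return diffs


def audit(ballots=INDEPENDENT_SCAN, vendor=VENDOR_TALLY, votes_allowed=VOTES_ALLOWED):
    """Run the independent tally and return (discrepancies, ballots to review)."""
    independent, flagged = tally(ballots, votes_allowed)
    return reconcile(independent, vendor), flagged


if __name__ == "__main__":
    discrepancies, to_review = audit()
    for race, diff in discrepancies.items():
        print(race, "discrepancy:", diff or "none")
        print(race, "ballots to review:", to_review.get(race, []))
```

On the constructed data the independent tally credits Alice with 2 and Bob with 2, records one over-vote and six ballots, so the discrepancy for the race is Alice -1, Bob +1, over-votes +1 and ballots +1, and ballot b003 is listed for review. Each non-zero line points an official at a specific cause (an over-vote the vendor machine accepted, a ballot it never counted) rather than just a differing total.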

“The results so far have really shown the accuracy of well-calibrated machines run by well-oiled election departments, but what they’ve also shown is that there is a tremendous opportunity for human error, and we needed a system that catches that — if not the worst case [scenario], which is fraud,” says Moore.

In the upcoming presidential election, the Clear Ballot system will be auditing ballots in seven counties — Leon, Citrus, Bay, Okaloosa, Indian River, Madison and Duval County. The test will involve about 900,000 two-page ballots, the majority of them in Duval County, which has about 550,000 registered voters.

Since the seven counties use different optical-scan voting machines, the election will help Clear Ballot pit its system against voting machines made by all three of the top vendors – Election Systems and Software, Dominion/Sequoia Voting Systems, and Premier/Diebold.

The system is patterned in part after an audit program that a California county implemented in 2008, which helped uncover 216 ballots that the voting machine had missed.

Humboldt County, a small county in northern California, implemented a pilot project that year called the Transparency Project in order to serve as a check against the Premier/Diebold optical scan machines the county was using. Under the program, every paper ballot scanned by the Premier/Diebold machine was also digitally scanned by a separate commercial scanner not made by a voting machine company.

After completing both scans, officials discovered the discrepancy of 216 ballots. The problem was eventually attributed to the Premier/Diebold software, which randomly deleted entire batches of ballots due to a software error that the company subsequently fixed.

The Clear Ballot system is more sophisticated than the one that was used in Humboldt County. It creates a ballot definition file of each ballot type on the fly, so that the system isn’t relying on a ballot definition file created by election officials for their voting machine scanners. Because the two systems operate independently of one another, the voting machine scanner serves as an auditing mechanism for the Clear Ballot system as much as the Clear Ballot system is an auditing mechanism for the voting machine scanner.

So far, Moore says they do not intend to make their software open source so that it can be examined by others, but he did not rule this out for the future. The company does, however, make its source code available to election districts that have requested it.

Doug Jones, associate professor of computer science at the University of Iowa, and co-author of the book Broken Ballots, says he’s pleased to see the Clear Ballot system being tested in elections.

“It’s a really interesting idea and it’s clever,” says Jones, who has been a long-time critic of electronic voting machines. “If I were setting out to build something I could corrupt, it’s really hard to figure out how to go about it with the architecture they have. I’d love to see them go open source, but … even if they’re a totally closed shop, as long as they’re totally independent of the vendors, it strikes me as a good idea.”

Malware Dubbed "The Remote Control Virus" by Japanese Media Used to Make Death Threats in Japan

News broke over the weekend in Japan that police had arrested three people over the past few months in relation to death threats being posted on bulletin boards and sent through email. However, it was also reported that the suspects were subsequently released without charge due to the discovery of a particular malware infection on all of the suspects’ computers that is believed to have been used to make the threats. Examples of some of the threats include a posting to a government website stating that the person posting the threat will commit mass murder in a popular shopping area; a posting to an Internet forum saying that he/she will blow up a famous shrine; an email sent to an airline company threatening to use a bomb to destroy an aircraft; and an email threatening the kindergarten attended by a child of the royal family. Police are currently investigating the connection between the threats and the malware.

From our analysis, we have confirmed that the malware is capable of controlling a compromised computer from a remote location, which is nothing new for malware. Furthermore, from the various functions we have confirmed, the creator has the capability to command the malware to make the threats mentioned above. We have also discovered that a string of characters used to process encrypted communication with the creator is in Japanese and that the code is taken from a Japanese website. Therefore, we believe the creator is most likely a person who has a good understanding of the Japanese language.

Figure 1. Japanese found in the code


We have obtained two versions of the threat so far and each version has a version number as shown below:

Figure 2. Version numbers of the variants of the threat we have found so far


Because the numbers are not in sequential order, there could potentially be more versions we are not aware of.

Symantec has confirmed that customers have been protected against this malware by our reputation technology called Insight. Symantec proactively detected the file as Suspicious.Insight and we have also developed a detection, called Backdoor.Rabasheeta, so that customers can identify infections of this particular threat. This detection also protects customers against similar variants that could potentially be in the wild.

Infection appears to be very limited at this time and the broader population of Internet users should not be affected by this malware. Though the file name iesys.exe is the only file name that we have seen or heard of in relation to this threat, other names may exist. For Symantec customers attempting to discover if their computer is compromised by this threat, Symantec advises that users search for the file iesys.exe as well as download the latest definition updates before scanning their computers.

To protect against this type of threat, users should be wary when downloading software from unknown sources. Symantec also advises that users ensure that their operating system and software installed on their computer is up-to-date. Last but not least, do not click on suspicious links or attachments in emails as well as links on websites.

To learn more technical information about this threat, please refer to our writeup.

Update [October 19, 2012]

Symantec has acquired a third variant of this threat. The version number of this variant is 2.0. Symantec products already detected this variant as Backdoor.Rabasheeta before the threat was obtained. From our analysis, it is practically identical to version 2.23 and there are no noticeable differences between the two. We have also confirmed that all three files we have acquired to date would have been proactively detected by Symantec's Insight technology as either WS.Reputation.1 or Suspicious.Insight depending on the product used.

The media reports that the number of users that accessed the malware download site was over 20. We consider the number of infections to be extremely limited. Symantec has yet to confirm any infections from our sources. For those who are concerned about a potential infection, please scan your computer with the latest updates. We also make available a free online scanner for those not using Symantec products.

Again, to protect against this type of threat, users should be wary when downloading software from unknown sources. We also advise that users ensure that their operating system and the software installed on their computer are up-to-date, and that they do not click on suspicious links or attachments in emails or suspicious links on websites.