Feds Say No Dice in Retrieving Your Data Seized in Megaupload Case

Federal prosecutors are proposing a process that would make it essentially impossible for former Megaupload users to recover their data following the government’s seizure of the file-sharing service’s servers and domain names in January as part of its criminal copyright infringement prosecution of Megaupload’s employees.

That’s according to Julie Samuels, an Electronic Frontier Foundation attorney representing an Ohio man seeking the return of his high school sports footage.

“It’s almost an insurmountable hurdle for any individual or small business,” Samuels, in a telephone interview Wednesday, said of the government’s position.

The government asserted in a court filing Tuesday that the process of returning videos to EFF client Kyle Goodwin, so far the only individual to come forward demanding return of data, “may require the testimony of numerous witnesses, including potential expert witnesses.”

The government’s position comes as people increasingly store documents in the cloud, while the government, in the name of protecting intellectual property, has shown a willingness to seize servers and domain names first and worry later about the consequences, such as the lack of a clear process for returning data to its rightful owners.

The government fears that a rush of some of the 60 million-plus former Megaupload customers could make claims to get their data back. The government says that Goodwin’s court declaration asserting he owns files in a Megaupload account is not good enough.

“Mr. Goodwin has yet to demonstrate whether he has an interest in any property seized by the government,” the authorities said in a brief filing. The government added that “the mere fact that he may claim, for example, an initial copyright to a version of the files he uploaded is not sufficient to establish that he has an ownership interest in the property that is the subject of this motion.”

Goodwin wants U.S. District Judge Liam O’Grady, the judge overseeing the Megaupload criminal infringement prosecution, to continue his order preserving the 25 petabytes of data the authorities seized in January. Goodwin, the operator of OhioSportsNet, which films and streams high school sports, wants to access his copyrighted footage that he stored on the file-sharing network. His hard drive crashed days before the government shuttered the site Jan. 19, he claims in a court filing.

The government also suggested that Goodwin may have uploaded unauthorized music to Megaupload, which cannot be returned.

The authorities suggested that “cheaper remedies” might exist for Goodwin to retrieve his content, “such as data recovery from Mr. Goodwin’s hard drive.”

Here’s what the government said the judge should consider before agreeing that Goodwin should get back his files:

(1) whether Mr. Goodwin has ‘clean hands’ or whether he is barred from obtaining equitable relief;

(2) the cost and technical feasibility of finding a single user’s data on the Carpathia servers;

(3) the number of other affected parties similarly situated to Mr. Goodwin;

(4) how, if at all, the government can prevent the return of infringing materials and other contraband from the servers;

(5) and whether other, cheaper remedies exist, such as data recovery from Mr. Goodwin’s hard drive.

Such issues may require the testimony of numerous witnesses, including potential expert witnesses. Many of these difficult issues may be avoided if the Court determines that Mr. Goodwin lacks an interest in the seized property, or that his interest is narrower than he currently claims.

Megaupload allowed users to upload large files and share them with others, but the feds and Hollywood allege the service was used almost exclusively for sharing copyrighted material without permission — which Megaupload denies.

A hearing on the data issue is pending.

Federal authorities have said they have copied some, but not all, of the Megaupload data, and said Carpathia, Megaupload’s Virginia-based server host, could delete the 25 million gigabytes of Megaupload data it is hosting on 1,100 servers — a decision the judge in the case has tentatively halted.

Carpathia has said it is spending $9,000 daily to retain the data, and is demanding that Judge O’Grady relieve it of that burden. Megaupload, meanwhile, wants the government to release some of the millions of dollars in seized Megaupload assets to pay Carpathia to retain the data for its defense and possibly to return data to its customers.

The criminal prosecution of Megaupload targets seven individuals connected to the Hong Kong-based file-sharing site, including founder Kim Dotcom. They were indicted in January on a variety of charges, including criminal copyright infringement and conspiracy to commit money laundering.

Five of the members of what the authorities called a five-year-old “racketeering conspiracy” have been arrested in New Zealand, pending possible extradition to the United States — though that has devolved into a political mess, after the New Zealand government admitted to spying illegally on Dotcom.

The U.S. government said the site, which generated hundreds of millions in user fees and advertising, facilitated copyright infringement of movies, often before their theatrical release, in addition to music, television programs, electronic books, and business and entertainment software. The government said Megaupload’s “estimated harm” to copyright holders was “well in excess of $500 million.”

Tool Talk: Cracking the Code on XtremeRAT

Late last week, reports began to surface that the Israeli police (along with other regional law enforcement) were targeted by a malware attack. The entry vector was described as a phishing campaign sent from Benny Gantz (head of the Israeli Defense Forces). Initially, details and indicators around the malware were beyond sparse. Aside from the FROM: address, little was known that could assist in any sort of investigation. Nearly 24 hours after the first reports, both details and samples of the malware started to flow. As soon as we could confirm details of the phish email and the malicious attachments, we were able to cross-reference sample data already in our malware database and connect the dots.

[Image: Generic Dropper.p (XtremeRAT)]

This is where, from the research side, things begin to get fun.

Automated malware analysis is nothing new to our industry. Most vendors (ourselves included) have tools to handle this internally, and to assist our skilled human analysts with proper classification, documentation, and other recurring tasks that must occur with the daily barrage of new and unique malicious binaries. The bar for this threat, however, has been raised. With ValidEdge, we were able to generate enormous amounts of usable and actionable data from the execution of malware samples. We get feedback from basic static analysis, as well as from runtime data. We get all the usual system modification data, complete network/communication data, and samples and memory dumps from second-level threats (dropped, created, or downloaded entities). And it’s all done in a safe environment, with extremely robust reporting.

To fully illustrate, let’s focus on the Trojan that affected the Israeli police. In the McAfee universe, we detect this threat as Generic Dropper.p.

To start with, you simply submit your sample(s) to the ValidEdge appliance/host. The ways to do that vary depending on implementation. In my setup, it’s as simple as dropping the file, via FTP, on the appliance, then picking up the result set the same way (from a different directory on the FTP server). Easy and fast. I immediately had a set of results from my submission of the following sample:

[Image: Sample Data]

The result sets are organized as a specific directory structure.

[Image: Analysis report sample]

This is where we typically end with most tools. The exception here, from my experience, is that the appliance generates much more data that you can start taking action on. The way in which the information is organized is also very friendly and workable. Some basic examples follow:

[Images: Sample Data, Sample Data 2, Sample Data 3, Sample Data 4]

From here we can get enough static data to build a picture of the malware and its behavior. We also have network data and full memory dumps and screenshots at our disposal should we need to dig further.


[Image: Memory dumps]

All the secondary/dropped files are presented as well. As such, these can be easily analyzed in context.

[Image: Dropped files]

Dropped files, specific to this threat, are detected via McAfee Global Threat Intelligence along with the current DATs.


Name: word.exe
MD5: 2BFE41D7FDB6F4C1E38DB4A5C3EB1211
Detection: Artemis!2BFE41D7FDB6

At this point you have plenty of information to understand what this threat is doing, how it communicates, and much more. Some would argue that deep malware analysis is an art form. But to embark on that sort of journey you need enough data to make constructive, creative, and accurate decisions. Tools like ValidEdge do exactly that.

Sandy Storms Inboxes

Hurricane Sandy, one of the most devastating superstorms in decades, hit the US East Coast. Causing the loss of lives and businesses and leaving countless people without electricity, Sandy has now added spam to its list of misery. We are observing spam messages related to the hurricane flowing into Symantec Probe Networks. The top word combinations in message headlines are "hurricane – sandy", "coast – sandy", "sandy – storm", and "sandy – superstorm."

Figure 1. Message volume over a two-day period

Typical spam attacks like "Gift card offer" and "Money making & Financial" spam are currently targeting the disaster. Below are the screenshots of some spam samples.

The following are examples of subject lines seen in the spam messages:

  • Help Sandy Victims and get $1000 for Best Buy!
  • Sandy Strikes... [WARNING]
  • Deposit Processing Open Today (Frankenstorm doesn't stop us)

Spammers taking advantage of disasters is nothing new. Previously, for example, we witnessed phishing and spam campaigns using the Haiti earthquake as a means of spreading. We anticipate fake news, photos, donation requests, 419 scams, phishing campaigns, and malicious video link attacks will be seen over the coming few days.

We advise users to follow best practices while online. Users are advised to type website addresses directly into their Internet browser for any online video rather than clicking on links contained in emails.

Finally, never donate money or buy products through wire transfer services or similarly untraceable methods of payment. Instead, reach out to the storm victims through legitimate and secure channels.

As always, we will be continuously updating our anti-spam filters to block these emails from reaching users. 

Thanks to Anand Muralidharan for contributing to this blog.