FBI surveillance malware in bomb threat case tests constitutional limits

The FBI has an elite hacker team that creates customized malware to identify or monitor high-value suspects who are adept at covering their tracks online, according to a published report.

The growing sophistication of the spyware—which can report users' geographic locations and remotely activate a computer’s camera without triggering the light that lets users know it's recording—is pushing the boundaries of constitutional limits on searches and seizures, The Washington Post reported in an article published Friday. Critics compare it to a physical search that indiscriminately seizes the entire contents of a home, rather than just those items linked to a suspected crime. Former US officials said the FBI uses the technique sparingly, in part to prevent it from being widely known.

The 2,000-word article recounts an FBI hunt for "Mo," a man who made a series of threats by e-mail, video chat, and an Internet voice service to detonate bombs at universities, airports, and hotels across a wide swath of the US last year. After tracing phone numbers and checking IP addresses used to access accounts, investigators were no closer to knowing who the man was or even where in the world he was located. Then, officials tried something new.


Hacked Websites Used To Get Top 10 Search Result For UGG Boots

When hacked websites are covered in the news it is usually because information stored on them was compromised or malware was added to them, but many websites are hacked for the less newsworthy goal of getting a top search result. We most often see this type of hack used to try to get top search results for pharmaceutical-related terms, which is why it is often incorrectly labeled a pharma hack. We just ran into a set of websites hacked to reach the top search results for a very different item: UGG boots. The Huffington Post reported earlier this week that UGG boots are the fourth most popular searched-for gift on Google Shopping, so it is easy to understand why this term would be targeted. In this case the hackers have been fairly successful in making it to the top of the results. Currently the eighth result for the search term “UGG boots” in Google is one of the websites they have hacked:

UGG Boots Search Result Page 1

At this point Google has detected that the website in question has been hacked, but it hasn’t removed the site from the search results. To put that position in perspective, the major chains DICK’S Sporting Goods, Victoria’s Secret, and Bloomingdale’s all have their UGG boot pages showing up on the second page of search results for the term.

The hackers also made it to the eighth spot for the term “uggs” using another hacked website:

Uggs Search Result Page 1

So how do the hackers gain top spots in the search results? They use two sets of websites that they have hacked. The first set is hacked to add links to pages on the second set. In the first set of websites, HTML code full of links like the following is added to the pages:

Spam Link Source Code

Links are an important factor in how Google decides which pages to show in its search results, so if you can hack a lot of websites and insert links to a web page you want at the top of the search results, you can make it happen.

The second set of websites is hacked to show Google content related to the search term instead of the usual content, a technique referred to as cloaking. One of the websites in the links above is that of the Virginia Department of Rail and Public Transportation, and you can see the cloaking in action there. If you search Google for their website right now you will get this listing:

VA DRPT Google Search Result
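If you administer a site, the two tricks described above (injected link blocks that visitors never see, and a different page served to the search crawler) can both be checked for from the HTML itself. The script below is an added example, not code from White Fir Design: the page bodies are constructed, spam.example is a placeholder host, and the cloaking check takes two bodies you have already fetched (one with a normal browser User-Agent, one with a crawler User-Agent) rather than making requests itself.

```python
"""Checks for injected hidden links and for cloaking on a web page.
Added example; HTML samples are constructed and spam.example is a placeholder."""
import difflib
from html.parser import HTMLParser

# Inline styles commonly used to keep injected links out of a visitor's view.
HIDING_STYLES = ("display:none", "visibility:hidden", "left:-", "text-indent:-")
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}


class HiddenLinkFinder(HTMLParser):
    """Collect hrefs of anchors that sit inside a hidden element."""

    def __init__(self):
        super().__init__()
        self.open_tags = []      # stack of (tag, counted_as_hidden)
        self.hidden_depth = 0    # > 0 while inside at least one hidden element
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in VOID_TAGS:
            return  # no content inside, nothing to track
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hidden = "hidden" in attrs or any(h in style for h in HIDING_STYLES)
        if hidden:
            self.hidden_depth += 1
        self.open_tags.append((tag, hidden))
        if tag == "a" and self.hidden_depth and attrs.get("href"):
            self.hidden_links.append(attrs["href"])

    def handle_endtag(self, tag):
        if all(t != tag for t, _ in self.open_tags):
            return  # stray close tag in sloppy HTML; ignore it
        while self.open_tags:
            t, hidden = self.open_tags.pop()
            if hidden:
                self.hidden_depth -= 1
            if t == tag:
                break


def find_hidden_links(html):
    """Return the hrefs of links a visitor would never see on the page."""
    parser = HiddenLinkFinder()
    parser.feed(html)
    return parser.hidden_links


def cloaking_score(visitor_html, crawler_html):
    """0.0 when both fetches returned the same body, approaching 1.0 as the
    crawler copy diverges from what a visitor gets. Compare against a baseline
    from a known-clean page before choosing an alert threshold."""
    return 1.0 - difflib.SequenceMatcher(None, visitor_html, crawler_html).ratio()


# Constructed pages standing in for a compromised site (not real content).
VISITOR_PAGE = """<html><body>
<h1>Rail and Public Transportation</h1>
<p>Schedules and service updates.</p>
<div style="display: none">
  <a href="http://spam.example/ugg-boots">ugg boots</a>
  <a href="http://spam.example/uggs-sale">cheap uggs</a>
</div>
<p>Contact us.</p>
</body></html>"""

CRAWLER_PAGE = """<html><body>
<h1>UGG Boots Sale</h1>
<p>Buy ugg boots, uggs, cheap uggs.</p>
<a href="http://spam.example/ugg-boots">ugg boots</a>
</body></html>"""

if __name__ == "__main__":
    print("hidden links:", find_hidden_links(VISITOR_PAGE))
    print("cloaking score: %.2f" % cloaking_score(VISITOR_PAGE, CRAWLER_PAGE))
```

The hidden-link check only catches inline-style hiding; links pushed off screen by an external stylesheet or by JavaScript need the rendered page, so treat a clean result as one signal, not proof.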

Cryptolocker Q&A: Menace of the Year

Cybercriminals are constantly looking for ways to evolve their malware. Evolution is the key to survival because antivirus research, analysis, countermeasures, and public awareness thwart the efficacy of malware and its spread. During the past year, Ransomware has received a lot of news coverage, which has decreased the number of uninformed victims and lowered the impact and effectiveness of the malware along with the percentage of return to the criminal.

Due to this increased public awareness, in the last quarter of 2013 we have seen cybercriminals reorganize around a new type of extortion: Cryptolocker. This threat is pervasive and preys on a victim's biggest fear: losing their valuable data. Unlike previous Ransomware that locked operating systems and left data files alone and usually recoverable, Cryptolocker makes extortion of victims more effective because there is no way to retrieve locked files without the attacker's private key.

The following Q&A outlines Cryptolocker and Symantec’s protection against this malware:

Q: What is the difference between Ransomware and Cryptolocker (also known as Ransomcrypt)?

The difference between Ransomlock and Cryptolocker Trojans is that Ransomlock Trojans generally lock computer screens while Cryptolocker Trojans encrypt and lock individual files. Both threats are motivated by monetary gains that cybercriminals can make from extorting money from victims.

Q: When was this threat discovered?

Cryptolocker began to be seen in the wild in September 2013.

Q: Is the Cryptolocker threat family something new?

No. Symantec detects other similar malware families such as Trojan.Gpcoder (May 2005) and Trojan.Ransomcrypt (June 2009) that encrypt and hold files ransom on compromised systems.

Q: What is the severity of this Cryptolocker threat?

The severity is high. If files are encrypted by Cryptolocker and you do not have a backup of the file, it is likely that the file is lost.

Q: How do I know I have been infected by Cryptolocker?

Once infected, you will be presented on screen with a ransom demand.


Figure 1. Cryptolocker ransom demand

Q: How does a victim get infected?

Victims receive spam email that uses social engineering tactics to entice them into opening the attached zip file.


Figure 2. Cryptolocker spam email example

If victims open the zip file attached to the email, they find an executable file disguised to look like an invoice report or some similar social engineering ploy, depending on the email theme. This executable is Downloader.Upatre, which downloads Trojan.Zbot. Once the system is infected with Trojan.Zbot, Downloader.Upatre also downloads Trojan.Cryptolocker onto the compromised system. Trojan.Cryptolocker then reaches out to a command-and-control (C&C) server whose name is generated by a built-in domain generation algorithm (DGA). Once an active C&C is found, the threat downloads the public key that is used to encrypt the files on the compromised system, while the linked private key, required for decrypting the files, remains on the cybercriminal’s server. The private key stays under the cybercriminals’ control and cannot be used without access to the C&C server, which changes regularly.


Figure 3. Cryptolocker attack steps
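The delivery step above (a zip attachment whose member is an executable dressed up as an invoice) is the point where a mail gateway can intervene. The following is an added example, not Symantec tooling: it builds a lure zip in memory from constructed bytes and flags members by extension, by a document-looking double extension, and by the PE magic number, so a renamed executable is caught even when the file name is disguised.

```python
"""Attachment triage for zip lures carrying a disguised executable.
Added example; the zip and its contents are constructed, not a real sample."""
import io
import zipfile

EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def build_sample_attachment():
    """Constructed lure: an 'invoice' that is really a PE stub, plus a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # 'MZ' is the DOS header magic every Windows PE executable starts with;
        # the rest is padding, not a working program.
        zf.writestr("Invoice_2013-12.pdf.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
        zf.writestr("readme.txt", b"Please see attached invoice.\n")
    return buf.getvalue()


def triage_zip(zip_bytes, max_members=50):
    """Return [(member_name, [reasons]), ...] for members worth blocking.
    max_members bounds the work done on a deliberately bloated archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist()[:max_members]:
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            inner = "." + parts[-2] if len(parts) > 2 else ""
            with zf.open(info) as member:
                head = member.read(2)
            reasons = []
            if ext in EXEC_EXTENSIONS:
                reasons.append("executable extension")
            if inner in DOCUMENT_EXTENSIONS:
                reasons.append("double extension disguised as document")
            if head == b"MZ":
                reasons.append("PE magic number")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage_zip(build_sample_attachment()):
        print(f"block {name}: {', '.join(reasons)}")
```

Blocking on the magic number alone is the most robust of the three checks, since it survives any renaming; the extension rules mainly give analysts a readable reason for the block.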

Q: Does Symantec have protection in place for Cryptolocker and the other associated malware?

Yes. Symantec has the following protection in place for this threat:

Detection name and detection type:

  • Antivirus signatures (four detections)
  • Heuristic detections (three detections)
  • System Infected: Trojan.Cryptolocker (Intrusion Prevention Signature)

Symantec customers that use the Symantec.Cloud service are also protected from the spam messages used to deliver this malware.

Some earlier Symantec detections that detect this threat have been renamed:

  • Virus definitions dated November 13, 2013, or earlier detected this threat as Trojan.Ransomcrypt.F
  • Intrusion Prevention Signature (IPS) alerts dated November 14, 2013, or earlier were listed as "System Infected: Trojan.Ransomcrypt.F"

Q: What do the C&Cs look like?

The following are recent examples of command-and-control (C&C) servers from the DGA:

  • kstattdnfujtl.info/home/
  • yuwspfhfnjmkxts.biz/home/
  • nqktirfigqfyow.org/home/

Cryptolocker can generate up to one thousand similar looking domain names per day in its search for an active C&C.

Q: How sophisticated is this threat?

While the Cryptolocker campaign uses a common technique of spam email and social engineering in order to infect victims, the threat itself also uses more sophisticated techniques like the following:

  • Cryptolocker employs public-key cryptography using strong RSA 2048 encryption. Once files are encrypted, the victim will not be able to decrypt them without the private key held on the attacker’s server.
  • Cryptolocker employs a DGA that is based on the Mersenne twister pseudo-random number generator to find active C&Cs.
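The C&C names quoted earlier and the note that the DGA can produce up to a thousand of them per day both point to the same detection opportunity: a host that resolves a stream of long, vowel-poor labels, most of them failing, stands out in DNS logs. The script below is an added example, not Symantec's detection logic or Cryptolocker's DGA; the log lines are constructed (the three domains come from the examples above, the rest are benign fillers), and the length, vowel-ratio and consonant-run thresholds are assumptions tuned only against those samples.

```python
"""Heuristic triage of DGA-looking query names in a DNS log, grouped by client.
Added example; log lines and thresholds are constructed assumptions."""
import re
from collections import defaultdict

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")   # y treated as a consonant

# Constructed log: client, query name, response code. Not real telemetry.
SAMPLE_DNS_LOG = """\
10.0.0.5 kstattdnfujtl.info NXDOMAIN
10.0.0.5 yuwspfhfnjmkxts.biz NXDOMAIN
10.0.0.5 nqktirfigqfyow.org NOERROR
10.0.0.5 www.symantec.com NOERROR
10.0.0.7 www.washingtonpost.com NOERROR
10.0.0.7 drpt.virginia.gov NOERROR
10.0.0.7 backupexec.example NOERROR
"""


def label_features(domain):
    """(length, vowel_ratio, longest consonant run) of the leftmost label.
    A leading 'www' is skipped so www.example.com is judged on 'example'."""
    labels = domain.lower().strip(".").split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    label = labels[0] if labels else ""
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return 0, 0.0, 0
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in CONSONANT_RUN.findall(label)), default=0)
    return len(label), vowel_ratio, longest_run


def looks_generated(domain, min_len=10, max_vowel_ratio=0.25, run_limit=4):
    """Assumed rule: a long label with few vowels or a long consonant run.
    Short labels (drpt, bbc) are skipped because the ratios are meaningless there."""
    length, ratio, run = label_features(domain)
    if length < min_len:
        return False
    return ratio < max_vowel_ratio or run >= run_limit


def triage_dns_log(log_text):
    """Return {client: [suspicious query names]} for hosts worth a closer look."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        client, qname, _rcode = parts
        if looks_generated(qname):
            hits[client].append(qname)
    return dict(hits)


if __name__ == "__main__":
    for client, names in triage_dns_log(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like queries -> {', '.join(names)}")
```

In practice the count of NXDOMAIN answers per client over a short window is a stronger signal than any single name, since a live DGA burns through many dead candidates before it finds an active C&C; the per-client grouping here is the hook for that.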

Q: How prevalent is the threat?

Symantec telemetry for this threat shows that the threat is prevalent in the United States at present. While the numbers being reported are low, the severity of the attack is still considerable for victims.


Figure 4. Top 5 countries reporting detections

Q: Has Symantec previously released any publications around these attacks?

Yes, Symantec has released the following blogs:

Q: Should I pay the ransom?

No. You should never pay a ransom. Payment to cybercriminals only encourages more malware campaigns. There is no guarantee that payment will lead to the decryption of your files.

Q: Who is behind the Cryptolocker malware?

Investigations into the cybercriminals behind the Cryptolocker malware are ongoing.

Q: Is there any advice on how to recover files affected by this attack?

Yes, Symantec Technical Support has released the following article:

Q: Any advice on how to not become a victim?

Yes. First, follow information security best practices and always back up your files. Keep your systems up to date with the latest virus definitions and software patches. Refrain from opening any suspicious unsolicited emails. We also advise customers to use the latest Symantec technologies and incorporate the latest Symantec consumer and enterprise solutions to best protect against attacks of this kind.

Q: Does Symantec offer backup and disaster recovery software?

Yes. Symantec has the Backup Exec Family of products.

Kingpin behind large chunk of world’s malware exploits led lavish life

A screenshot showing BlackHole statistics.

An online crime kingpin arrested in October and charged with creating and distributing the Blackhole exploit kit may have had his hand in as much as 40 percent of the world's malware infections, according to information released by the security firm that helped track him down.

The 27-year-old Russian, identified only as Paunch, allegedly earned about $50,000 per month selling BlackHole subscriptions for as much as $500 per month, according to a report published Friday by security firm Group-IB. He is also alleged to be behind the much more expensive Cool Exploit Kit and a "Crypt" service used to obfuscate malware to go undetected by antivirus programs. With more than 1,000 customers, he was able to lead a lavish lifestyle that included driving a white Porsche Cayenne, Group-IB said.

Exploit kits are the do-it-yourself tools used to embed crimeware into hacked or malicious websites so they target a host of vulnerabilities found on end-user computers. People who visit the websites are exposed to "drive-by" attacks that are often able to install highly malicious software on the computers with no sign that anything is amiss. Group-IB estimated that Paunch may have supplied the code used in as much as 40 percent of the PC crimeware infections worldwide. Researchers arrived at that guess by gauging sales of BlackHole and Cool, which they said accounted for about 40 percent of world revenue for exploit kits. Even assuming that some crimeware is installed independent of exploit kits, it's hard to overstate the role these two kits played in seeding the Web with exploit code that installed malware used in bank fraud and other forms of online crime.
