2007 November | MalwareTeks Blog


Archive for November, 2007

IE Defender Removal Tool FixIEDef Now Has Its Own Web Page.

Monday, November 12th, 2007

FixIEDef can now be found on its very own web page at the MalwareTeks main site: http://www.malwareteks.com/FixIEDef.php

This is the official web page for FixIEDef, and this page may not be mirrored.

‘Bot Roast II’ Nets 8 Individuals

Thursday, November 29th, 2007

Press Release

For Immediate Release
November 29, 2007

Washington D.C.
FBI National Press Office
(202) 324-3691

‘Bot Roast II’ Nets 8 Individuals

Second Phase of Ongoing Cyber Investigation Reveals More Than $20 Million in Economic Loss and More Than One Million Victimized Computers. Public Urged To Take Precaution.

The FBI today announced the results of the second phase of its continuing investigation into a growing and serious problem involving criminal use of botnets. Since Operation ‘Bot Roast’ was announced last June, eight individuals have been indicted, pled guilty, or been sentenced for crimes related to botnet activity. Additionally, 13 search warrants were served in the U.S. and by overseas law enforcement partners in connection with this operation. This ongoing investigative effort has thus far uncovered more than $20 million in economic loss and more than one million victim computers.

FBI Director Robert S. Mueller, III said, “Today, botnets are the weapon of choice of cyber criminals. They seek to conceal their criminal activities by using third party computers as vehicles for their crimes. In Bot Roast II, we see the diverse and complex nature of crimes that are being committed through the use of botnets. Despite this enormous challenge, we will continue to be aggressive in finding those responsible for attempting to exploit unknowing Internet users.”

A botnet is a collection of compromised computers under the remote command and control of a criminal “botherder.” A botherder can gain control of these computers by unleashing malicious software such as viruses, worms, or trojan horses. By executing a simple task such as opening an attachment, clicking on an advertisement, or providing personal information to a phishing site (a fraudulent site that mimics a legitimate site), an individual computer user has unintentionally allowed unauthorized access. Bot operators will then typically use these compromised computers as vehicles to facilitate other actions such as commit identity theft, launch denial of service attacks, and install keystroke loggers.

FBI offices participating in Bot Roast II included Cincinnati, Detroit, Jacksonville, Los Angeles, Philadelphia, Sacramento, and Washington, D.C. As happens most often with complex cyber investigations, there was valuable intelligence sharing amongst law enforcement agencies that led to the success of Bot Roast II. Exchange of information between the U.S. Secret Service, the New Zealand Police, and the FBI led to the initiation and enhancement of additional botnet investigations. In one example, authorities in New Zealand, working in collaboration with the FBI Philadelphia Office, conducted a search this week at the residence of an individual who goes by the cyber ID of AKILL. AKILL is believed to be the ringleader of an elite international botnet coding group that is responsible for infecting more than one million computers.

The individuals identified as part of Bot Roast II are as follows:

  1. Ryan Brett Goldstein, 21, of Ambler, Pennsylvania, was indicted on 11/01/07 by a federal grand jury in the Eastern District of Pennsylvania for botnet related activity which caused a distributed denial of service (DDoS) attack at a major Philadelphia area university. In the midst of this investigation the FBI was able to neutralize a vast portion of the criminal botnet by disrupting the botnet’s ability to communicate with other botnets. In doing so, it reduced the risk for infected computers to facilitate further criminal activity. This investigation continues as more individuals are being sought.

  2. Adam Sweaney, 27, of Tacoma, Washington, pled guilty on September 24, 2007 in U.S. District Court, District of Columbia, to a one count felony violation for conspiracy fraud and related activity in connection with computers. He conspired with others to send tens of thousands of email messages during a one-year period. In addition, Sweaney surreptitiously gained control of hundreds of thousands of bot controlled computers. Sweaney would then lease the capabilities of the compromised computers to others who launched spam and DDoS attacks.

  3. Robert Matthew Bentley of Panama City, Florida, was indicted on 11/27/07 by a federal grand jury in the Northern District of Florida for his involvement in botnet related activity involving coding and adware schemes. This investigation is being conducted by the U.S. Secret Service.

  4. Alexander Dmitriyevich Paskalov, 38, multiple U.S. addresses, was sentenced on 10/12/2007 in U.S. District Court, Northern District of Florida, and received 42 months in prison for his participation in a significant and complex phishing scheme that targeted a major financial institution in the Midwest and resulted in multi-million dollar losses.

  5. Azizbek Takhirovich Mamadjanov, 21, residing in Florida, was sentenced in June 2007 in U.S. District Court, Northern District of Florida, to 24 months in prison for his part in the same Midwest bank phishing scheme as Paskalov. Paskalov established a bogus company and then opened accounts in the names of the bogus company. The phishing scheme in which Paskalov and Mamadjanov participated targeted other businesses and electronically transferred substantial sums of money into their bogus business accounts. Immigration and Customs Enforcement, Florida Department of Law Enforcement, and the Panama City Beach Police Department were active partners in this investigation.

  6. John Schiefer, 26, of Los Angeles, California, agreed to plead guilty on 11/8/2007 in U.S. District Court in the Central District of California, to a four felony count criminal information. A well-known member of the botnet underground, Schiefer used malicious software to intercept Internet communications, steal usernames and passwords, and defraud legitimate businesses. Schiefer transferred compromised communications and usernames and passwords and also used them to fraudulently purchase goods for himself. This case was the first time in the U.S. that someone has been charged under the federal wiretap statute for conduct related to botnets.

  7. Gregory King, 21, of Fairfield, California, was indicted on 9/27/2007 by a federal grand jury in the Central District of California on four counts of transmission of code to cause damage to a protected computer. King allegedly conducted DDoS attacks against various companies including a web based company designed to combat phishing and malware.

  8. Jason Michael Downey, 24, of Dry Ridge, Kentucky, was sentenced on 10/23/2007 in U.S. District Court, Eastern District of Michigan, to 12 months in prison followed by probation, restitution, and community service for operating a large botnet that conducted numerous DDoS attacks that resulted in substantial damages. Downey operated Internet Relay Chat (IRC) network Rizon. Downey stated that most of the attacks he committed were on other IRC networks or on the people that operated them. Downey’s targets of DDoS often resided on shared servers which contained other customers’ data. As a result of DDoS to his target, innocent customers residing on the same physical server also fell victim to his attacks. One victim confirmed financial damages of $19,500 as a result of the DDoS attacks.


FBI Assistant Director James E. Finch, Cyber Division, said, “The public is reminded once again that they can play a part in thwarting botnet activity. Practicing strong computer security habits such as updating anti-virus software, installing a firewall, using strong passwords, and employing good e-mail and web security practices are as basic as putting locks on your doors and windows. Without employing these safeguards, botnets, along with criminal and possibly terrorist activities, will continue to flourish.”

It should be noted that the FBI does not contact the public online with requests for personal information. Computer users are urged to be wary of fraud schemes that request this type of information, especially via unsolicited emails. To report fraudulent activity or financial scams, contact either the local police or your local FBI field office as well as file an online complaint with the FBI’s Internet Crime Complaint Center (IC3) at www.ic3.gov.

For more information on botnets and tips for cyber crime prevention, the public is encouraged to visit the following online resources:

what to do about underage hackers

Wednesday, November 28th, 2007

Paperghost wants your input as to how young (13-year-old) hackers should be treated…

http://www.vitalsecurity.org/2007/11/want-to-see-13-year-old-kids-going.html

Multiple Vulnerabilities Fixed in Firefox

Tuesday, November 27th, 2007

Firefox 2.0.0.10 has been released to fix multiple vulnerabilities in the popular open source web browser.

What’s New in Firefox 2.0.0.10
Release Date: November 26, 2007
Security Update: The following security issues were fixed.
MFSA 2007-39 Referer-spoofing via window.location race condition
MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10)
MFSA 2007-37 jar: URI scheme XSS hazard

Earlier Changes: For information about previous changes, please see the Firefox 2.0.0.9 Release Notes.
Firefox 2 Features: For an overview, please see Firefox 2 Features.

Secunia Advisory: SA27725 Mozilla Firefox Multiple Vulnerabilities

Firefox users should immediately upgrade to 2.0.0.10.

Jeff Dunham - Achmed the Dead Terrorist

Friday, November 16th, 2007

Just a little levity for the day.

Why Does This Myth Continue to Live On - The Browser Cookie is Some Sort of Super-Spyware?

Wednesday, November 14th, 2007

Once again, found on Digg: Are you Spyware Savy. OK, you got me curious. So I checked out the blog post at Bauer-Power: Information is Power!

So, quickly scanning the page, this passage just jumps right out at me:

2. What are browser cookies?

Ans: These are created by unethical persons to track your browsing preferences for their own use, to spam your pc with advertisements and marketing ploys, to steal personal information like bank account details, credit card numbers and so on, and to cause harm to your computer and business by stealing data/files.

Now, this guy clearly didn’t write this article himself, since Windows Defender Beta 2 is referenced later in the article.

Back to the subject of this article: the HTTP cookie, or browser cookie, or just simply cookie. That is one piece of super spyware, to do all that. As I stated in an earlier article, It’s a Cookie, Just Delete It!

Cookies are simple pieces of data, unable to perform any operation by themselves. They are neither spyware nor viruses. Cookies are not program code. They cannot erase or read information from the user’s computer. However, cookies allow a site (or set of sites) to detect which of its web pages a user has viewed. This information can be collected in a profile of the user. Such profiles are often anonymous; they do not contain personal information.

Here are a few Myths about Cookies:

  • Myth: Cookies are like worms and viruses in that they can erase data from the user’s hard disks;
  • Myth: Cookies are a form of spyware in that they can read personal information stored on the user’s computer;
  • Myth: Cookies generate popups;
  • Myth: Cookies are used for spamming;
  • Myth: Cookies are only used for advertising.

What exactly is a cookie? HTTP cookies, sometimes known as web cookies, tracking cookies, or just cookies, are small text files sent by a server to a web browser and back unchanged. Cookies are used for authenticating, tracking, and maintaining specific information about users, such as site preferences and shopping cart contents.

There are some privacy concerns around the use of cookies. They can be used for tracking browsing behavior. As a result, they have been subject to legislation in various countries such as the United States and in the European Union. Cookies have also been criticised because the identification of users they provide is not always accurate and they could potentially be used for network attacks.

Cookies are also subject to a number of misconceptions, mostly based on the erroneous notion that they are computer programs. In fact, cookies are simple pieces of data unable to perform any operation by themselves. They are neither spyware nor viruses, despite the detection of certain cookies by many anti-spyware products.
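As an added example (not code from the original post), here is the round trip described above modelled in Python, using constructed Set-Cookie headers from a hypothetical host www.shop.example: the server’s headers are parsed into plain data records, and the matching name=value pairs are sent back unchanged in the Cookie header of a later request, subject to the Domain, Path and Secure attributes.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str               # opaque data: stored and returned, never executed
    domain: str
    path: str = "/"
    secure: bool = False     # only sent back over https
    http_only: bool = False  # hidden from page scripts; no effect on the header


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse one Set-Cookie response header into a Cookie record."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), request_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            cookie.domain = val.lstrip(".").lower()
        elif key == "path":
            cookie.path = val or "/"
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie


class CookieJar:
    """Holds received cookies and picks the ones that match a later request."""
    def __init__(self) -> None:
        self._cookies = {}  # keyed by (name, domain, path); a repeat replaces

    def store(self, cookie: Cookie) -> None:
        self._cookies[(cookie.name, cookie.domain, cookie.path)] = cookie

    def cookie_header(self, url: str) -> str:
        """Return the Cookie request header the browser would send to url."""
        u = urlsplit(url)
        host, path = (u.hostname or "").lower(), u.path or "/"
        sent = []
        for c in self._cookies.values():
            domain_ok = host == c.domain or host.endswith("." + c.domain)
            path_ok = path == c.path or path.startswith(c.path.rstrip("/") + "/")
            secure_ok = u.scheme == "https" or not c.secure
            if domain_ok and path_ok and secure_ok:
                sent.append(f"{c.name}={c.value}")  # value goes back unchanged
        return "; ".join(sent)


def demo() -> tuple:
    """Constructed headers from the hypothetical host www.shop.example."""
    jar = CookieJar()
    for h in ("sessionid=a1b2c3; Path=/; Secure; HttpOnly",
              "cart=3items; Path=/shop",
              "prefs=lang%3Den; Domain=shop.example; Path=/"):
        jar.store(parse_set_cookie(h, "www.shop.example"))
    return (jar.cookie_header("https://www.shop.example/shop/checkout"),
            jar.cookie_header("http://www.shop.example/"))
```

Over plain http the Secure session cookie is withheld and the /shop cookie does not match the root path, so only the preference cookie is returned.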

To delete cookies:

Internet Explorer Users
1. On the Tools menu, click Internet Options.
2. On the General tab, click Settings, and then click View files.
3. Select the cookie you want to delete, and then, on the File menu, click Delete.

To delete all of the cookies on your computer, click Delete Cookies on the General tab.

Firefox Users
On the Tools menu, click Options, click the Privacy button, and under Cookies click the Clear button.

Opera Users
Opera users can manage, disable, and enable cookies by clicking the File menu, then Preferences, and selecting Privacy.

Note
Some Web sites store your member name and password or other personally identifiable information about you in a cookie; therefore, if you delete a cookie, you may need to re-enter this information the next time you visit the site.

IE Defender Folks Playing Games

Monday, November 12th, 2007

If you have been following along, many are familiar with the IE Defender discussion at Castle Cops, http://www.castlecops.com/p1017137-iedefender.html#1017137. Previously blogged about, here.

Well, today Andy at Security Cadets blogged this: Is this the new comedy? IE Defender Related.

Here is what the site looked like yesterday:

xiedefender web page yesterday

Image from Security Cadets.

Today:

xiedefender web page today

The site now displays: IEDefender is coming…
Source: AndyAtHull (securitycadets.com)
Edited: 2007-11-12 12:16 PM EST

Site Live now serving IE Defender:

xiedefender web site 'Live'

Whois Information for: xiedefender.com

[whois.estdomains.com]
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com
Domain Name: XIEDEFENDER.COM

Registrant:
N/A
Alexander (iedefender@gmail.com)
Yborevicha street
Kiev
Kiev Oblast,93000
UA
Tel. +380.993363649

Creation Date: 25-Oct-2007
Expiration Date: 25-Oct-2008

Domain servers in listed order:
ns2.xiedefender.com
ns1.xiedefender.com

Administrative Contact:
N/A
Alexander (iedefender@gmail.com)
Yborevicha street
Kiev
Kiev Oblast,93000
UA
Tel. +380.993363649

Technical Contact:
N/A
Alexander (iedefender@gmail.com)
Yborevicha street
Kiev
Kiev Oblast,93000
UA
Tel. +380.993363649

Billing Contact:
N/A
Alexander (iedefender@gmail.com)
Yborevicha street
Kiev
Kiev Oblast,93000
UA
Tel. +380.993363649

Status:ACTIVE

The data in this whois database is provided to you for information purposes only, that is, to assist you in obtaining information about or related to a domain name registration record. We make this information available “as is”, and do not guarantee its accuracy. By submitting a whois query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (1) enable high volume, automated, electronic processes that stress or load this whois database system providing you this information; or (2) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via facsimile, electronic mail, or by telephone. The compilation, repackaging, dissemination or other use of this data is expressly prohibited without prior written consent from us. The registrar of record is Critical Internet, Inc. We reserve the right to modify these terms at any time. By submitting this query, you agree to abide by these terms.

Same folks, different page.

Geeks Need Grammar too

Sunday, November 11th, 2007

Over at Geeks to go!, Sari makes an excellent case for why grammar and spelling are so important in written communication, especially on the Internet.

It’s said that you only get one chance to make a first impression. Online, that first impression is made with the written word. What do you want yours to be?

You can read the entire article Geeks Need Grammar too at Geeks to go!

Windows Firewall on Vista Blocking Firefox

Saturday, November 10th, 2007

Yesterday, while doing my usual rounds, which include checking out Digg, I saw a Digg post about Vista blocking Firefox.

Windows Security Alert

Initial reaction: What the …? Then I forgot about it as I went back to checking sites and doing some additional research on IE Defender.

So, today here I am, back to what in the world is going on with Microsoft and blocking Firefox. Is there some sort of attempt to keep competing browsers, not running in Windows Protected mode, from accessing the internet? Nope, not even close.

Larry Osterman does a much better job of explaining what is going on than I ever could. You can read about it in his blog post: Chris Pirillo’s annoyed by the Windows Firewall prompt

Information on how to configure the Windows Firewall, on both XP and Vista, for Firefox can be found in the Mozilla Support tutorial Configuring Windows Firewall.

In Your Face! IE Defender

Wednesday, November 7th, 2007

Since writing FixIEDef and making it available to the general public (free of charge, of course), I’m starting to get some feedback from users who were infected by this piece of fraudware.

Comments can be viewed here: http://blog.malwareteks.com/?p=163#comments.

I have also started receiving email feedback.

Rick said:

Dear ShadowPuterDude,

I just wanted to extend a thank-you for taking a stand against those assholes at IE Defender and not only calling them out on the carpet but by writing and providing the FixIEDef utility. I was infected the first time and was able to find the .dll that was causing the problem and delete it. But not two days later a new version that was almost impossible to correct and had me ready to throw my laptop out the window. I am a bit of a tech guy and this virus kicked my ass and had me on my last nerve as my IE was useless because the error message would not go away. I wrote to the IE Defender guys and got an e-mail back saying that they don’t hijack systems they fix them…… I found your script and I had everything fixed in moments. So again thank-you for your time and effort to help guys like me deal with a very nasty problem. You have a new fan and supporter of your site and what you do.

Sincerely, Rick <Last Name Removed>

Email message edited for format and spelling.

So, in your face! IE Defender.

FixIEDef can be downloaded from the following locations:

Primary Download location:
MalwareTeks: http://downloads.malwareteks.com/FixIEDef.exe

Download Mirrors for FixIEDef:
http://it-mate.co.uk/downloads/fixiedef/fixiedef.exe
http://hosts-file.net/download/fixiedef/fixiedef.exe
http://avant.it-mate.co.uk/?c=Download&f=Tools/FixIEDef
http://archives.mysteryfcm.co.uk/?f=Security/AntiMalware/Antispyware/FixIEDef

Instructions: See http://www.malwareteks.com/FixIEDef.php


Content © 2006-2008 MalwareTeks - Every post is the opinion of the author

All works are licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
