Last Updated: 2008-11-06 16:36:18 UTC
by donald smith (Version: 3)
You probably have heard of voting machines that have various security issues.
This article isn't about that. In attempting to hack the election the "politically motivated"
have tried methods other then breaking into the voting machine infrastructure.
I have heard reports of automated phone calls, sms and seen email intended to convince
the receiver that they should vote the day after the election.
Why would you want to convince people to vote late, because that means they didn't
get to vote? People are great procrastinators given an option of doing something today or
doing something tomorrow many of us choose tomorrow;)
This is an email with headers that was sent to George Mason distribution list.
Received from caduceus1.gmu.edu ([22.214.171.124]) by mercury1.gmu.edu (Sun Java System Messaging Server 6.2-2.05 (built Apr 28 2005)) with ESMTP id <0K9S00CFRQAJRMF0@mercury1.gmu.edu>; Tue, 04 Nov 2008 01:35:07 -0500 (EST)
Received from cronus.gmu.edu ([126.96.36.199]) by caduceus1.gmu.edu (Sun Java System Messaging Server 6.2-2.05 (built Apr 28 2005)) with ESMTP id <0K9S00AZLQ20TAA0@caduceus1.gmu.edu>; Tue, 04 Nov 2008 01:35:07 -0500 (EST)
Received from ironport2.gmu.edu (ironport2.gmu.edu [188.8.131.52]) by cronus.gmu.edu (8.13.4/8.13.4) with ESMTP id mA46SYhN028499; Tue, 04 Nov 2008 01:28:43 -0500 (EST)
Received from mail04.gmu.edu ([184.108.40.206]) by ironport2.gmu.edu with ESMTP; Tue, 04 Nov 2008 01:28:42 -0500
Received from LISTSERV.GMU.EDU (mail04.gmu.edu [220.127.116.11]) by mail04.gmu.edu (8.11.7p3+Sun/8.11.7) with ESMTP id mA46Sg429402; Tue, 04 Nov 2008 01:28:42 -0500 (EST)
Received by LISTSERV.GMU.EDU (LISTSERV-TCP/IP release 14.4) with spool id 2611076 for ANNOUNCE04-L@LISTSERV.GMU.EDU; Tue, 04 Nov 2008 01:26:42 -0500
Received from ironport2.gmu.edu (ironport2.gmu.edu [18.104.22.168]) by mail04.gmu.edu (8.11.7p3+Sun/8.11.7) with ESMTP id mA46Gg427221 for <ANNOUNCE04-L@mail04.gmu.edu>; Tue, 04 Nov 2008 01:16:42 -0500 (EST)
Received from m154.prod.democracyinaction.org ([22.214.171.124]) by ironport2.gmu.edu with ESMTP; Tue, 04 Nov 2008 01:16:42 -0500
Received from [10.15.20.114] ([10.15.20.114:39637] helo=web4.mcl.wiredforchange.com) by mailer.mcl.wiredforchange.com (envelope-from <firstname.lastname@example.org>) (ecelerity 126.96.36.199 r(26825/26826)) with ESMTP id BC/ED-21096-AC8EF094; Tue, 04 Nov 2008 01:16:42 -0500
Date Tue, 04 Nov 2008 01:16:42 -0500
From Office of the Provost <email@example.com>
Subject Election Day Update
Sender ANNOUNCE04-L <ANNOUNCE04-L@mail04.gmu.edu>
Content-type multipart/alternative; boundary="----=_Part_3017_30982749.1225779402108"
X_DIA_Originating_IP : 188.8.131.52
X_DIA_Source : Host:web4.mcl.wiredforchange.com DB org
X-IronPort-AV E=Sophos;i="4.33,541,1220241600"; d="scan'208";a="55510806"
X-IronPort-AV E=Sophos;i="4.33,541,1220241600"; d="scan'208";a="55510203"
Comments To: ANNOUNCE04-L@mail04.gmu.edu
To the Mason Community:
Please note that election day has been moved to November 5th. We apologize for any inconvenience this may cause you.
Peter N. Stearns
Brian Krebs does a good job of covering this here:
These tricks aren't new they are just upgraded for the Internet and the mass
messaging capabilities that has created.
This is a list of "dirty tricks" from the 2004 election.
Putting flyers on the door is a bit risky, calling from your home phone is a bit risky,
sending sms spam, email spam, etc ... is fairly safe. Just do it from a compromised system
in another nation, via an open mail relay and chances are you'll never get caught (sigh).
Thanks to our friend and fequent contributor Juha-Matti we have the text of the SMS's being sent
"Due to long lines if you are voting for Barack Obama you can vote tomorrow"
"Due to long lines, all Obama voters are asked to vote tomorrow".
The orginating phone number is reportedly 505-507-6041.
It appears both of the campaings were hacked.
"The computer systems of both the Obama and McCain campaigns were victims
of a sophisticated cyberattack by an unknown "foreign entity," prompting
a federal investigation, NEWSWEEK reports today."
Last Updated: 2008-11-05 20:00:14 UTC
by donald smith (Version: 1)
Thanks go out to Gary Warner for alerting us to this bogus presedential
speech malware being spammed out right now.
"A very prevalent spam campaign promising a chance to view Obama's
acceptance speech is leading instead to keylogger malware that sends
the stolen keystrokes to the Ukraine."
Jack pointed out this link from Websense which also leads people to malware using a fake video this time.
Last Updated: 2008-11-05 15:31:35 UTC
by donald smith (Version: 1)
Tillmann at mwcollect.org wrote in with a sample ms08-067 analysis.
“we've caught an MS08-067 exploitation attempt and provide the
trace and a brief analysis here: http://honeytrap.mwcollect.org/msexploit “
The analysis is good. They have sample packets of the exploit and the call back shell. They show an example of libemu’s sctest. They find the exploiting ip 184.108.40.206. That IP is definitely sequentially scanning ip addresses for tcp 445 looking for vulnerable systems so blocking it at your enterprise gateway is recommended.
Emerging Threats has released signature's to catch trojan checkin and worm traffic outbound.
2008737 - ET CURRENT_EVENTS KernelBot/MS08-67 related Trojan Checkin (emerging.rules)
2008739 - ET CURRENT_EVENTS MS08067 Worm Traffic Outbound (emerging.rules)
Joel covered Sourcefire's signatures and other details related to this activity in his diary here:
Last Updated: 2008-11-05 02:25:00 UTC
by donald smith (Version: 1)
A new version of bothunter's botnet detection tool was recently released.
They have added: dynamic updating, an upgrade to the ruleset,
a basic GUI, bug fixes, malware oriented scan detection, and a set of
malware DNS-query detectors. It has support for linux, freeBSD, MacOS X,
Windows XP and a Live-CD so you can run it without installing it.
This tool uses some unusual correlation techniques to watch the
multi-directional flow of traffic from potentially infected internal systems
with external systems including c&c controllers, malware distribution etc...
"BotHunter flips the paradigm of classic network-based intrusion detection,"
says Phillip Porras, lead developer of the BotHunter project.
"Rather than monitoring who is trying to break into your network,
BotHunter detects those machines inside your network that are trying to
propagate infections or are being remotely controlled by external hackers."
BotHunter also includes a regular update service that allows fielded systems
to be updated with the latest information regarding remote botnet control sites,
malware related-DNS lookups, and Russian Business Network (RBN) address space,
which are used to control infected computers. "Modern malware defenses need to
be adaptive and aware of the latest strategies used by Internet malware, and
BotHunter is ready to meet this challenge."
BotHunter is available for download at www.bothunter.net.
BotHunter was funded through the Cyber-Threat Analytics (http://www.cyber-ta.org)
research grant from the U.S. Army Research Office.