Department of Homeland Security Daily Open Source Infrastructure Report

Monday, January 26, 2009

Daily Report


 According to USA Today, faulty testing kits from Inverness Medical Innovations in Massachusetts resulted in incorrect diagnoses of West Nile virus in at least 42 states, said an officer with the Centers for Disease Control and Prevention. (See item 25)

25. January 22, USA Today – (National) West Nile virus cases were overstated in 2008 across U.S. State health departments across the nation are learning this month the number of West Nile virus cases they thought they had in 2008 was overstated — in one case by more than 35 percent — because of faulty testing kits. The problem test kits, from Inverness Medical Innovations of Waltham, Massachusetts, resulted in incorrect diagnoses of West Nile virus in at least 42 states, said an epidemic intelligence service officer with the Centers for Disease Control and Prevention (CDC). The CDC raised concerns about the faulty kits. “If a person had a false-positive test result for West Nile virus disease, this may have resulted in the incorrect diagnosis and failure to consider other possible causes of their illness,” the CDC stated on its Web site. A false notion that cases are up also could lead states to alter prevention plans. A spokeswoman said some states may want to adjust their prevention planning once they get the new results. An Inverness spokesman said a component failed in the problem test kits. He added that the problem has been corrected, and the company is working with the U.S. Food and Drug Administration to get the kits back on the market by this spring. Source:

 WXII 12 Winston-Salem reports that streets near the U.S. Federal Building in Greensboro, North Carolina were closed Friday as crews worked to remove a suspicious package, which was tested and showed positive signs that it contained explosive residue. (See item 28)

28. January 23, WXII 12 Winston-Salem – (North Carolina) Bomb squad removes suspicious package from Federal Building. Several streets near the U.S. Federal Building in Greensboro, North Carolina were closed Friday as crews worked to remove a suspicious package that had been discovered. Police said the package was tested and showed positive signs that it contained explosive residue. The Greensboro Hazardous Devices Team was called in to remove the package. There were no injuries, and police said roads that had been closed during the investigation were reopened around noon. Source:


Banking and Finance Sector

12. January 23, Medford Mail Tribune – (Oregon) Police warn of cell-phone scam. A scam text message purporting to be from Bank of the Cascades popped up on cell phones across the Rogue Valley — including one issued to the head of the Medford Police Department’s financial investigation section. The message sent out on January 22 asked people to call a number with an area code in California’s Central Valley to verify their accounts as part of a “protection program.” Investigators warned people who got the message on January 22 to delete it without replying or calling the number it provided. Bank of the Cascades reported that it does not conduct business via text messages. The bank’s security division believes this scam is coming from outside the United States. Source:

13. January 22, PC World – (International) Symbian malware takes money from phone. Hackers have discovered a new way to steal money: texting it out of an individual’s phone. Security vendor Kaspersky Lab says it has spotted new variants of a Trojan horse program that do just that, by taking advantage of a feature that lets mobile-phone users in Indonesia use SMS (Short Message Service) text messages to transfer money in their mobile accounts from one phone to another. The software is a variant of the Trojan-SMS.Python.Flocker malware, originally written by Russian fraudsters. This software had been used to sign unwitting victims up for expensive mobile services such as ringtones, presumably with the program’s authors getting a healthy kickback. For the attack to work, the victim must first be tricked into downloading the Python.Flocker program onto a Symbian-based mobile phone. Once installed, the software uses a feature available to Indonesian mobile-phone users that lets them send a short SMS message to another subscriber that transfers the money into their account. The Trojan transfers the equivalent of between $0.45 and $0.90, depending on which version of the program is installed. The Symbian operating system is used in phones made by Nokia, Motorola, Samsung, and Sony Ericsson, among others. Source:

14. January 22, Waterloo-Cedar Falls Courier – (Iowa) Area bank thwarts phishing scam. A potential Internet phishing scam involving several customers of Grundy National Bank has been quashed, bank officials said on January 21. In this instance, a link to a bogus Web site, designed to simulate the Grundy bank’s legitimate site, was distributed to e-mail accounts. The message came in the form of a “new alert message” and directed the recipient to log into a site designed to resemble the bank’s site. The bank’s marketing officer said the bank received several calls from alarmed customers on January 20 and proceeded to take steps to shut down the bogus site. Source:

Information Technology

32. January 23, The Register – (International) Countdown to Conficker activation begins. Security watchers are bracing themselves to respond to the activation of the huge botnet created by the Conficker superworm. The malware has created a network of infected PCs under its control that the latest estimates put at 9 million or even more — dwarfing the zombie army created by the infamous Storm worm, which reached a comparatively paltry 1m at its peak in September 2007. Variants of Conficker (aka Downadup), which began circulating in late November 2008, exploit the MS08-067 vulnerability in the Microsoft Windows Server service, addressed by Redmond with an out-of-sequence patch in October 2008. The malware also infects removable devices and network shares using a special autorun file. The worm uses social engineering trickery so that users on Windows machines looking to simply browse the contents of a memory stick may be tricked into selecting an option that actually runs a malware payload and infects their PC. Source:

33. January 23, CNET News – (International) Apple issues critical QuickTime security update. Apple issued a critical QuickTime security update, aimed at resolving vulnerabilities in its media player that could potentially allow a malicious attacker to take control of a user’s computer, according to an Apple advisory released last week. Users running QuickTime 7 for Windows or OS X are affected, as well as those who are using Mac OS X 10.4 or Mac OS X 10.5, according to Apple. Apple is advising users to update to QuickTime 7.6, available as QuickTime 7.6 for Windows, QuickTime 7.6 for Leopard, or QuickTime 7.6 for Tiger. The update seeks to address QuickTime security flaws which could potentially allow a malicious attacker to trigger a buffer overflow and execute arbitrary code on a user’s system. The attack could potentially occur via a maliciously crafted movie file, AVI movie file, QTVR movie file, or an RTSP URL, according to Apple. Security researcher Secunia, in its security advisory on January 22, noted the vulnerabilities are considered “highly critical.” Source:

34. January 22, Washington Post – (International) Pirated iWork software infects Macs with Trojan horse. A company that makes security software for Mac computers is warning that copies of Apple’s iWork productivity software that are available for download from peer-to-peer (P2P) file-sharing networks may be infected with a Trojan horse program. The malicious software appears to be designed to enlist infected systems in a bot army that is targeting Web sites with so much junk traffic they can no longer accommodate legitimate visitors. In an alert issued on January 22, Intego said some pirated versions of the $79 iWork software suite circulating on BitTorrent trackers are infected with what it calls OSX.Trojan.iServices.A. Intego said the Trojan is bundled so that it runs when the user installs the pirated iWork software. iServices.A then opens up a “backdoor” on the victim’s computer, effectively alerting the virus writer that a new system is infected and potentially allowing the attacker to upload new software to or perform other actions on the infected Mac. An Intego spokesperson said it appears, from figures on a high-profile torrent tracker site, that as of January 22 the installer program for the infected software suite had been downloaded at least 20,000 times. Source:

35. January 22, DarkReading – (International) Trojan attack masquerades as airline e-ticket notice. Security researchers have spotted a new attack designed to fool users into thinking that airline tickets have been purchased with their credit cards. The attack, which was first spotted as an email from Northwest Airlines, and subsequently as a message from United Airlines, is a realistic-looking “receipt” that contains an attachment bearing the name Your or, according to researchers at security vendor Sophos. The idea is to fool the unwitting user into clicking on the attachment to get more information on who purchased it, according to a researcher at Sophos. “The file does not contain a genuine electronic ticket, of course, and your credit card has not been charged,” he says. “The hackers are hoping that you will be so affronted at being charged for an airline flight that you have not booked that you will open the attachment without thinking.” Users who click on the e-ticket file trigger the download of Troj/Agent-IPS, a data-stealing Trojan horse. Source:

Communications Sector

Nothing to report.