Department of Homeland Security Daily Open Source Infrastructure Report

Monday, August 31, 2009

Complete DHS Daily Report for August 31, 2009

Daily Report

Top Stories

The Tampa Bay Business Journal reports that the Federal Aviation Administration is investigating Southwest Airlines after a routine inspection found that the airline had installed unauthorized parts on 46 of its planes. The carrier grounded those planes for several hours on August 22 after the FAA’s inspection. (See item 22)

22. August 27, Tampa Bay Business Journal – (National) FAA investigating Southwest Airlines. The Federal Aviation Administration (FAA) is investigating Southwest Airlines after a routine inspection found that the airline had installed unauthorized parts on 46 of its planes. The Dallas-based carrier grounded those planes for several hours Saturday after the FAA’s inspection. The unauthorized part, known as a hinge fitting, goes on the airplane’s wing, an FAA spokesman said. The FAA determined that the unauthorized part “was not an immediate safety hazard,” and it is working with Southwest to find a solution. Though the FAA found no immediate safety issue, Southwest temporarily grounded the planes anyway. The 46 planes in question represent close to 10 percent of Southwest’s total fleet, but the airline would be able to accommodate passengers in the event that they were grounded. The company has extra planes available for contingencies. Source:

According to IDG News Service, the FBI is trying to figure out who is sending unsolicited laptop computers to state governors across the United States. Some state officials are worried that the laptops may contain malicious software for accessing government computers. (See item 34)

34. August 27, IDG News Service – (National) FBI investigating laptops sent to U.S. governors. There may be a new type of Trojan Horse attack to worry about. The U.S. Federal Bureau of Investigation is trying to figure out who is sending laptop computers to state governors across the United States, including the West Virginia governor and Wyoming governor. Some state officials are worried that they may contain malicious software. According to sources familiar with the investigation, other states have been targeted too, with HP laptops mysteriously ordered for officials in 10 states. Four of the orders were delivered, while the remaining six were intercepted, according to a source who spoke on condition of anonymity because of the ongoing investigation. The West Virginia laptops were delivered to the governor’s office several weeks ago, prompting state officials to contact police, according to the state’s chief technology officer. “We were notified by the governor’s office that they had received the laptops and they had not ordered them,” he said. “We checked our records and we had not ordered them.” State officials in Vermont and Wyoming told him they have received similar unsolicited orders, he said. Although there is no evidence that the computers contain malicious code, HP confirmed on August 27 that there have been several such orders and that they have been linked to fraud. HP is working with law enforcement personnel on a criminal investigation. Criminals have tried to put malware on USB devices and then left them outside company offices, hoping someone would plug them into a computer and inadvertently install malicious software on the network. Many Windows systems are configured to automatically run software included on CDs and USB devices using a Windows feature called AutoRun. Many organized criminals would be happy to spend the cost of five PCs in order to access government computers, said the director of investigations with security consultancy Team Cymru. Source:
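The AutoRun behaviour mentioned in items 34 and 16 (unsolicited laptops, mailed CDs) is governed by the NoDriveTypeAutoRun registry value. The following is an added example, not part of the DHS report or of any Microsoft tooling: it decodes that value from constructed `reg query` output, lists the drive types that would still AutoRun, and produces the hardening command. The bit meanings are Microsoft's documented ones; the sample output and values are constructed.

```python
"""Decode a Windows NoDriveTypeAutoRun value and report which media types
would still AutoRun. Added example; not from the DHS report or from Microsoft.
The bit assignments are the documented meaning of the NoDriveTypeAutoRun
registry value; the sample reg query output below is constructed."""
import re

# Each bit, when SET, disables AutoRun for that drive type. Bit 0x02 is unused.
DRIVE_TYPE_BITS = {
    0x01: "unknown drive type",
    0x04: "removable (USB sticks, floppies)",
    0x08: "fixed (hard disks)",
    0x10: "network shares",
    0x20: "CD-ROM / DVD",
    0x40: "RAM disks",
    0x80: "reserved / unknown",
}
DISABLE_ALL = 0xFF  # every bit set: AutoRun suppressed for all drive types

# Constructed sample of what `reg query` prints for the Explorer policy key.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0x91
"""

_VALUE_RE = re.compile(r"NoDriveTypeAutoRun\s+REG_DWORD\s+(0x[0-9A-Fa-f]+|\d+)")


def parse_reg_query(text: str):
    """Extract the DWORD from reg query output; None if the value is absent
    (absent means Windows falls back to its built-in default)."""
    m = _VALUE_RE.search(text)
    return int(m.group(1), 0) if m else None


def autorun_allowed(value: int) -> list:
    """Drive types whose AutoRun is NOT suppressed by this value."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit]


def exposed_to_mailed_media(value: int) -> bool:
    """True when a CD or a removable device would still trigger AutoRun,
    i.e. the delivery vector behind the mailed laptops and CDs is open."""
    return not (value & 0x20) or not (value & 0x04)


def remediation(value: int) -> str:
    """The reg.exe command that sets the fully disabled value (0xFF = 255)."""
    if value == DISABLE_ALL:
        return "already hardened"
    return (r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer "
            r"/v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f")


if __name__ == "__main__":
    current = parse_reg_query(SAMPLE_REG_QUERY)
    print(f"value 0x{current:02X} still allows AutoRun on: {autorun_allowed(current)}")
    print("exposed to mailed media:", exposed_to_mailed_media(current))
    print(remediation(current))
```

The constructed value 0x91 (unknown, network and reserved types disabled) is the kind of setting that still lets a CD or USB stick AutoRun, which is exactly what the mailed-media schemes in items 16 and 34 count on; only a value with bits 0x04 and 0x20 set closes that path.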


Banking and Finance Sector

15. August 28, St. Louis Business Journal – (National) Banks on FDIC’s problem list top 400. The FDIC added 111 banks to its “Problem List” in the second quarter. At the end of June, there were 416 insured institutions on the list, up from 305 on March 31. This is the largest number of institutions on the list since June 30, 1994, when there were 434 institutions on the list, according to the government fund that protects consumer deposits. Total assets of problem institutions increased during the quarter from $220 billion to $299.8 billion, the highest level since December 31, 1993. The Federal Deposit Insurance Corp. does not name the problem banks. Deteriorating loan quality in the second quarter continued to hamper commercial banks and savings institutions insured by the Federal Deposit Insurance Corp., sending them to a multi-billion-dollar loss. Banks insured by FDIC posted a loss of $3.7 billion in the second quarter, the FDIC said on August 27. This compares with a $4.8 billion profit in the second quarter of 2008. And more than 28 percent of all insured institutions reported a loss in the second quarter, compared with 18 percent a year earlier. Source:

16. August 27, ZDNet – (National) Hackers mailing malware-infested CDs to banks. Reminiscent of the days when viruses were distributed on floppy disks, cybercriminals are currently mailing infected CDs to credit unions and smaller banks as part of a clever offline scheme to load malicious software into computers with valuable data. According to an alert issued by the National Credit Union Association, a credit union reported receiving a bogus fraud advisory accompanied by two compact discs. The letter advises credit unions to review training material (contained on the CDs). Doing so could result in a possible security breach to a user’s computer system, or have other adverse consequences. The letter contains several spelling and grammatical errors but, as a researcher points out, this low-tech attack method can be highly effective because smaller businesses are not properly equipped and educated to deal with these types of threats. Source:

17. August 27, U.S. Department of Justice – (National) Stanford Financial Group CFO pleads guilty to charges related to $7 billion scheme to defraud investors. The former chief financial officer of Houston-based Stanford Financial Group (SFG) pleaded guilty Thursday to fraud and obstruction charges related to a $7 billion scheme to defraud investors. The former chief was charged in a criminal information, filed on June 18, 2009, with conspiracy to commit mail, wire and securities fraud; mail fraud; and conspiracy to obstruct a U.S. Securities and Exchange Commission (SEC) investigation. According to the plea documents, the former chief admitted that as part of the scheme, he and his co-conspirators defrauded investors who purchased approximately $7 billion in certificates of deposit (CDs) administered by Stanford International Bank Ltd. (SIBL), an offshore bank located on the island of Antigua. He further admitted that he and his co-conspirators misused and misappropriated most of those investor assets, including by diverting more than $1.6 billion into undisclosed personal loans to a co-conspirator, while misrepresenting to investors SIBL’s financial condition, its investment strategy and the extent of its regulatory oversight by Antiguan authorities. According to the plea documents, the former chief and his co-conspirators began in 1990 to make false entries into the general ledgers of SIBL relating to revenues and revenue balances. Source:

18. August 27, The Register – (International) Trojan zaps banking credentials via IM. Instant messaging is being adopted by a growing number of banking malware applications, which zap pilfered credentials to thieves in real time. The latest entrant is Zeus, a trojan that monitors an infected PC for passwords entered into banking websites and other financial services. Over the past three months, investigators from RSA FraudAction Research Lab have observed the program, which also goes by the name Torpig and Mebroot, using the Jabber IM protocol to make sure the most valuable credentials do not get lost in the shuffle. The move signals the growing focus on immediacy among scammers as they try to counter the increased use of measures designed to detect and prevent banking fraud. “One of the things that has definitely changed in recent times is that the half-life of a stolen credential is decreasing,” said a senior manager for identity protection and verification at RSA, a division of EMC. “There is definitely a sense of urgency on the part of these fraudsters about using the credential.” Previously, Zeus uploaded the credentials to a drop server database, which scammers periodically checked. The new method employs PHP scripts that automatically send credentials as soon as they are intercepted. That allows thieves to retrieve the information much more quickly than would otherwise be possible. It also allows retrieval even when crooks, many of whom do not always have reliable net connections, do not have access to the server hosting the drop. As a growing number of banks adopt the use of one-time passwords, the need for speedier delivery mechanisms is growing. Instant messaging makes it possible for thieves to thwart such measures by, in some cases, allowing them to silently make transactions while a victim is still logged in to an online bank. A competing trojan known as Sinowal has used similar methods since last year, RSA researchers said. Source:

Information Technology

38. August 28, Tech Herald – (International) Symantec discovers Trojan targeting Skype users. Early on August 27, Symantec issued an advisory that they have discovered the availability of source code for a Trojan that targets Skype users. The Trojan, once installed on a system, has the ability to record conversations in progress, and transmit the recording to a third party. The Trojan is being called Trojan.Peskyspy, and can be delivered in any number of ways, including email links and social engineering attacks, where a user is tricked into downloading and installing an application. The Trojan is targeting Windows API hooks, a technique used to alter the planned behavior of an application, which Microsoft has intended to be used by audio applications. The Trojan compromises the machine and then through the hooking technique is able to eavesdrop on a conversation before it even reaches Skype, or any other audio application. Once a machine has been compromised, the Skype Trojan can use an application that handles audio processing within a computer and save the call data as an MP3 file. This MP3 is then sent over the Internet to a predefined server where the attacker can then listen to the recorded conversations. The MP3 is stored locally and encrypted before it is sent off. “Recording the call as an MP3 keeps the size of the audio files low and means there is less data to be transferred over the network, helping to speed up the transfer and avoid detection,” Symantec said in their alert. Presently, Symantec is calling the risk posed by this threat quite low, as they have not seen any evidence of compiled versions of the Trojan moving around online. Source:

39. August 28, The Register – (International) Hackers serve up pre-release malware to Mac fanboys. Virus slingers are taking advantage of the release of Apple’s Snow Leopard operating system by offering malware from sites touting operating system upgrades. Dodgy sites supposedly offering Snow Leopard were rigged to push an Apple-specific DNS changer Trojan, detected by Trend Micro as JAHLAV-K. The malware is a Mac OS X mountable Disk Image file (.DMG) that comes contaminated with various malicious scripts. Users infected with the Apple-specific malware would find their internet connections redirected to phishing sites and other fraudulent endeavours. Some of these bogus sites hosted scareware (fake anti-virus) packages. Fake sites offering the Mac malware were in operation in the run-up to the release of Snow Leopard on August 28. There are more details in a blog on Trend Micro’s website. A similar attack, detected earlier in the week of August 24, offered malware in the guise of Foxit PDF Reader software for Apple Macs. The pirated version “Foxit Reader for Mac” comes loaded with the Jahlav Trojan horse, anti-virus firm Sophos warns. Foxit Reader is not yet officially available for Apple Macs. When it does come out, prospective users ought to use the official Foxit website, Foxit advises. Source:

40. August 27, Network World – (International) Web attacks across globe appear linked, security researcher says. Three significant waves of SQL injection attacks appear to be under the control of the same source, according to one security researcher. Roughly 80,000 Web sites in China, 67,000 in the U.S. and 40,000 in India remain compromised and under botnet control as a result of separate and ongoing SQL injection attacks. The highest infection point during the last three months reached into the millions at one point in China. The SQL injection attacks have inserted malicious iFrames into legitimate Web sites in order to force visitors off them and onto dangerous malware-laden sites. A senior security researcher at ScanSafe says she believes these three waves of SQL injection attacks are likely the handiwork of the same attacker because of the similarity of the domain-name registration information and style of attack. “It’s the thread of the domain names being used,” the researcher says. Seven of these “mal-domains,” a term coined by the researcher to describe domain names used solely to build Internet infrastructure to spread malware or otherwise cause harm, were registered under the same name and address (which are clearly bogus, being not more than gibberish). These domain names are now apparently being farmed out across the world as part of the globally distinct attacks in China, U.S. and India. In this case, the identified domain names were registered using bogus information provided to registrar Go Daddy, which the researcher says is “highly unusual,” since Go Daddy has a generally good reputation and attackers typically prefer “domain name providers that turn a blind eye.” Source:
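Item 40 describes SQL injection used to plant malicious iframes in legitimate sites. The block below is an added example, not code from the DHS report or from Network World or ScanSafe: it puts the concatenated-query pattern that such campaigns exploit beside its parameterized form, and adds a scanner that flags injected iframes (off-site or invisibly sized) in stored page content, which is how a site owner can find out whether they are among the compromised hosts. The database rows, page HTML and host names (example.com, malicious.invalid) are all constructed for the demo.

```python
"""Added example, not from the DHS report: injectable vs. parameterized query,
plus a scanner for injected <iframe> redirectors in stored page content.
All rows, HTML and host names below are constructed."""
import sqlite3
from html.parser import HTMLParser
from urllib.parse import urlparse


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a CMS articles table (constructed content)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO articles (body) VALUES (?)",
        [("<p>Welcome to our site.</p>",), ("<p>Quarterly results are in.</p>",)],
    )
    return conn


def lookup_unsafe(conn, article_id: str) -> list:
    # Vulnerable: the request parameter is pasted into the SQL text, so the
    # database parses whatever the client sent as part of the statement.
    return conn.execute(
        f"SELECT body FROM articles WHERE id = {article_id}").fetchall()


def lookup_safe(conn, article_id) -> list:
    # Hardened: a bound parameter is always data, never SQL. The same input
    # that rewrites the query above simply matches no row here.
    return conn.execute(
        "SELECT body FROM articles WHERE id = ?", (article_id,)).fetchall()


class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def suspicious_iframes(html: str, trusted_hosts: set) -> list:
    """Return src values of iframes that point off-site or are rendered
    invisibly (0/1-pixel size or display:none): the usual signature of an
    injected redirector as opposed to a legitimate embed."""
    parser = _IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        off_site = bool(host) and host not in trusted_hosts
        tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
        hidden = "display:none" in (attrs.get("style") or "").replace(" ", "")
        if off_site or tiny or hidden:
            hits.append(src)
    return hits


def scan_stored_content(conn, trusted_hosts: set) -> dict:
    """Map article id -> suspicious iframe srcs for every stored row."""
    findings = {}
    for row_id, body in conn.execute("SELECT id, body FROM articles"):
        hits = suspicious_iframes(body, trusted_hosts)
        if hits:
            findings[row_id] = hits
    return findings


# Constructed page: one legitimate embed and one injected hidden iframe.
SAMPLE_PAGE = """
<p>Welcome to our site.</p>
<iframe src="https://www.example.com/video/42" width="640" height="360"></iframe>
<iframe src="http://malicious.invalid/in.cgi?3" width="0" height="0"></iframe>
"""

if __name__ == "__main__":
    conn = make_db()
    print("unsafe, normal input :", lookup_unsafe(conn, "1"))
    print("unsafe, crafted input:", lookup_unsafe(conn, "1 OR 1=1"))  # every row
    print("safe, crafted input  :", lookup_safe(conn, "1 OR 1=1"))    # []
    print("injected iframes     :", suspicious_iframes(SAMPLE_PAGE, {"www.example.com"}))
    # Simulate the aftermath of a successful injection so the scanner has work:
    conn.execute("UPDATE articles SET body = body || ? WHERE id = 2",
                 ('<iframe src="http://malicious.invalid/in.cgi?3" width=0 height=0></iframe>',))
    print("rows with injected iframes:", scan_stored_content(conn, {"www.example.com"}))
```

The scanner is meant to run over the content store or a crawl of the site's own pages; a hit on a host outside the trusted set is the quickest confirmation that a site has been swept up in one of the waves the researcher describes, and the parameterized query is the fix that stops the next wave.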

41. August 27, PC1News – (International) Is Worm.Deborm hiding in your LAN? Computer worms, viruses, Trojans and other threats are increasingly looking for ways to exploit systems. Some of them actively try to break into a user’s PC and others just patiently wait until the user provides the way to the system. But no matter how a threat finds its way into a PC, the most important thing is that as soon as one enters the system, the machine is at risk of being destroyed or otherwise negatively affected. That is the case with Deborm, a worm spreading itself without any user intervention. Deborm has the ability to propagate itself via networks. In other words, Worm.Deborm spreads itself over a local area network (LAN) to any computers that have writable file shares. Once executed, Worm.Deborm will copy itself to a startup folder; as a result, it will automatically run upon reboot. This parasite has the ability to break simple passwords that are used either on the machine or when surfing the web. It is also important to note that the Deborm worm will install a backdoor that will then allow a remote attacker access to a user’s computer system. Through this backdoor cyber criminals will be able to download additional malware, execute suspicious and often malicious programs, as well as steal confidential personal and financial information. Worm.Deborm is known to be related to a file called malware.exe. It has many distinct variants with different MD5 signatures. Source:

For another story, see item 42 below

Communications Sector

42. August 27, IDG News Service – (International) New attack cracks common Wi-Fi encryption in a minute. Computer scientists in Japan say they have developed a way to break the WPA encryption system used in wireless routers in about one minute. The attack gives hackers a way to read encrypted traffic sent between computers and certain types of routers that use the WPA (Wi-Fi Protected Access) encryption system. The attack was developed by two professors who plan to discuss further details at a technical conference set for September 25 in Hiroshima. In November 2008, security researchers first showed how WPA could be broken, but the Japanese researchers have taken the attack to a new level, according to the organizer of the PacSec security conference where the first WPA hack was demonstrated. “They took this stuff which was fairly theoretical and they’ve made it much more practical,” he said. The Japanese researchers discuss their attack in a paper presented at the Joint Workshop on Information Security, held in Kaohsiung, Taiwan earlier in August. The earlier attack, developed by two researchers, worked on a smaller range of WPA devices and took between 12 and 15 minutes to work. Both attacks work only on WPA systems that use the Temporal Key Integrity Protocol (TKIP) algorithm. They do not work on newer WPA2 devices or on WPA systems that use the stronger Advanced Encryption Standard (AES) algorithm. Source:
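The practical consequence of item 42 is a configuration check: an access point is affected only if it still negotiates WPA with TKIP. The following is an added example, not code from the DHS report or from the researchers' paper, that audits a hostapd access-point configuration for that exposure. It uses hostapd's real keys (wpa, wpa_pairwise, rsn_pairwise, wpa_key_mgmt) and hostapd's rule that rsn_pairwise falls back to wpa_pairwise when unset; both sample configurations are constructed and the passphrase is a placeholder.

```python
"""Added example, not from the DHS report or the researchers' paper: audit a
hostapd.conf for the WPA-TKIP exposure. Sample configurations are constructed."""


def parse_hostapd(text: str) -> dict:
    """Minimal hostapd.conf reader: key=value lines, '#' comments ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def audit_hostapd(text: str) -> list:
    """Return findings that leave the AP within reach of the TKIP attacks;
    an empty list means WPA2 with CCMP (AES) only."""
    cfg = parse_hostapd(text)
    findings = []
    wpa = int(cfg.get("wpa", "0"))  # hostapd: 1 = WPA, 2 = WPA2/RSN, 3 = both
    if wpa == 0:
        findings.append("wpa=0: no WPA/WPA2 configured at all (open or WEP network)")
        return findings
    if wpa & 1:
        findings.append(
            f"wpa={wpa} enables WPA version 1, whose usual cipher is TKIP; set wpa=2")
    if wpa & 2:
        # hostapd: rsn_pairwise governs WPA2 and defaults to the wpa_pairwise value.
        rsn = cfg.get("rsn_pairwise", cfg.get("wpa_pairwise"))
        if rsn is None:
            findings.append("no pairwise cipher configured; set rsn_pairwise=CCMP")
        elif "TKIP" in rsn.split():
            findings.append(
                f"WPA2 pairwise cipher '{rsn}' still permits TKIP; set rsn_pairwise=CCMP")
    return findings


# Constructed: a permissive configuration of the kind the attacks apply to.
WEAK_CONF = """
interface=wlan0
ssid=example-net
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=PLACEHOLDER-PASSPHRASE
"""

# Constructed: WPA2 only with AES-CCMP, which the item says the attacks do not reach.
HARDENED_CONF = """
interface=wlan0
ssid=example-net
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=PLACEHOLDER-PASSPHRASE
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_hostapd(conf) or ["OK: WPA2 with CCMP only"])
```

Note that wpa=3 (mixed mode) is flagged even when CCMP is listed, because a client may still negotiate WPA version 1 with TKIP; moving to wpa=2 with rsn_pairwise=CCMP is the only setting the item describes as unaffected.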