Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, July 15, 2010

Complete DHS Daily Report for July 15, 2010

Daily Report

Top Stories

• The Pittsburgh Tribune-Review reports that an explosion July 14 at U.S. Steel’s Clairton Works in Pennsylvania sent 15 people to area hospitals, at least five of them with critical injuries. A union official said no fatalities were reported. (See item 9)

9. July 14, Pittsburgh Tribune-Review – (Pennsylvania) 15 injured in explosion at US Steel Clairton Works. An explosion July 14 at U.S. Steel’s Clairton Works in Pennsylvania sent 15 people to area hospitals, at least five of them with critical injuries. A union official said no fatalities were reported. Two workers were rushed to West Penn Hospital’s burn unit in Bloomfield, where they were being assessed by doctors. A spokeswoman said the explosion occurred in the mill’s B Battery, an area where coke is made. She said it did not appear there were any fatalities. A worker manning phones at the United Steelworkers’ Local 1557 union hall in Clairton said the mill has nine batteries of ovens for making coke, a fuel made from coal that is used in blast furnaces to make steel. All were shut down after the explosion, the worker said. It remained unclear what caused the blast, the worker said. Source:

• A study released July 13 by the Centers for Disease Control (CDC) and the Florida Department of Health found dengue virus in the Florida Keys, according to CNN. The report noted 12 confirmed cases in Key West so far in 2010, and that about 5 percent of all Key West residents, or 1,000 people, were exposed to it in 2009. (See item 32)

32. July 14, CNN – (Florida) Dengue reappears in the U.S. A study released Tuesday by the Centers for Disease Control (CDC) and the Florida Department of Health finds dengue virus is showing up in the Florida Keys. According to the report, approximately 5 percent of Key West residents, or about 1,000 people, were exposed to it in 2009. So far this year, there have been 12 confirmed cases of dengue in the Key West area. The last time there was a dengue outbreak in Florida was 1934. “These people had not traveled outside of Florida, so we need to determine if these cases are an isolated occurrence or if dengue has once again become endemic in the continental United States,” the chief of the CDC’s dengue branch said in a press release. “We are concerned that if dengue gains a foothold in Key West, it will travel to other Southern cities ... like Miami.” Dengue is the most common virus transmitted by mosquitoes in the world. It causes up to 100 million infections and kills 25,000 people every year. Dengue is found in tropical and sub-tropical climates worldwide, mostly in urban and semi-urban areas, according to the World Health Organization. Symptoms include high fever, severe headache, severe pain behind the eyes, joint pain, muscle and bone pain. There is no vaccine to prevent dengue, but early detection and treatment can reduce the risk of severe illness. Source:


Banking and Finance Sector

12. July 14, Network World – (International) ZeuS Trojan attempts to exploit MasterCard, Visa security programs. The notorious ZeuS banking Trojan is showing off a new trick: Popping up on infected computers with a fake enrollment screen for the “Verified By Visa” or “MasterCard SecureCode Security” programs. The real and legitimate Visa and MasterCard card-fraud prevention programs have cardholders use a password when making card-based purchases online as an additional means of security. The Zeus Trojan, with its ever-growing capability to steal financial information and execute unauthorized funds transfers, has recently been seen attacking banking customers on infected machines by displaying a fake “Verified by Visa” enrollment screen, or its MasterCard counterpart SecureCode, trying to lure victims into a fraudulent online enrollment action that would end up giving criminals sensitive financial data. “When you log into your bank, it says you have to enroll in Verified by Visa, that it is regulated now and you have to do it,” explains the CEO at Trusteer, a security firm that makes software specifically designed for use by banks and their customers to deter malware of this kind. The remotely controlled ZeuS botnet, used by criminal organizations, infects PCs, waits for the victim to log onto a list of targeted banks or financial institutions, and uses various ruses to steal credentials or execute unauthorized funds transfers. This newer attack with utterly fake Verified by Visa and MasterCard SecureCode is designed to trick banking customers into giving over their personal identification numbers, Social Security numbers, credit- and debit-card numbers with expiration dates, and more, the CEO said. “We are investigating ZeuS so we encounter new variants.” Source:

13. July 14, Associated Press – (National) FBI hunts ‘burly bandit’. Authorities are asking for the public’s help in finding a man wanted in at least 10 bank robberies in four New England states. The suspect, dubbed the “burly bandit,” is believed to have robbed banks in Massachusetts, Rhode Island, Connecticut and New Hampshire since April, with the most recent hold up at the Ocean Bank in Merrimack, New Hampshire July 2. The FBI in Boston is offering up to a $20,000 reward for information that could lead to an arrest. The man is described as a white male with short brown hair, in his late 40s or early 50s, approximately 6 feet tall, weighing 250 to 300 pounds. Authorities said he has worn sunglasses, a wig, and a variety of hats including a straw cowboy hat, during the robberies. Source:

14. July 14, Bank Info Security – (National) FDIC regains backup authority. In a move seen as strengthening its oversight powers, the Federal Deposit Insurance Corporation’s (FDIC) board voted recently to restore the agency’s backup supervisory authority. This means that the FDIC can now step in and examine large banks currently under the supervision of other banking regulators, including the Office of the Comptroller of the Currency and the Office of Thrift Supervision. The agency had been given this power back in 1983, following some costly failures of banks that the FDIC had little or no prior knowledge of, said a former FDIC chairman. This power remained in place until 1993, when the board tempered the FDIC’s backup supervisory program by requiring prior board approval before FDIC examiners could exam a national bank or thrift. The revised Memorandum of Understanding gives the FDIC backup supervision authority under an expanded list of circumstances. Source:

15. July 13, KRCG 13 Columbia – (Missouri) Phishing scam targets local bank customers. Scammers targeted Mid-Missouri bank customers July 13. Several viewers contacted the KRCG newsroom to report an automated call received on their cell phones. The message tells the recipient their Mid-America Bank debit card has been deactivated, and to enter the card number to continue. The Mid-America Bank confirmed the calls are not legitimate. The message is part of a phishing scam intended to trick recipients into giving up credit card numbers for fraudulent use. The calls targeted AT&T mobile customers in Mid-Missouri, whether or not they are customers of Mid-America Bank. Mid-America Bank said their customers’ information has not been compromised. Source:

Information Technology

43. July 14, The H Security – (International) Scareware: Now with live support. A researcher of Kaspersky has discovered that scareware distributors are now offering live support. Users installing fake anti-virus software Security Master AV and clicking on the “Online Support” button are directed to a chat window in which they can put questions directly to the scareware “vendor.” The aliases “Debora Brown,” “Kendra Grace” and “David Lee” appear to have all the time in the world online to convince victims in fluent English that their software is genuine, and to get them to install the bogus full product. Alternatively, victims can call them up, or send an e-mail. As a special extra, the “support team” offers a one-day, trial version of the full product, which reliably removes the imaginary malware identified by the “demo” version from the user’s system. The Kaspersky researcher was even offered an uninstaller for the Security Master software, but this left behind a number of files. He thinks the extra-helpful scareware distributor is located in Russia or the Ukraine. Information on recognizing scareware and on the dangers it poses can be found in the article “Rogue anti-virus products” on The H Open. Source:

44. July 14, – (International) UK re-enters spam relaying ‘Dirty Dozen’. The U.S. is still the country most likely to relay spam e-mails, but the U.K. is gaining fast, according to the latest figures from Sophos. The security firm said that the U.K. had shot up from ninth to fourth position on the list. The proportion of spam sent by the U.S. has increased by just over 2 percent in the last quarter alone, and now stands at roughly 15 percent. The U.K., which has not always been on the list, is responsible for about 4.5 percent of all relayed spam. The gain is indicative of the increases seen across Europe, which has not traditionally been a spam hotspot. “It’s sad to see spam relayed via compromised European computers on the rise. The U.K., France, Italy and Poland have all crept up the rankings since the start of the year,” said the senior technology consultant at Sophos, in a blog post. He explained that, for all the efforts of spammers, their success or failure is determined by the actions of individual end users. Spam accounts for 97 percent of all e-mail received by businesses, according to Sophos. Source:

45. July 14, CNET News – (International) Report: Adobe Reader, IE top vulnerability list. The most exploited vulnerabilities tend to be Adobe Reader and Internet Explorer, but a rising target for exploits is Java, according to a report set to be released July 14 by M86 Security Labs. Of the 15 most exploited vulnerabilities observed by M86 Labs during the first half of this year, four involved Adobe Reader and five Internet Explorer, the lab wrote in its latest security report for January through June 2010. Also on the Top 15 list were vulnerabilities affecting Microsoft Access Snapshot Viewer, Real Player, Microsoft DirectShow, SSreader, and AOL SuperBuddy. Most of the exploits were first reported more than a year earlier and were addressed by vendors, “highlighting the need to keep software updated with the latest versions and patches,” the report said. More Java-based vulnerabilities have been actively exploited, reflecting attackers’ attraction to Java’s popularity and broad install base. In the most common attack scenario, browsers visiting a legitimate Web site are redirected by a hidden iFrame or JavaScript to a malicious Web page that hosts a malicious Java applet, according to the report. Meanwhile, attackers are finding new ways to dodge malware-detection mechanisms, the M86 report found. “Over the last few months, we have observed a new technique of code obfuscation that combines JavaScript and Adobe’s ActionScript scripting language,” which is built into Flash. Source:

46. July 14, CNET News – (National) Report: Alleged Russian spy worked for Microsoft. A twelfth alleged Russian spy recently identified by the U.S. government has a tech connection: he worked for Microsoft. The alleged spy has been deported to Russia because federal investigators believe he was “in the early stages” of alleged espionage, The Washington Post reported July 14. The paper’s anonymous government source asserted that the allege spy had “obtained absolutely no information” while he was in the United States. He had been in the Seattle area and working for Microsoft as a software tester since October. Microsoft confirmed to the Post that the suspect was, in fact, an employee since last October. Source:

47. July 13, IDG News Service – (International) With fix now out, Microsoft sees jump in XP attacks. Microsoft urged Windows users to update their software July 13, saying it has now seen more than 25,000 attacks leveraging one of the critical bugs fixed in July’s monthly security patches. Microsoft researchers tracked a “fairly large,” spike in Web-based attacks that exploit the problem the past weekend, the company said in a blog posting. “As of midnight on July 12 (GMT), over 25,000 distinct computers in over 100 countries/regions have reported this attack attempt at least one time.” On the busiest single day, Microsoft researchers tracked more than 2,500 attacks, a small number considering Windows’ massive user-base. Still, Microsoft and security experts are worried about this flaw because it has been publicly known for more than a month, and has shown up in real-world attacks. Users in Russia are now the most-targeted, Microsoft said. They have accounted for 2 percent of all attacks, which translates to about 10 times the worldwide average total number of attacks per computer. Portugal is the second most-targeted region. Successful attacks secretly install malicious software on the victim’s machine, often a program called Obitel. Once Obitel is on a PC, it enables other malware to be loaded, such as malware that can log keystrokes, send spam, or perform other nefarious tasks. Source:

48. July 13, Help Net Security – (International) Cybercriminals increase effectiveness with multi-stage attacks. Cybercriminals have been increasing the effectiveness of their individual outreach by creating multi-stage or blended attacks, which combine messaging and Web elements. They use e-mail or search-engine results to lure victims to sites hosting spam advertising, malware, or phishing. A new Commtouch report analyzes the many methods fraudsters, malware distributors and spammers use to inspire their victims to action, such as leveraging trusted brands like Apple and Google; holidays, or current events, for example, the World Cup international soccer tournament. During Q2, Gmail and Yahoo kept the top spots as far as spoofed domains for e-mail distribution, but they have been joined in the top six by Twitter. The Twitter domain was faked in a widespread mailing designed to lure users to a “password reset” Web page that contained malware. Other highlights from the Commtouch report include: Spam levels averaged 82 percent of all e-mail traffic throughout the quarter, bottoming out at 71 percent at the start of May and peaking at nearly 92 percent near the end of June. These numbers are slightly lower than those detected in Q1 and equate to an average of 179 billion spam messages per day; Pharmacy spam retained the top spot with 64 percent of all spam; and India has surpassed Brazil for the title of the country with the most zombies (13 percent of the world’s total). Source:

49. July 13, The New New Internet – (National) FBI raids cyber gang following harassment. Federal agents raided the homes of three members of a hacker gang who allegedly harassed a security expert who helped to put the group’s leader into prison, according to media reports. Back in May, a suspect pleaded guilty to charges of computer-tampering for placing malware on computer machines at the Texas hospital where the security expert worked. The suspect led the anarchistic hacking group Electronik Tribulation Army. His arrest fueled harassment by other members of the group against the security researcher who first alerted authorities. “They set up a Web site in my name to pose as me, and put up embarrassing content or things they thought would embarrass me, including a call-to-action to buy sex toys, and fake pornographic images,” said the owner of McGrew Security. “They harvested e-mail addresses from the university I work at and e-mailed it out to those addresses.” Source:

50. July 13, PC Advisor UK – (International) Bizarre phone ransom Trojan found by researchers. Researchers have discovered a bizarre piece of Trojan ransomeware which disables programs on infected PCs before demanding victims make an unaccountably small payment to a Ukrainian mobile phone network in return for an unlock code. According to Webroot, the Krotten ransom Trojan is one of the oddest pieces of malware of the year. Taking the path of least resistance, it eschews the complex encryption outlook taken by a range of ransomware programs in the past and simply sets out to interfere with the host PC in as many ways as possible. It starts out by changing 40 registry keys for a number of Windows settings, adding expletive text in Russian to the Internet Explorer title bar, disabling features such as the Windows Start bar, and blocking the ability to print or open files. It also stops most applications from running at all. Any location in Windows that would normally display the current time now also displays a Russian language profanity. Rebooting the system will display the following text box in Russian, which Webroot helpfully translates in its blog on Krotten. “In order to restore normal functionality of your computer without losing all the information! and saving money, send me an e-mail to, with the code for replenishing a Kyivstar account with 30 Grivna. In response within 24 hours you will get an e-mail with a file to remove this program from your computer.” Grivna is the currency of the Ukraine and 30 Grivna is the equivalent of less than $4, a curiously small sum to demand. This, and the generally incompetent nature of some aspects of the malware, raises the possibility that it is more of a prank than a serious means of scamming people for money. The Trojan was, the researchers reckon, also written using a DIY malware kit called Sign 0f Misery (S0M). Source:

51. July 12, Infoworld – (International) SANS study: One in five mobile devices running malware. Ask a painful question, get a painful answer: That was the lesson the SANS Institute’s Internet Storm Center (ISC) learned recently when it surveyed its membership on the subject of malicious programs that target mobile devices like iPhones and BlackBerrys. In a running poll that has, so far, netted 540 respondents, SANS researchers found that 85 percent were not scanning their mobile devices for malicious programs. Of the 15 percent who were, 18 percent found mobile malware running on their devices. That’s higher than the overall infection rate for PCs in North America, which Microsoft (in this case, the best arbiter of such questions) pegs at between 7 and 10 percent of all Windows systems in the United States and Canada. In fact, 18 percent is close to the infection rate for XP SP1 systems. by extrapolating the number, SANS projects that as many as 83 of the 457 participants who were not scanning their mobile devices could be missing an active malware infection. Experts noted that a review of the number of smartphones in use globally and the infection numbers get even scarier, but also more hypothetical — after all, the mobile universe is not a monoculture like the PC world. There are endless variations of Symbian, Windows Mobile, Palm, as well as BlackBerry, iPhone, Android and the like. Not all are equally valuable or attractive to attackers, experts said. It is also not clear what kinds of malware turned up on the self-reported scans and whether false positives might be in the mix. Source:

Communications Sector

52. July 13, Lakeland Ledger – (Florida) Damaged cable disrupts AT&T cellular service in Polk. AT&T said a road construction crew is to blame for the cell phone outage July 13 that affected Polk County, Florida. Service was restored about 7:30 p.m. A road crew in Lake Mary accidentally cut a main AT&T cable about 4 p.m. that served several cell sites in the West and Central Florida areas, according to the Orlando Sentinel. AT&T cell phone service was intermittent during the afternoon and into the evening. Other cell phone companies were not affected. Source:

53. July 13, Kitsap Sun – (Washington) Manette phone lines damaged; service disrupted to 120 customers. Up to 120 Qwest phone customers in Manette, Washington lost phone service July 12 in an outage expected to last for some into early July 14. A regional spokesman for Qwest said a line that runs under water into a vertical cliff appears to have let water come in. The line is north of the Manette Bridge. Crews are permanently rerouting customers affected by the outage rather than trying to access the damaged line. The lines were likely installed around World War II. The spokesman said he believes this is probably the last submarine line Qwest uses to serve the Manette area. Source: