Thursday, December 9, 2010

Complete DHS Daily Report for December 9, 2010

Daily Report

Top Stories

• The Associated Press reports at least 40 people have been treated at hospitals following an ammonia spill that evacuated Randolph, a small city in eastern Minnesota. (See item 7)

7. December 8, Associated Press – (Minnesota) At least 40 treated for ammonia spill injuries. At least 40 people have been treated at hospitals following an ammonia spill that evacuated a small city in eastern Minnesota. Cannon Falls Medical Center said most of the 19 people treated due to injuries from the leak in Randolph will be released December 8. Twenty-one patients were treated at Northfield Hospital. It said five were admitted and one required decontamination. Dakota County emergency managers said a ruptured line spilled anhydrous ammonia at the River Country Co-op north of Randolph. The caustic chemical can cause respiratory injuries. The emergency preparedness coordinator said about 400 residents of Randolph were evacuated to a nearby fire station. Students from the school complex were sent to a church outside the city. Source:

• According to BBC News, authorities have arrested a man in Baltimore, Maryland, for allegedly plotting to blow up an area military recruitment center. (See item 36)

36. December 8, BBC News – (Maryland) Baltimore arrest over ‘recruitment center bomb plot’. Authorities have arrested a man in Baltimore, Maryland, for allegedly plotting to blow up a military recruitment center. A Department of Justice (DOJ) spokesman said the suspect was an American citizen. The spokesman said the man had been monitored by law enforcement officers for months as part of a sting operation. The U.S. Attorney’s Office for Maryland said the suspect was plotting to blow up a military base using a vehicle bomb. The office added there was no danger to the public, and that the explosives were inert. It is not yet clear which of the military recruiting bases in Catonsville, Maryland was his alleged target. Source:


Banking and Finance Sector

14. December 8, Help Net Security – (International) Zeus targets major retailers. Trusteer has discovered a Zeus botnet targeting credit card accounts of major retailers, including Macy’s and Nordstrom, just as the holiday gift buying season is in full swing. The firm captured and analyzed malware samples designed to steal credit card information, probably in order to conduct card-not-present (CNP) fraud. This attack is using a Zeus botnet — the latest and most sophisticated version of the Zeus malware platform. CNP fraud refers to transactions in which a credit card is not physically present, as in an Internet, mail, or phone purchase. It is difficult for a merchant to verify that the actual cardholder is indeed authorizing the purchase. Because of the greater risk, card issuers tend to charge merchants higher fees for CNP transactions. To make matters worse, merchants are typically responsible for CNP fraud transactions. Therefore, CNP merchants must take extra precautions against fraud exposure and associated losses. Source:

15. December 8, Banking Business Review – (Utah) CFTC charges MXBK Group with defrauding hundreds of US customers. The U.S. Commodity Futures Trading Commission (CFTC) has filed an enforcement action in the U.S. District Court for the District of Utah, charging MXBK Group, a private Mexican financial services holding company, and its forex trading division, MBFX SA, with issuing false customer statements and misrepresenting trading results on their Web site. CFTC said MBFX has never been registered in any capacity with it. The CFTC’s complaint alleged that, from at least 2005 to the present, the defendants accepted at least $28 million from more than 800 U.S. customers for the purpose of trading forex on behalf of customers in pooled accounts. The complaint further charged that, from June 2008 through April 2009, the defendants reported trading profits when they actually lost about $19.4 million. The defendants allegedly reported trading profits in at least 8 separate months when they actually incurred substantial trading losses, often exceeding $1 million per month. In its continuing litigation, the CFTC seeks restitution, disgorgement of ill-gotten gains, civil monetary penalties, an accounting of defendants’ assets and liabilities, permanent trading and registration bans, and permanent injunctions against further violations of the federal commodities laws. The CFTC’s action arose from a joint CFTC cooperative enforcement investigation with the FBI, IRS, and the Securities and Exchange Commission. Source:

16. December 8, Honolulu Star Advertiser – (Hawaii) FBI offers $10,000 reward in case of serial bank robber. The FBI is joining the Honolulu Police Department’s (HPD) search for the pistol-wielding “backpack bandit” believed responsible for at least four bank robberies on Oahu, Hawaii this year. The FBI announced December 7 it is offering a $10,000 reward for information leading to his arrest. That is in addition to a $1,000 CrimeStoppers reward. Authorities have dubbed the robber “the backpack bandit” because he has pulled a gun from a backpack in each robbery. The robber “appears to be escalating his level of violence and we are concerned that in the future someone might get hurt,” said the head of HPD’s Criminal Investigation Division. Bank robberies in Hawaii typically consist of a robber showing a note to a teller demanding money, he said. “In this case, he’s brandishing a firearm, going up to multiple tellers. It’s a level of violence we’re not accustomed to here in Hawaii.” An FBI Special Agent said that in one case, a pregnant teller was taken to a hospital for stress symptoms after encountering the robber. Source:

17. December 8, Deutsche Presse-Agentur – (International) WikiLeaks supporters claim to have brought down MasterCard website. A group of hackers supporting the WikiLeaks organization claimed December 7 that it brought down the Web site of MasterCard. The credit card company recently cut the ability of funders to use MasterCard services to donate to WikiLeaks, as did a number of other firms, including rival Visa and online payment service PayPal. The attackers claimed on their Twitter account that the denial of service attack on the Web site was part of “Operation:Payback.” The site was not accessible immediately following the announcement, and users trying to log onto it received a “Network Error” message. The same group of hackers claimed earlier in the week of December 5 that they had managed to disrupt the Web site of the Swiss Postfinance, a bank that shut the account of the WikiLeaks founder. Source:

18. December 7, Denver Post – (Colorado) Cops nab man wanted in four Denver bank robberies in bus station bathroom. A man suspected of robbing two downtown Denver, Colorado banks December 7 was arrested after he walked into a bathroom at the Greyhound bus station at 19th and Curtis Streets, according to Denver police. The 37-year-old man is suspected in the robberies of at least four downtown banks. The first robbery December 7 occurred at the First Bank, 1200 17th Street, at about 7:30 a.m. At approximately 9 a.m., a robber fitting the same description, walked into the Bank of Denver, 405 16th Street, and held it up. A red dye pack exploded as the suspect fled the scene of one of the robberies. A Denver police spokesman said police officers flooded the area, and an undercover officer spotted the suspect. The cases are being investigated by Denver police and the FBI. Source:

19. December 7, Crain’s Chicago Business – (Illinois) Bank executive sentenced to 63 months for fraud. A former Chicago, Illinois-area bank executive was sentenced December 7 to 63 months in federal prison for his role in defrauding his bank of at least $5.1 million. The 56-year-old had pleaded guilty to fraud in August. The Wood Dale resident is scheduled to start serving his prison sentence January 20. The convict was vice-president of loans at First Security Trust & Savings Bank in Elmwood Park. The U.S. Attorney’s Office and the FBI claimed he cost the bank at least $5.1 million when he changed loan terms for 50 customers. Between September 2004 and February 2009, the convict either lied about the amount of collateral required to back a loan or he manipulated documents to hide their delinquency. As a result of the fraud, the bank covered checks worth $2 million for money that wasn’t actually there. The convict is required to repay the $5.1 million in addition to serving his sentence. Source:

For more stories, see item 49 below

Information Technology

45. December 8, Softpedia – (International) New complex rootkit variant leverages Stuxnet 0-day vulnerability. Security researchers warn a new variant of a sophisticated rootkit dubbed TDL4 is leveraging a yet-unpatched privilege escalation vulnerability originally exploited in the wild by the infamous Stuxnet worm. TDL4 is the latest version of a rootkit originally known as TDSS or Tidserv, which appeared in 2008. However, unlike its predecessors, TDL4 is capable of bypassing the code signing protection in 64-bit versions of Windows Vista and 7. By default, these systems do not allow drivers that are not digitally signed to be loaded, but TDL4 manages to get around that by changing boot options before the operating system actually starts. This is done by code injected into the Master Boot Record (MBR) when the computer is initially infected, and the rootkit also disables Windows debugging functions so that researchers have a hard time analyzing it. At the beginning of this month, security experts from Kaspersky Lab began seeing new TDL4 samples, which make use of a zero-day privilege escalation vulnerability in the Windows Task Scheduler. The flaw, which is identified as CVE-2010-3888, is being leveraged to escalate privileges to Local System level in order to bypass UAC (User Account Control) and inject code into the print spooler process. Source:
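Because the item above describes a rootkit that persists by rewriting the Master Boot Record, one check a defender can run is to baseline the MBR's bootstrap code and alert when it changes. The following is an added example, not code from Kaspersky Lab or the Softpedia report; the 512-byte MBR it parses is constructed in `build_sample_mbr`, and the function and constant names are this example's own.

```python
"""Added example: baseline the bootstrap code area of a 512-byte MBR and flag
any change, plus a sanity check on the partition table. The sample MBR is
constructed below; all names here are this example's own assumptions."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439 hold the bootstrap code
DISK_SIG_OFF = 440            # bytes 440..443: disk signature, 444..445 reserved
PART_TABLE_OFF = 446          # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Validate size and boot signature, then pull out the parts worth baselining."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 means an empty slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": partitions,
    }


def check_against_baseline(mbr: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the bootstrap code matches."""
    info = parse_mbr(mbr)
    findings = []
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition marked bootable")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: the given boot code, one bootable type-0x07
    partition starting at LBA 2048, and a valid boot signature."""
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    body += b"\x11\x22\x33\x44" + b"\x00\x00"        # disk signature + reserved
    body += struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    body += b"\x00" * 48                               # three empty entries
    return body + BOOT_SIGNATURE


def demo() -> dict:
    """Baseline a clean MBR, then compare a copy whose boot code was altered."""
    clean = build_sample_mbr(b"\xEB\x3C\x90" + b"CLEANBOOT")
    baseline = parse_mbr(clean)["boot_code_sha256"]
    altered = build_sample_mbr(b"\xEB\x3C\x90" + b"CHANGED!!")
    return {"clean": check_against_baseline(clean, baseline),
            "altered": check_against_baseline(altered, baseline)}


if __name__ == "__main__":
    print(demo())
```

On a real system the 512 bytes would be read from the raw disk device, and the baseline hash stored somewhere the host cannot alter. The caveat is the usual one for rootkits: a kernel-resident component that filters disk reads can hand back the original sector, so a comparison that matters should read the disk from offline or boot media rather than from inside the running system.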

46. December 8, Help Net Security – (International) WordPress Comment Rating plugin CSRF vulnerability. A vulnerability has been reported in the Comment Rating plug-in for WordPress, which can be exploited by malicious people to conduct cross-site request forgery attacks, according to Secunia. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify that the requests were intentionally issued. This can be exploited to perform certain unspecified actions by tricking an administrative user into visiting a malicious Web site. The vulnerability is reported in versions prior to 2.9.21. Source:
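The item above describes the classic cross-site request forgery pattern: a state-changing action authenticated only by the session cookie the browser attaches automatically, so a page on another site can make a logged-in administrator's browser submit it. The following added example (not code from the Comment Rating plug-in, Secunia, or WordPress) models a minimal rating action first without any request validation and then with a per-session anti-CSRF token; the `Request` class, the `SESSIONS` and `RATINGS` stores, and every function name are this example's own assumptions.

```python
"""Added example: a state-changing action vulnerable to CSRF beside a hardened
version that requires a per-session token. All names are hypothetical."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Bare-bones HTTP request. Browsers attach session cookies automatically,
    which is why a forged cross-site request still carries a valid session."""
    method: str
    path: str
    params: dict
    cookies: dict = field(default_factory=dict)


SESSIONS = {}   # session id -> {"user": ..., "csrf_token": ...}
RATINGS = {}    # comment id -> rating; the state a forged request would change


def login(user: str) -> str:
    """Create a session and mint a random token bound to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(16)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The token the site embeds in forms it renders for this session."""
    return SESSIONS[sid]["csrf_token"]


def vulnerable_rate(req: Request) -> str:
    """Authenticated by cookie alone: no check that the request originated
    from a page the site itself served, which is the flaw the advisory describes."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return "401 not logged in"
    RATINGS[req.params["comment_id"]] = int(req.params["rating"])
    return "200 rated"


def hardened_rate(req: Request) -> str:
    """Same action, but requires POST and a token only a page served to this
    session could contain; a third-party page cannot read it, so its form fails."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return "401 not logged in"
    if req.method != "POST":
        return "405 method not allowed"
    supplied = req.params.get("_token", "")
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return "403 bad csrf token"
    RATINGS[req.params["comment_id"]] = int(req.params["rating"])
    return "200 rated"


def cross_site_request(sid: str) -> Request:
    """What a third-party page can cause the victim's browser to send: the
    victim's cookie rides along, but the page has no way to learn the token."""
    return Request("POST", "/rate", {"comment_id": "42", "rating": "1"},
                   {"sid": sid})


def same_site_request(sid: str) -> Request:
    """A form rendered by the site itself embeds the session's token."""
    return Request("POST", "/rate",
                   {"comment_id": "42", "rating": "5",
                    "_token": csrf_token_for(sid)},
                   {"sid": sid})


def demo() -> dict:
    """Show that the forged request succeeds against the vulnerable handler,
    is rejected by the hardened one, and that the genuine form still works."""
    sid = login("admin")
    results = {
        "vulnerable_forged": vulnerable_rate(cross_site_request(sid)),
        "hardened_forged": hardened_rate(cross_site_request(sid)),
        "hardened_legit": hardened_rate(same_site_request(sid)),
    }
    results["final_rating"] = RATINGS["42"]
    return results


if __name__ == "__main__":
    print(demo())
```

In a real WordPress plug-in the equivalent of `csrf_token_for` and the `compare_digest` check is the nonce API (`wp_nonce_field` when rendering the form, `check_admin_referer` or `wp_verify_nonce` when handling the request); the point of the example is that the token must be something a foreign origin cannot obtain, and that the check must run before the state change.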

47. December 8, Help Net Security – (International) WikiLeaks-related spam carries worm. Malware pushers are taking advantage of users’ curiosity about WikiLeaks to gain access to their computers. An e-mail with “IRAN Nuclear BOMB!” in the subject line has been detected by Symantec, with a spoofed header to make it look like it came from, saying “OBAMA is and IMPOSTOR!” and offering a URL. By clicking on it, the victim is taken to a site where a Wikileaks.jar file attempts to download a worm onto the victim’s computer. The worm in question opens a backdoor into the system by using a predetermined port and IP address, and allows the attacker to do all kinds of mischief: stealing, spying, routing traffic through the computer. It can also spread further by copying itself to removable drives and the shared folders of file-sharing programs. Source:

48. December 8, ITProPortal – (International) Twitter hit by worm. Twitter has been hit with a new kind of worm exploiting Google’s URL shortening service. According to TechCrunch, the Twitter virus is using links that start with “http://goo(dot)gl” in order to spread malware. In many cases, the message accompanying the infected link says that the user has “just found the easiest way to track who follows and unfollows you”. The virus, which seems to have originated from Twitter’s mobile site, tries to redirect unsuspecting users to malicious Web sites by encouraging them to click on the link. Using social engineering, users are fooled into thinking the link is secure based on the senders’ reputation and the idea that the URL belongs to a trusted Web giant. People are advised not to click on a random link, even if they have received it from a trusted source. Source:

49. December 7, The Register – (International) Whitehats peer into new botnet’s heart of ‘Darkness’ DDoSes R Us. Whitehat hackers are tracking a new botnet that has become a popular platform for launching Web attacks. Over the past few weeks, members of the Shadowserver group have observed the Darkness botnet unleashing distributed denial of service attacks on more than 100 Web sites in the financial, insurance, and retail industries. They have also uncovered an online campaign advertising DDoS-for-hire services that boast high quality and an average cost of $50 for 24 hours of use. “It now appears that ‘Darkness’ is overtaking BlackEnergy as the DDoS bot of choice,” a Shadowserver volunteer wrote. “There are many ads and offers for DDoS services using ‘Darkness.’ It is regularly updated and improved and as of this writing is up to version 7. There also appears to be no shortage of buyers looking to add ‘Darkness’ to their botnet arsenal.” Source:

50. December 7, Softpedia – (International) Rogue private messages direct Facebook users to Waledac Trojan. A wave of rogue private messages received by many Facebook users directs them to malicious Web sites serving a version of the Waledac Trojan. According to scam tracking Web site Facecrooks, the messages read “I got you a surprise www.[random_name].blogspot(dot)com.” Several different blogspot URLs were observed in these messages, suggesting the people behind this campaign have registered many accounts in advance and rotate them as soon as they get suspended. Visiting the Web sites triggers a prompt that reads “Download photoalbum” and serves an executable file called photo.exe, which is actually a Waledac variant. According to Symantec, Waledac “is a worm that spreads by sending emails that contain links to copies of itself. It also sends spam, downloads other threats, and operates as part of a botnet.” In its description of the threats, the antivirus vendor said Waledac authors commonly organize social engineering-based campaigns to trick users into installing it. Source:
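Items 48 and 50 above describe the same lure mechanics: a short, flattering or curiosity-baiting message, a link whose destination is hidden behind a shortener or a throwaway free-hosted subdomain, and reliance on the sender's reputation. A defender monitoring messages can flag that combination. The following is an added example, not code from TechCrunch, Facecrooks, or Symantec; the sample messages are constructed from the wording quoted in the two items, and the shortener, phrase, and host lists are this example's own assumptions to be extended locally.

```python
"""Added example: flag messages that combine a known lure phrase with a
shortened or free-hosted link, over constructed samples modelled on items
48 and 50. All lists and names below are this example's own assumptions."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"(?:https?://)?(?:www\.)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)
SHORTENERS = {"goo.gl"}                     # from item 48; extend as needed
LURE_PHRASES = [
    "track who follows and unfollows you",  # item 48
    "i got you a surprise",                 # item 50
    "download photoalbum",                  # item 50
]
THROWAWAY_HOSTS = ("blogspot.com",)         # free hosts rotated by the campaign


def extract_urls(text: str) -> list:
    """Rebuild links that the report defanged with "(dot)" before matching."""
    return URL_RE.findall(text.replace("(dot)", "."))


def host_of(url: str) -> str:
    """Hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def classify_message(text: str) -> dict:
    """Return whether the message looks like a lure and why."""
    reasons = []
    lowered = text.lower()
    for phrase in LURE_PHRASES:
        if phrase in lowered:
            reasons.append(f"lure phrase: {phrase!r}")
    for url in extract_urls(text):
        host = host_of(url)
        if host in SHORTENERS:
            reasons.append(f"shortened link hides destination: {host}")
        for suffix in THROWAWAY_HOSTS:
            if host.endswith("." + suffix):
                reasons.append(f"free-hosted subdomain: {host}")
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed samples, modelled on the wording quoted in the report.
SAMPLE_MESSAGES = [
    "just found the easiest way to track who follows and unfollows you "
    "http://goo(dot)gl/xyz12",
    "I got you a surprise www.jennyk81(dot)blogspot(dot)com",
    "Lunch at noon tomorrow? Bring the slides.",
    "new post on our site http://example(dot)com/blog",
]


def scan(messages) -> list:
    """Classify every message; the caller decides what to do with hits."""
    return [classify_message(m) for m in messages]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, scan(SAMPLE_MESSAGES)):
        print(("SUSPICIOUS " if verdict["suspicious"] else "ok         ") + msg)
        for reason in verdict["reasons"]:
            print("    -", reason)
```

The phrase list is deliberately literal because these campaigns reuse their wording; in practice it would be fed from current reports rather than hard-coded, and a shortener hit alone is a weak signal worth scoring rather than blocking outright.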

Communications Sector

51. December 8, Erictric – (National) Verizon Wireless 3G data network goes down overnight due to technical glitch. The Verizon Wireless 3G data network was completely down December 8. Many people were unable to access the Internet from their mobile devices. It has now been confirmed that the outage was caused by a technical glitch during routine maintenance. The 3G data network was apparently down for about 3 hours and 20 minutes from 1:40 a.m. to 5 a.m. Source: