Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

hacking the election

Published: 2008-11-05
Last Updated: 2008-11-06 16:36:18 UTC
by donald smith (Version: 3)
0 comment(s)

You probably have heard of voting machines that have various security issues.
This article isn't about that. In attempting to hack the election the "politically motivated"
have tried methods other then breaking into the voting machine infrastructure.

I have heard reports of automated phone calls, sms and seen email intended to convince
the receiver that they should vote the day after the election.
Why would you want to convince people to vote late, because that means they didn't
get to vote? People are great procrastinators given an option of doing something today or
doing something tomorrow many of us choose tomorrow;)

This is an email with headers that was sent to George Mason distribution list.

Received      from caduceus1.gmu.edu ([129.174.0.40]) by mercury1.gmu.edu (Sun Java System Messaging Server 6.2-2.05 (built Apr 28 2005)) with ESMTP id <0K9S00CFRQAJRMF0@mercury1.gmu.edu>; Tue, 04 Nov 2008 01:35:07 -0500 (EST)
Received      from cronus.gmu.edu ([129.174.0.112]) by caduceus1.gmu.edu (Sun Java System Messaging Server 6.2-2.05 (built Apr 28 2005)) with ESMTP id <0K9S00AZLQ20TAA0@caduceus1.gmu.edu>; Tue, 04 Nov 2008 01:35:07 -0500 (EST)
Received      from ironport2.gmu.edu (ironport2.gmu.edu [129.174.0.125]) by cronus.gmu.edu (8.13.4/8.13.4) with ESMTP id mA46SYhN028499; Tue, 04 Nov 2008 01:28:43 -0500 (EST)
Received      from mail04.gmu.edu ([129.174.0.116]) by ironport2.gmu.edu with ESMTP; Tue, 04 Nov 2008 01:28:42 -0500
Received      from LISTSERV.GMU.EDU (mail04.gmu.edu [129.174.0.116]) by mail04.gmu.edu (8.11.7p3+Sun/8.11.7) with ESMTP id mA46Sg429402; Tue, 04 Nov 2008 01:28:42 -0500 (EST)
Received      by LISTSERV.GMU.EDU (LISTSERV-TCP/IP release 14.4) with spool id 2611076 for ANNOUNCE04-L@LISTSERV.GMU.EDU; Tue, 04 Nov 2008 01:26:42 -0500
Received      from ironport2.gmu.edu (ironport2.gmu.edu [129.174.0.125]) by mail04.gmu.edu (8.11.7p3+Sun/8.11.7) with ESMTP id mA46Gg427221 for <ANNOUNCE04-L@mail04.gmu.edu>; Tue, 04 Nov 2008 01:16:42 -0500 (EST)
Received      from m154.prod.democracyinaction.org ([8.15.20.154]) by ironport2.gmu.edu with ESMTP; Tue, 04 Nov 2008 01:16:42 -0500
Received      from [10.15.20.114] ([10.15.20.114:39637] helo=web4.mcl.wiredforchange.com) by mailer.mcl.wiredforchange.com (envelope-from <noreply@gmu.edu>) (ecelerity 2.2.2.35 r(26825/26826)) with ESMTP id BC/ED-21096-AC8EF094; Tue, 04 Nov 2008 01:16:42 -0500
Date      Tue, 04 Nov 2008 01:16:42 -0500
From      Office of the Provost <noreply@gmu.edu>
Subject      Election Day Update
Sender      ANNOUNCE04-L <ANNOUNCE04-L@mail04.gmu.edu>
To      ANNOUNCE04-L@mail04.gmu.edu
Reply-to      noreply@gmu.edu
Message-id      <23911171.1225779402109.JavaMail.root@web4.mcl.wiredforchange.com>
MIME-version      1.0
Content-type      multipart/alternative; boundary="----=_Part_3017_30982749.1225779402108"
Precedence      list
X-Sender-IP      129.174.0.116
X-Sender-IP      8.15.20.154
X_DIA_Originating_IP      : 85.195.123.24
X_DIA_Source      : Host:web4.mcl.wiredforchange.com DB org
X_DIA_Referer      :
X-SENDER-REPUTATION      4.5
X-IronPort-Anti-Spam-Filtered      true
X-IronPort-Anti-Spam-Result      AooAAD96D0mBrgB0kWdsb2JhbACCRzKRHgEBAQEJCwoHEQStA4YRhEuDU4Mv
X-IronPort-AV      E=Sophos;i="4.33,541,1220241600"; d="scan'208";a="55510806"
X-SENDER-REPUTATION      3.7
X-IronPort-Anti-Spam-Filtered      true
X-IronPort-Anti-Spam-Result      AogAAP12D0kIDxSaiWdsb2JhbACCRzKRHgEBAQoLCAkQBax6hhCES4NTgy8
X-IronPort-AV      E=Sophos;i="4.33,541,1220241600"; d="scan'208";a="55510203"
Comments      To: ANNOUNCE04-L@mail04.gmu.edu
List-Owner      <mailto:ANNOUNCE04-L-request@LISTSERV.GMU.EDU>
List-Subscribe      <mailto:ANNOUNCE04-L-subscribe-request@LISTSERV.GMU.EDU>
List-Unsubscribe      <mailto:ANNOUNCE04-L-unsubscribe-request@LISTSERV.GMU.EDU>
List-Help      <mailto:LISTSERV@LISTSERV.GMU.EDU?body=INFO+ANNOUNCE04-L>

To the Mason Community:

Please note that election day has been moved to November 5th. We apologize for any inconvenience this may cause you.

Peter N. Stearns
Provost


Brian Krebs does a good job of covering this here:
http://voices.washingtonpost.com/securityfix/2008/11/election_hoax_e-mail_sent_via.html

These tricks aren't new they are just upgraded for the Internet and the mass
messaging capabilities that has created.

This is a list of "dirty tricks" from the 2004 election.
http://www.flcv.com/dirtytrf.html

Putting flyers on the door is a bit risky, calling from your home phone is a bit risky,
sending sms spam, email spam, etc ... is fairly safe. Just do it from a compromised system
in another nation, via an open mail relay and chances are you'll never get caught (sigh).

 


UPDATE:
Thanks to our friend and fequent contributor Juha-Matti we have the text of the SMS's being sent
"Due to long lines if you are voting for Barack Obama you can vote tomorrow"
or
"Due to long lines, all Obama voters are asked to vote tomorrow".

The orginating phone number is reportedly 505-507-6041.
Link: http://blog.wired.com/27bstroke6/2008/11/bogus-robo-text.html

UPDATE2:

It appears both of the campaings were hacked.

http://www.newsweek.com/id/167581

"The computer systems of both the Obama and McCain campaigns were victims
of a sophisticated cyberattack by an unknown "foreign entity," prompting
a federal investigation, NEWSWEEK reports today."
 

Keywords: voter fraud
0 comment(s)

If you missed President Elect Obamas speech have some malware instead

Published: 2008-11-05
Last Updated: 2008-11-05 20:00:14 UTC
by donald smith (Version: 1)
0 comment(s)

Thanks go out to Gary Warner for alerting us to this bogus presedential
speech malware being spammed out right now.
"A very prevalent spam campaign promising a chance to view Obama's
acceptance speech is leading instead to keylogger malware that sends
the stolen keystrokes to the Ukraine."

http://garwarner.blogspot.com/2008/11/computer-virus-masquerades-as-obama.html

UPDATE:
Jack pointed out this link from Websense which also leads people to malware using a fake video this time.
http://securitylabs.websense.com/content/Alerts/3229.aspx

0 comment(s)

ms08-067 exploitation by 61.218.147.66

Published: 2008-11-05
Last Updated: 2008-11-05 15:31:35 UTC
by donald smith (Version: 1)
0 comment(s)

Tillmann at mwcollect.org wrote in with a sample ms08-067 analysis.

“we've caught an MS08-067 exploitation attempt and provide the
trace and a brief analysis here: http://honeytrap.mwcollect.org/msexploit  “

The analysis is good. They have sample packets of the exploit and the call back shell. They show an example of libemu’s sctest. They find the exploiting ip 61.218.147.66. That IP is definitely sequentially scanning ip addresses for tcp 445 looking for vulnerable systems so blocking it at your enterprise gateway is recommended.
 UPDATE:
Emerging Threats has released signature's to catch trojan checkin and worm traffic outbound.

2008737 - ET CURRENT_EVENTS KernelBot/MS08-67 related Trojan Checkin (emerging.rules)
2008739 - ET CURRENT_EVENTS MS08067 Worm Traffic Outbound (emerging.rules)
http://doc.emergingthreats.net/bin/view/Main/2008737
http://doc.emergingthreats.net/bin/view/Main/2008739
Joel covered Sourcefire's signatures and other details related to this activity in his diary here:
http://isc.sans.org/diary.html?storyid=5275

Keywords:
0 comment(s)

Bot net hunters get an improved tool from SRI bothunters

Published: 2008-11-05
Last Updated: 2008-11-05 02:25:00 UTC
by donald smith (Version: 1)
0 comment(s)

A new version of bothunter's botnet detection tool was recently released.
They have added: dynamic updating, an upgrade to the ruleset,
a basic GUI, bug fixes, malware oriented scan detection, and a set of
malware DNS-query detectors. It has support for linux, freeBSD, MacOS X,
Windows XP and a Live-CD so you can run it without installing it.
This tool uses some unusual correlation techniques to watch the
multi-directional flow of traffic from potentially infected internal systems
with external systems including c&c controllers, malware distribution etc...

From www.bothunter.net
"BotHunter flips the paradigm of classic network-based intrusion detection,"
says Phillip Porras, lead developer of the BotHunter project.
"Rather than monitoring who is trying to break into your network,
BotHunter detects those machines inside your network that are trying to
propagate infections or are being remotely controlled by external hackers."
BotHunter also includes a regular update service that allows fielded systems
to be updated with the latest information regarding remote botnet control sites,
malware related-DNS lookups, and Russian Business Network (RBN) address space,
 which are used to control infected computers. "Modern malware defenses need to
be adaptive and aware of the latest strategies used by Internet malware, and
BotHunter is ready to meet this challenge."

BotHunter is available for download at www.bothunter.net.
BotHunter was funded through the Cyber-Threat Analytics (http://www.cyber-ta.org)
research grant from the U.S. Army Research Office.




 

Keywords: Bothunter
0 comment(s)
Diary Archives