Cloudy Skies

Before the Storm (image by premasagar via Flickr)

Storm talk is thundering across the security blog horizon. Despite the consensus that this spam monster is indeed a Storm relative, there is some argument over just how NEW this new Storm is.

Several people have taken a look at the spam-spewing samples, digging into the malware’s functionality as well as its communication and the templates used for generating the various spam emails. They have found major similarities between several aspects of the new and old Storm fronts, including filename usage and user-agent typos (Windoss instead of Windows), but the more recent version has dropped the peer-to-peer portion of the code.

Atif Mushtaq at FireEye writes that these are all details he observed on a Storm variant back in 2008. So is this old news? Nothing about what is being called Pecoan (another name in the long list: Nuwar, Peacomm, Zhelatin, Dorf) is really more sophisticated than its predecessor and the samples I ran only connected with one static IP, so I don’t think this Storm will be as violent as the last. The creators of the original Storm have had enough time to code a better botnet so perhaps this is just a rediscovery of a forgotten remnant.

Right now compromised systems are sending out online pharmacy, adult dating, and nude celebrity emails. The template design allows for a wide array of sender names, subjects, message content, and destination URLs. The malware harvests email addresses from the victim machines and sends Base64-encoded POST requests to pass information and report in to its C&C.
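The two observable traits described above, the misspelled “Windoss” user-agent and Base64-encoded POST bodies carrying harvested addresses, are the kind of thing a proxy log review can key on. The following is an added example written for this post, not code from the original or from any vendor analysis; the pipe-delimited log format, the client addresses, the 203.0.113.10 C&C address and the request bodies are all constructed for illustration, and the heuristics are deliberately simple.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed sample proxy log (not real traffic). Field layout is assumed:
# timestamp|client_ip|method|url|user_agent|request_body
_b64 = lambda s: base64.b64encode(s.encode()).decode()
HARVESTED = "joe@example.com;sue@example.org"  # constructed payload
SAMPLE_LOG = "\n".join([
    "2010-04-21T10:00:01|10.0.0.5|GET|http://example.com/index.html|Mozilla/5.0 (Windows NT 6.1)|",
    "2010-04-21T10:00:07|10.0.0.9|POST|http://203.0.113.10/gate.php|Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT 5.1)|" + _b64("hello world"),
    "2010-04-21T10:00:12|10.0.0.7|POST|http://example.com/login|Mozilla/5.0 (Windows NT 6.1)|user=bob&pass=secret",
    "2010-04-21T10:00:20|10.0.0.9|POST|http://203.0.113.10/gate.php|Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT 5.1)|" + _b64(HARVESTED),
])

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
FIELDS = ("ts", "client", "method", "url", "user_agent", "body")


def looks_base64(body: str) -> bool:
    """True if the body is non-trivial, well-formed Base64 (strict alphabet and padding)."""
    if len(body) < 8 or len(body) % 4 != 0 or not B64_RE.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one pipe-delimited log line into a record; None if malformed."""
    fields = line.split("|", 5)
    if len(fields) != len(FIELDS):
        return None
    return dict(zip(FIELDS, fields))


def analyse(log_text: str) -> List[Dict[str, object]]:
    """Return records that match the Storm-style traits, with reasons attached."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons: List[str] = []
        # Trait 1: the "Windoss" typo in the user-agent string.
        if "Windoss" in rec["user_agent"]:
            reasons.append("user-agent typo 'Windoss'")
        # Trait 2: a POST whose body is a Base64 blob rather than a form or JSON.
        if rec["method"] == "POST" and looks_base64(rec["body"]):
            reasons.append("base64-encoded POST body")
            decoded = base64.b64decode(rec["body"]).decode("utf-8", errors="replace")
            rec["decoded"] = decoded
            # Harvested addresses would show up once the body is decoded.
            rec["emails"] = EMAIL_RE.findall(decoded)
        if reasons:
            rec["reasons"] = reasons
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for hit in analyse(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["url"], "; ".join(hit["reasons"]))
        if "emails" in hit:
            print("  decoded:", hit["decoded"], "| addresses:", hit["emails"])
```

Either trait alone would be noisy on a real network (legitimate clients do POST Base64 blobs); the value is in the combination, and in grouping hits by client so that a host repeatedly reporting in to one static IP, as the samples in this post did, stands out from a one-off match.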

As always, be cautious while online and when in doubt, don’t click.

Matt Sully
Threat Research & Analysis


Private Discussion

User privacy is of major concern to just about everyone, because just about everyone needs some level of privacy. Google, with its massive user following and array of product offerings, has a huge responsibility to keep their users’ data confidential and safe. The Google Buzz bungle is an example of how Google’s handling of private user information doesn’t always live up to expectations.

Privacy/Data/Information commissioners from 10 countries sent a joint letter to Google CEO Eric Schmidt on April 20, expressing their concern that “the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications.”

The letter made various statements like Google Buzz “betrayed a disappointing disregard for fundamental privacy norms and laws” and that “launching a product in “beta” form is not a substitute for ensuring that new services comply with fair information principles before they are introduced.” Also included were suggested principles to be used by Google to ensure user privacy, such as “collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service” and “ensuring that all personal data is adequately protected.”

While the letter seems well intentioned, its message is a bit late to the stage. U.S. Congressman John Barrow penned his own joint letter to the Federal Trade Commission at the end of March over the same Buzz/privacy issues. Congressman Barrow’s letter cites the Electronic Privacy Information Center’s (EPIC) previously filed complaint “alleging that Google Buzz violates federal privacy law.” In what amounts to a public response, Google issued a letter to the Federal Trade Commission regarding its policies on information privacy. In this ten-page letter, Google shared its efforts to “develop products that reflect strong privacy standards and practices.” It also stated its support for “strong industry commitments to ensure transparency, user control, and security in Internet services for consumers” as well as “strengthened protections from government intrusion.”

To demonstrate a small history of various government “intrusion”, Google created the government requests page (http://www.google.com/governmentrequests/). The page maps out content removal requests and user data requests made by government agencies for the second half of 2009. The leaders in user data requests are Brazil (3663), the U.S. (3580), the U.K. (1166) and India (1061).

Also displayed on this map is every country that signed the privacy letter to Google. Government agencies from France, Germany, Israel, Italy, Ireland, the Netherlands, New Zealand, Spain, Canada and the United Kingdom all scolded Google for inadvertently disclosing personal user information, yet had prodded Google for the same kind of information months earlier.

Though data protection departments may not be the ones who made the requests, government is often looked at as a collective entity, causing some to consider these actions hypocrisy. In the FAQ for the government requests page, Google says “the statistics primarily cover requests in criminal matters.” Does this justify cooperation from Google? When is it okay to abandon privacy for the sake of law enforcement? I don’t know. It is a difficult balance for Google and world governments in protecting both privacy and national laws.

The Electronic Communications Privacy Act (ECPA) is a key part of finding this balance. Find out more:

If you want to see what Google has on you, start with:

Matt Sully
Threat Research & Analysis
