Monthly Archives: March 2012

USPS Click-N-Ship abused in malware spam

This campaign begins with an email that looks like this:



The email indicates that you have been charged a random amount of money to have a shipping label created. In this case, we were charged $47.44. Because we haven’t really ordered a shipping label, we might be upset to be charged, and click the “USPS Click-N-Ship” link that APPEARS to take you to “www.usps.com/clicknship”.

In reality, more than eight hundred destination web pages on more than one hundred sixty (160) websites were advertised in the emails we saw in the UAB Spam Data Mine that use this template, and none of them go to the United States Postal Service.

A single destination would have many subdirectories, all created by the hacker, that contained the link. For example, this Czech website:

1 | lenkajonasova.chytrak.cz | /1xmg2qrr/index.html
11 | lenkajonasova.chytrak.cz | /9hEetc63/index.html
5 | lenkajonasova.chytrak.cz | /CgeknEwU/index.html
14 | lenkajonasova.chytrak.cz | /FP817PwV/index.html
9 | lenkajonasova.chytrak.cz | /hQLv8GxT/index.html
1 | lenkajonasova.chytrak.cz | /LRt1KuAY/index.html
13 | lenkajonasova.chytrak.cz | /qedwZQiv/index.html
1 | lenkajonasova.chytrak.cz | /rSqvJdhP/index.html
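The two tells described above, a visible link text that names usps.com while the href points somewhere else, and a path made of one random eight-character directory plus index.html, can be checked mechanically on the mail gateway or by an analyst. The following Python is an added example and not code from the original post or from UAB; the message body it scans is a constructed sample in the style of the campaign, and the eight-character directory pattern is taken from the table above rather than from any published signature.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body in the style of the campaign (not a real captured message).
SAMPLE_HTML = """
<p>Your USPS postage labels charge: $47.44</p>
<p><a href="http://lenkajonasova.chytrak.cz/1xmg2qrr/index.html">www.usps.com/clicknship</a></p>
<p><a href="https://www.usps.com/help">USPS Help</a></p>
"""

# Path shape seen in the table above: one random 8-character directory, then index.html.
RANDOM_DIR_RE = re.compile(r"^/[A-Za-z0-9]{8}/index\.html$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def claimed_host(text):
    """Host the visible link text appears to point at, or None if it is not URL-like."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host.lower() if host and "." in host else None


def analyse_links(html):
    """Return one finding per link: where it really goes and why it looks suspicious."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        actual = (parsed.hostname or "").lower()
        claimed = claimed_host(text)
        reasons = []
        # Mismatch between what the user reads and where the browser will go.
        if claimed and claimed != actual and not actual.endswith("." + claimed):
            reasons.append(f"text claims {claimed} but href goes to {actual}")
        # Path shape used by the compromised sites in this campaign.
        if RANDOM_DIR_RE.match(parsed.path):
            reasons.append("random 8-char directory + index.html path")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse_links(SAMPLE_HTML):
        print(f)
```

Run over the sample, the first link is flagged for both reasons and the genuine usps.com link is not; the host comparison allows subdomains of the claimed host so that a legitimate www.usps.com link whose text reads usps.com is not a false positive.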

The spam messages use a variety of subjects. The ones we saw yesterday were:

count | subject | sender_domain
——-+——————————————–+—————
479 | USPS postage labels order confirmation. | usps.com
433 | Your USPS postage charge. | usps.com
428 | USPS postage labels receipt. | usps.com
403 | Your USPS postage labels charge. | usps.com
384 | Your USPS shipment postage labels receipt. | usps.com
346 | USPS postage labels invoice. | usps.com
322 | Your USPS delivery. | usps.com
319 | USPS postage invoice. | usps.com
(8 rows)


This was a very light campaign compared to many that we have seen recently. We received more than half of these emails in a single 15-minute span ending at 7:15 AM our time, which would be 8:15 AM on the US East Coast. Our theory is that a new spam campaign, carrying a never-before-seen malware sample, is sent at the beginning of the East Coast day as a way to get maximum infections in places like New York City and Washington, DC.


The most common websites, all with their own “random-looking” subdirectories, were:

count | machine
——-+———————————-
598 | h7xb37qx.utawebhost.at
208 | jadore-events.ro
150 | kissmyname.fr
143 | renkliproje.com
139 | kegelmale.com
138 | layarstudio.com
127 | firemediastd.com
126 | hillside.99k.org
126 | ks306518.kimsufi.com
118 | k-linkinternational.com
113 | graphicdesignamerica.com
112 | hascrafts.com
112 | iaatiaus.org
102 | immodefisc.net

(The rest of the list is at the end of this article…)

A Sample Run


Each day in the UAB Computer Forensics Research Laboratory, students in the MS/CFSM program produce a report, shared with the government, called the “Emerging Threats By Email” report. They take a prevalent “new threat” in the email from that day and document its action, in part by infecting themselves with the malware! Here’s a sample run-through I did this morning using the techniques followed in our daily report.

We begin by visiting a website advertised in the spam. In this case, I chose:

allahverdi.eu (109.235.251.244) /BSg1hNCZ/index.html (400 bytes)

These “email-advertised links” each call JavaScript files from a variety of other sites. In this example run, visiting the site caused us to load JavaScript from the URL below.

uglyd.com/xTnfi7mG (210.193.7.161) / xTnfi7mG/js.js (81 bytes)

This JavaScript file sets the “document location” for the current browser window to “http://178.32.160.255:8080” with a path of showthreat.php?t=73a07bcb51f4be71. This is a Black Hole Exploit Kit server, which carries out the rest of the infection.

This is the location my run gave this morning; yesterday morning’s run used a different Black Hole Exploit Kit location:

178.32.160.255:8080/showthread.php?t=blahblahblah (20,110 bytes)

178.32.160.255:8080/data/Pol.jar (14,740 bytes)

178.32.160.255:8080/q.php?f=4203d&e=0 (dropped calc.exe 151,593 bytes)
MD5 = 44226029540cd2ad401c4051f8dac610
VirusTotal (16/42)

The next two files are dropped because of the Java execution of “Pol.jar”.

At the time of the UAB Emerging Threats by Email report on Friday morning, March 29th, the VirusTotal detections for this malware were “2 of 42”. More than 20 hours later the detection is still only “19 of 42”.

santacasaitajuba.com.br (200.26.137.121) /WBoTANuY/hBhT7.exe (323,624 bytes)
MD5 = 276dbbb4ae33e9e202249b462eaeb01e
VirusTotal (19/42)

elespacio.telmexla.net.co (200.98.197.103) /sNxQTzEK/bHk6KE.exe (323,624 bytes)
MD5 = 276dbbb4ae33e9e202249b462eaeb01e
VirusTotal (19/42)



The “Zeus file” (the 323,624-byte one) copies itself into a newly created, randomly named directory within the current user’s “Application Data” directory. In the current run, it disguised itself with a “Notepad” icon, claiming to be “Notepad / Microsoft Corporation” in its properties. The file was named peix.exe (but that’s random also). The file does an “in place update”, so its MD5 changed without the filename changing. My new MD5 this morning was:

98202808dea55042a3a1aa2d28ab640a

Which gives a current VirusTotal detection of (14/42):

AntiVir = TR/Crypt.XPACK.Gen
Avast = Win32:Spyware-gen [Spy]
AVG = Zbot.CO
BitDefender = Gen:Variant.Kazy.64187
DrWeb = Trojan.PWS.Panda.1947
F-Secure = Gen:Variant.Kazy.64187
GData = Gen:Variant.Kazy.64174
Kaspersky = Trojan-Dropper.Win32.Injector.dxrh
McAfee = PWS-FADB!98202808DEA5
Microsoft = PWS:WIn32/Zbot.gen!AF
NOD32 = Win32/Spy.Zbot.AAN
Norman = W32/Kryptik.BKR
Rising = Trojan.Win32.Generic.12BDDB90
VIPRE = Trojan.Win32.Generic.pak!cobra

Most of those definitions just mean “Hey! This is bad! Don’t run it!”

Antivirus companies don’t use the same names for most of this stuff as cybercrime investigators do. So, for instance, in the Microsoft lawsuit last week, they described criminals involved with three malware families: Zeus, SpyEye, and IceIX. All of these would show a “Zbot” or “Kazy” detection in the group above. PWS means “Password Stealer.” “pak”, “XPACK”, and “Kryptik” just mean that the malware is packed or compressed in a way that implies it is probably malicious.

The bottom line is that this very successful malware distribution campaign has tricked people into installing something from the broader Zeus family (whether Zeus, SpyEye, or IceIX doesn’t really matter to the consumer). Once compromised, that computer is going to begin sharing personal financial information with criminals, and allowing remote control access to the computer from anywhere in the world to allow further malicious activity to occur.

This is the kind of malware that was featured on NBC’s Rock Center with Brian Williams recently, and that was at the heart of the civil action taken by Microsoft, FS-ISAC, and NACHA that led to the seizure of many domain names and some servers controlled by Zeus criminals.







other destinations



98 | made.lu
96 | maceraoyunlari.host.org
88 | kazahana.hanabie.com
85 | kthtu.or.kr
84 | ftp.peratur.com.br
82 | agroturystyka-szczawnica.pl
78 | lenkajonasova.chytrak.cz
77 | ftp.lucpinheiro.com.br
74 | imo213.com
70 | indonesiatravelnow.com
67 | gulfcoastlocalsearch.com
67 | laptopschematic.org
65 | 4realpeople.info
62 | incaltamintepeg.ro
58 | davidanber.com
52 | malibojevnik.si
52 | 188.121.58.196
45 | lcvtv.com
44 | lastrender.com
44 | laserreproducciones.com
44 | lukasz-slaby.pl
41 | 032b67b.netsolhost.com
41 | larryharrison.com
40 | 182.18.152.247
39 | genxlogistics.com
38 | 0317159.netsolhost.com
37 | getprofitsfast.com
37 | kbizzsolutions.com
34 | icon-construction.ca
33 | mariekebrouwers.nl
33 | kgncomputers.com
30 | meinungsmacher.at
21 | heroesandheritage.net
20 | interfinbrok.ro
16 | ecrane.vn
16 | erolkara.net
12 | euro2012bettingtips.com
11 | ftp.tack.sk
11 | stcw95.org
10 | 6111homewood.com
10 | meritmobile.com
10 | ozerresidence.com
10 | ftp.infoesporte.com.br
10 | grossturismo.com.br

More community TFS build extensions documentation

As part of the ongoing effort in documentation, I have recently published more documentation for the TFS build extension project activities:

  • AssemblyInfo
  • CodeMetric (updated) and CodeMetricHistory
  • File
  • Twitter

Visual Studio Live @ Las Vegas Presentations – Tips and Tricks on Architecting Windows Azure for Costs

Unfortunately I wasn’t able to go and speak at Visual Studio Live @ Las Vegas as scheduled, due to an illness that made it impossible for me to travel and kept me in bed for a few days.

But even if I wasn’t there I would like to share with you some of the points on this topic “Tips and Tricks on Architecting Windows Azure for Costs”.

Tips & Tricks On Architecting Windows Azure For Costs
The key points to achieve this are:
  • Cloud pricing isn’t more complex than on-premises, it’s just different
  • Every component has its own characteristics; adjust them to your needs
  • Always remember that requirements impact costs; choose the ones that are really important
  • Always remember that developers and the way things are developed impact costs, so plan, learn and then code.
  • The Windows Azure pricing model can improve code quality, because you pay for what you use and can discover very early where things are going off plan
  • But don’t over-analyze! Don’t just block because things have impacts, because even today the same things are impacting you; the difference is that normally you don’t see them that quickly and transparently, so “GO FOR IT”, you’ll find it’s really worth it.

In some next posts I’ll go in-depth into each one of those.

Special thanks for Maarten Balliauw for providing a presentation he did previously that I could work on.

Visual Studio Live @ Las Vegas Presentations – Architecture Best Practices in Windows Azure

Unfortunately I wasn’t able to go and speak at Visual Studio Live @ Las Vegas as scheduled, due to an illness that made it impossible for me to travel and kept me in bed for a few days.

But even if I wasn’t there I would like to share with you some of the points on this topic “Architecture Best Practices in Windows Azure”.

Here are 10 key Architecture Best Practices in Windows Azure:

  1. Architect for Scale
  2. Plan for Disaster Recovery
  3. Secure your Communications
  4. Pick the right Compute size
  5. Partition your Data
  6. Instrument your Solution
  7. Federate your Identity
  8. Use Asynchronous and Reduce Coupling
  9. Reduce Latency
  10. Make Internal Communication Secure

In some next entries I’ll go in-depth into each one of those.

Windows To Go

One of my favourite enterprise features that Microsoft is adding to Windows 8 is Windows To Go, which lets you provision a desktop on a USB flash drive and take it with you to boot on any hardware that meets the usual Windows 8 requirements. An IT department can build a desktop image, with applications installed (perhaps some of the intranet apps that you wouldn’t let your staff install on their home PC), and even domain join it before passing it to someone who needs to travel light, or who wants to be able to do some sensitive work on their personal laptop (the one that’s full of spyware and crap because their kids have had the ability to install anything – you know the one – it’s got so many browser toolbars that any web page is only an inch or two tall!). You can even secure it with BitLocker, without requiring a TPM chip in the hardware that’s going to host it.


Speaking of that host hardware, as I said, so long as it would support Windows 8 and will boot from USB, then you’re good to go. You won’t have access to any internal drives in that hardware (unless you’re also the administrator of that machine), but you will be able to use additional devices that you’ve plugged into its other USB ports, for example. When you use Windows To Go on a host PC for the first time, it’s going to do some plug’n’play detection (which may take a few minutes), then continue to boot. Every new bit of hardware is going to be stored in a profile, so the next time you use the same host it’s going to boot much faster (about as fast as you would expect from an internal drive).


Windows To Go isn’t, as a recent TechTarget mailing so cleverly pointed out, the answer to all your “Consumerisation of IT” dreams – they astutely observed that Windows To Go won’t run on an iPad. Running Windows from a USB flash drive on a device that has no USB port is apparently beyond Microsoft – shame on them! ;-)


As an additional security measure, if you need to exit in a hurry (I like to imagine myself using Windows To Go behind enemy lines while I’m on some kind of secret mission – I don’t know why!), then you can just pull the drive out and the machine will freeze. If you don’t push it back into the same USB port within 60 seconds then the machine will reboot. If you knocked it out by accident (because the guy entering the internet cafe wasn’t actually a SPECTRE assassin hot on your heels), then you can plug it back in and carry on – if you were playing a video at the time, for example, it’ll take under a second to continue playback.


So to recap, as the IT guy, you can give somebody a Windows 8 instance (which you trust) that they can boot on their own hardware (which you don’t trust!), and you can continue to manage that instance like you would any other domain computer. You can give them software that you wouldn’t let them install on an untrusted computer without all the expense of giving them a trusted computer that you’ve configured. Just as importantly, your user can do important work stuff on the shiny new laptop that they bought for themselves without having to give it to you so that you can configure it and take away their admin rights. It’s a fantastic step in the right direction where “Bring Your Own Device/Computer” (BYOD/BYOC) is concerned.


With Windows 8 just in Consumer Preview (and Windows Server 8 in Beta) at present, not all the details about this feature have been released yet, so some of this may not be 100% accurate at the time you read this:


You need at least a 32GB drive (my test image has Windows 8, Office 2010, Windows Live Essentials and a bunch of files on it and it still has 15GB free). The drive should be USB 3.0, although it’s going to work when plugged into a USB 2.0 port. These flash drives aren’t especially cheap at the moment, and they don’t all work as you’d hope…


When OEMs build drives, they have firmware that includes (among other things) a Removable Media Bit. The RMB is the thing that tells Windows whether the drive is “fixed” or “removable” (it defines the separation in Windows Explorer). The trouble is that if you get one where the RMB is set to “removable” then Windows won’t do certain things with it. It won’t let you partition the drive, so you can’t use BitLocker; it won’t run Windows Update (including standalone WU packages); it won’t let you download apps from the Microsoft Store, and I dare say there are other things that I haven’t come up against yet. With some drives you can flip the value of the RMB, but on the Kingston DT Ultimate G2 32GB that I have, you can’t (I asked Kingston about this and told them why it was an issue – they’re going to bear it in mind for future products).


The upshot is that while you may be able to get Windows To Go to work today, you might not be able to do everything with it, and you might want to exercise caution before buying a load of drives, even if someone says that it works with a particular model.


All that said, if you want to give it a go, there are step-by-step instructions on the TechNet wiki, and a very informative video from the 2011 BUILD conference. Also, Ars Technica has a step-by-step with a slightly different method, using the WAIK and a single partition, so you can do it on a “removable” drive (although you can tweak the TechNet steps to do that too).


Before I forget (and because this is one of the things that I was asked at the TechDays UK IT Camp this week), you are going to be activating Windows via AD or a key management server, hence my pointing out right at the start of this post that this is an enterprise feature.

DNS Changer: Countdown clock reset, but still ticking

Operation Ghost Click


Last November, the main FBI.gov website headline was “DNS Malware: Is Your Computer Infected?”. The story detailed the arrest of six Estonian criminals who had infected more than 4 million computers with malware that changed Domain Name Server settings on the impacted computers. The impact of this change was that when a user typed an address in their web browser, or even followed a link on the web page, instead of asking their Internet Service Provider’s DNS server where they should go to reach the computer that had that name, they would ask a DNS server run by the criminals.

Most of the time, the traffic still went to the correct address. But at any time of the criminals’ choosing, they could replace any website with content created or provided by the criminals. This allowed them to do things like place an advertisement for an illegal pharmaceutical website selling Viagra on a website that should have been showing an advertisement paid for by a legitimate advertiser.

The case, called “Operation Ghost Click” was the result of many security professionals and researchers working together with law enforcement to build a coordinated view of the threat. The University of Alabama at Birmingham was among those thanked on the FBI website.

DNS Servers and ISC


This case had one HUGE technical problem. If the criminals’ computers were seized and turned off, all of the four million computers that were relying on those computers to “find things” on the Internet by resolving domain names to numeric IP addresses would fail. They wouldn’t just “default back” to some pre-infection DNS setting; they would just stop being able to use the Internet at all until someone with some tech savvy fixed the DNS settings on those computers.

Because of this, the court order did something unprecedented. Paul Vixie, from the Internet Systems Consortium, a tiny non-profit in California that helps to keep name services working right for the entire world, was contracted to REPLACE the criminals’ DNS servers with ISC DNS servers that would give the right answer to any DNS queries they received. Vixie wrote about his experience with this operation in the CircleID blog on Internet Infrastructure on March 27th.

The problem, as Vixie, and other security researchers such as Brian Krebs, have related is that the court order was supposed to be a temporary measure, just until the Department of Justice managed to get everyone’s DNS settings set back the way they were supposed to be. Back in November, the court decided March 9th would be a good day to turn off the ISC DNS servers.

But are you STILL infected?


Unfortunately, the vast majority of the 4 million compromised computers have not been fixed. On March 8th the court agreed to give them an extension until July 9th. (Krebs has a copy of the court order here)

But how do you know if YOU are still infected?

(Image: DNS-OK.US check result, linked to the check page)



When I visit the website “DNS-OK.US” I get a green background on the image (shown above) which tells me that my computer is not using a DNS server address that formerly belonged to an Estonian cybercriminal. (The website is available in several other languages as well.)


The tech behind this is that the website is checking to see if you resolve your DNS by using an IP address in the following ranges:

77.67.83.1 – 77.67.83.254
85.255.112.1 – 85.255.127.254
67.210.0.1 – 67.210.15.254
93.188.160.1 – 93.188.167.254
213.109.64.1 – 213.109.79.254
64.28.176.1 – 64.28.191.254

If you ARE, then you need to assign a NEW DNS SERVER ADDRESS.
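The DNS-OK.US check can be reproduced locally against whatever resolver a machine is configured to use. The Python below is an added example, not code from the DNS Changer Working Group or from this post; it encodes the six ranges listed above as inclusive first-to-last addresses, reads "nameserver" lines from resolv.conf-style text (the sample text is constructed; on Windows the same addresses come from the DNS Servers lines of ipconfig /all), and reports which resolvers fall inside the rogue ranges.

```python
import ipaddress

# Ranges listed above as formerly belonging to the DNS Changer operators.
ROGUE_RANGES = [
    ("77.67.83.1", "77.67.83.254"),
    ("85.255.112.1", "85.255.127.254"),
    ("67.210.0.1", "67.210.15.254"),
    ("93.188.160.1", "93.188.167.254"),
    ("213.109.64.1", "213.109.79.254"),
    ("64.28.176.1", "64.28.191.254"),
]

# Pre-compute integer bounds so membership is a plain comparison.
_RANGES = [(int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)))
           for lo, hi in ROGUE_RANGES]


def is_rogue_resolver(ip):
    """True if ip is an IPv4 address inside one of the rogue ranges (inclusive)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # not an IP address at all
    if addr.version != 4:
        return False          # the published ranges are IPv4 only
    n = int(addr)
    return any(lo <= n <= hi for lo, hi in _RANGES)


def resolvers_from_resolv_conf(text):
    """Extract the addresses from 'nameserver <ip>' lines, ignoring comments."""
    resolvers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            resolvers.append(parts[1])
    return resolvers


def check_resolvers(text):
    """Map each configured resolver to whether it is in a rogue range."""
    return {ip: is_rogue_resolver(ip) for ip in resolvers_from_resolv_conf(text)}


# Constructed sample: one resolver inside a rogue range, one public resolver.
SAMPLE_RESOLV_CONF = """# constructed sample resolv.conf
nameserver 85.255.112.36
nameserver 8.8.8.8
"""

if __name__ == "__main__":
    for ip, rogue in check_resolvers(SAMPLE_RESOLV_CONF).items():
        print(ip, "ROGUE - reassign your DNS server" if rogue else "ok")
```

The bounds are checked inclusively on both ends, so the .1 and .254 addresses the post lists are treated as inside the range while .0 and .255 are not.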

The DNS Changer Working Group has a CHECKUP page and a DNS CLEANUP page to explain this process to technical people. Any “computer savvy” person should be able to follow their guidelines to get the job done.

Good luck!

Gary Warner
Center for Information Assurance and Joint Forensics Research at the University of Alabama at Birmingham.
Learn more about our Masters Degree in Computer Forensics and Security Management.

Open Source Microsoft–Build MVC, WebAPI, Razor, and WebPages

Scott Guthrie has announced on his blog that, as of this very moment, ASP.NET MVC, ASP.NET Web API, and Web Pages with Razor syntax have all been open sourced on CodePlex at http://aspnetwebstack.codeplex.com. That’s huge news. Oh, and the ASP.NET Web Stack repository can be accessed using TFS, Subversion, Mercurial, and the newly added Git.

So, you may be thinking “This sounds cool. But what does it mean for me?” It means you’re awesome. It means that you can now make your favorite features and patches to their framework and submit them back to the team for review. It means you can use their framework when it is eventually ported over to Mono and other open-source platforms. It means you’ll eventually be able to run ASP.NET wherever you’d like.

Be sure to check it out and provide feedback to the team. If you’re not sure what type of feedback to provide, choose from the following:

  • “The ASP.NET team just knocked it out of the park with this: http://aspnetwebstack.codeplex.com. Go OSS!”
  • “ScottGu and his team delivered yet again.”
  • “Who said that Microsoft can’t release software using an open source license?”
  • “Congrats to the ASP.NET team for, yet again, exceeding expectations!”

Your choice. In the meantime, great job Microsoft!



SQL Server # Storing Hierarchical Data – Parent Child n’th level # TSQL

Introduction

Today, I would like to explain one way in which we can store HIERARCHICAL data in SQL tables. A general table structure that people come up with to store this kind of data is:

[Figure 1: Employee table with EmployeeID and ManagerID columns]

Here, EmployeeID is the unique ID allotted to every new employee record inserted into the table, and ManagerID is the EmployeeID of the immediate manager of the employee, keeping in mind that a manager is also an employee.

Problem Statement

This table structure serves the purpose very well as long as we have a 1-level hierarchy. However, if the hierarchy is of n’th level, the SELECT statement to fetch the records becomes more complex with this kind of table structure. Suppose we want to fetch the complete TREE of a particular employee, i.e. the list of all the employees who are directly or indirectly managed by that employee. How do we do it?

Thanks to CTEs for making life a bit easier: using them in a recursive manner, we can get the work done. Please follow this MSDN link to see an implementation using a recursive CTE.

Suggested Table Structure

[Figure 2: Employee table with the added [Path] column]

Here, I have just included a new column [PATH]. It is of VARCHAR(MAX) type. I have taken it as VARCHAR(MAX) just to make sure the field is long enough to store the complete path. But one can assign appropriate size as per their system’s requirement.

The basic idea of the [path] column is to store the complete hierarchical path of any employee separated by a delimiter as under –

[Figure 3: sample [Path] values, one per employee]

Calculating the new path is very simple: {New Path} = {Parent Path} + {Self ID} + {Delimiter}

Now, suppose I want to fetch all the employees who are directly or indirectly working under EmployeeID = 2. I can use the T-SQL below:

;WITH CTE AS (
SELECT 1 EmployeeID,NULL ManagerID, '1' [Path]
UNION ALL    
SELECT 2 EmployeeID,1 ManagerID, '12' [Path]
UNION ALL    
SELECT 3 EmployeeID,1 ManagerID, '13' [Path]
UNION ALL    
SELECT 4 EmployeeID,2 ManagerID, '124' [Path]
UNION ALL    
SELECT 5 EmployeeID,4 ManagerID, '1245' [Path]
)
SELECT
  *
FROM
  CTE
WHERE
  [Path] LIKE '%2%'

We can use simple logic to even find out the level of the employee:

SELECT
  *,
  -- The delimiter string did not survive in the published post. REPLACE with an
  -- empty search string returns [Path] unchanged, so the real delimiter must be
  -- supplied as the second argument for the subtraction below to count levels.
  (LEN([Path]) - LEN(REPLACE([Path],'',''))) - 2 [Level]
FROM
  CTE
WHERE
  [Path] LIKE '%2%'

[Figure 4: query result with the computed [Level] column]

2 is subtracted in the formula because the delimiter length for Level-0 is 2.
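The materialized-path idea above is easiest to see end to end with a real table, so here is an added example in Python over SQLite (not the post's own T-SQL, and not Microsoft code). It assumes a '/' delimiter on both sides of every ID, so a path reads '/1/2/4/'; the post's own delimiter is not assumed. With the delimiter on both sides, the LIKE pattern '%/2/%' matches only employee 2's subtree and cannot match an unrelated ID such as 12, which '%2%' would; the level formula is the post's, LEN minus LEN without delimiters minus 2. The employee rows are constructed sample data.

```python
import sqlite3

# Constructed sample rows: (EmployeeID, ManagerID, Path), path = '/' + ids + '/'.
EMPLOYEES = [
    (1, None, "/1/"),
    (2, 1, "/1/2/"),
    (3, 1, "/1/3/"),
    (4, 2, "/1/2/4/"),
    (5, 4, "/1/2/4/5/"),
    (12, 3, "/1/3/12/"),   # contains the digit 2 but is NOT under employee 2
]

DELIM = "/"   # assumed delimiter for this example


def build_db():
    """In-memory Employee table in the shape the post describes, plus [Path]."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Employee (EmployeeID INTEGER PRIMARY KEY, "
        "ManagerID INTEGER, Path TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO Employee VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def new_path(conn, manager_id, self_id):
    """{New Path} = {Parent Path} + {Self ID} + {Delimiter}; a root starts with '/'."""
    if manager_id is None:
        return f"{DELIM}{self_id}{DELIM}"
    row = conn.execute("SELECT Path FROM Employee WHERE EmployeeID = ?",
                       (manager_id,)).fetchone()
    if row is None:
        raise ValueError(f"manager {manager_id} does not exist")
    return f"{row[0]}{self_id}{DELIM}"


def insert_employee(conn, employee_id, manager_id):
    """Insert a new employee with its path computed from the manager's path."""
    conn.execute("INSERT INTO Employee VALUES (?, ?, ?)",
                 (employee_id, manager_id, new_path(conn, manager_id, employee_id)))


def subtree(conn, employee_id):
    """Employee_id itself and everyone directly or indirectly under it, with level.
    Level = number of delimiters in the path minus 2 (a root has exactly two)."""
    return conn.execute(
        """
        SELECT EmployeeID, ManagerID, Path,
               (LENGTH(Path) - LENGTH(REPLACE(Path, ?, ''))) - 2 AS Level
        FROM Employee
        WHERE Path LIKE '%' || ? || ? || ? || '%'
        ORDER BY Path
        """,
        (DELIM, DELIM, str(employee_id), DELIM),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    for row in subtree(db, 2):
        print(row)
```

Because the delimiter surrounds every ID, the WHERE clause is exact: searching for employee 2 returns 2, 4 and 5 at levels 1, 2 and 3, and employee 12 is correctly left out.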

Conclusion

Hope, this simple trick could save a lot of time for the ones who find themselves lost playing with the hierarchical data.

Unit testing in VS11Beta and getting your tests to run on the new TFSPreview build service

One of my favourite new features in VS11 is that the unit testing is pluggable. You don’t have to use MSTest; you can use any test framework for which an adaptor is available (at the release of the beta this meant the list of frameworks on Peter Provost’s blog, but I am sure this will grow).

So what does this mean and how do you use it?

Add some tests

First it is worth noting that you no longer need to use a test project to contain your MSTest tests; you can if you want, but you don’t need to. So you can:

  1. Add a new class library to your solution
  2. Add a reference to Microsoft.VisualStudio.TestTools.UnitTesting and create an MStest test
  3. Add a reference to xUnit (I used NuGet to add the reference) and create an XUnit test
  4. Add a reference to XUnit extensions (NuGet again) and add a row based xUnit test
  5. Add a reference to nUnit (you guessed it – via NuGet) and create a nUnit test

All these test frameworks can live in the same assembly.

Add extra frameworks to the test runner

By default the VS11 test runner will only run the MSTest test, but by installing the xUnit.net runner for Visual Studio 11 Beta and NUnit Test Adapter (Beta), either from the Visual Studio Gallery or via Tools –> Extension Manager (and restarting VS), you can see that all the tests are run.

image

You can if you want set it so that every time you compile the test runner triggers (Unit Testing –> Unit Test Settings –> Run Test After Build). All very nice.

image

Running the tests in an automated build

However, what happens when you want to run these tests as part of your automated build?

The build box needs to have a reference to the extensions. This can be done in three ways. However, if you are using the new TFSPreview hosted build service, as announced at VS Live, only one method, the third, is open to you, as you have no access to the VM running the build to upload files other than by source control.

By default, if you create a build and run it on the hosted build service you will see that it all compiles, but only the MSTest test is run.

image

The fix is actually simple.

  1. First you need to download the xUnit.net runner for Visual Studio 11 Beta and NUnit Test Adapter (Beta) .VSIX packages from Visual Studio Gallery.
  2. Rename the downloaded files as a .ZIP file and unpack them
  3. In TFSPreview source control create a folder under the BuildProcessTemplates for your team project. I called mine CustomActivities (the same folder can be used for custom build extensions hence the name, see Custom Build Extensions for more details)
  4. Copy the .DLLs from the renamed .VSIX files into this folder and check them in. You should have a list as below

    image
  5. In the Team Explorer –> Build hub, select the Actions menu option –> Manage Build Controllers. Set the Version control path for  custom assemblies to the new folder.

    image

You do not need to add any extra files to enable xUnit or nUnit tests as long as you checked in the runtime xUnit and nUnit assemblies from the NuGet packages at the solution level. This should have been the default behaviour with NuGet in VS11 (i.e. there should be a package folder structure in source control, as shown in the Source Explorer graphic above).

You can now queue a build and you should see that all the tests are run (in my case MSTest, xUnit and nUnit). The only difference from a local run is that the xUnit row-based tests appear as separate lines in the report.

image

So now you can run tests of any type on a standard TFSPreview hosted build box, a great solution for many projects where just a build and test is all that is required.

What Do the Performance Values in Windows Task Manager Represent?

If you’ve ever taken a look at Windows Task Manager, you’ve undoubtedly wondered what all the numbers mean. This guide briefly explains each value and helps you familiarize yourself with what these values represent. The performance information is broken down into four categories: CPU Physical Memory Kernel Memory System CPU CPU (Central Processing Unit) usage [...]


Let the VS Team know about VS 11

You should really take advantage of the opportunity: tell them what you don't like and what you really like.

Link to Team’s blog http://blogs.msdn.com/b/visualstudio/archive/2012/03/21/visual-studio-11-beta-survey.aspx

So far so good. My laptop is a little clunky and I had a lot of problems installing on a 64-bit machine, but the problem was Win Update and not VS.

Microsoft Most Influential Virtualization Professional and MMS 2012

Hello everyone.


Since October of last year I have been taking part, along with other community members, in a contest called Most Influential Virtualization Professional (MIVP). The idea, created by Microsoft Brazil product manager Danilo Bordini, was to get the community to spread content about virtualization, System Center and Windows Server. For six months I took part with articles, videos, forum posts and webcasts, plus the #MIVP hashtag on Twitter.


Last week Danilo posted the contest winners on his blog and, to my surprise, I was one of them, winning a trip to the Microsoft Management Summit 2012 (MMS) in Las Vegas with everything paid for by Microsoft. o/


This was the list of the 5 MIVP winners:


  • Third to fifth place: Prize: one Xbox 360 for each ITPro. Winners:
    • Herleson Pontes
    • Jordano Mazzoni
    • Rafael Bernardes
  • Top 2, that is, the two highest placed: Prize: one trip to MMS 2012 (Microsoft Management Summit) in Las Vegas, United States. Winners:
    • Cleber Marques
    • Leandro Carvalho

During the event I will be digging out all the news about virtualization and System Center, and you will be able to follow it all here on the blog. Stay tuned!



I would very much like to thank Danilo for the prize and for the opportunity to take part even while living abroad, and also the judges Vinícius Apolinário, Fabio Hara and Daniel Camillo. My sincere thanks for the recognition.


I would also like to congratulate the other 4 winners: Herleson, Jordano, Rafael and Cleber.


Leandro Carvalho
MCSA+S+M | MCSE+S | MCTS | MCITP | MCBMSS | MCT | MVP Virtual Machine
MSVirtualization | BetterTogether | LinhadeCodigo | MVP Profile
TwitterLeandroEduardo | LinkedInLeandroesc

Downloading videos from YouTube

Have you ever wanted to download videos from YouTube?

Here I present two ways to do it. The first needs nothing installed; the second installs a piece of software.

  1. Go to: http://saveyoutube.com/;
  2. Enter the direct link to the YouTube video in the blue bar at the top of the page;
  3. Click Download;
  4. When you get the prompt, choose Run;
  5. A list of files to download will appear. Right-click the one you want and click Save Target As…;
  6. Done!

If you would rather use a piece of software for this, you can use VDownloader: http://vdownloader.com/:

Microsoft DCU, FS-ISAC, and NACHA vs. Zeus

On March 24, 2012, Microsoft unveiled a joint lawsuit with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the National Automated Clearing House Association (NACHA). Based on a Temporary Restraining Order filed as part of the lawsuit, Microsoft and their agent, Stroz Friedberg, accompanied by U.S. Marshals, served the TRO at the BurstNET facility in Scranton, Pennsylvania, and at Continuum Data Centers in Chicago, Illinois. Servers named in the TRO were allowed to be monitored to capture four hours of network traffic before being taken into possession; they will be held in escrow by Stroz Friedberg.

In addition, more than 1700 domain names were redirected to the Microsoft IP address 199.2.137.141. While at first I thought it would be a useful service to our readership to list the 1700+ domain names, I believe (and will hopefully have confirmation from Microsoft shortly) that it would be sufficient for network administrators to look for traffic destined to this new “rerouted” address. If you have a computer on your network sending traffic to 199.2.137.141, my current understanding is that this computer is likely attempting to reach one of the domains that are subject to this TRO, and that this is an indication that the computer may be infected with Zeus, ICE-IX, or SpyEye. Appropriate security measures will vary based on the role and use of that computer within your organization, but changing the passwords of any accounts accessed from that computer and removing the malware would be the minimum steps.

The lawsuit names “John Does 1-39”, who are described by their online monikers or “handles”, many of which will be well known to anyone who has been researching Zeus:

JOHN DOES 1-39 D/B/A Slavik, Monstr, IOO, Nu11, nvidiag, zebra7753, lexa_Mef, gss, iceIX, Harderman, Gribodemon, Aqua, aquaSecond, it, percent, cp01, hct, xman, Pepsi, miami, miamibc, petr0vich, Mr. ICQ, Tank, tankist, Kusunagi, Noname, Lucky, Bashorg, Indep, Mask, Enx, Benny, Bentley, Denis Lubimov, MaDaGaSka, Vkontake, rfcid, parik, reronic, Daniel, bx1, Daniel Hamza, Danielbx1, jah, Jonni, jtk, Veggi Roma, D frank, duo, Admin2010, h4x0rdz, Donsft, mary.J555, susanneon, kainehabe, virus_e_2003, spaishp, sere.bro, muddem, mechan1zm, vlad.dimitrov, jheto2002, sector.exploits AND JabberZeus Crew CONTROLLING COMPUTER BOTNETS THEREBY INJURING PLAINTIFFS, AND THEIR CUSTOMERS AND MEMBERS

All of the supporting legal documents can be found on the Microsoft-registered server:

zeuslegalnotice.com

The Temporary Restraining Order seizes 1,703 domain names! Each domain name is listed with the role that it played in the overall scheme to infect computers and steal data from their users. For example:

filmv.net – dropzone
finance-customer.com – source
firelinesecrets.com – embedded_js
fllmphpxpwqeyhj.net – dropzone, source, infector
flsunstate333.com – updater

A “source” would be a domain that was advertised in an email. An “embedded_js” would be a site to which the source redirected in order to load hostile JavaScript. A “dropzone” would receive credentials from an infected computer. An “updater” would push additional or new commands, configurations, or malicious code to the already compromised computers.
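An added example, not code from the original post or from Microsoft, covering the two checks described above: parse the domain-to-role list quoted from the TRO, and flag internal hosts whose traffic goes to 199.2.137.141 so they can be examined. The log line format and the log lines themselves are constructed for the example; only the five role-list lines come from the post.

```python
"""Triage helpers for the TRO described above: parse the domain/role list and
scan a firewall/proxy log for internal hosts sending traffic to the rerouted
address 199.2.137.141.  Log format and log contents are constructed for this
example; the role-list lines are the five quoted in the post."""
import re

SINKHOLE_IP = "199.2.137.141"  # the rerouted address named in the post

ROLE_LIST = """\
filmv.net – dropzone
finance-customer.com – source
firelinesecrets.com – embedded_js
fllmphpxpwqeyhj.net – dropzone, source, infector
flsunstate333.com – updater
"""

# "domain – role, role"; accept either an en dash or a hyphen as the separator
ROLE_LINE_RE = re.compile(r"^\s*(\S+)\s+[–-]\s+(.+?)\s*$")


def parse_role_list(text):
    """Return {domain: set(roles)} from the TRO-style list."""
    roles = {}
    for line in text.splitlines():
        m = ROLE_LINE_RE.match(line)
        if not m:
            continue
        domain, role_part = m.group(1).lower(), m.group(2)
        roles[domain] = {r.strip() for r in role_part.split(",") if r.strip()}
    return roles


# Constructed key=value log lines (hypothetical format). The last line has the
# near-miss destination 199.2.137.1, which must not match.
SAMPLE_LOG = """\
2012-03-26T08:14:59 src=10.1.4.22 dst=93.184.216.34 dport=443 proto=tcp
2012-03-26T08:15:02 src=10.1.4.22 dst=199.2.137.141 dport=80 proto=tcp host=fllmphpxpwqeyhj.net
2012-03-26T08:15:03 src=10.1.7.9 dst=199.2.137.141 dport=80 proto=tcp host=filmv.net
2012-03-26T08:15:10 src=10.1.4.22 dst=199.2.137.141 dport=443 proto=tcp
2012-03-26T08:16:00 src=10.1.9.3 dst=199.2.137.1 dport=80 proto=tcp
"""


def parse_log_line(line):
    """Split 'timestamp k=v k=v ...' into a dict; return None for unparseable lines."""
    parts = line.split()
    if len(parts) < 2 or "=" not in parts[1]:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    fields["ts"] = parts[0]
    return fields


def find_sinkhole_contacts(log_text, roles, sinkhole=SINKHOLE_IP):
    """Return {src_ip: {"count", "first_seen", "domains"}} for hosts that sent
    traffic to the sinkhole; "domains" maps any Host header seen to its roles."""
    hits = {}
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if not f or f.get("dst") != sinkhole:  # exact match, not a prefix test
            continue
        rec = hits.setdefault(f["src"], {"count": 0, "first_seen": f["ts"], "domains": {}})
        rec["count"] += 1
        host = f.get("host", "").lower()
        if host:
            rec["domains"][host] = sorted(roles.get(host, set()))
    return hits


if __name__ == "__main__":
    roles = parse_role_list(ROLE_LIST)
    for src, rec in sorted(find_sinkhole_contacts(SAMPLE_LOG, roles).items()):
        print(f"{src}: {rec['count']} connection(s) to {SINKHOLE_IP}, first at {rec['first_seen']}")
        for domain, role_names in rec["domains"].items():
            print(f"    {domain}: {', '.join(role_names) or 'not in the quoted list'}")
```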

Microsoft


In a 179 page Declaration, Mark Debenham, a Senior Manager of Investigations in the Microsoft Digital Crimes Unit, lays out the overall structure of the Zeus gang and the way in which Zeus infects users and steals money. He describes the three-fold purpose of Zeus as to infect end-user computers in order to:

(1) steal credentials for online accounts, such as account login information for Microsoft or other websites, or financial and banking credentials, from the owners or users of those computers.

(2) access the victims’ online accounts with the stolen credentials, and

(3) transfer information or funds from the victims’ accounts to accounts or computer controlled by the Defendants.

Debenham goes on to say that three inter-related malware families are the subject of this lawsuit — Zeus, Ice-IX, and SpyEye, and that all were created and sold by the individuals using the handles:

Slavik, Monstr, Harderman, Gribodemon, and nvidiag

John Doe 1 is identified as the Zeus botnet code creator, who uses the handles Slavik, Monstr, IOO, and Nu11. bashorg@talking.cc

John Doe 2 is identified as the creator of Ice-IX, who uses the handles nvidiag, zebra7753, lexa_mef, gss, and iceIX. iceix@secure-jabber.biz. ICQ 610875708.

John Doe 3 is identified as the creator of SpyEye, who uses the handles Harderman and Gribodemon. shwark.power.andrew@gmail.com, johnlecun@gmail.com, gribodemon@pochta.ru, glazgo-update-notifier@gajim.org, gribo-demon@jabber.ru.

John Doe 4 is identified as an operator within the “JabberZeus Crew” who recruits money mules and uses them to cash out stolen credentials. He uses the handles Aqua, aquaSecond, it, percent, cp01, hct, xman, and Pepsi. aqua@incomeet.com, ICQ 637760688.

etc.

NACHA



In a separate 163 page declaration, Pamela Moore, Senior Vice President and Chief Financial Officer of NACHA, documents the particular harm caused to NACHA, showing that in some cases the volume of documented spam messages imitating NACHA rose as high as 167 million emails in a single 24-hour period.

Readers of this blog will be well familiar with the NACHA scams that lead to Zeus, as we have been documenting them as far back as November 12, 2009, when we wrote the article Newest Zeus = NACHA: The Electronic Payments Association.

According to Moore’s affidavit, in the month of November 2011 alone, NACHA was responsible for terminating 555 websites that were distributing malicious content linked from email messages imitating NACHA. As a small business with fewer than 100 employees, NACHA has incurred $624,000 in costs responding to the emails that falsely claimed to be from her organization.

Moore’s declaration contains her 15 page statement followed by page after page of documented evidence supporting that false and misleading emails were sent out related to these Zeus actors.

American Banking Association


William Johnson of the American Banking Association also entered a statement of support. Johnson serves as Vice President and Senior Advisor for Risk Management Policy at the ABA. He also chairs the ABA’s Information Security Working Group and its Bank Security Committee. In addition, Johnson sits on the board of the FS-ISAC and on the Steering Committee of NACHA’s Internet Council. The ABA is of huge importance to the banking world: 92% of the $13 trillion in U.S. banking assets are held by ABA members.

Statistics shared by Johnson include:
– 2010 was the first time where electronic debit card fraud exceeded traditional check card fraud
– 96% of all banks incurred losses from debit card fraud in 2010. Community Banks experiencing such fraud grew from 61% in 2006 to 96% in 2010.
– In 2009, 36% of banking customers said “online banking” was their primary means of interacting with their bank. In 2010 it was 62%.
– In 2011 4.9% of the U.S. adult population was a victim of identity theft.
– In 2009, the average victim of identity theft spent 68 hours and $741 in costs repairing the damage caused by identity theft.


Kyrus Technologies



Jesse Kornblum (yes, THAT Jesse Kornblum!) of Kyrus Technologies also prepared an affidavit of support for the lawsuit. Jesse was a Computer Crime Investigator for the Air Force Office of Special Investigations, ultimately becoming the Chief of the Computer Crime Investigations Division of the Air Force Office of Special Investigations.

In his role at Kyrus Technologies he and his team reverse engineered many of the Zeus malware binaries, comparing known source code and various binaries, and showing conclusive evidence of shared code between SpyEye, ICE-IX, and Zeus (which they refer to as PCRE). For the malware reverse engineering geeks, be sure to read the Kornblum Declaration (55 page PDF).

Orrick, Herrington, Sutcliffe


Kornblum’s declaration was for the malware geeks. For the lawyers in the readership, Jacob Heath of the law firm Orrick, Herrington & Sutcliffe LLP also makes a declaration in support of the call for the Temporary Restraining Order. Orrick is the counsel of record for Microsoft in this matter.

They have arranged the website on which these proceedings are located, as well as the publication of proceedings throughout “Russia, Ukraine, and Romania, where Defendants are generally believed to reside.”

Heath’s declaration, part one, carefully walks through the finer points of ICANN’s policies and procedures, showing the clauses that give them the right to suspend, cancel, or seize the domain names in question, as well as the terms of service at BURSTNET (AKA Network Operations Center, Inc.) that require clients to register domains using truthful information: “Failure to comply fully with this provision may result in immediate suspension or termination of your right to use BurstNET(R) Services”. It also shows the BurstNET policies stating that BurstNET services “may be used only for lawful purposes” and specifically banning malware, botnet, spam, or phishing uses of these services.

How thoughtful of Microsoft to help BurstNET enforce these policies!

For many more details, and a video about this weekend’s raid at BurstNet in Scranton, Pennsylvania, please see the Official Microsoft Blog.

How I try to keep up to date

I have just added a page to the blog that lists some of the podcasts I try to listen to, in an attempt to keep up to date.

Operation Open Market: The Vendors

When we wrote last week about Operation Open Market, the court documents had not yet been released in a major multi-agency identity theft case targeting criminals who traded in the identities of others through the online site “Carder.su” and its affiliated sites. We profiled the prior identity theft career of one of the charged, Jonathan Vergnetti, while we waited for the rest of the court documents to be made publicly available.

Now we are part of the way there. We have received copies of all three of the indictments related to this operation. Today we’ll focus on the largest of the three cases, which still has a considerable amount of data redacted in the version that has been released by the courts. I refer to this case as “The Vendors” case because most of those charged were approved vendors of services in the Carder.su framework. The case, known as “No: 2:12-CR-004” in the PACER system, currently charges 39 defendants in the U.S. District Court of Nevada.

DISCLAIMER: The data below is a reflection of the CHARGES. Of course these dirty rotten identity thieves are presumed innocent until convicted in a court of law.

[REDACTED] indicates someone whose identity is being suppressed for the time being, while “John Doe” indicates someone who is known only by their online monikers, such as those used at Carder.su. Authorities may be interested in learning the true identities of the John Does if you have them.

A quick index of Carder.su aliases that are still John Does:

Senna071, Morfiy, Gruber, Maxxtro, Elit3, Fozzy, Vitrum, Lermentov, TM, Zo0mer, Deputat, Centurion, and Consigliori. If you know who those folks are, I’m sure your local FBI office would be interested. Refer to “Operation Open Market Nevada Case 2:12-CR-004” when you call. 8-)



The Charges


Count 1: 18 USC § 1962(c) and 1963: Participate in a Racketeer Influenced Corrupt Organization
Count 2: 18 USC § 1962(d): Conspiracy to Engage in a Racketeer Influenced Corrupt Organization
Counts 3-17: 18 USC § 1028(a)(1): Unlawful Trafficking in and Production of Counterfeit Identification Documents or Authentication Features
Count 18: 18 USC § 1028(a)(1): Attempt to Unlawful Trafficking in and Production of Counterfeit Identification Documents or Authentication Features
Count 19: 18 USC § 1028(a)(2): Conspiracy to Unlawfully Transfer Identification Document, Authentication Feature, and False Identification Document
Count 20: 18 USC § 1028(a)(7) and (c)(3)(A): Unlawful Transfer, Possession, and Use of a Means of Identification
Count 21: 18 USC § 1029(a)(2): Trafficking in and Use of Counterfeit and Unauthorized Access Devices
Counts 22-55: 18 USC § 1029(a)(3): Possession of Fifteen or More Counterfeit and Unauthorized Access Devices
Counts 56-60: 18 USC § 1029(a)(4): Unlawful Possession, Production, and Trafficking in Device-making Equipment
Counts 61-62: 18 USC § 1029(a)(4): Conspiracy to Unlawful Possession, Production and Trafficking in Device-Making Equipment
18 USC § 2: Aiding and Abetting (applied to Counts 1, 3-17, 18, 20, 21, 22-56, 61-62).

The Charged



[REDACTED] AKA Admin, AKA Support (Counts 1,2,19)

[REDACTED] AKA Graf, (Counts 1,2,33,44,47)

Alexander Kostyukov, AKA Temp, AKA Klbs (Counts 1-2, 3-17) (Age 27, arrested in Miami, Florida, a Russian citizen)

Maceo Boozer III, AKA XXXSimone, AKA Gr, AKA El Padrino, AKA Mr. Right, AKA MRDC87 (Counts 1,2,3-17) (Age 23, arrested in Detroit, Michigan)

[REDACTED] AKA [REDACTED], AKA Ray (Counts 1,2, 3-17)

Edward Montecalvo, AKA Nightmare, AKA Tenure44 (Counts 1,2,3-17,22-55), arrested in Morgantown, West Virginia. (Carder.su Member#8711, Carding.su Member#8237 Current Status: RIPPER. His profile says he sells FEDEX labels and Track2 Dumps)

[REDACTED] AKA Ibatistuta (Counts 1-2)

[REDACTED] AKA cc–trader, AKA Kengza (Counts 1-2, 20, 22-55)

Jermaine Smith, AKA SirCharlie57, AKA FairBusinessMan (Counts 1-2, 61-62), age 31, arrested in Newark, New Jersey

Makyl Haggerty, AKA Wave (Counts 1-2) NOT YET ARRESTED, LAST KNOWN ADDRESS IN SAN FRANCISCO, CALIFORNIA

[REDACTED] AKA Bank Manager, AKA Document Manager, AKA Corey (Counts 1-2, 61-62)

[REDACTED] AKA AbagnaleFrank (Counts 1-2)

[REDACTED] AKA Devica, (Counts 1-2)

[REDACTED] AKA Track2, AKA Bulba, AKA NCUX (Counts 1-2, 22-55)

Qasir Mukhtar, AKA Caliber, (Counts 1-2, 56-60), Age 27, arrested in New York, NY

[REDACTED] AKA [REDACTED], AKA Patistota, (Counts 1-2, 22-55)

[REDACTED] AKA Source (Counts 1-2, 22-55)

[REDACTED] AKA C4rd3r (Counts 1-2, 22-55)

[REDACTED] AKA Bowl (Counts 1-2, 22-55)

[REDACTED] AKA Dorbik, AKA Matad0r (Count 2)

Michael Lofton, AKA Killit, AKA Lofeazy (Counts 1-2, 3-17), Age 34, arrested in Las Vegas, NV

Shiyang Gou, AKA CDER, (Counts 1-2, 3-17), Age 27, Arrested in New York, NY

David Ray Camez, AKA BadMan, AKA DoctorSex, (Counts 1-2, 3-17), Arrested in Las Vegas, NV

Cameron Harrison, AKA Kilobit, (Counts 1-2,3-17), Age 25, Augusta, Georgia

[REDACTED] AKA Qiller (Counts 1-2, 3-17)

Duvaughn Butler, AKA MackMann (Counts 1-2, 21, 61-62), age 37, arrested in Las Vegas, Nevada

Fredrick Thomas, AKA 1Stunna (Counts 1-2), age 31, arrested in Orlando, Florida

John Doe 1, AKA Senna071 (Counts 1-2, 3-17)
John Doe 2, AKA Morfiy (Counts 1-2, 3-17)
John Doe 3, AKA Gruber (Counts 1-2, 18)
John Doe 4, AKA MAXXTRO (Counts 1-2)
John Doe 5, AKA Elit3 (Counts 1-2)
John Doe 6, AKA Fozzy (Counts 1-2, 22-55)
John Doe 7, AKA Vitrum, AKA Lermentov (Counts 1-2, 22-55)
[REDACTED] AKA Panther, AKA Euphoric, AKA Darkmth (Counts 1-2, 22-55)
John Doe 8, AKA TM (Counts 1-2, 22-55)
John Doe 9, AKA ZO0MER, AKA Deputat (Counts 1-2, 22-55)
John Doe 10, AKA Centurion (Counts 1-2, 22-55)
John Doe 11, AKA Consigliori (Counts 1-2, 61-62)

The main indictment goes after the vendors who provided services at Carder.su, which includes Carder.info, Carder.su, Crdsu.su, Carder.biz, and Carder.pro.


LEADERSHIP



The name of the Administrator (AKA Admin AKA Support) is known but [REDACTED]. There are two moderators charged in the indictment, one [REDACTED] AKA Graf and the other unknown, called JOHN DOE 4, AKA MAXXTRO.

Vendors



Kostyukov, AKA Temp, AKA Klbs, is a vendor of Cashout Services at Carder.su, receiving a fee between 45% and 62% of the total funds laundered in exchange for providing members with cashout.

Boozer, AKA XXXSimone, AKA G4, AKA El Padrino, AKA Mr. Right, AKA mrdc87, is a vendor of Dumps at Carder.su. He sells dumps for between $15 and $150 each, depending on the quantity and the geographical location. United States dumps are least expensive, and European dumps are most expensive.

[REDACTED Defendant #5] AKA RAY is a vendor of Counterfeit Plastic. He sells blank cards for $20 to $25, with a minimum order of 50 cards. Embossed counterfeit credit cards were $65 to $75 with a minimum order of 10. He is also a vendor of Dumps – stolen credit card account numbers – ranging from $30 to $45 each.

Montecalvo, AKA N1ghtmare AKA Tenure44, is a vendor of Dumps at Carder.su as well. He was arrested at his home in Morgantown, West Virginia.

[REDACTED Defendant #7] AKA Ibatistuta is a vendor of Dumps, Counterfeit Credit Cards, Counterfeit Holograms and Signature Panels.

[REDACTED Defendant #8] AKA CC—Trader AKA Kengza is a vendor of Fullz, that is, credit cards along with the cardholder information: name, date of birth, Social Security Number, address, telephone number, mother’s maiden name, ATM PIN, expiration date, and the CVV number or security code on the back of the card, for $20 each with a minimum order of $200. He also sells PayPal accounts for $10 each, and access to online banking accounts with Fullz identification information for between $140 and $200, depending on the balance in the victim’s account.

Smith, AKA Sircharlie57 AKA Fairbusinesssman, is a vendor of Counterfeit Plastic and Counterfeit Credit Cards at Carder.su.

Haggerty, AKA Wave, is a vendor of Counterfeit Identification Documents and Counterfeit Credit Cards at Carder.su. Haggerty offers drivers licenses for the states of Arizona, California, Florida, Georgia, Hawaii, Illinois, Louisiana, Nevada, New Jersey, Ohio, Pennsylvania, Rhode Island, South Carolina, Texas, and Wisconsin, as well as British Columbia, Canada. Drivers licenses range from $100 to $200. Blank credit cards were $20 and embossed cards $30 each.

[REDACTED Defendant #11], AKA Bank Manager, AKA Document Manager, AKA Corey, is a vendor of Counterfeit Identification Documents, stolen corporate account information, dumps, and counterfeit credit cards in the Carder.su organization.

[REDACTED Defendant #12], AKA AbagnaleFrank, is a vendor of Dumps. He sells a mix of 100 Visa and Master Card accounts for $1500, and 100 American Express cards for $1,000.

[REDACTED Defendant #13], AKA Devica, is a vendor of counterfeit credit cards and holograms.

[REDACTED Defendant #14], AKA Track2, AKA Bulba, AKA nCux, is a vendor of dumps (ICQ#572019043/164419326/460085653). He has his own website that he advertises to sell his dumps that allows users to do searches for the types of cards they want and to pay using Liberty Reserve dollars (an online currency). Card prices are approximately $20 each.

Mukhtar, AKA Caliber, is a vendor of Counterfeit Plastic and Counterfeit Credit Cards as well as Counterfeit Holograms and Signature panels. Blank plastic was sold for $15, embossed credit cards for $20. Cards with photos or chips were $25 unembossed or $30 embossed. Cards with both chip and photo were $30 unembossed or $35 embossed. His prices were negotiable based on volume.

[REDACTED Defendant #16] AKA Patistota is a vendor of CVVs as well, with a custom website that allowed buyers to shop for cards at specific banks by their BINs (Bank Identification Numbers, the prefix of a Visa or MasterCard number), and offered a service for testing whether the CVV on a card was valid.

[REDACTED Defendant #17] AKA Source is a vendor of dumps, which he sells from $12 to $150 each depending on quantity and geographical location. He also advertised his own specialty site on Carder.su which allows members to lookup cards for sale by BIN.

[REDACTED Defendant #18] AKA C4rd3R is a vendor of CVVs and Fullz on Carder.su, and offers member-to-member ICQ chats.

[REDACTED Defendant #19] AKA Bowl is a vendor of CVVs at Carder.su, and advertises his own website on Carder.su websites.

[REDACTED Defendant #20] AKA Dorbik AKA Matad0r is a vendor of Bullet Proof Hosting services. Bulletproof hosting guarantees that websites hosted in these locations will not be shut down, even if they are blatantly hosting criminal content. Other criminals hosted carding forums and phishing sites on Dorbik’s services.

John Doe 3, AKA Gruber, is a vendor of counterfeit identification documents in the Carder.su organization. He makes cards for Arizona, California, Florida, Georgia, Hawaii, Illinois, Louisiana, Nevada, New Jersey, Ohio, Pennsylvania, Rhode Island, South Carolina, Texas, and Wisconsin, as well as British Columbia, Canada. (By pricing and state selection, it is clear that Gruber and Haggerty are working together.)

John Doe 5, AKA Elit3, is a vendor of Fullz which he sells for $5 to $7 each with a minimum order of $15. He also sells Enroll data (all the personal information in a Fullz, plus login information for an online bank account) for $15 to $20 if the Enroll also included an ATM PIN.

John Doe 6, AKA Fozzy, is a vendor of dumps in the Carder.su organization with prices from $12 to $100 depending on quantity and geographic location.

John Doe 7, AKA Vitrum, AKA Lermentov, is a vendor of dumps in the Carder.su organization, priced between $15 and $100 depending on quantity and geographic location.

[REDACTED Defendant #35], AKA Panther, AKA Euphoric, AKA Darkmth, is a vendor of dumps in the Carder.su organization with prices beginning at $20 for United States dumps.

John Doe 8, AKA TM, is a vendor of dumps and CVVs in the Carder.su, which he sells through his own website advertised on Carder.su.

John Doe 9, AKA Zo0mer, AKA Deputat, is a vendor of stolen Paypal accounts, including names and passwords, as well as proxies (for hiding member’s true IP addresses while performing transactions) and Fullz. He also provided Credit Card testing services, and information services, including lookups of Social Security numbers, Dates of Birth, and Mother’s Maiden Names. He sold dumps for between $15 and $150 depending on quantity and geographic location.

John Doe 10, AKA Centurion, is a vendor of dumps in the Carder.su organization which he sold for between $15 and $80 depending on quantity and geographic location.

John Doe 11, AKA Consigliori, is a vendor of dumps in the Carder.su organization and sells blank plastic cards for $15 or embossed credit cards for $20 each.

Members charged with production and trafficking



Michael Lofton, AKA Killit, AKA Lofeazy.
Shiyang Gou, AKA Cder.
David Ray Camez, aka BadMan, aka DoctorSex.
Cameron Harrison, AKA Kilobit.
[REDACTED Defendant #25], AKA Qiller.
Duvaughn Butler, AKA Mackmann.
Fredrick Thomas, AKA 1Stunna.
John Doe 1, AKA Senna071.
John Doe 2, AKA Morfiy.

More on the Charges


In the Full Indictment individual charges are shown with many examples.

For example, one charge lists all of those charged with trafficking in false identities, and gives one example of a purchase date from each vendor, with dates ranging from January 23, 2009 to April 7, 2011, and showing what state the driver’s license was for, including many in Nevada, some in New York, and others in Texas, Georgia, and Virginia.

To show the Conspiracy charges, each charge provides evidence of at least two of the defendants communicating and agreeing to be involved in criminal activity.

For the “Possession of Document-making Implements” charge, an example is that Montecalvo was found to have laminates used in the production of counterfeit Illinois driver’s licenses; and Photoshop templates for creating counterfeit Maryland and Florida driver’s licenses.

Several of the members, including REDACTED #8, 12, and 16, and Lofton, Harrison, Thomas, Maxxtro, and Elit3 are shown committing fraud by making charges using cards on certain dates belonging to certain named people. Dates range from MAXXTRO in November of 2006 to REDACTED #16 on September 16, 2010.

The “Possession of more than 15” cards charges are spelled out by showing how many provably counterfeit cards each charged user was shown to have on a particular date (presumably when a search was performed or an email was sent or received containing that information). Some were as low as 17 for Fozzy on February 15, 2007, and as high as “More than 490” for REDACTED #7. Dates of evidence range from February 13, 2007 to June 14, 2011. That’s right, bad guys! Even if you “got out of the game” five years ago, you can still be charged for your activities at that time.

Again, for more details, interested readers are referred to the full 50 page PDF of the indictment.
