Saturday, December 20, 2014

Malware used in the SONY hack - What we are facing from now on...

Shared by the Freedom Writers Project:

US-CERT (United States Computer Emergency Readiness Team) released details of the malware involved. The full release is available by clicking here: Alert (TA14-353A) - Targeted Destructive Malware

SMB Worm ToolThis worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and file is copied and run on the newly-infected host.
Listening Implant: During installation of this tool, a portion of the binaries is decrypted using AES, with a key derived from the phrase "National Football League." Additionally, this implant listens for connections on TCP port 195 (for "sensvc.exe" and "msensvc.exe") and TCP port 444 (for "netcfg.dll"). Each message sent to and from this implant is preceded with its length, then XOR encoded with the byte 0x1F. Upon initial connection, the victim sends the string, "HTTP/1.1 GET /dns?\x00." The controller then responds with the string "200!\x00" (for "sensvc.exe" and "msensvc.exe") or with the string "RESPONSE 200 OK!!" (for "netcfg.dll"). The controller sends the byte "!" (0x21) to end the network connection. This special message is not preceded with a length or XOR encoded.
Lightweight BackdoorThis is a backdoor listener that is designed as a service DLL. It includes functionality such as file transfer, system survey, process manipulation, file time matching and proxy capability. The listener can also perform arbitrary code execution and execute commands on the command line. This tool includes functionality to open ports in a victim host's firewall and take advantage of universal Plug and Play (UPNP) mechanisms to discover routers and gateway devices, and add port mappings, allowing inbound connections to victim hosts on Network Address Translated (NAT) private networks. There are no callback domains associated with this malware since connections are inbound only on a specified port number.
Proxy Tool: Implants in this malware family are typically loaded via a dropper installed as a service, then configured to listen on TCP port 443. The implant may have an associated configuration file which can contain a configurable port. This proxy tool has basic backdoor functionality, including the ability to fingerprint the victim machine, run remote commands, perform directory listings, perform process listings, and transfer files.
Destructive Hard Drive ToolThis tool is a tailored hard-drive wiping tool that is intended to destroy data past the point of recovery and to complicate the victim machine’s recovery. If the CNE operator has administrator-level privileges on the host, the program will over-write portions of up-to the first four physical drives attached, and over-write the master boot record (MBR) with a program designed to cause further damage if the hard drive is re-booted. This further results in the victim machine being non-operational with irrecoverable data (There is a caveat for machines installed with the windows 7 operating system: windows 7 machines will continue to operate in a degraded state with the targeted files destroyed until after reboot, in which the infected MBR then wipes the drive.) If the actor has user-level access, the result includes specific files being deleted and practically irrecoverable, but the victim machine would remain usable.
Destructive Target Cleaning ToolThis tool renders victim machines inoperable by overwriting the Master Boot Record. The tool is dropped and installed by another executable and consists of three parts: an executable and a dll which contain the destructive components, and an encoded command file that contains the actual destruction commands to be executed.
Network Propagation WiperThe malware has the ability to propagate throughout the target network via built-in Windows shares. Based on the username/password provided in the configuration file and the hostname/IP address of target systems, the malware will access remote network shares in order to upload a copy of the wiper and begin the wiping process on these remote systems. The malware uses several methods to access shares on the remote systems to begin wiping files. Checking for existing shares via “\\hostname\admin$\system32” and \\hostname\shared$\system32” or create a new share “cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone, FULL”. Once successful, the malware uploads a copy of the wiper file “taskhostXX.exe”, changes the file-time to match that of the built-in file “calc.exe”, and starts the remote process. The remote process is started via the command “cmd.exe /c wmic.exe /node:hostname /user:username /password:pass PROCESS CALL CREATE”. Hostname, username, and password are then obtained from the configuration file. Afterwards, the remote network share is removed via “cmd.exe /q /c net share shared$ /delete”. Once the wiper has been uploaded, the malware reports its status back to one of the four C2 IP addresses.”
OK. As I said above, this is a bit technical. But, it’s not the technical aspects I want you to grasp. I just want you to come away with an understanding of how sophisticated, pervasive and destructive some malware is and how it can be (and is being) used as a cybercrime and cyberwar weapon.
Boiled down to its essence, this attack broke into the entirety of Sony's computer network, stole almost all of the data on the network, and then destroyed the network so that Sony lost most of the data on the network.
The significance for the rest of us is that the Sony incident is just a taste of what we will all confront with increasing frequency in the future.
Please share this with your friends and family so that they will also have a better understanding of what’s involved than the nonsense the mainstream media is broadcasting.
As always, share your thoughts with me at
Be safe, secure and free!
Rob Douglas – Former Washington DC Private Detective

Arrest young substitute teacher for holding heroin at Waco school

Alayne Caroline Ballantine

Six Shooter– The war on drugs claimed another casualty when “the system” swallowed a youthful woman whole, the end result of a somewhat lengthy, very exacting legal process.

On a gray and rainy Friday morning before Christmas, two months after she was first questioned, a Waco Independent School District police officer arrested Alayne Caroline Ballantine, who resides in the 1900 block of Howard, Waco, for forgery and possession of heroin at the Lake Air Montessori Magnet School.

At the time of the offense, October 20, she worked there as a substitute teacher.
Officers arrived promptly to arrest her at half-past 9 a.m. on Friday, December 19, at a location in the 2000 block of Alexander in this city. Their arrest report lists her as unemployed.

To read more, follow this link:

Thursday, December 18, 2014

Top cops oppose media job for ex-Chief Deputy

Ex-Chief Deputy Matt Cawthon says McLennan County Sheriff Parnell McNamara and Woodway Public Safety Director/City Manager Yost Zachary are opposing his proposed retainer as a television crime consultant...

To read more, follow this link:

Tramp on your street

Billy Joe Shaver revealed something about the art of the gunfight that only an "old school man of the world" could explain. As a result, honky tonk heroes all over the world revere his outlaw songs.

To read more, follow this link:

Wednesday, December 17, 2014

Health plan lowers bottom line

Employees moving to a lean, mean, more streamlined “consumer-driven” health plan with a $3,000 annual deductible made nearly a million dollars difference in claims costs for McLennan County during the previous budget year, according to health consultant Randy McGraw, vice president of HUB International.

To read more, follow this link:

Friday, December 12, 2014

Failure of a partnership

Waco - Matt Cawthon is a retired Texas Ranger who reached the end of his string in October, resigned his position as Chief Deputy, and went fishing. Why? First in a series of articles examining that question:

To read more, follow this link:

Monday, December 8, 2014

Top cop on open carry

Waco – Sheriff Parnell McNamara thought hard about open constitutional carry of firearms; he answered a remark about people shooting cops and cops shooting people.
I had to be certified by the U.S. Marshal’s Service in 1987. I was hired in 1970, and later I had to be certified; that was in 1987.”
He recalled the opening day of class, how the Justice Department instructor started things off with a bang, how they flashed a macbre picture of the U.S. Marshal for the jurisdiction of South Dakota  – dead – laid on the medical examiner’s slab, his body riddled with bullets, his soul departed, long gone and far away, to a better place.
To read more, follow this link: