Thursday, December 10, 2009

Dec.12 Creative NSA and Pentagon spoof. Infected with Packed.Generic.271 or Zeus? CYBER-PMESII COMMANDER’S ANALYSIS OF FORECAST EFFECTS from ecu@nsa.gov or jh.colving@js.pentagon.mil Wed, 9 Dec 2009 07:49:06 and 09:25:41

The links appear to be dead at this point. Infected with Packed.Generic.271 (Zeus?)
AFRL-RI-RS-TR-2009-136
Final Technical Report
December 2009

CYBER-PMESII COMMANDER’S ANALYSIS OF FORECAST EFFECTS (CYBERCAFE)

INFORMATION SUBJECT TO EXPORT CONTROL LAWS

WARNING - This document contains technical data whose export is restricted by the Arms Export Control Act (Title 22, U.S.C., Sec 2751 et seq.) or the Export Administration Act of 1979, as amended (Title 50, U.S.C. App. 2401, et seq.). Violations of these export laws are subject to severe criminal penalties. Disseminate IAW DoDD 5230.25.

DESTRUCTION NOTICE - For classified documents, follow the procedures in DOD 5220.22-M, National Industrial Security Manual (NISPOM), section 5-705 or DOD 5200.1-R, Information Security Program, Chapter VI. For unclassified limited documents, destroy by any method that will prevent disclosure of contents or reconstruction of the document.

Export of the attached information (which includes, in some circumstances, release to foreign nationals within the United States) without first obtaining approval or license from the Department of State for items controlled by the International Traffic in Arms Regulation (ITAR), or the Department of Commerce for items controlled by the Export Administration Regulation (EAR), may constitute a violation of law.

Download:
http://www.zeropaid.com/bbs/includes/CYBERCAFE.zip

or

http://rapidshare.com/files/318309046/CYBERCAFE.zip.html
http://www.sendspace.com/file/fmbt01

Just saw a posting about it on funsec - someone from Virginia Tech police got it
CYBER-PMESII COMMANDER’S ANALYSIS (fwd)

From: Valdis.Kletnieks () vt edu
Date: Wed, 09 Dec 2009 13:29:39 -0500

Somehow, I doubt the payload here is in fact from NSA, nor covered by any
DOD restrictions. Have at it, forensics junkies. ;)

And thank you Fedora Rawhide for breaking GnuPG on me. ;)

These folks actually got to the bottom of this
http://cryptome.org/cybercafe-virus/cybercafe-virus.htm

http://seclists.org/funsec/2009/q4/960


The links were taken down earlier today - either they did not comply with terms of service or capacity was exceeded (first come, first served).

Message header 1

Microsoft Mail Internet Headers Version 2.0
Received: from XXXXXXXX(XXXXXXXX]) by xxx.xxx.xxx with Microsoft SMTPSVC(6.0.3790.3959);
Wed, 9 Dec 2009 08:18:53 -0500
Received: from mail28.messagelabs.com ([216.82.249.131]) by XXX.XXX.XXX; Wed, 09 Dec 2009 08:18:52 -0500
X-VirusChecked: Checked
X-Env-Sender: root@pl2.rackco.com
X-Msg-Ref: server-6.tower-28.messagelabs.com!1260364730!41971890!1
X-StarScan-Version: 6.2.4; banners=-,-,XXXXXXXX
X-Originating-IP: [207.226.165.250]
X-SpamReason: No, hits=1.0 required=7.0 tests=SUBJ_ALL_CAPS
Received: (qmail 373 invoked from network); 9 Dec 2009 13:18:51 -0000
Received: from mail.amateursplayroom.com (HELO pl2.rackco.com) (207.226.165.250)
by server-6.tower-28.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 9 Dec 2009 13:18:51 -0000
Received: (qmail 2571 invoked by uid 48); 9 Dec 2009 07:49:06 -0500
Date: 9 Dec 2009 07:49:06 -0500
Message-ID: <20091209124906.2567.qmail@pl2.rackco.com>
Subject: CYBER-PMESII COMMANDER’S ANALYSIS OF FORECAST EFFECTS
From: ecu@nsa.gov
Return-Path: root@pl2.rackco.com
X-OriginalArrivalTime: 09 Dec 2009 13:18:53.0702 (UTC) FILETIME=[27A43A60:01CA78D2]

Message header 2

Microsoft Mail Internet Headers Version 2.0
Received: fromXXXXXXXX ([XXXXXXXX]) by XXXXXXXX with Microsoft SMTPSVC(6.0.3790.3959);
     Wed, 9 Dec 2009 09:25:53 -0500
Received: from mail200.messagelabs.com ([216.82.254.195]) by XXXXXXXX with InterScan Message Security Suite; Wed, 09 Dec 2009 09:25:53 -0500
X-VirusChecked: Checked
X-Env-Sender: apache@newsocketworks.virtual.vps-host.net
X-Msg-Ref: server-11.tower-200.messagelabs.com!1260368751!48706339!1
X-StarScan-Version: 6.2.4; banners=-,-,XXXXXXXX
X-Originating-IP: [216.154.216.196]
X-SpamReason: No, hits=1.0 required=7.0 tests=SUBJ_ALL_CAPS
Received: (qmail 1879 invoked from network); 9 Dec 2009 14:25:52 -0000
Received: from slfc.virtual.vps-host.net (HELO newsocketworks.virtual.vps-host.net) (216.154.216.196)
  by server-11.tower-200.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 9 Dec 2009 14:25:52 -0000
Received-SPF: pass (newsocketworks.virtual.vps-host.net: domain of apache@newsocketworks.virtual.vps-host.net designates 127.0.0.1 as permitted sender) receiver=newsocketworks.virtual.vps-host.net; client-ip=127.0.0.1; helo=newsocketworks.virtual.vps-host.net; envelope-from=apache@newsocketworks.virtual.vps-host.net; x-software=spfmilter 0.97 http://www.acme.com/software/spfmilter/ with libspf2-1.0.0;
Received: from newsocketworks.virtual.vps-host.net (localhost.localdomain [127.0.0.1])
    by newsocketworks.virtual.vps-host.net (8.13.8/8.13.8) with ESMTP id nB9EPp8O009730
    for <XXXXXXXX>; Wed, 9 Dec 2009 09:25:51 -0500
Received: (from apache@localhost)
    by newsocketworks.virtual.vps-host.net (8.13.8/8.13.8/Submit) id nB9EPfcR009726;
    Wed, 9 Dec 2009 09:25:41 -0500
Date: Wed, 9 Dec 2009 09:25:41 -0500
Message-Id: <200912091425.nB9EPfcR009726@newsocketworks.virtual.vps-host.net>
To: XXXXXXXX
Subject: RE: CYBERCAFE
From: jh.colving@js.pentagon.mil
Return-Path: apache@newsocketworks.virtual.vps-host.net
X-OriginalArrivalTime: 09 Dec 2009 14:25:53.0978 (UTC) FILETIME=[83E9A9A0:01CA78DB]
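An added example (not from the post or the funsec thread) of the header check a defender runs on a message like this: compare the From: domain with the envelope sender (Return-Path / X-Env-Sender) and pull the first hop the gateway recorded. The header text is abridged from the two header blocks above; the field names are standard and nothing else is assumed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header fields abridged from the two message header blocks on this page.
HEADER_1 = """\
Received: from mail.amateursplayroom.com (HELO pl2.rackco.com) (207.226.165.250)
 by server-6.tower-28.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 9 Dec 2009 13:18:51 -0000
Received: (qmail 2571 invoked by uid 48); 9 Dec 2009 07:49:06 -0500
X-Env-Sender: root@pl2.rackco.com
From: ecu@nsa.gov
Return-Path: root@pl2.rackco.com
"""

HEADER_2 = """\
Received: from slfc.virtual.vps-host.net (HELO newsocketworks.virtual.vps-host.net) (216.154.216.196)
 by server-11.tower-200.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 9 Dec 2009 14:25:52 -0000
X-Env-Sender: apache@newsocketworks.virtual.vps-host.net
From: jh.colving@js.pentagon.mil
Return-Path: apache@newsocketworks.virtual.vps-host.net
"""

# Matches "Received: from <host> ... (<ip>)" as written by the receiving gateway.
HOP_RE = re.compile(r"from\s+(\S+).*?\((\d+\.\d+\.\d+\.\d+)\)", re.S)


def domain_of(addr):
    """Lower-cased domain part of a header address, '' if none."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def analyse(raw_headers):
    msg = message_from_string(raw_headers)
    claimed = domain_of(msg.get("From", ""))
    # The envelope sender is what the MTA actually used; the From: line is free text.
    envelope = {domain_of(msg[h]) for h in ("Return-Path", "X-Env-Sender") if msg.get(h)}
    # Received: lines that do not start with "from <host>" (e.g. qmail's local ones) are skipped.
    hops = [m.groups() for m in map(HOP_RE.match, msg.get_all("Received", [])) if m]
    return {
        "claimed_domain": claimed,
        "envelope_domains": sorted(envelope),
        "first_hop": hops[0] if hops else None,  # (host, ip) seen by the gateway
        "spoof_suspected": bool(claimed) and claimed not in envelope,
    }


if __name__ == "__main__":
    for name, raw in (("header 1", HEADER_1), ("header 2", HEADER_2)):
        print(name, analyse(raw))
```

For both messages the claimed .gov / .mil domain never appears in the envelope sender or the first hop, which is the mismatch the gateway's SUBJ_ALL_CAPS-only spam score above did not catch.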


