The Washington Times - Wednesday, January 5, 2011

Malicious software disguised as an e-mailed White House Christmas greeting and sent to federal and state government officials netted its authors a huge haul of potentially sensitive data, including passwords and documents, according to computer security analysts.

The malicious software, or malware, was designed to collect log-in and password data for banks, commercial services or financial websites such as eBay and PayPal as well as other sites such as MySpace and Microsoft, according to Alex Cox of Netwitness, a computer forensics firm based in Herndon, Va.

Mr. Cox said the malware also was designed to steal documents stored on computer hard drives and upload them to a server in Belarus. Researchers were able to access the server, but what they found there likely was just a small fraction of the hackers’ haul, Mr. Cox told The Washington Times.

“They were clearing that stuff out every day” and moving it to a more secure location, he said. “That’s fairly standard.”

Mr. Cox said the attack employed a technique known as “phishing,” in which victims are sent an e-mail containing a link to a Web address. When they click it, their computers can become infected with malware, in this case a well-known program called Zeus.

Such packages are known as Trojans because they effectively open the doors of the infected computer from the inside, allowing hackers access. Zeus is designed to steal passwords and other log-in data.

“As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings” reads the e-mail, which purports to come from the Executive Office of the President.

Mr. Cox said clicking on the fake Christmas greeting downloads a second kind of Trojan, in addition to Zeus, that searches the infected hard drive for documents and uploads them to the server in Belarus.

He cautioned that the attackers could be anywhere in the world. “Just because the server is there, it doesn’t really tell us anything about the [location of the] attackers,” Mr. Cox said.

Another security specialist who accessed the server said he found “several gigabytes” of data there, including records of court-ordered wiretaps, apparently from the computer of an intelligence analyst with the Massachusetts State Police, and hundreds of grant applications from the National Science Foundation’s Office of Cyber Infrastructure.

“This activity is unusual because most criminals using Zeus are interested in moneymaking activities — such as swiping passwords and creating botnets” rather than collecting government documents, wrote Brian Krebs on his blog Krebs on Security.

Mr. Cox said he did not know who or how many had received the fake greeting. Mr. Krebs said he was “reasonably confident” there were “dozens” of victims, including many working for U.S. or state governments.

Department of Homeland Security spokeswoman Amy Kudwa said the department was aware of the attack and was “monitoring this latest Zeus event as we do with all these crime-ware attacks.”

In reality, the White House does not send out e-cards or electronic Christmas greetings. Presidential holiday cards go out the old-fashioned way, by mail, and are sent by the Democratic National Committee.

Last year’s card, according to committee spokesman Hari Sevugan, bore a picture of the White House under a blanket of snow and read, “May your holiday be filled with all the simple gifts of the season.”