I'm Arik, welcome to my weblog


June 21st, 2005

Stay tuned

Filed under: Personal, Relocation, Work, Travel — arikb @ 11:18 pm

As you may or may not know, I’m relocating to the US, specifically the San Francisco Bay Area.

My company’s new offices are in Palo Alto, so I’ll probably be living nearby.

I’m scheduled to fly over this Friday. It won’t actually be relocation, because I don’t have my US work visa yet (it’s in the works) - I’m still an employee of the Israeli company, and it’s considered a business trip. I do intend to scope the area for places to live and acquaint myself with the new surroundings.

I will probably have more to write on this in the near future, so stay tuned.

• • •

June 6th, 2005

How This Trojan Horse Works

Filed under: Computer Security, Privacy — arikb @ 3:12 pm

Some more information about the trojan is at this link:

How This Trojan Horse Works in this Case – 4Law Exclusive Presentation

Some very detailed logs of its activity.

– Arik

• • •

June 2nd, 2005

Trojan horse - more information

Filed under: Computer Security, Privacy — arikb @ 1:39 am

I’ve followed up on some info regarding the specific trojan used, and it seems to be the Hotword.B trojan.

The Symantec analysis (and a similar one on Aladdin’s site) shows that the protocol used to get a configuration file was FTP. There is no mention of the protocol used to actually get the data out, but it may as well be FTP.

This surprises me - in many organizations in Israel that I’ve been in, FTP is disallowed at the perimeter. I guess those attacked didn’t bother to disallow it, or - more properly - to allow only a limited set of protocols. An average organization with a private network, a properly configured HTTP proxy (i.e. only HTTP traffic leaves) and no direct routing to the Internet would have been safe from this particular attack.
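To make the perimeter argument concrete, here is an added example (my own illustration, not anything from the Symantec or Aladdin write-ups) that models the policy above: workstations can reach only the proxy, the proxy may only make HTTP(S) connections, and FTP from anywhere is blocked. The proxy address, port and address space are assumed, and the flows are constructed to mirror the FTP configuration fetch described.

```python
"""Egress-policy check: with only proxied HTTP allowed out and no direct
routing, the trojan's FTP channels are cut off. Sample flows are constructed."""
from dataclasses import dataclass

PROXY_IP = "10.0.0.5"         # assumed address of the outbound HTTP proxy
PROXY_PORT = 8080             # assumed proxy listening port
INTERNAL_NETS = ("10.",)      # assumed private address space prefix


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NETS)


def egress_decision(flow: Flow) -> str:
    """Return 'allow' or 'block' under the perimeter policy described in the post:
    internal hosts may only talk to the proxy; the proxy may only make HTTP/HTTPS
    connections; everything else (FTP on 21, direct web access) is blocked."""
    # Internal-to-internal traffic is not the perimeter's concern.
    if is_internal(flow.src) and is_internal(flow.dst):
        return "allow"
    # Workstations have no route to the Internet: only the proxy is reachable.
    if is_internal(flow.src) and flow.src != PROXY_IP:
        return "block"
    # The proxy itself may only speak HTTP(S) outbound.
    if flow.src == PROXY_IP and flow.proto == "tcp" and flow.dport in (80, 443):
        return "allow"
    return "block"


# Constructed flows modelled on the FTP config fetch described above.
SAMPLE_FLOWS = [
    Flow("10.0.1.20", PROXY_IP, PROXY_PORT, "tcp"),   # workstation to proxy: fine
    Flow(PROXY_IP, "203.0.113.10", 80, "tcp"),         # proxy fetching a web page
    Flow("10.0.1.20", "203.0.113.50", 21, "tcp"),      # trojan fetching config via FTP
    Flow("10.0.1.20", "203.0.113.50", 80, "tcp"),      # direct web, bypassing the proxy
    Flow(PROXY_IP, "203.0.113.50", 21, "tcp"),         # FTP even from the proxy host
]


def audit(flows):
    """Pair each flow with its decision; the blocked ones are what you would log."""
    return [(f, egress_decision(f)) for f in flows]


if __name__ == "__main__":
    for f, d in audit(SAMPLE_FLOWS):
        print(f"{d:5} {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```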

And on a different note, the Aladdin link above was in an unsolicited message I got from Aladdin. I might have given them my email address at some time in the past, but I did not intend it to be used to send me UCE. A lot of Israeli security companies are trying to jump on the bandwagon and make money off the trojan discovery.

My previous post on this topic is here.

• • •

May 29th, 2005

Trojan horses abound

Filed under: Computer Security, Privacy — arikb @ 8:16 pm

The press calls it ‘The Trojan Horses Scandal’. I’ll include a few links to Israeli press below.

To make a long story short, I’ve summarized the information I got from the press together with my personal insights, blended in. My information came mainly from the press, and I’ve extrapolated in places, so don’t take anything for granted:

  • A number of very prominent Israeli companies were infected by a trojan. Foreign companies may have been victims as well, but their names were not provided.
  • The trojan was targeted specifically at those companies by the perpetrator, and more specifically at key people in those companies and PR companies working for those companies.
  • The trojan was targeted at Windows machines.
  • The attack vector was social engineering, using e-mail and CD-ROMs sent to the victims as ‘a business proposal’.
  • Data exfiltrated from some of the infected machines includes (but is not limited to) the ‘My Documents’ folder and screen captures.
  • The stolen data was sent to “FTP servers” both out and inside Israel. The protocol used for the actual transfer was not disclosed.
  • The trojan was never detected within the infiltrated companies until the police looked for it.

  • The first lead into the case came from a writer, Amnon Jacquont, whose pre-published book was found on the net.
  • The writer has been the target of identity theft in the past months, by someone who apparently wanted to cause him harm. Activities included posting to various forums with his identity, using his network account and writing disparaging entries in the Hebrew branch of Wikipedia and forums of Israeli book stores.
  • The writer’s wife, a known Israeli radio personality, finally talked him into filing a complaint with the police. When asked by the police if they had a suspect, the couple pointed a finger at their ex-son-in-law, Michael Haefrati. The divorce was ugly and involved a lawsuit that Michael lost.
  • The police computer crime unit inspected Amnon’s computer, and located a trojan. They traced the data to an “FTP server”.
  • Upon inspection of the data on the server, the investigators discovered internal documents belonging to the aforementioned prominent companies.

  • After around 6 months of investigation, the police have a comprehensive list of victim companies and of the companies that benefited from the information.
  • The deals were brokered by three private investigation firms, and Michael was the technical contact who executed the attacks in person.
  • Come Sunday the 29th (today), a large police force accompanied by computer experts confiscated a large amount of equipment from a comprehensive list of companies and private residences. A few suspects have been arrested.
  • As expected, the suspect companies blame the investigation companies for any illegal act, and Michael (who was apprehended in the UK) claims his software was not meant to be used illegally. Investigators are sure, however, that Michael has made target-specific adaptations to the software.

My take on this:

  • It was bound to happen sooner or later. I know I’m a pessimist, but I suspect this is currently going on unchecked on a very large scale worldwide.
  • Being computer-smart is not enough. If you want to be a successful and free cracker, you have to be real-world smart too: Michael was caught because he used his software to execute a personal vendetta against his ex-father-in-law. Had he not done that, these activities could have remained hidden to this day.
  • Moreover, from what I gather (although it is not stated specifically), the reason the investigators caught up with his commercial enterprise is that he left the Jacquont files on the same server as files from his other activities.
  • This is not the last we are going to hear about this type of attack.

Stay safe.

Some media links:

Haaretz: Top Israeli execs held in industrial espionage case
Haaretz: Haephrati’s arrest “was like music to our ears,” says couple who sparked probe
Haaretz: Analysis / Trojan horse violates more than one law
Globes: YES, Pele-Phone, Cellcom execs arrested for computer espionage
YNetNews: Scandal shocks business world
IsraelInsider: Trojangate: Top Israeli execs arrested for using virus to spy on each other
DEBKAfile: Two Suspected Israeli Computer Hackers Face Extradition from London
Boaz Gutman’s site

Too much comment spam made me cancel comments for this post.

• • •
This work is licensed under a Creative Commons License.