MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Tuesday, 27 May 2008

The FBI Have Contacted Me!

I received the following e-mail [screenshot below] this morning which says it has come from the FBI. Not only that, it states that it was sent by FBI Director Robert S. Mueller the Third of the Anti-terrorist and Monetary Crimes Division, and that if I don't respond and/or supply the requested information I'll be charged!





It goes on to say that I have $10,500,000.00 being wired to me via a Secured Diplomatic Transit Account [S.D.T.A] and I need to prove that I have the required paperwork, including a Diplomatic Immunity Seal of Transfer [DIST] and an FBI Identification Record (aka a Rap Sheet or Criminal History Record), to prove I am who I claim to be and that I'm not a terrorist or drug dealer. If I can supply these proofs, then the money is all mine!

OK, how many of you out there reading this would go along with this? Hands up, so I can count ;-)

Now, how many of the rest of you smell something fishy? Well, it isn't a Phish at all, it is just another new version of the so-called 419 scam.

The twist here is that the Boys and Girls from Lagos [or almost anywhere else in the World now] are using fear as a new social engineering tactic to get you to part with personal data, which they will then either misuse or sell to others.

If you somehow, miraculously come up with the requested proofs, then guess what, you won't get any money at all, because there is no money in the first place, and the e-mail isn't from the FBI [or anyone in law-enforcement], surprise! ;-)

Whatever you do, don't fall for this scam [or any of its relations]; it relies on what the Lagos boys call Wad [rich, greedy people]. They also use a less polite name for the people they dupe: Mgbada*.

To the Boys and Girls from Lagos [the 419ers that run these scams], it is a business; some say it should be considered an African cottage industry. However they want to try and justify it, it is still a crime, no more, no less.

Other unusual examples of 419s I've covered include

Lots of other examples have also been covered over the years on this blog, and I have written several articles for Virus Bulletin on 419s, which can be found here.

* If anyone can tell me what this means in English, then please e-mail me, thanks.


Wednesday, 7 May 2008

EICAR 2008 Conference Paper Now Available

This is a quick update on my posting from yesterday, and to announce that the full paper for the EICAR 2008 conference which was held earlier this week is now available for download as a PDF [Adobe Acrobat] file.

To refresh your memories, here is the abstract from the paper, entitled "Where To Now: Detecting The Unknown":
The increasing speed of new malware strains being written and released means that security professionals are more likely than ever before to see new malware.

This means new malware which is not detected by the anti-malware solutions they have deployed in their infrastructure, be it workstation, server, PDA or at the gateway.

Imagine this scenario: An end-user calls the helpdesk and reports that their system is running very sluggishly when it wasn't a week ago and that they can't access the Windows 'Task Manager' or open a command prompt any more.

Is this caused by malware or is it a 'user' problem? The virus scanner is right up to date and active, and it says the system is clean, the personal firewall is active too. Where do you go from here? Investigate or rebuild the box?

How can you tell if the machine is clean or infected by a new malware, with a reasonable level of confidence for your conclusion?

This paper will look at what tricks, tools and techniques you can use to help establish the true state of the 'suspect' system. It will focus on a step by step approach of what tools to use, what to look for and what to do with any suspicious files. It will also discuss the use of forensic tools in such a scenario, as a last port of call.

The paper will draw on real scenarios where new [undetected] malware has been responsible for 'odd' system or network behaviour.
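The two symptoms in the scenario above [Task Manager and the command prompt both refusing to open] are most often produced by malware writing the same policy values that an administrator would set via Group Policy. The following PowerShell is an added example, not code from the paper or this blog: a read-only first pass over a suspect Windows box that reports whether those policy values are set and then lists the Run keys where whatever set them is likely to have installed itself. The registry locations are the standard Windows policy and autostart keys; nothing here is specific to any one sample, and the script assumes Windows PowerShell run from an account that can read HKLM.

```powershell
# Added triage example for the "no Task Manager, no command prompt" scenario.
# Read-only: reports policy values and autoruns, changes nothing on the host.

$checks = @(
    # Task Manager disabled when DisableTaskMgr = 1 (per-user or machine-wide)
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Bad = 1 },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Bad = 1 },
    # Command prompt disabled when DisableCMD = 1 (cmd.exe and batch files) or 2 (cmd.exe only)
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD'; Bad = 1, 2 },
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD'; Bad = 1, 2 }
)

foreach ($c in $checks) {
    # Get-ItemProperty returns $null if the key or value does not exist; that is the clean case.
    $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($value -ne $null -and $c.Bad -contains $value) {
        Write-Output ("SUSPECT: {0}\{1} = {2}" -f $c.Path, $c.Name, $value)
    } else {
        Write-Output ("ok:      {0}\{1} not set" -f $c.Path, $c.Name)
    }
}

# If a policy value is set and no administrator put it there, the next question is
# what is starting with the machine. List the two most common Run keys.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($props) {
        # Skip the PS* bookkeeping properties PowerShell adds to every registry object.
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { Write-Output ("autorun: {0} -> {1}" -f $k, $_.Name) ; Write-Output ("         {0}" -f $_.Value) }
    }
}
```

A SUSPECT line tells you the mechanism behind the symptom, not that the machine is otherwise clean, and an "ok" result with the symptom still present is itself a finding: if Task Manager will not start and no policy value explains it, something is interfering below the level of the registry API, which is exactly the point at which the abstract's "last port of call", offline forensic tools, comes into play. Note also that a fresh sample can restore these values the moment they are cleared, so reading them once is a snapshot, not a remediation.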

The paper can be downloaded via the following links:

As usual all feedback is most welcome.


Tuesday, 6 May 2008

No, I [Still] Haven't Fallen Off The Edge Of The World....

Or been kidnapped by aliens, gone over to the dark side or gone down with a virus [or should that now be malcode?].

It seems that about this time, every year, I end up writing a post like this, so here is this year's version. ;-)

Sorry for the lack of blog entries over the last month or so, but I've been writing a conference paper for the EICAR international conference which is, as I write this, being held in Laval, France.

So, am I writing this blog entry from there? No, unfortunately not, let me explain...

Why am I not presenting my paper at EICAR 2008 in Laval, France? Why am I not there today?

Well, the decision was made because we [the new team/service I'm part of] were in the middle of a major analysis of new malcode, and this was a very high priority. It was decided at a commercial level that it would be better if I were available at a moment's notice if new samples were found that required immediate analysis. If I were in Laval, France, I would be unable to work on live malcode and keep in contact.

So, I'd like to apologise once more to EICAR that I was unable to attend and present my paper at the conference. Hopefully, if the team I'm now part of is expanded, this won't have to happen again. Anyone who attended EICAR will still have seen my paper presented, but by Eric Filiol [who does not work for IBM or ISS] instead. This was the best solution we could come up with at the last moment.

The paper will be made available later this week at the following locations*:


Writing the paper for EICAR is only one of the reasons for my lack of posting, other changes have been afoot!

Firstly, I have moved to a new company, well, sort of: I now work for Internet Security Systems, who, as some of you may know, were acquired by IBM a while ago. So, I now work for ISS, which is owned by IBM. However, my role has changed, as I now work in the X-Force Professional Security Services section as a Malware Analyst and Consultant.

So, what does this new role involve?

The main part of it is malware analysis and reverse-engineering. So, in some ways I have stepped back in time to the sort of work I used to do when I wrote my own anti-virus detection and remediation tools [whilst I was working for another company]. However, the game has changed quite a bit since then; luckily my skills are not that rusty, so I have managed to get back up to speed very quickly. Other skills I have picked up and honed over the years will probably also be required for other parts of my new role; more on that another time.

However, that is not all that has kept me from posting recently, other things include:

  • Lecturing at the University of Warwick on malware and internet security later this month, so my slides need to be updated and tweaked before then.

  • Writing and submitting abstracts for this year's Virus Bulletin conference, to be held in Ottawa, Canada.

  • Building systems and finding/creating tools to help in the analysis of new samples; they just keep coming!

  • Working very long hours on malcode analysis.

Normal [once or twice a week postings] service will be resumed as soon as I can find that elusive 25th hour in the day, or I decide to give up trying to get any sleep at all!



* All my published papers and articles can be found at those web addresses.
