Saturday, March 31, 2012

USPS Click-N-Ship abused in malware spam

This campaign begins with an email that looks like this:



The email indicates that you have been charged a random amount of money to have a shipping label created. In this case, we were charged $47.44. Because we haven't really ordered a shipping label, we might be upset to be charged, and click the "USPS Click-N-Ship" link that APPEARS to take you to "www.usps.com/clicknship".

In reality, more than eight hundred destination webpages on more than one hundred sixty (160) websites were advertised in the emails using this template that we saw in the UAB Spam Data Mine, and none of them go to the United States Postal Service.
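One defensive check this lure suggests is to compare the visible link text of each anchor against the host its href actually points to, and to combine that with the claimed sender domain. The following is an added example, not code from the post or from UAB; the message it parses is constructed to imitate the template described above, and the helper names are my own.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample imitating the USPS template described above (not a real capture).
SAMPLE_EMAIL = """From: "USPS Click-N-Ship" <no-reply@usps.com>
To: victim@example.org
Subject: Your USPS postage labels charge.
Content-Type: text/html

<html><body>
<p>Your account has been charged $47.44 for a shipping label.</p>
<p>To review the order, visit
<a href="http://lenkajonasova.chytrak.cz/1xmg2qrr/index.html">www.usps.com/clicknship</a></p>
</body></html>
"""

TRUSTED_DOMAIN = "usps.com"


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so "www.usps.com/clicknship" survives line wrapping.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL, or of a bare 'www.example.com/path' string as used in link text."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlparse(url_or_text).hostname or "").rstrip(".")


def within_domain(host, domain):
    """True if host is domain itself or a subdomain of it (case-insensitive)."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def deceptive_links(raw_message, claimed_domain=TRUSTED_DOMAIN):
    """Return (visible_text, href) pairs whose text looks like claimed_domain but whose
    href leads elsewhere. Only single-part HTML bodies are handled here (assumption)."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True) or b""
    parser = LinkExtractor()
    parser.feed(body.decode("utf-8", errors="replace"))
    flagged = []
    for href, text in parser.links:
        if within_domain(host_of(text), claimed_domain) and not within_domain(host_of(href), claimed_domain):
            flagged.append((text, href))
    return flagged


def sender_claims_domain(raw_message, claimed_domain=TRUSTED_DOMAIN):
    """True if the From header's address is in claimed_domain (the spam claims usps.com)."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return within_domain(addr.rsplit("@", 1)[-1], claimed_domain)


def triage(raw_message, claimed_domain=TRUSTED_DOMAIN):
    """Summary a mail filter could act on: the sender claims the domain AND the links
    visibly claiming that domain point somewhere else."""
    links = deceptive_links(raw_message, claimed_domain)
    claims = sender_claims_domain(raw_message, claimed_domain)
    return {"sender_claims_domain": claims, "deceptive_links": links, "suspicious": claims and bool(links)}


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```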

A single destination site would have many subdirectories, all created by the hacker, each containing the link. For example, this Czech website (count | host | path):

1 | lenkajonasova.chytrak.cz | /1xmg2qrr/index.html
11 | lenkajonasova.chytrak.cz | /9hEetc63/index.html
5 | lenkajonasova.chytrak.cz | /CgeknEwU/index.html
14 | lenkajonasova.chytrak.cz | /FP817PwV/index.html
9 | lenkajonasova.chytrak.cz | /hQLv8GxT/index.html
1 | lenkajonasova.chytrak.cz | /LRt1KuAY/index.html
13 | lenkajonasova.chytrak.cz | /qedwZQiv/index.html
1 | lenkajonasova.chytrak.cz | /rSqvJdhP/index.html

The spam messages use a variety of subjects. The ones we saw yesterday were:

count | subject | sender_domain
-------+--------------------------------------------+---------------
479 | USPS postage labels order confirmation. | usps.com
433 | Your USPS postage charge. | usps.com
428 | USPS postage labels receipt. | usps.com
403 | Your USPS postage labels charge. | usps.com
384 | Your USPS shipment postage labels receipt. | usps.com
346 | USPS postage labels invoice. | usps.com
322 | Your USPS delivery. | usps.com
319 | USPS postage invoice. | usps.com
(8 rows)


This was a very light campaign, compared to many that we have seen recently. We received more than half of these emails in a single 15 minute span ending at 7:15 AM our time - which would be 8:15 AM on the US East Coast. We have the theory that the new spam campaign, with a never-before-seen malware sample, is sent at the beginning of the East Coast day as a way to get maximum infections in places like New York City and Washington DC.


The most common websites, all with their own "random-looking" subdirectories, were:
count | machine
-------+----------------------------------
598 | h7xb37qx.utawebhost.at
208 | jadore-events.ro
150 | kissmyname.fr
143 | renkliproje.com
139 | kegelmale.com
138 | layarstudio.com
127 | firemediastd.com
126 | hillside.99k.org
126 | ks306518.kimsufi.com
118 | k-linkinternational.com
113 | graphicdesignamerica.com
112 | hascrafts.com
112 | iaatiaus.org
102 | immodefisc.net

(The rest of the list is at the end of this article...)

A Sample Run


Each day in the UAB Computer Forensics Research Laboratory, students in the MS/CFSM program produce a report shared with the government called the "Emerging Threats By Email" report. They take a prevalent "new threat" in the email from that day and document its actions, in part by infecting themselves with the malware! Here's a sample run-through I did this morning using the techniques followed in our daily report.

We begin by visiting a website advertised in the spam. In this case, I chose:

allahverdi.eu (109.235.251.244) /BSg1hNCZ/index.html (400 bytes)

These "email-advertised links" each call JavaScript files from a variety of other sites. In this example run, visiting the site caused us to load JavaScript from the URL below.

uglyd.com (210.193.7.161) /xTnfi7mG/js.js (81 bytes)

This JavaScript file sets the "document location" of the current browser window to "http://178.32.160.255:8080" with a path of showthread.php?t=73a07bcb51f4be71. That is a Black Hole Exploit Kit server, which carries out the rest of the infection.

This is the location my run gave this morning; yesterday morning's run used a different Black Hole Exploit Kit location:



178.32.160.255:8080/showthread.php?t=blahblahblah (20,110 bytes)

178.32.160.255:8080/data/Pol.jar (14,740 bytes)

178.32.160.255:8080/q.php?f=4203d&e=0 (dropped calc.exe 151,593 bytes)
MD5 = 44226029540cd2ad401c4051f8dac610
VirusTotal (16/42)

The next two files are dropped because of the Java execution of "Pol.jar".

At the time of the UAB Emerging Threats by Email report on Friday morning, March 29th, the VirusTotal detections for this malware were "2 of 42". More than 20 hours later the detection is still only "19 of 42".

santacasaitajuba.com.br (200.26.137.121) /WBoTANuY/hBhT7.exe (323,624 bytes)
MD5 = 276dbbb4ae33e9e202249b462eaeb01e
VirusTotal (19/42)

elespacio.telmexla.net.co (200.98.197.103) /sNxQTzEK/bHk6KE.exe (323,624 bytes)
MD5 = 276dbbb4ae33e9e202249b462eaeb01e
VirusTotal (19/42)



The "Zeus file" (the 323,624 byte one) copies itself into a newly created, randomly named directory within the current user's "Application Data" directory. In the current run, it disguised itself with a "Notepad" icon, claiming to be "Notepad / Microsoft Corporation" in its properties. The file was named peix.exe (but that's random also). The file does an "in place update", so its MD5 changed without the filename changing. My new MD5 of this morning was:

98202808dea55042a3a1aa2d28ab640a

This gives a current VirusTotal detection of 14/42:

AntiVir = TR/Crypt.XPACK.Gen
Avast = Win32:Spyware-gen [Spy]
AVG = Zbot.CO
BitDefender = Gen:Variant.Kazy.64187
DrWeb = Trojan.PWS.Panda.1947
F-Secure = Gen:Variant.Kazy.64187
GData = Gen:Variant.Kazy.64174
Kaspersky = Trojan-Dropper.Win32.Injector.dxrh
McAfee = PWS-FADB!98202808DEA5
Microsoft = PWS:WIn32/Zbot.gen!AF
NOD32 = Win32/Spy.Zbot.AAN
Norman = W32/Kryptik.BKR
Rising = Trojan.Win32.Generic.12BDDB90
VIPRE = Trojan.Win32.Generic.pak!cobra

Most of those definitions just mean "Hey! This is Bad! Don't Run It!"

Antivirus companies don't use the same names for most of this stuff as cybercrime investigators do. So, for instance, in the Microsoft lawsuit last week, they described criminals involved with three malware families: Zeus, SpyEye, and IceIX. All of these would show a "Zbot" or "Kazy" detection in the group above. PWS means "Password Stealer." "pak", "XPACK", and "Kryptik" just mean that the malware is compressed (packed) in a way that implies it is probably malicious.

The bottom line is that this very successful malware distribution campaign has tricked people into installing something from the broader Zeus family (whether Zeus, SpyEye, or IceIX doesn't really matter to the consumer). Once compromised, that computer is going to begin sharing personal financial information with criminals, and allowing remote control access to the computer from anywhere in the world to allow further malicious activity to occur.

This is the kind of malware that was featured on NBC's Rock Center with Brian Williams recently, and that was at the heart of the civil action taken by Microsoft, FS-ISAC, and NACHA that led to the seizure of many domain names and some servers controlled by Zeus criminals.



Click to learn more about UAB's Center for Information Assurance and Joint Forensics Research or to learn about UAB's Masters Degree in Computer Forensics & Security Management.




other destinations




Friday, March 30, 2012

Bubble Device by Nicholas Hanna



Nicholas Hanna has lately been experimenting with textures, patterns and forms produced by the use of water. After creating the great 水书法器 Water Calligraphy Device, he has built a new automated device to make huge soap bubbles. As he told us, Nicholas is interested in investigating the aesthetics of bubbles and the continuous, automated production of temporal objects. An influence for this project is Elaine Scarry and her book On Beauty, in which she presents a theory of beauty as that which begets copies of itself. See more;




Thursday, March 29, 2012

GOD KNOX by KOKOFREAKBEAN



KOKOFREAKBEAN tells us about his new chaotic work;
"GOD KNOX is my gentle, fart-like blitz of a myth revolving around the creation of divinities. It begins with a zesty summoning ritual betwixt several tranny shamans and ends with a personal nirvana. After becoming increasingly dissatisfied with the 2D jigsaw flatness of my previous work, I intended this project to feature more three-dimensional environments and slightly more protracted pacing. This new emphasis allowed me to dwell on compositions and apply more new techniques than ever before. I must declare that I am tempted to disown, mutilate, hambone, and honor kill most of my previous video work due to the healthily robust quality of the mental boner induced by my buxom new video animal, but I will resist that urge as long as infanticide strikes me as distasteful. Please enjoy and spread my sweet beast to the farthest corners of this diseased multiverse so that it may heave and splinter towards something approximating infinity. And blah blah blah." See more;

See his previous posts 1, 2.




Wednesday, March 28, 2012

Irrational Computing by Ralf Baecker



Irrational Computing by Ralf Baecker, 2011, is an artistic test of the material, aesthetics and potential of digital processes. The installation is based on semiconductor crystals – the basic commodity of information technology. The installation consists of five interlinked modules that use the varied electrical and mechanical particularities and characteristics of crystals and minerals and, through their networking, form a kind of primitive macroscopic signal processor. “Irrational Computing” is not supposed to “function” – its aim is to search for the poetic elements on the border between “accuracy” and “chaos”, amplifying the mystic and magic side of these materials. See more;

“Irrational Computing” investigates the material, aesthetics and potential of digital processes. The basic raw materials of our surrounding information technology are semiconductor crystals such as silicon, quartz or silicon carbide, which, thanks to today’s advanced microtechnology and extremely sophisticated procedures, are processed into transistors or integrated circuits (IC), with the materiality of modern microprocessors having long since ceased to be graspable. The extreme miniaturization and the black-box set-up elude visual interpretation. The installation's circuit runs counter to the developments in information technology, representing the system in a dimension that is enlarged many times over. The project thus corresponds to an extreme zooming-in on the smallest “physical” units of digital processes.

The installation consists of five interlinked modules that use the varied electrical and mechanical particularities and characteristics of crystals and minerals and, through their networking, form a kind of primitive macroscopic signal processor. The crystals used for the purpose are either taken directly from nature, industrial waste products or have been especially cultivated for the purpose. A silicon carbide crystal, for example, is made to light up at numerous points with the help of electrodes (LED). On the crystal piece, there appears a kind of display, which is targeted by the data flows generated by other modules. At the same time, the crystal functions as a sound generator, since the electrical impulses change the surface of the crystal, causing it to vibrate. Via loudspeakers, these microscopic reverberations are made audible for visitors.

Digital systems, in their function, are conceived logically and rationally. The lowest physical or electro-technical level (crystals with semiconductor properties) is based, however, on quantum mechanical, i.e. statistical or unpredictable, processes. Modern computer technology has thus tamed and domesticated the chaotic, so to speak. In his work, Ralf Baecker comments on this paradox by examining the aesthetics of the materials from which a global digital network has developed. “Irrational Computing” is not supposed to “function” – its aim is to search for the poetic elements on the border between “accuracy” and “chaos.”

Irrational Computing by Ralf Baecker, produced by DOCK e.V. with support of the Schering Stiftung.

Piece for Words and Views by Jorinde Voigt



"In her new series of 36 drawings, “Piece for Words and Views” Jorinde Voigt is concerned with processes of perception and imagination. The artist took Roland Barthes’ “Fragmente einer Sprache der Liebe” (2004) (Fragments d’un discours amoureux, 1977) and Douglas R. Hofstadter’s “Gödel, Escher, Bach. Ein Endloses Geflochtenes Band” (Gödel, Escher, Bach: An Eternal Golden Braid, 1979) as patterns for this work. Voigt transposes words from these classics into her encoded language of notation and collage technique. The division of the series into three blocks with 21, nine and six sheets reflects Voigt’s study of the different chapters in the books. The drawing cycle was produced as a direct continuation of the collages “308 Views on Plants and Trees” and “100 Views on Chinese Erotic Art. From 16th to 20th Century” (2011). After the worlds of botany and fine art, the artist has now turned to literature as a field of research." - Lisa Sintermann. See more;


The text on "Piece for Words and Views" was written by Lisa Sintermann, who wrote a complete essay about this new series by Jorinde Voigt. She speaks about form and color, movement, melody, rhythm, imagination, notation and collage. It helps to better understand Voigt's new work; I recommend downloading it here.

See the new work of Jorinde Voigt at David Nolan Gallery, New York until April 28, 2012  and at Lisson Gallery, London until next April 28.










DNS Changer: Countdown clock reset, but still ticking

Operation Ghost Click


Last November, the main FBI.gov website headline was "DNS Malware: Is Your Computer Infected?". The story detailed the arrest of six Estonian criminals who had infected more than 4 million computers with malware that changed Domain Name Server settings on the impacted computers. The impact of this change was that when a user typed an address in their web browser, or even followed a link on the web page, instead of asking their Internet Service Provider's DNS server where they should go to reach the computer that had that name, they would ask a DNS server run by the criminals.

Most of the time, the traffic still went to the correct address. But at any time of the criminals' choosing, they could replace any website with content created or provided by the criminals. This allowed them to do things like place an advertisement for an illegal pharmaceutical website selling Viagra on a website that should have been showing an advertisement paid for by a legitimate advertiser.

The case, called "Operation Ghost Click" was the result of many security professionals and researchers working together with law enforcement to build a coordinated view of the threat. The University of Alabama at Birmingham was among those thanked on the FBI website.

DNS Servers and ISC


This case had one HUGE technical problem. If the criminals' computers were seized and turned off, all of the four million computers that were relying on those computers to "find things" on the Internet by resolving domain names to numeric IP addresses for them would fail. They wouldn't just "default back" to some pre-infection DNS setting; they would just stop being able to use the Internet at all until someone with some tech-savvy fixed the DNS settings on those computers.

Because of this, the court order did something unprecedented. Paul Vixie, from the Internet Systems Consortium, a tiny non-profit in California that helps to keep name services working right for the entire world, was contracted to REPLACE the criminals' DNS servers with ISC DNS servers that would give the right answer to any DNS queries they received. Vixie wrote about his experience with this operation on the CircleID blog on Internet Infrastructure on March 27th.

The problem, as Vixie, and other security researchers such as Brian Krebs, have related is that the court order was supposed to be a temporary measure, just until the Department of Justice managed to get everyone's DNS settings set back the way they were supposed to be. Back in November, the court decided March 9th would be a good day to turn off the ISC DNS servers.

But are you STILL infected?


Unfortunately, the vast majority of the 4 million compromised computers have not been fixed. On March 8th the court agreed to give them an extension until July 9th. (Krebs has a copy of the court order here)

But how do you know if YOU are still infected?




When I visit the website "DNS-OK.US" I get a green background on the image (shown above) which tells me that my computer is not using a DNS server address that formerly belonged to an Estonian cybercriminal. (The website is available in several other languages as well.)


The tech behind this is that the website is checking to see if you resolve your DNS by using an IP address in the following ranges:

77.67.83.1 - 77.67.83.254
85.255.112.1 - 85.255.127.254
67.210.0.1 - 67.210.15.254
93.188.160.1 - 93.188.167.254
213.109.64.1 - 213.109.79.254
64.28.176.1 - 64.28.191.254


If you ARE, then you need to assign a NEW DNS SERVER ADDRESS.
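The same check can be run locally against the resolver settings a machine is actually using, which matters for hosts that cannot reach the web test page. The following is an added example, not code from the post or from the DNS Changer Working Group; it embeds the six ranges above, parses constructed resolv.conf and "ipconfig /all" samples (the ipconfig layout is an assumption about that tool's output), and reports which resolver addresses fall inside the rogue ranges.

```python
import ipaddress
import re

# The rogue resolver ranges listed above (first address - last address, inclusive).
ROGUE_RANGES = [
    ("77.67.83.1", "77.67.83.254"),
    ("85.255.112.1", "85.255.127.254"),
    ("67.210.0.1", "67.210.15.254"),
    ("93.188.160.1", "93.188.167.254"),
    ("213.109.64.1", "213.109.79.254"),
    ("64.28.176.1", "64.28.191.254"),
]

# Pre-compute integer bounds so each membership test is a plain comparison.
_BOUNDS = [(int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))) for lo, hi in ROGUE_RANGES]


def is_rogue_resolver(addr):
    """True if addr (dotted IPv4 string) lies inside any DNS Changer range."""
    try:
        n = int(ipaddress.IPv4Address(addr.strip()))
    except ValueError:  # IPv6, hostnames or garbage cannot match these IPv4 ranges
        return False
    return any(lo <= n <= hi for lo, hi in _BOUNDS)


def resolvers_from_resolv_conf(text):
    """Nameserver addresses from /etc/resolv.conf-style text (comments ignored)."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


# "Label . . . . : value" lines in ipconfig /all output have whitespace before the colon;
# continuation lines (additional servers) carry only an indented value.
_LABEL_LINE = re.compile(r"\s:(\s|$)")


def resolvers_from_ipconfig(text):
    """DNS server addresses from 'ipconfig /all' output, including the indented
    continuation lines that list additional servers under the 'DNS Servers' label."""
    servers, in_dns_block = [], False
    for line in text.splitlines():
        is_label = _LABEL_LINE.search(line) is not None
        if is_label and "DNS Servers" in line:
            in_dns_block = True
            value = line.split(":", 1)[1].strip()
            if value:
                servers.append(value)
        elif in_dns_block and not is_label and line.strip():
            servers.append(line.strip())
        else:
            in_dns_block = False
    return servers


def check_resolvers(servers):
    """Map each resolver address to True (in a rogue range) or False."""
    return {s: is_rogue_resolver(s) for s in servers}


# Constructed samples (not from a real host), each with one rogue and one clean resolver.
SAMPLE_RESOLV_CONF = """# constructed sample
search example.lan
nameserver 85.255.112.36
nameserver 8.8.8.8
"""

SAMPLE_IPCONFIG = """Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.lan
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   DNS Servers . . . . . . . . . . . : 93.188.160.10
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    print(check_resolvers(resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)))
    print(check_resolvers(resolvers_from_ipconfig(SAMPLE_IPCONFIG)))
```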

The DNS Changer Working Group has a CHECKUP page and a DNS CLEANUP page to explain this process to technical people. Any "computer savvy" person should be able to follow their guidelines to get the job done.

Good luck!

Gary Warner
Center for Information Assurance and Joint Forensics Research at the University of Alabama at Birmingham.
Learn more about our Masters Degree in Computer Forensics and Security Management.

Tuesday, March 27, 2012

Junkjet Nº5 · net.heart


The image above is the cover of the fifth issue of the great collectable publication Junk Jet; it shows the real size of this latest number (be sure you are seeing the real resolution; press cmd + 0). I like that each publication has a different size, usually very handy; this one is 25.5 x 15.5 cm with a total of 154 pages, whose content shows and speaks about the work of many talented net.artists and internet culture. This issue, called net.heart, transfers internet things from their digital space into a paper jet. —— "It has developed an archive impossible that transports, in print format, net based works, or fragments of works showing collections, series, animations, applications, and reflecting anti-heart texts on the net and its new forms of art, design, and architecture. N°5, the net.heart issue, has transferred internet things from their digital space into a paper jet. This transportation procedure relies on documents in a similar way as the museum relies on photograph and video documenting performance arts. And Junk Jet believes that this analogue documentation is in no way inferior to pseudo-preserving techniques of data migration, emulation, or reprogramming. At the end, Junk Jet says: Transportation is not so much about the artwork as object, but rather about the indication of the subjective decision of the artist. In this sense Junk Jet is a Russian conceptualist." It is edited by Mona Mahall and Asli Serbest. See more;


About the project Junk Jet, "is a zine-jet, a collaborative format set up to discuss speculative works on topics of media, aesthetics, and electronics. Junk Jet is an irregular series of medial events, and a low-fi paper publication, edited by Asli Serbest and Mona Mahall (m-a-u-s-e-r) and published by their own igmade.edition. Junk Jet is about wild forms and found objects, about weird theories and (small) narratives, anti-fashions and non-styles, about exploring do-it-yourself works, accidental outcomes, deviant and normal aesthetic forms that result from jammed common practices, misused media, and subverted customary tools. It is about cultivating an anti heart by “introducing noise to signal”." 

Artists featured in this Nº5 net.heart: 0100101110101101.ORG, Adam Cruces, Agathe Andre, Alessandro Bava, Alexei Shulgin, Angela Genusa, Angelo Plessas, Aureliano Segundo, Asli Serbest, Aristide Antonas, Artie Vierkant, Ball-Nogues, Bärbel Jetter, Bea Fremderman, Beatriz Ramo, Ben Aqua, Ben Vickers, Billy Rennekamp, Bonno van Doorn, Brad Troemel, Brian Droitcour, Bryan Boyer, Carsten Güth, Christian Oldham, Christine Nasz and Stefanie Hunold, Constant Dullaart, Dennis Knopf, Eilis Mcdonald, Fabien Mousse, Gene McHugh, Greg J. Smith, Hanne Mugaas, Jacob Engblom, Jasper Elings, JODI, Jonas Lund, Jordan Tate, Katja Novitskova, Laimonas Zakas, Lenox Twins, m-a-u-s-e-r, Marisa Olson, Michael Schoner, Mike Ruiz, Mimi Zeiger, Mona Mahall, Natalie Bookchin, Nicholas O'Brien, Nicolas Sassoon, NIEI, NLarchitects, Olia Lialina, Palace Palace, Ricardo Scofidio, Parker Ito, Patrick Cruz, Pieterjan Grandry, Rafaël Rozendaal, Raphael Bastide, Sam Hancocks, Sarah Weis, Something Fantastic, Sterling Crispin, Theo Seemann, Will Brand, Wyne Veen.

You can buy this Nº5 directly via the following (PayPal) link; the price also includes the shipping costs.

 

                                                          



Monday, March 26, 2012

MicrosoftDCU, FS-ISAC, and NACHA vs. Zeus

On March 24, 2012, Microsoft unveiled a joint lawsuit with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the National Automated Clearing House Association (NACHA). Based on a Temporary Restraining Order filed as part of the lawsuit, Microsoft and their agent, Stroz Friedberg, accompanied by U.S. Marshals, served their TRO at the BurstNET facility in Scranton, Pennsylvania, and at Continuum Data Centers in Chicago, Illinois. Servers named in the TRO were allowed to be monitored to capture four hours of network traffic before taking the servers into possession, where they will be held in escrow by Stroz Friedberg.

In addition, more than 1700 domain names were redirected to the Microsoft IP address 199.2.137.141. While at first, I thought it would be a useful service to our readership to list the 1700+ domain names, I believe (and will hopefully have confirmation from Microsoft shortly) that it would be sufficient for network administrators to look for traffic destined to this new "rerouted" address. If you have a computer on your network sending traffic to 199.2.137.141, my current understanding is that this computer is likely attempting to send traffic to one of the domains that are subject to this TRO, and that this is an indication that computer may be infected with Zeus, ICE-IX, or SpyEye. Appropriate security measures will vary based on the role and use of that computer within your organization, but password changes of any accounts accessed from that computer, and malware removal would be minimum steps.
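For the traffic check suggested above, here is an added example (not code from the post or from Microsoft) that scans constructed firewall-log lines for connections to the rerouted address and summarises them per internal source host; the log format is an assumption, and real deployments would adapt the regex to their own firewall or flow records.

```python
import re

# Address the post says the TRO domains were redirected to.
SINKHOLE_IP = "199.2.137.141"

# Constructed sample firewall log (not real traffic). The "ts action proto src:port -> dst:port"
# layout is an assumption made for this example.
SAMPLE_LOG = """2012-03-26T08:01:12Z ALLOW TCP 10.0.5.17:49152 -> 199.2.137.141:80
2012-03-26T08:01:13Z ALLOW TCP 10.0.5.17:49153 -> 199.2.137.141:443
2012-03-26T08:02:44Z ALLOW UDP 10.0.5.42:53412 -> 8.8.8.8:53
2012-03-26T08:03:01Z DENY TCP 10.0.7.9:51002 -> 199.2.137.141:80
2012-03-26T08:03:05Z ALLOW TCP 10.0.5.42:51010 -> 93.184.216.34:80
not a log line at all
"""

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    rf"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>\w+)\s+"
    rf"(?P<src>{_IPV4}):(?P<sport>\d+)\s+->\s+(?P<dst>{_IPV4}):(?P<dport>\d+)\s*$"
)


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def sinkhole_contacts(log_text, sinkhole=SINKHOLE_IP):
    """Group every connection attempt to the sinkhole by internal source address.

    Returns {src: {"count": n, "first_seen": ts, "last_seen": ts, "dports": [..]}}.
    Denied attempts are counted too: the host tried to reach a seized domain either way.
    first_seen/last_seen assume the log is in chronological order.
    """
    hosts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] != sinkhole:
            continue
        entry = hosts.setdefault(
            rec["src"], {"count": 0, "first_seen": rec["ts"], "last_seen": rec["ts"], "dports": set()}
        )
        entry["count"] += 1
        entry["last_seen"] = rec["ts"]
        entry["dports"].add(int(rec["dport"]))
    for entry in hosts.values():
        entry["dports"] = sorted(entry["dports"])  # stable, printable form
    return hosts


if __name__ == "__main__":
    for src, info in sinkhole_contacts(SAMPLE_LOG).items():
        print(f"{src}: {info['count']} attempt(s), ports {info['dports']}, "
              f"{info['first_seen']} .. {info['last_seen']}")
```

Hosts listed in the output are candidates for the password changes and malware removal the paragraph above describes.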

The lawsuit names "John Does 1-39", who are described by their online monikers or "handles", many of which will be well known to anyone who has been researching Zeus:

JOHN DOES 1-39 D/B/A Slavik, Monstr, IOO, Nu11, nvidiag, zebra7753, lexa_Mef, gss, iceIX, Harderman, Gribodemon, Aqua, aquaSecond, it, percent, cp01, hct, xman, Pepsi, miami, miamibc, petr0vich, Mr. ICQ, Tank, tankist, Kusunagi, Noname, Lucky, Bashorg, Indep, Mask, Enx, Benny, Bentley, Denis Lubimov, MaDaGaSka, Vkontake, rfcid, parik, reronic, Daniel, bx1, Daniel Hamza, Danielbx1, jah, Jonni, jtk, Veggi Roma, D frank, duo, Admin2010, h4x0rdz, Donsft, mary.J555, susanneon, kainehabe, virus_e_2003, spaishp, sere.bro, muddem, mechan1zm, vlad.dimitrov, jheto2002, sector.exploits AND JabberZeus Crew CONTROLLING COMPUTER BOTNETS THEREBY INJURING PLAINTIFFS, AND THEIR CUSTOMERS AND MEMBERS

All of the supporting legal documents can be found on the Microsoft-registered server:

zeuslegalnotice.com

The Temporary Restraining Order seizes 1,703 domain names! Each domain name is listed with the role that it played in the overall scheme to infect computers and steal data from their users. For example:

filmv.net - dropzone
finance-customer.com - source
firelinesecrets.com - embedded_js
fllmphpxpwqeyhj.net - dropzone, source, infector
flsunstate333.com - updater

A "source" would be a domain that was advertised in an email. An "embedded_js" would be a site to which the source redirected to load hostile java script. A "dropzone" would receive credentials from an infected computer. An "updater" would push additional or new commands, configurations, or malicious code to the already compromised computers.

Microsoft


In a 179 page Declaration, Mark Debenham, a Senior Manager of Investigations in the Microsoft Digital Crimes Unit, lays out the overall structure of the Zeus gang and the way in which Zeus infects users and steals money. He describes the three-fold purpose of Zeus as to infect end-user computers in order to:

(1) steal credentials for online accounts, such as account login information for Microsoft or other websites, or financial and banking credentials, from the owners or users of those computers.

(2) access the victims' online accounts with the stolen credentials, and

(3) transfer information or funds from the victims' accounts to accounts or computer controlled by the Defendants.

Debenham goes on to say that three inter-related malware families are the subject of this lawsuit -- Zeus, Ice-IX, and SpyEye, and that all were created and sold by the individuals using the handles:

Slavik, Monstr, Harderman, Gribodemon, and nvidiag

John Doe 1 is identified as the Zeus botnet code creator, who uses the handles Slavik, Monstr, IOO, and Nu11. bashorg@talking.cc

John Doe 2 is identified as the creator of Ice-IX, who uses the handles nvidiag, zebra7753, lexa_mef, gss, and iceIX. iceix@secure-jabber.biz. ICQ 610875708.

John Doe 3 is identified as the creator of SpyEye, who uses the handles Harderman and Gribodemon. shwark.power.andrew@gmail.com, johnlecun@gmail.com, gribodemon@pochta.ru, glazgo-update-notifier@gajim.org, gribo-demon@jabber.ru.

John Doe 4 is identified as an operator within the "JabberZeus Crew" who recruits money mules and uses them to cash out stolen credentials. He uses the handles Aqua, aquaSecond, it, percent, cp01, hct, xman, and Pepsi. aqua@incomeet.com, ICQ 637760688.

etc.

NACHA



In a separate 163 page declaration, Pamela Moore, the Senior Vice President and Chief Financial Officer of NACHA, documents the particular harm caused to NACHA, showing that in some cases the volume of documented spam messages imitating NACHA rose as high as 167 million emails in a single 24 hour period.

Readers of this blog will be well familiar with the NACHA scams that lead to Zeus, as we have been documenting them as far back as November 12, 2009, when we wrote the article Newest Zeus = NACHA: The Electronic Payments Association.

According to Moore's affidavit, in the month of November 2011 alone, NACHA was responsible for terminating 555 websites that were distributing malicious content linked from an email message imitating NACHA. As a small business with fewer than 100 employees, NACHA has been hit with $624,000 in costs responding to the emails that falsely claimed to be from her organization.

Moore's declaration contains her 15 page statement followed by page after page of documented evidence supporting that false and misleading emails were sent out related to these Zeus actors.

American Banking Association


William Johnson of the American Banking Association also entered a statement of support. Johnson serves as the Vice President and Senior Advisor for Risk Management Policy for the ABA. He also chairs the ABA's Information Security Working Group and their Bank Security Committee. In addition, Johnson is on the board of the FS-ISAC and on the Steering Committee for NACHA's Internet Council. The ABA is of huge importance to the banking world: 92% of the $13 Trillion in U.S. banking assets are held by ABA members.

Statistics shared by Johnson include:
- 2010 was the first time where electronic debit card fraud exceeded traditional check card fraud
- 96% of all banks incurred losses from debit card fraud in 2010. Community Banks experiencing such fraud grew from 61% in 2006 to 96% in 2010.
- In 2009, 36% of banking customers said "online banking" was their primary means of interacting with their bank. In 2010 it was 62%.
- In 2011 4.9% of the U.S. adult population was a victim of identity theft.
- In 2009, the average victim of identity theft spent 68 hours and $741 in costs repairing the damage caused by identity theft.


Kyrus Technologies



Jesse Kornblum (yes, THAT Jesse Kornblum!) of Kyrus Technologies also prepared an affidavit of support for the lawsuit. Jesse was a Computer Crime Investigator for the Air Force Office of Special Investigations, ultimately becoming the Chief of the Computer Crime Investigations Division of the Air Force Office of Special Investigations.

In his role at Kyrus Technologies he and his team reverse engineered many of the Zeus malware binaries, comparing known source code and various binaries, and showing conclusive evidence of shared code between SpyEye, ICE-IX, and Zeus (which they refer to as PCRE). For the malware reverse engineering geeks, be sure to read the Kornblum Declaration (55 page PDF).

Orrick, Herrington, Sutcliffe


Kornblum's declaration was for the malware geeks. For the lawyers in the readership, Jacob Heath of the law firm Orrick, Herrington & Sutcliffe LLP also makes a declaration in support of the call for the Temporary Restraining Order. Orrick is the counsel of record for Microsoft in this matter.

They have arranged the website on which these proceedings are located, as well as the publication of proceedings throughout "Russia, Ukraine, and Romania, where Defendants are generally believed to reside."

Heath's declaration - part one carefully walks through the finer points of ICANN's policies and procedures, showing the clauses that give them the rights to suspend, cancel, or seize the domain names in question, as well as the terms of service at BURSTNET (AKA Network Operations Center, Inc.) that require clients to register domains using truthful information. "Failure to comply fully with this provision may result in immediate suspension or termination of your right to use BurstNET(R) Services." It also shows the BurstNET policies stating that BurstNET services "may be used only for lawful purposes" and specifically banning malware, botnet, spam, or phishing uses of these services.

How thoughtful of Microsoft to help BurstNET enforce these policies!







For many more details, and a video about this weekend's raid at BurstNet in Scranton, Pennsylvania, please see the Official Microsoft Blog.

Sunday, March 25, 2012

Operation Open Market: The Vendors

When we wrote last week about Operation Open Market the court documents had not yet been released in a major multi-agency Identity Theft case which targeted criminals who traded in the identities of others through the online site "Carder.su" and its affiliated other sites. We profiled the prior identity theft career of one of the charged, Jonathan Vergnetti, while we waited for the rest of the court documents to be made publicly available.

Now we are part way there. We have received copies of all three of the indictments related to this operation. Today we'll focus on the largest of the three cases, which still has a considerable amount of data redacted in the version that has been released by the courts. I refer to this case as "The Vendors" case because most of those charged were approved vendors of services in the Carder.su framework. The case, known as "No: 2:12-CR-004" in the PACER system, currently charges 39 defendants in the U.S. District Court of Nevada.

DISCLAIMER: The data below is a reflection of the CHARGES. Of course these dirty rotten identity thieves are presumed innocent until convicted in a court of law.

[REDACTED] indicates someone whose identity is being suppressed for the time being, but "John Doe" indicates someone who is known only by their online monikers, such as those used at Carder.su. Authorities would be interested in learning the true identities of the John Does, if you have them.

A quick index of Carder.su aliases that are still John Does:

Senna071, Morfiy, Gruber, Maxxtro, Elit3, Fozzy, Vitrum, Lermentov, TM, Zo0mer, Deputat, Centurion, and Consigliori. If you know who those folks are, I'm sure your local FBI office would be interested. Refer to "Operation Open Market Nevada Case 2:12-CR-004" when you call. 8-)



The Charges


Count 1: 18 USC § 1962(c) and 1963: Participate in a Racketeer Influenced Corrupt Organization
Count 2: 18 USC § 1962(d): Conspiracy to Engage in a Racketeer Influenced Corrupt Organization
Counts 3-17: 18 USC § 1028(a)(1): Unlawful Trafficking in and Production of Counterfeit Identification Documents or Authentication Features
Count 18: 18 USC § 1028(a)(1): Attempted Unlawful Trafficking in and Production of Counterfeit Identification Documents or Authentication Features
Count 19: 18 USC § 1028(a)(2): Conspiracy to Unlawfully Transfer Identification Document, Authentication Feature, and False Identification Document
Count 20: 18 USC § 1028(a)(7) and (c)(3)(A): Unlawful Transfer, Possession, and Use of a Means of Identification
Count 21: 18 USC § 1029(a)(2): Trafficking in and Use of Counterfeit and Unauthorized Access Devices
Counts 22-55: 18 USC § 1029(a)(3): Possession of Fifteen or More Counterfeit and Unauthorized Access Devices
Counts 56-60: 18 USC § 1029(a)(4): Unlawful Possession, Production, and Trafficking in Device-making Equipment
Counts 61-62: 18 USC § 1029(a)(4): Conspiracy to Unlawfully Possess, Produce and Traffic in Device-Making Equipment
18 USC § 2: Aiding and Abetting (applied to Counts 1, 3-17, 18, 20, 21, 22-56, 61-62).

The Charged



[REDACTED] AKA Admin, AKA Support (Counts 1,2,19)

[REDACTED] AKA Graf, (Counts 1,2,33,44,47)

Alexander Kostyukov, AKA Temp, AKA Klbs (Counts 1-2, 3-17) (Age 27, arrested in Miami, Florida, a Russian citizen)

Maceo Boozer III, AKA XXXSimone, AKA Gr, AKA El Padrino, AKA Mr. Right, AKA MRDC87 (Counts 1,2,3-17) (Age 23, arrested in Detroit, Michigan)

[REDACTED] AKA [REDACTED], AKA Ray (Counts 1,2, 3-17)

Edward Montecalvo, AKA Nightmare, AKA Tenure44 (Counts 1,2,3-17,22-55), arrested in Morgantown, West Virginia. (Carder.su Member#8711, Carding.su Member#8237 Current Status: RIPPER. His profile says he sells FEDEX labels and Track2 Dumps)

[REDACTED] AKA Ibatistuta (Counts 1-2)

[REDACTED] AKA cc--trader, AKA Kengza (Counts 1-2, 20, 22-55)

Jermaine Smith, AKA SirCharlie57, AKA FairBusinessMan (Counts 1-2, 61-62), age 31, arrested in Newark, New Jersey

Makyl Haggerty, AKA Wave (Counts 1-2) NOT YET ARRESTED, LAST KNOWN ADDRESS IN SAN FRANCISCO, CALIFORNIA

[REDACTED] AKA Bank Manager, AKA Document Manager, AKA Corey (Counts 1-2, 61-62)

[REDACTED] AKA AbagnaleFrank (Counts 1-2)

[REDACTED] AKA Devica, (Counts 1-2)

[REDACTED] AKA Track2, AKA Bulba, AKA NCUX (Counts 1-2, 22-55)

Qasir Mukhtar, AKA Caliber, (Counts 1-2, 56-60), Age 27, arrested in New York, NY

[REDACTED] AKA [REDACTED], AKA Patistota, (Counts 1-2, 22-55)

[REDACTED] AKA Source (Counts 1-2, 22-55)

[REDACTED] AKA C4rd3r (Counts 1-2, 22-55)

[REDACTED] AKA Bowl (Counts 1-2, 22-55)

[REDACTED] AKA Dorbik, AKA Matad0r (Count 2)

Michael Lofton, AKA Killit, AKA Lofeazy (Counts 1-2, 3-17), Age 34, arrested in Las Vegas, NV

Shiyang Gou, AKA CDER, (Counts 1-2, 3-17), Age 27, Arrested in New York, NY

David Ray Camez, AKA BadMan, AKA DoctorSex, (Counts 1-2, 3-17), Arrested in Las Vegas, NV

Cameron Harrison, AKA Kilobit, (Counts 1-2,3-17), Age 25, Augusta, Georgia

[REDACTED] AKA Qiller (Counts 1-2, 3-17)

Duvaughn Butler, AKA MackMann (Counts 1-2, 21, 61-62), age 37, arrested in Las Vegas, Nevada

Fredrick Thomas, AKA 1Stunna (Counts 1-2), age 31, arrested in Orlando, Florida

John Doe 1, AKA Senna071 (Counts 1-2, 3-17)
John Doe 2, AKA Morfiy (Counts 1-2, 3-17)
John Doe 3, AKA Gruber (Counts 1-2, 18)
John Doe 4, AKA MAXXTRO (Counts 1-2)
John Doe 5, AKA Elit3 (Counts 1-2)
John Doe 6, AKA Fozzy (Counts 1-2, 22-55)
John Doe 7, AKA Vitrum, AKA Lermentov (Counts 1-2, 22-55)
[REDACTED] AKA Panther, AKA Euphoric, AKA Darkmth (Counts 1-2, 22-55)
John Doe 8, AKA TM (Counts 1-2, 22-55)
John Doe 9, AKA ZO0MER, AKA Deputat (Counts 1-2, 22-55)
John Doe 10, AKA Centurion (Counts 1-2, 22-55)
John Doe 11, AKA Consigliori (Counts 1-2, 61-62)

The main indictment goes after the vendors who provided services at Carder.su, which includes Carder.info, Carder.su, Crdsu.su, Carder.biz, and Carder.pro.


LEADERSHIP



The name of the Administrator (AKA Admin AKA Support) is known but [REDACTED]. There are two moderators charged in the indictment, one [REDACTED] AKA Graf and the other unknown, called JOHN DOE 4, AKA MAXXTRO.

Vendors



Kostyukov, AKA Temp, AKA Klbs, is a vendor of Cashout Services at Carder.su, receiving a fee between 45% and 62% of the total funds laundered in exchange for providing members with cashout.

Boozer, AKA XXXSimone, AKA G4, AKA El Padrino, AKA Mr. Right, AKA mrdc87, is a vendor of Dumps at Carder.su. He sells dumps for between $15 and $150 each, depending on the quantity and the geographical location. United States dumps are least expensive, and European dumps are most expensive.

[REDACTED Defendant #5] AKA RAY is a vendor of Counterfeit Plastic. He sells blank cards for $20 to $25, with a minimum order of 50 cards. Embossed counterfeit credit cards were $65 to $75 with a minimum order of 10. He is also a vendor of Dumps – stolen credit card account numbers – ranging from $30 to $45 each.

Montecalvo, AKA N1ghtmare AKA Tenure44, is a vendor of Dumps at Carder.su as well. He was arrested at his home in Morgantown, West Virginia.

[REDACTED Defendant #7] AKA Ibatistuta is a vendor of Dumps, Counterfeit Credit Cards, Counterfeit Holograms and Signature Panels.

[REDACTED Defendant #8] AKA CC—Trader AKA Kengza is a vendor of Fullz, i.e. credit cards along with the cardholder information: name, date of birth, Social Security Number, address, telephone number, mother’s maiden name, ATM PIN, Expiration Date, and the CVV number or the security code on the back of the card, for $20 each with a minimum order of $200. He also sells Paypal accounts for $10 each. He also sells access to online banking accounts with Fullz identification information for between $140 and $200, depending on the balance in the victim’s account.

Smith, AKA Sircharlie57 AKA Fairbusinesssman, is a vendor of Counterfeit Plastic and Counterfeit Credit Cards at Carder.su.

Haggerty, AKA Wave, is a vendor of Counterfeit Identification Documents and Counterfeit Credit Cards at Carder.su. Haggerty offers drivers licenses for the states of Arizona, California, Florida, Georgia, Hawaii, Illinois, Louisiana, Nevada, New Jersey, Ohio, Pennsylvania, Rhode Island, South Carolina, Texas, and Wisconsin, as well as British Columbia, Canada.
Drivers Licenses range from $100 to $200. Blank credit cards were $20 and embossed cards $30 each.

[REDACTED Defendant #11], AKA Bank Manager, AKA Document Manager, AKA Corey, is a vendor of Counterfeit Identification Documents, stolen corporate account information, dumps, and counterfeit credit cards in the Carder.su organization.

[REDACTED Defendant #12], AKA AbagnaleFrank, is a vendor of Dumps. He sells a mix of 100 Visa and Master Card accounts for $1500, and 100 American Express cards for $1,000.

[REDACTED Defendant #13], AKA Devica, is a vendor of counterfeit credit cards and holograms.

[REDACTED Defendant #14], AKA Track2, AKA Bulba, AKA nCux, is a vendor of dumps (ICQ#572019043/164419326/460085653). He has his own website that he advertises to sell his dumps that allows users to do searches for the types of cards they want and to pay using Liberty Reserve dollars (an online currency). Card prices are approximately $20 each.

Mukhtar, AKA Caliber, is a vendor of Counterfeit Plastic and Counterfeit Credit Cards as well as Counterfeit Holograms and Signature panels. Blank plastic was sold for $15, embossed credit cards for $20. Cards with photos or chips were $25 unembossed or $30 embossed. Cards with both chip and photo were $30 unembossed or $35 embossed. His prices were negotiable based on volume.

[REDACTED Defendant #16] AKA Patistota is a vendor of CVVs as well, with a custom website that allowed buyers to shop for cards at specific banks by their BINs (Bank Identification Numbers, the prefix of a Visa or MasterCard number), and offered a service for testing whether the CVV on a card was valid.

[REDACTED Defendant #17] AKA Source is a vendor of dumps, which he sells from $12 to $150 each depending on quantity and geographical location. He also advertised his own specialty site on Carder.su which allows members to lookup cards for sale by BIN.

[REDACTED Defendant #18] AKA C4rd3R is a vendor of CVVs and Fullz on Carder.su, and offers member-to-member ICQ chats.

[REDACTED Defendant #19] AKA Bowl is a vendor of CVVs at Carder.su, and advertises his own website on Carder.su websites.

[REDACTED Defendant #20] AKA Dorbik AKA Matad0r is a vendor of Bullet Proof Hosting services. Bulletproof hosting guarantees that websites hosted in these locations will not be shut down, even if they are blatantly hosting criminal content. Other criminals hosted carding forums and phishing sites on Dorbik’s services.

John Doe 3, AKA Gruber, is a vendor of counterfeit identification documents in the Carder.su organization. He makes cards for Arizona, California, Florida, Georgia, Hawaii, Illinois, Louisiana, Nevada, New Jersey, Ohio, Pennsylvania, Rhode Island, South Carolina, Texas, and Wisconsin, as well as British Columbia, Canada. (By pricing and state selection, it is clear that Gruber and Haggerty are working together.)

John Doe 5, AKA Elit3, is a vendor of Fullz which he sells for $5 to $7 each with a minimum order of $15. He also sells Enroll data (all the personal information in a Fullz, plus login information for an online bank account) for $15 to $20 if the Enroll also included an ATM PIN.

John Doe 6, AKA Fozzy, is a vendor of dumps in the Carder.su organization with prices from $12 to $100 depending on quantity and geographic location.

John Doe 7, AKA Vitrum, AKA Lermentov, is a vendor of dumps in the Carder.su organization, priced between $15 and $100 depending on quantity and geographic location.

[REDACTED Defendant #35], AKA Panther, AKA Euphoric, AKA Darkmth, is a vendor of dumps in the Carder.su organization with prices beginning at $20 for United States dumps.

John Doe 8, AKA TM, is a vendor of dumps and CVVs in the Carder.su organization, which he sells through his own website advertised on Carder.su.

John Doe 9, AKA Zo0mer, AKA Deputat, is a vendor of stolen Paypal accounts, including names and passwords, as well as proxies (for hiding member’s true IP addresses while performing transactions) and Fullz. He also provided Credit Card testing services, and information services, including lookups of Social Security numbers, Dates of Birth, and Mother’s Maiden Names. He sold dumps for between $15 and $150 depending on quantity and geographic location.

John Doe 10, AKA Centurion, is a vendor of dumps in the Carder.su organization which he sold for between $15 and $80 depending on quantity and geographic location.

John Doe 11, AKA Consigliori, is a vendor of dumps in the Carder.su organization and sells blank plastic cards for $15 or embossed credit cards for $20 each.

Members charged with production and trafficking



Michael Lofton, AKA Killit, AKA Lofeazy.
Shiyang Gou, AKA Cder.
David Ray Camez, aka BadMan, aka DoctorSex.
Cameron Harrison, AKA Kilobit.
[REDACTED Defendant #25], AKA Qiller.
Duvaughn Butler, AKA Mackmann.
Fredrick Thomas, AKA 1Stunna.
John Doe 1, AKA Senna071.
John Doe 2, AKA Morfiy.

More on the Charges


In the Full Indictment individual charges are shown with many examples.

For example, one charge lists all of those charged with trafficking in false identities, and gives one example of a purchase date from each vendor, with dates ranging from January 23, 2009 to April 7, 2011, and showing what state the driver's license was for, including many in Nevada, some in New York, and others in Texas, Georgia, and Virginia.

To show the Conspiracy charges, each charge provides evidence of at least two of the defendants communicating and agreeing to be involved in criminal activity.

For the "Possession of Document-making Implements" charge, an example is that Montecalvo was found to have laminates used in the production of counterfeit Illinois driver's licenses; and Photoshop templates for creating counterfeit Maryland and Florida driver's licenses.

Several of the members, including REDACTED #8, 12, and 16, and Lofton, Harrison, Thomas, Maxxtro, and Elit3 are shown committing fraud by making charges using cards on certain dates belonging to certain named people. Dates range from MAXXTRO in November of 2006 to REDACTED #16 on September 16, 2010.

The "Possession of more than 15" cards charges are spelled out by showing how many provably counterfeit cards each charged user was shown to have on a particular date (presumably when a search was performed or an email was sent or received containing that information). Some were as low as 17 for Fozzy on February 15, 2007, and as high as "More than 490" for REDACTED #7. Dates of evidence range from February 13, 2007 to June 14, 2011. That's right, bad guys! Even if you "got out of the game" five years ago, you can still be charged for your activities at that time.

Again, for more details, interested readers are referred to the full 50 page PDF of the indictment.

Wednesday, March 21, 2012

Zeus still a Spam Threat

Tonight's Rock Center with Brian Williams episode talked about the September 2010 "Trident Breach" case. One of the things that the students in the UAB Computer Forensics Research Laboratory learn is that Cybercrime investigation is a community event. Hundreds of researchers around the world have been tracking cybercriminals who use malware, including Zeus.

UAB now provides a daily report to law enforcement called "Emerging Threats by Email" which regularly documents continued Zeus-related malware threats delivered by spam email. This week there have been several new "social engineering" scams that attempt to convince the email recipient to click on a link.

The UAB Spam Data Mine currently gathers and analyzes more than a million new spam messages each day. Here are some of the Zeus threats we've seen in the spam in the past 72 hours.



The spam message here uses the subject:

J.P. Morgan ACCESS Action Required-Password Reset

The email says that the "Security Administrator" has reset your password to a temporary password, and now you need to logon at "www.jpmorganaccess.com"

Only the link doesn't actually go to JP Morgan. There are more than fifty websites that are actually linked here, each one hacked to include a new subdirectory that contains a file full of redirectors. Those redirectors end up at a "Black Hole Exploit Kit" which then infects the visitor with the Zeus trojan.

The Black Hole Exploit Kit is "crimeware" - criminals sell the software as a service that allows the "renter" of the crimeware to infect visitors with the malware of their choice. Brian Krebs has a nice write-up about Black Hole Exploit kits and Crimevertising.
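A defender-side check for this class of lure, added here as an example and not code from the post: it parses the anchors in an HTML email body and flags links whose visible text names one domain while the href resolves to another (the "www.jpmorganaccess.com" trick), and links whose path follows the eight-character random directory pattern seen on the hacked sites. The sample email body and the hacked-site hostnames are constructed; the directory names are the ones quoted in the post.

```python
"""Flag lure links in an HTML email: displayed domain vs. real href host,
plus the /XXXXXXXX/index.html landing-page pattern used by the hacked sites."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A domain-looking token in the visible link text, e.g. "www.jpmorganaccess.com"
DOMAIN_RE = re.compile(r"((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
# Eight random alphanumerics then index.html, as on the compromised sites in the post
RANDOM_DIR_RE = re.compile(r"^/[A-Za-z0-9]{8}/index\.html$")
# Small table of two-label public suffixes; good enough for this example
SECOND_LEVEL = {"co.uk", "org.uk", "com.br", "com.au", "co.jp"}


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Reduce a hostname to its registrable part (example.com, example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def find_suspicious_links(html):
    """Return one finding per anchor that looks like a lure, with its reasons."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        parsed = urlparse(href)
        actual_host = parsed.hostname or ""
        reasons = []
        shown = DOMAIN_RE.search(text)
        # Visible text names a domain, but the link resolves somewhere else
        if shown and registrable_domain(shown.group(1)) != registrable_domain(actual_host):
            reasons.append("domain_mismatch")
        # Link text may be a person's name or a button label; fall back to the path pattern
        if RANDOM_DIR_RE.match(parsed.path):
            reasons.append("random_dir")
        if reasons:
            findings.append({"text": text, "host": actual_host, "reasons": reasons})
    return findings


# Constructed lure body modelled on the campaigns in the post; hostnames are made up
SAMPLE_LURE = """
<p>Your temporary password is ready. Please log on at
<a href="http://hacked-site.example/VJBqqR5H/index.html">www.jpmorganaccess.com</a></p>
<p>Invitation to connect from <a href="http://other-hacked.example/ACwhfZ0X/index.html">Jane Doe</a></p>
<p>Track a parcel: <a href="https://www.usps.com/clicknship">www.usps.com/clicknship</a></p>
"""

if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_LURE):
        print(finding)
```

The third link, whose displayed domain and href agree, produces no finding; the LinkedIn-style link is caught only by the path pattern, which is why both checks are kept.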



This spam message claims to be a notice from the "Commercial Electronic Office" and tells the recipient they need to access their "Deposit Adjustment Notice" by signing on to "the CEO Portal".

This one works exactly like the JP Morgan version. Forty-five different destinations, each a hacked website, contain redirectors which also send visitors to a Black Hole Exploit kit that drops Zeus.



One of the broader social engineering scams this week says that you are about to fly from the Washington DC airport and that it's time to Check-in online. After receiving such an email, the temptation would be to just "take a peek" and figure out whether you've been charged for a flight!

You might have figured out by now that if you click the link, it's going to take you to one of 140 compromised websites which all have redirectors on them that will automatically take your web browser to a Black Hole Exploit kit that will infect your computer with Zeus.



On March 19th we saw around 9,000 of these messages using the following subjects:

2239 | Careerbuilder.com open positions suggestion.
2188 | New position found for you at Careerbuilder.com.
2106 | Careerbuilder.com has found an open position for you
1930 | Careerbuilder.com has found a vacant position for you
1842 | Careerbuilder.com open position notification.

Some of the templates were a bit screwed up: while one message offered the position of "Chief Legal Officer" at "Security Finance Corporation", another offers the position of "Chief commercial officer Chief Communications Officer" at "%." (Apparently the variable name for the company didn't match up.)

There's also a "Chief Customer Officer" (whatever that is.)

When the email recipient clicks on the job title, perhaps while saying to themselves "How silly, why would anyone want me to be the Chief Legal Officer? I'm not even a lawyer!" they aren't taken to CareerBuilder, but to one of the 100+ websites that have each been hacked to place a set of redirectors that sends the visitor to a Black Hole Exploit kit, which will infect the visitor with Zeus.



In the very most recent of these "BlackHole to Zeus" malware campaigns, LinkedIn is being imitated. The LinkedIn invitation claims to be from "Your classmate", but guess what happens if you click one of the 820 advertised URLs, each disguised as your "friend's" name?

Yes, it loads several redirectors, which then send the visitor to a Black Hole Exploit kit that infects the visitor with Zeus!


As an example, one of the links:

... DANGER: DO NOT CLICK OR FOLLOW ANY OF THESE ...




promocaolilicaetigor.com.br / VJBqqR5H / index.html


contains three redirectors:


gilson.kooka.be / ACwhfZ0X / js.js

m2m-direct.co.uk / tx96TETB / js.js

maksutoski.com / 5GUVH5Sz / js.js


Each of these points to the Black Hole Exploit kit at:


slickcurve.com / showthread.php ?t= 73a07bcb51f4be71


The Black Hole Exploit kit caused my test machine to download:
- a 111,129 byte executable (two times)
- a 17,476 byte Java JAR file
- a 283,160 byte executable (three times)

The 283,160 byte file is the Zeus malware. It was pulled from:

- 173.255.195.167 (slickcurve.com) a computer in New Jersey
- 64.90.51.63 (dosimedio.com) a computer in Brea, California
- 213.152.26.166 (dynolite.eu) a computer in France

But all of those computers are also compromised by the criminal to host the malware. Two of the domains are more than four years old!

The copy of Zeus that gets downloaded is 283,160 bytes in size and has an MD5 of 424c6b3afcde978b05cef918f04df759.

The current VirusTotal report shows that 15 of 43 current anti-virus products will detect this file as malware, although currently only Kaspersky, Microsoft, and Norman call it by ZeuS's most common name, Zbot.
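The landing page, js.js redirectors, exploit kit request and payload downloads described above, as a detection written for this post (not the author's code) over constructed proxy log lines. The hostnames, the t= value and the payload sizes are the ones given in the post; the client IPs, timestamps, payload paths and the log format are constructed. It also shows why the showthread.php path alone is a poor indicator: a second client visits a vBulletin-style forum thread and is not flagged.

```python
"""Detect the lure -> js.js redirectors -> exploit kit -> payload sequence
from the post in (constructed) proxy logs, per client."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed log format: ISO time, client IP, GET, URL, status, bytes
LOG_RE = re.compile(r"^(\S+) (\S+) GET (\S+) (\d{3}) (\d+)$")
LANDING_RE = re.compile(r"^/[A-Za-z0-9]{8}/index\.html$")  # hacked-site landing page
REDIRECTOR_RE = re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")    # the js.js redirectors
KIT_QUERY_RE = re.compile(r"^t=[0-9a-f]{16}$")             # showthread.php?t=<16 hex>


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, url, status, size = m.groups()
    u = urlparse(url)
    return {"ts": datetime.fromisoformat(ts), "client": client, "host": u.hostname or "",
            "path": u.path, "query": u.query, "status": int(status), "size": int(size)}


def classify(req):
    """Map one request to its stage in the chain, or None for anything else."""
    path = req["path"]
    if LANDING_RE.match(path):
        return "landing"
    if REDIRECTOR_RE.match(path):
        return "redirector"
    # A numeric t= (a real vBulletin thread) does not match; only the 16-hex token does
    if path.endswith("/showthread.php") and KIT_QUERY_RE.match(req["query"]):
        return "kit"
    if path.lower().endswith((".jar", ".exe")):  # simplification: payloads by extension
        return "payload"
    return None


def detect_chains(log_text, window=timedelta(minutes=5)):
    """Return {client: chain details} for clients that reached the kit after
    at least two distinct redirector hosts within the window."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        req = parse_line(line)
        if req:
            by_client[req["client"]].append(req)
    findings = {}
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        landing, redirectors, first_redir_ts = None, set(), None
        kit, kit_ts, payloads = None, None, []
        for r in reqs:
            kind = classify(r)
            if kind == "landing":
                landing = r["host"]
            elif kind == "redirector":
                redirectors.add(r["host"])
                first_redir_ts = first_redir_ts or r["ts"]
            elif kind == "kit" and len(redirectors) >= 2 and r["ts"] - first_redir_ts <= window:
                kit, kit_ts = r["host"], r["ts"]
            elif kind == "payload" and kit_ts is not None and r["ts"] - kit_ts <= window:
                payloads.append((r["host"], r["size"]))
        if kit:
            findings[client] = {"landing": landing, "redirectors": sorted(redirectors),
                                "kit": kit, "payloads": payloads}
    return findings


# Constructed log: 10.0.0.5 follows the LinkedIn lure chain from the post (hosts, t= value
# and payload sizes as given there; payload paths made up); 10.0.0.9 browses a real forum.
SAMPLE_LOG = """\
2012-03-21T08:15:02 10.0.0.5 GET http://promocaolilicaetigor.com.br/VJBqqR5H/index.html 200 1834
2012-03-21T08:15:03 10.0.0.5 GET http://gilson.kooka.be/ACwhfZ0X/js.js 200 412
2012-03-21T08:15:03 10.0.0.5 GET http://m2m-direct.co.uk/tx96TETB/js.js 200 412
2012-03-21T08:15:03 10.0.0.5 GET http://maksutoski.com/5GUVH5Sz/js.js 200 412
2012-03-21T08:15:05 10.0.0.5 GET http://slickcurve.com/showthread.php?t=73a07bcb51f4be71 200 9120
2012-03-21T08:15:09 10.0.0.5 GET http://slickcurve.com/q.jar 200 17476
2012-03-21T08:15:14 10.0.0.5 GET http://dosimedio.com/readme.exe 200 283160
2012-03-21T08:20:00 10.0.0.9 GET http://forum.example/showthread.php?t=48213 200 22000
2012-03-21T08:21:00 10.0.0.9 GET http://cdn.example/static/js.js 200 9000
"""

if __name__ == "__main__":
    for client, chain in detect_chains(SAMPLE_LOG).items():
        print(client, chain)
```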




Prospective students might want to learn more about UAB's Master's Degree in Computer Forensics and Security Management (MSCFSM)

Businesses interested in supporting our research are invited to learn more about the Center for Information Assurance and Joint Forensics Research (CIA|JFR)

®NOVA · David Quiles Guilló · SPECIAL POST


David Quiles Guilló. photo by Giselle Galvão

®NOVA Festival is a multidimensional art festival which brings the contemporary audiovisual arts to the forefront. The festival is a live construction site that combines visual art, experimental contemporary techniques and technological resources. The idea came from ROJO®, founded 11 years ago in Barcelona by David Quiles Guilló, director and curator of the exhibition, whose previous editions have been held in São Paulo, Los Angeles and Rio de Janeiro. This year it opens in a few days, on 6 April, in São Paulo at MIS "Museu da Imagem e do Som", supported by SESC Pompéia. It will feature the work of over 100 guest artists!

Triangulation Blog is supporting the ®NOVA Festival as online media partner, and I really want to dedicate a post to this great event, created thanks to the enthusiasm of David Quiles Guilló. Many of the artists participating in this festival have already been featured here, and I feel there is a really good connection with ®NOVA. For this Special Post we have an excellent interview of David by Juliana D Chohfi, in which they speak about everything around the festival. Don't miss it! See more:



Juliana D Chohfi asks to David Quiles Guilló:

J:How did the ROJO start?
D:Rojo came out of a combination of factors. First one was my desire to have my own business. And just at that time I realized that young artists didn’t have many platforms to showcase their work. I had a communication agency and it didn’t take long for me to realize that this wasn’t really my area; I wanted to have an agency to work with these young artists. I was also upset because my clients wouldn’t take in ideas that wouldn’t go their way. So I dismissed all my staff, or my staff dismissed me (laughs). I said I was going to create a new platform and wasn’t sure how to maintain it and that the next three months no one would be paid. I was left alone with my idea of Rojo. And just there and then the project began. It started from a necessity that I spotted in the market and my needs, a reason to get in touch with all the people I admired.

J:It seems that ®NOVA is a ROJO that materialized in space and gained voice and soundtrack. Where did ®NOVA come from?
D:It arose from a need to work less. When we thought of ®NOVA, in 2007, I was in Barcelona and we were making 20 monthly openings all over the world. At the same time we produced the magazine and did client projects. Hectic times! And I thought: “What if I could get everything together in a single project and get paid a million dollars?” This was the first idea. The project was called The Wrong. The idea was a biennial where all the artists in it were those who never made it to proper Biennials. It started well, but when I moved to Brazil the idea evolved into an event that happens several times a year, a big event to gather many artists. Graziela (Graziela Calfat, Executive Director of ®NOVA, married to David) came up with the name. ®NOVA means new, we thought it had everything to do with what we were thinking, a short name that would work with Rojo. And yes, you got it right. ®NOVA is everything we did before separately, now gathered in one event only. It has music shows, performance, communication, collaboration between artists that have never worked together before and it has brands involved in the project. Everyone thought it was madness in Spain; we came to Brazil and it worked here. Brazil is much more open. I’m getting to do what I wanted to and also work a little less. It is indeed too much work, but what changed is the intensity. Before, all months were hectic; now it's eight months of hard work for two hectic months (laughs).


Atsuhiro Ito

J:What has changed since the first edition of ®NOVA to the upcoming one?
D:Interesting. In fact we’re going backwards, which is good! The first ®NOVA was done here at MIS (Museum of Image and Sound in São Paulo) and this edition will also happen here. We’re going back to our roots. Back then we used to test new formulas. Artists were put together: an artist would paint a wall and another would paint over it, a big work in process. The music was left a bit behind. This changed in the following editions. I tried to mix everything and a bit more, music artists, video, we did an experiment with film; and suddenly we were going too far. It was getting difficult, not only for the public but for the artists as well. They came here not knowing what they would do and in the end they wouldn’t take in all the experience we had to offer. So we took a step back. This edition will have a mixture of different media in the same space and music mixed with video, but the artists will be free to do what they like, the way they like it, but always among other artists. The change is mainly in the course of ®NOVA. We went far and came back with all this experience for the edition of 2012. The big difference is the experience we gained and the content. Today we bring more artists from all around the world that are even more innovative. The content is always changing and the media too. It’s an evolution.

J:®NOVA’s format is completely innovative and different from what we see in multimedia exhibitions that pop up everywhere. Was it your intention to break the conventional format?
D:One of Rojo’s features is to create formats. Some of them are conventional, such as the magazine, the website; and others not so conventional, such as art shows on the street. It’s more conventional nowadays but I started doing these shows a long time ago. But coming back to the question, I think the format is very important because the artist can’t feel he’s participating in another music festival or another group show. So we try to innovate in what we present and how we are going to present it. We ended up breaking some taboos. Back then you couldn’t put a type of artist next to another one that wouldn’t match, Street Art wouldn’t go with installation or High Art and music and performance. The idea was that all types of artists and all kinds of work could coexist in the same space for a period of time long enough so that the artists were able to work properly and that the public wouldn’t have that feeling that “if I don’t go to the exhibition now, I’m gonna miss it.” The format emerged from the desire of mixing everything we like, without caring much about what the market was going to say. The idea is to mix new artists with artists already known. Nothing was done to clash with someone’s idea, that’s not it, it’s all about what we want to do and believe is good not only for us, but for the artists. The artists have to take in all they can when they come to the event. If they were put with artists they’re used to working with, it’s only another show, whereas if they work with artists they have never imagined working with, then that’s an experience and you start to get the feel of ®NOVA. We are turning into a big family of people who become best partners, creating new bands, new projects and this is what we always wanted: to shake the art world a little.


Penique Productions

J:The project receives artists from all around the world, including Brazil. In general, how do you select the artists?
D:In general, we select… I say we select, but no (laughs), I select. There are some criteria. The first is to compensate people who have worked with me at some point of Rojo’s history and gave more than they received, people who did very much for Rojo, and this is the time that I have to appreciate their work. This is a deeper reason. Not that everyone who worked with me before is part of ®NOVA, it has to fit in the project. The other criterion is to find artists that have no ‘fear’. Artists that I can easily get in touch with. Hardly ever will you find an artist in ®NOVA that came through an agent or gallery. I want to speak directly to the artist, there must be a relationship so that he understands what we will do here and the risk it assumes. I don’t want anyone in the middle of it evaluating whether this is good for his career. There is another criterion that is what I call complementary arts. I try to mix things that complement each other and try not to have artists working in the same aesthetic area at ®NOVA. I seek works that are very distant. My research goes pretty much this way. I want artists that always have something to add. I don’t fight for artists that have a name, unless it’s an easygoing person. I’m looking for people artists. We are a family. I don’t have a selection committee, I have people that recommend artists, I have my sources of information, and I look for artists that I like. I select what I want; I am a despot, a dictator (laughs). Finally, the last criterion is that everything has to fit in, or not, let’s leave it this way… I think everything has to be a little disengaged. Our work is to put together all that wouldn’t normally go.

J:A memorable moment or show in ®NOVA?
D:Difficult question. We had five editions already. I remember Rio, last year’s opening night with Hildur Guðnadóttir and Quayola was very very nice. It was beautiful! We always have an idea of the result but we never know for sure. It was awesome! I mentioned this show because it’s still fresh in my mind. I think all the openings and closing nights are memorable. I enjoyed the opening of our first edition in LA. The music was really cool. We placed Computer Jay (who’s coming this year) with Cristopher Cichocki, two different worlds. Computer Jay produces cool soul jazz and Christopher makes noise without much sense; it was great. I really liked Protey Temen’s presentation at the Cinemateca last year. It ended up with everyone dancing. I don’t know if it was alcohol or the craziness of his film (laughs), his presentation was really lysergic, he was speaking Russian, we couldn’t understand a thing. I thought it was the most radical of all. It was the closest to what I was looking for, something where you lose the sense of who the public was, of what was going on there. Overall, I think that the Sunday pizzas are memorable! That’s the time everyone is relaxed; people are either done with their work or are arriving at the project to get started. Everyone talks to each other, leaving behind that “don’t you know who I am” feeling. All the artists that come here have their individual world, they have a reputation, followers, and galleries; but when they get together with other artists, they drop this nonsense. That’s when partnerships and collaborations begin. This is the best time.

J:Experimentalism seems to be the watchword of the project.
D:No, I don’t think that experimentalism is the watchword. The word experimentalism pushes people away because they think we will create something that they won’t be able to understand. And that’s not our point. We want to bring together four different fields of art that are usually understood separately, to be acknowledged together. It’s not that I don’t like the word experimentalism. I do. The word festival, for example, has only appeared in this edition; I have resisted this word for a long time now. It seems that a festival is a three-day show with art and parties. What we do lasts longer and it’s bigger than that, but it feels like we are closer to it than nothing at all. Before this edition, the project was called ®NOVA Contemporary Culture. What does that mean? (laughs). I think experimentalism is not the watchword but the way we work. We experiment with pretty much everything.


Zimoun

J:What does ®NOVA mean to you?
D:®NOVA is my son. I feel that I am approaching the format I would like to work with all my life, I don’t get tired of making ®NOVA, although it’s very tiring. There’s a song by Hess is More that says ‘creation keeps the devil away’. It’s great and I really believe in it, if you’re working and doing things you enjoy, this ‘devil’ – that can be interpreted in a thousand ways – has no way of entering your life, there’s no room for it. There’s nothing that will stop my desire to keep doing something cool. I am very close to what I would like to do every day, meet artists, bring people together and do many, many cool things. I’m still approaching the correct format, but I’m close, very close.

J:The project has happened in LA as well. Do you feel the reception of the public is different from the one in Brazil? Does São Paulo and Rio de Janeiro influence the project?
D:The difference between São Paulo and Rio de Janeiro is more noticeable because we spent more time in both cities. Los Angeles happened only once and it was kind of a sample of what we wanted to do. We did only a week and a half of project and the result - the exhibition - was on for thirty more days. In LA, they don’t really care for the work in progress. They prefer something ready-made. Some media even arrived before the opening but they didn’t take in the idea we were presenting. I guess that’s because it is a different concept and they are not used to it, nor are the galleries used to staying open while the artists are working. When it comes to São Paulo and Rio de Janeiro, the difference is mainly the cost. São Paulo has a much greater cost to bring people to the event. I guess it’s because the city has a lot going on. Although it has more public, the cost is still higher. In Rio, we did one of the most difficult events ever. Here in São Paulo at the Cinemateca, we had a script, had a name, artists and had a trailer, while in Rio we just got some artists together and spread the word that there was going to be an experimental work. People actually came to see what was going on! In São Paulo this would never happen! I think Rio is more receptive, perhaps because it lacks such sort of gatherings and events. They are much more open to see what we do and have different opinions about it. Here (São Paulo) we got a unanimous vote saying that the project was cool. In Rio, there were some who felt the project was horrible and others that thought it was wonderful! To me, that’s something that adds up.

J:How did it feel to produce ®NOVA’s communication campaign? Many countries, few days…
D:That’s the first time someone asks me that. It was really cool! More than half of the people we were going to work with, we met for the first time. Usually the artists arrive at the event and we welcome them here. In this case it was the opposite. We went to them and they welcomed us. So it was a really nice thing. I visited cities that I didn’t know, Stockholm, Dublin… doing things outside of the computer is cool too! It was a way to get everyone out of the emails and computers and to work together. That’s what excites me, I think. In the logistics part, well, there wasn’t enough time for leisure. Frank (Isaac Niemand) says: “Now that we know we can do it, we should never do it again!” No, not really. I’m already preparing the next campaign and it will be awesome.

J:What is the main concept behind the communications campaign of 2012?
D:We always suffered with the artists’ promotional images. They either didn’t have the proper settings or were images that had been published somewhere at least once. I thought it would be nice to have our own pictures. At the same time, we wanted the audience to recognize a unique image of ®NOVA. The first year, when we brought the Fuck Buttons, the public thought that it was part of the museum’s program and had no involvement with ®NOVA. This time we want to create an image that somehow unifies the event, so we went after the artists to take their picture with this image. We got in touch with Koen (Koen Delaere). I ordered one hundred works from him for the exhibition and ten of these works were turned into t-shirts. He created five unique t-shirts and customized five others. All t-shirts have a similar style, but are still different. And we expect the media to publish these photos and the public will identify the event because of these images, without being explicit with a logo. Again, the form is to experiment; we are testing this and next year we will have an evolution of this idea, something even crazier, but I won’t tell you now (laughs).

J:How would you describe the ®NOVA generation?
D:Those friends that you would like to have forever! A generation of people that is open to the new and free from conventions and ego. People that show what they do and share how they do it, sharing their secrets. They’re the kind of people that spend a week with others they don’t know and that’s all right. People that share a room with others they don’t know and that’s not a problem. Those friends you communicate with via the Internet and get together with once a year, and nothing has changed.


Graham Caldwell

J:®NOVA is really ‘new’. Did you find obstacles to establish the project?
D:I haven’t yet been lucky enough to make a project in which I didn’t find difficulties (laughs). I’m still waiting for this to happen. I’d love that! (laughs). I not only found holdbacks in developing concepts but in institutions and brands as well; it was hard to make them believe that what I was going to do would have a minimal repercussion. Because in the end, what they want is to have their institutions full of audience and brands that will reach their target audience. This is complex. We were fortunate enough to have the background of Rojo, clients like JB of Diageo, Nike, Pepe Jeans, Diesel, Smart, among others. We worked directly with the international marketing of some of these brands, not just for one project but for several years. This shows credibility; we had such luck.

J:Tell us about ATLAS, ®NOVA’s mini-series.
D:I’ll tell you why we got to a mini-series. We’ve been making work-in-progress and making-of videos for four editions now. So Frank (Isaac Niemand) and I decided to rethink this format. We wanted to make something cool that could have continuity. Something detached from the work in progress, because we already have hours and hours of artists at work; we even have a proper film. We wanted to innovate and ended up with a mini-series format that everyone enjoys. The mini-series revolves around two protagonists; they are friends living together and working for KLM, the airline that supports ®NOVA. They are flight attendants who travel the world, speak several languages but almost never meet each other. Together they go through various situations that somehow interact with ®NOVA. Each chapter is three minutes. The first season has thirteen chapters, plus a pilot that we’re shooting today. I was very focused on the aesthetic part and I think it will end up as something very sentimental (laughs). The idea is that people who think they do not understand ®NOVA will get closer to it through these characters, and perceive it as something available for them as well. That’s what we are seeking. We are super pretentious, always have been. And again, it’s not the word but the way. We are experimenting. For me it is only the first of many seasons.

J:Where do you find your inspiration?
D:Inspiration? Inspiration. Everything, I guess. The city. São Paulo. It is a sunbeam, a downpour. Not that nature inspires me, but its visual part. And São Paulo is radical. Just a moment ago there was a thunderstorm and out came the sun, then back to darkness and raindrops again. I think these contrasts inspire me.

J:What is your expectation for this year? And what can the public expect?
D:It’s like I was telling one of the actresses just now… keep your expectations low and everything will work out. I’m not expecting much, everything will go wrong, and the artists won’t be able to cope with the space… (laughs) The music won’t be good (more laughter)… Expectations? I always have the best expectations! The public can expect a lot of cool people and artists from different places of the world; many of them are coming to Brazil for the first time and don’t know what they will find here, they don’t know the public nor their reactions. Expect a lot of things different from what is usually seen, and don’t worry about being an art critic to appreciate what will happen there. We like to create sensations and magical moments. We like to make good, beautiful and affordable things. Expect great music, of course! Much different and really good music. The tunes include neoclassical music by Nils Frahm and Bosques de mi mente. They are composers of a classical music that nearly turns into pop music. There’s Jay Jay Johanson; it’s been eleven years since he last came to Brazil, and he has great albums and will come with an amazing format. Another great attraction will be Mouse on Mars, who will bring a new show that is full of nonsense. There’s Gonjasufi, who plays on that roots side. Wow! There’s a lot of great music! Esmerine is amazing and they play something like post-rock with different instruments. Thiago Pethit is on the Brazilian team of great music; I really like him and he will open the event beside Beast, who creates a lysergic rock that has nothing to do with Pethit’s sound. I think it will be an incredible mix. I hope many people leave ®NOVA with their new favorite band. Another pretentious goal, I know (laughs).

Interview conducted by Juliana D Chohfi. Thank you!


To finish this post, there is an awesome, inspiring 75-minute documentary film about NOVA, directed by Isaac Niemand. It shows a previous edition of NOVA, which happened in July and August 2010 at the same location, at MIS, so you can get an idea of what the upcoming festival is going to be like. I also enjoyed hearing the participating artists speak about their art and work.



This is happening, and it starts in a few days. From the opening day, Friday April 6 to 12 pm, the exhibition will present over 50 gigs and will feature more than 100 national and international artists working live. In the cultural spaces of São Paulo and Rio de Janeiro, artists are grouped in teams collaborating with each other. Thus, the exhibition will remain in constant motion and creation until the final week of the show, which will host the big closing party.
For 55 days, ®NOVA offers more than 80 hours of film, art and video art to generate a unique experience, pointing to the cultural diversity of contemporary art with the use of colors, lights, textures, music, design and collaborative artistic compositions.

Check out some of the participating artists here.
Join ROJO on Facebook here.

David, thanks for creating all this!

6 April - 31 May 2012 / Sao Paulo & Rio de Janeiro / Brazil