Is it real? The Trump-Russia server connection

Does the Trump organization have a private internet connection with Russia? That's what a long, detailed article from Slate is asking.

Here's the story in a nutshell: The Russian-owned Alfa Bank appears to have had a private connection to a Trump server. The server in question was registered as belonging to the domain. It has a history of sending Trump-branded marketing emails, but in the recent past appeared to have been communicating only with a Russian server registered to Alfa Bank. The Alfa server seems to have regularly communicated with the Trump server, yet other connection attempts from other servers seem to be blocked (likely indicating that the servers only accept connections from each other or a limited list of servers).


When the media started to investigate and asked the Russian organization about the domain name and server, the Trump server, after years of existing in the same place, suddenly changed names and domain names. The first server to reconnect to the Trump server with its new name? The Russian server that had previously connected to it. After the media inquired about the second, newer connection, the Trump server was taken down.

Much of the data and analysis has been shared publicly. I checked it out as much as I could and I agree with experts already quoted in the Slate article: There's no definitive proof, but it's highly likely there was a formal connection. The biggest smoking gun, in my opinion, is the timing of the domain name change and the automatic reconnection to the new name after the server had been moved. That suggests a formal, established, private connection.
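As an added illustration of the two signals the column leans on (near-exclusive lookups of a name by one client, and that same client being the first to look up the successor name after a rename), here is a small analysis over DNS query logs. This is not the column's or Slate's code; the log lines, host names and the 80% dominance threshold are constructed assumptions.

```python
"""Heuristics over DNS query logs for the pattern described in the column.
Constructed example, not the data examined in the Slate article."""
from collections import Counter

# Constructed log lines, ordered by time: "<timestamp> <client> <queried_name>".
# The .example names are placeholders, not real hosts.
SAMPLE_LOG = """\
2016-05-01T00:00:00Z client-a.example old-name.example
2016-05-02T00:00:00Z client-a.example old-name.example
2016-05-03T00:00:00Z client-b.example old-name.example
2016-05-04T00:00:00Z client-a.example old-name.example
2016-05-05T00:00:00Z client-a.example old-name.example
2016-09-23T00:00:00Z client-a.example new-name.example
2016-09-24T00:00:00Z client-c.example new-name.example
"""


def parse(log):
    """Split raw log text into (timestamp, client, queried_name) tuples."""
    return [tuple(line.split()) for line in log.splitlines() if line.strip()]


def dominant_client(rows, name, threshold=0.8):
    """Signal 1: return (client, share) if a single client accounts for at
    least `threshold` of all lookups of `name`, else None.
    The threshold is an assumed tuning value, not a published figure."""
    counts = Counter(client for _, client, n in rows if n == name)
    total = sum(counts.values())
    if total == 0:
        return None
    client, hits = counts.most_common(1)[0]
    share = hits / total
    return (client, share) if share >= threshold else None


def first_lookup_after_rename(rows, old_name, new_name):
    """Signal 2: return (first client to query new_name, True if that client
    was also the dominant client of old_name). Rows must be time-ordered."""
    dom = dominant_client(rows, old_name)
    for _, client, name in rows:
        if name == new_name:
            return client, (dom is not None and dom[0] == client)
    return None, False


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print(dominant_client(rows, "old-name.example"))
    print(first_lookup_after_rename(rows, "old-name.example", "new-name.example"))
```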

This is not my opinion alone. The Slate article quotes internet pioneer Paul Vixie, who after examining the logs concluded that the two parties were communicating in a "secretive" fashion.

Slate reported that both involved entities deny any connection to the other, other than what must be either innocent, random spam or regular DNS traffic. This answer is even more confusing -- and likely wrong. If the data is correct and the Russian server reconnected to the Trump server with its new name and domain, it doesn't seem like either spam or DNS traffic. It's the opposite of random.

Alfa Bank has purportedly hired the trusted industry firm Mandiant to investigate the matter (the founder of Mandiant, along with several other early employees, came from Foundstone, where I used to work). I'd trust what Mandiant says, but in response to a Slate request, Mandiant said it was unable to comment until the investigation was complete.

If I were Alfa Bank or Trump enterprises, and there was nothing illegal or unethical going on, I would release a detailed forensic analysis for both servers. We have enough data outside of their control to confirm or contradict the findings. It would be difficult for anyone to fake a full forensic analysis that agreed with publicly available data.

In the end, even if there was a dedicated private connection between Trump and Russia, who knows what it was about? It could be anything. It could be regular business or marketing emails without a hint of illegal or unethical behavior. But without either side being more forthcoming, we can't know. FBI criminal investigations have been approved with less evidence.


Previously unpublished documents released by former National Security Agency contractor Edward Snowden confirm that some of the spy agency's top-secret code has been leaked or hacked, The Intercept reported Friday.

The online news site's editors include journalists who worked with Snowden to publicize his notorious 2013 NSA leak revealing the extent of government snooping on private data.

The Intercept said Snowden had given the site a classified draft NSA manual on how to implant malware -- malicious code that is used to monitor or control someone else's computer.

Whether code published online by a mysterious group called "Shadow Brokers" is genuine has been the source of much debate in recent days.

The NSA has steadfastly declined to comment on whether it has been the victim of a security breach.

Over the weekend, the Shadow Brokers posted two sets of files, one that is freely accessible and another that remains encrypted.

They said they would release this additional information subject to raising one million Bitcoins -- digital currency, in this case worth about $575 million -- through an online auction.

According to the Intercept, the draft NSA manual contains instructions to NSA operators telling them to use a specific string of characters associated with the SECONDDATE malware program.

The exact same characters appear throughout parts of the Shadow Brokers leak, the Intercept said.

According to The New York Times, much of the code was created to peer through the computer firewalls of foreign powers like China, Iran and Russia.

Such access would enable the NSA to plant malware in rivals' systems and monitor -- or even attack -- their networks.

Whoever obtained the code would have had to break into NSA servers that store the files, the Times said.



© AFP 2016


A new Ransomware-as-a-Service project has sprung up, and the “service providers” are allowing others to use it for free, but take a 20 percent cut out of every ransom that gets paid by the victims. The ransomware is called Shark.

Shark Ransomware-as-a-Service project

According to security researcher David Montenegro and Bleeping Computer, the project’s site is accessible to anyone who knows the address, and not just to Tor users. It’s a simple WordPress site, from where would-be criminals can download a .zip file containing the ransomware configuration builder (Payload Builder.exe), a warning note (Readme.txt), and the ransomware executable (Shark.exe).

They are instructed to use the configuration builder to choose which folders and files the ransomware will encrypt, which countries' users to target, and how much money to demand from the victims, and to enter an email address to which a notification will be sent when the payload infects a machine.

“When the configuration is entered, a base64 version of the configuration will be generated. This code is then used as an argument to the Shark.exe to specify the custom configuration that should be used,” Lawrence Abrams explains.

The Bitcoin address to which the payment will go is that of the original malware authors, who are supposed to take their 20 percent and forward the rest to the crooks who distribute this custom-made version of it.

Whether they actually keep their side of the bargain is still unknown.

“Taking into account that Shark’s promotional campaign was based on spamming and getting banned from underground hacking forums like Megatop, this looks more like a scam than anything else, with some crook trying to fool cybercrime newcomers into distributing his malware and keeping all the profits,” Softpedia’s Catalin Cimpanu pointed out.

The payload created through the builder seems to be working as promised. It encrypts files with the chosen file extensions and adds the .locked extension to the encrypted versions of the files. Malware researchers will hopefully soon create a decryption tool that will reverse that action.

In the meantime, the ransomware is obviously not “undetectable by AV” as the authors claim. Symantec has added detection for it to its products, and it surely won’t be the only vendor to do so.

Help Net Security