The attempted Clinton-CIA coup against Donald Trump

[Magda Hassan]

Magda, you talk about "Reds Under the Beds" as if Russia was still a Communist country. It isn't. Once again, it is an illiberal regime composed of oligarchs and mobsters, it supports white nationalist movements, murders reporters and political opponents, and has engaged in false flag attacks.

It is not me who thinks this but the MSM and the neocons there using the old anti Russia memes which have proved so useful over the years and many are responding just like Pavlov's dog to it again.

...

However I agree that there is, indeed a "big picture" - but it's one that you repeatedly fail or avoid grasping. This is that it is the US Intelligence Community and the Democratic Party - both fully owned bastard twins of the neocons - who are selling this garbage and who have gone to war to stop Trump taking office, because he openly threatened their b ring their payola and ideology to an end.

Yep.

The problem is that the evidence that really proves it is technical, and I certainly can't provide it, and I don't know what sources or methods might be compromised by doing so. I've already said that it could have been the Israelis or someone else trying to leave Russian fingerprints behind. But that's a high
The man that created the NSA system, William Binney, and understands the technicalities has said it isn't the Russians, it isn't a hack and that it is a leak. ly speculative theory.

The man that created the NSA system whiich would have been able to detect any hacking, William Binney, and understands the technicalities has said it isn't the Russians, it isn't a hack and that it is a leak.

If you want some technical information on why it is not a Russian government hack have a look at this. I received this as I use WordPress and use an add on called Word Fence which is a security add on to protect .php based sites like WordPress. Since the report contains specific indicators of compromise, including IP addresses and a PHP malware sample Wordfence decided to conduct their own analysis. It was in their commercial and professional interest to do so since their own security analysts spend a lot of time analyzing PHP malware because WordPress is powered by PHP.


Conclusion - it is old mal ware of Ukrainian origin can be and is used by any one on any number of hack attemps all over the world and it has no connection to Russia or Russian state intelligence who have their own and better malware. More detail below. My web sites and the servers they reside on, like Craig Murray's and millions of others, including the DNC server, are constantly attacked by these sorts of creations. Hence why I and millions of others use WordFence for protection from such malware. No biggie. Unless you are actually hacked and that didn't happen. Obama also said as much in his last press meeting. He was making it clear that it was not him pushing all this nonsense.

Update at 1am Pacific Time, Monday morning Jan 2nd: Please note that we have published a FAQ that accompanies this report. It contains a summary of our findings and answers several other questions our readers have had. It also provides some background on our methodology. You can read it either before or after reading this report. The original report follows:

The United States government earlier this year officially accused Russia of interfering with the US elections. Earlier this year on October 7th, the Department of Homeland Security and the Office of the Director of National Intelligence released a joint statement that began:
"The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts."

Yesterday the Obama administration announced that they would expel 35 Russian diplomats and close two Russian facilities in the United States, among other measures, as punishment for interfering with the US 2016 election.

In addition, yesterday the Department of Homeland Security (DHS) and the Office of the Director of National Intelligence (DNI) released a Joint Analysis Report, or JAR, compiled by the DHS and FBI, which they say attributes the election security compromises to Russian intelligence operatives that they have codenamed GRIZZLY STEPPE.
The report that DHS and DNI released includes in its first paragraph: "This document provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The report contains specific indicators of compromise, including IP addresses and a PHP malware sample."
At Wordfence our focus is WordPress security. Our security analysts spend a lot of time analyzing PHP malware, because WordPress is powered by PHP.
As an interesting side-project, we performed analysis on the PHP malware sample and the IP addresses that the US government has provided as "…technical details regarding the tools and infrastructure used by Russian civilian and military intelligence services (RIS)". [Source]
We used the PHP malware indicator of compromise (IOC) that DHS provided to analyze the attack data that we aggregate to try to find the full malware sample. We discovered that attackers use it to try to infect WordPress websites. We found it in the attacks that we block. Here it is.


The above is the header and here is the footer. The middle contains an encrypted block of text.


This is PHP malware that is uploaded to a server. An attacker then accesses the file in a browser and enters a password. The password also acts as a decryption key and decrypts the encrypted block of text which then executes. Once an attacker enters their password, it is stored in a cookie and they don't need to enter the password again to access the malicious application.
We managed to capture a request from an attacker that contained their password. It was avto' without quotes. We used the password to decrypt the block of encrypted text.
This is what the decrypted PHP looks like. It is a big chunk of PHP code that is a web shell.


We installed the web shell on a sandboxed environment. This is what it looks like:

This is the kind of web shell that we see all the time in our day-to-day forensic operations. It includes the following basic features:

• File browser/explorer
  
• File search function
  
• A database client to download the contents of a hacked site database
  
• Network tools including a port scanner and the ability to bind a service to a port
  
• A tool to brute force attack passwords on FTP and POP3 services.
  
• A command line client to run arbitrary operating system commands
  
• A utility to view server configuration info
  

By viewing the source code, we could find the name of the malware and the version. It is P.A.S. 3.1.0.
We googled it and found a website that makes this malware. You can find the site at this address: http://profexer.name/pas/download.php


You can enter a password that you will use to access your malware once it's installed and then hit download' and a ZIP file downloads.
The ZIP contains a text file and the malware. The text file looks like this:


The website claims the malware is made in Ukraine and the date at the bottom has the Ukraine country code UA.
This malware is version 3.1.7 which is newer than the malware that the DHS indicator of compromise identifies. It is almost identical including it's indentation:

And the footer:

But PAS has evolved even further since 3.1.7. It is now version 4.1.1 which you can get from the same website:

The 4.1.1b info.txt file:

And the code has changed in 4.1.1 quite substantially. This is the header:

The PAS malware is user friendly. It has an About page:

They also have a helpful FAQ:


How does PAS infect WordPress websites?

This is a typical infection attempt for PAS 3.1.0 which is the DHS sample:

The above request is an attempt to install a plugin in the WordPress CMS through the normal file upload method. What surprised us is that this request had a full set of cookies that indicates that the user or bot doing this was signed in and this probably was an actual web browser.

It also includes the WordPress nonce which is a security feature, also indicating this is a user. Only about 25% of the attacks that we see include the WordPress nonce, which suggests that many of these attempts fail.
The vast majority of attacks we see that try to infect with PAS 3.1.0 use this kind of request. Here are a few theories:

• WordPress website owners have malware installed on their workstations and that malware attempts to install PAS 3.1.0 on their WordPress websites.
  
• This is CSRF, or cross site request forgery attack, that installs the malware. This is unlikely because the nonce is present in many requests. A nonce is a security feature that prevents CSRF attacks.
  
• Users are voluntarily installing this on their own websites after downloading it from a malicious website thinking it is safe. Unlikely because the file that is uploaded is plain text PHP and it is clearly suspicious if you examine the file contents.
  
• Attackers are compromising websites through some other means and then using the compromised credentials to manually sign in and install PAS 3.1.0 with a standard browser. These sign-ins could be partially or fully automated.
  

Malware Conclusions

DHS and DNI have released a joint statement that says:
"This document provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The report contains specific indicators of compromise, including IP addresses and a PHP malware sample."
The PHP malware sample they have provided appears to be P.A.S. version 3.1.0 which is commonly available and the website that claims to have authored it says they are Ukrainian. It is also several versions behind the most current version of P.A.S which is 4.1.1b. One might reasonably expect Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources.
Analysis of the IP addresses provided by DHS and DNI

DHS provided us with 876 IP addresses as part of the package of indicators of compromise. Lets look at where they are located. The chart below shows the distribution of IP addresses by country.



As you can see they are globally distributed with most of them in the USA.
Lets look at who the top ISP's are who own the IP addresses:


There are several hosting companies in the mix including OVH SAS, Digital Ocean, Linode and Hetzner. These are hosting companies that provide low cost hosting to WordPress customers and customers who use other PHP applications. A common pattern that we see in the industry is that accounts at these hosts are compromised and those hacked sites are used to launch attacks around the web.
Out of the 876 IP addresses that DHS provided, 134 or about 15% are Tor exit nodes, based on a reverse DNS lookup that we did on each IP address. These are anonymous gateways that are used by anyone using the Tor anonymous browsing service.

We examined our attack data to see which IP addresses in the DHS data are attacking our customer websites. We found a total of 385 active IP addresses during the last 60 days. These IP addresses have launched a total of 21,095,492 complex attacks during that 60 day period that were blocked by the Wordfence firewall. We consider a complex attack to be an attack that tries to exploit a vulnerability to gain access to a target.
We also logged a total of 14,463,133 brute force attacks from these IP addresses during the same period. A brute force attack is a login guessing attack.
The chart below shows the distribution of the number of attacks per IP address. It only takes into account complex attacks. As you can see, a small number of the IP addresses that DHS provided as IOC's are responsible for most of the attacks on WordPress websites that we monitor.

The following shows the list of the top 50 IP addresses in the DHS report sorted by the number of complex attacks we saw from each IP during the past 60 days.


As you can see, many of the top attacking IP addresses are Tor exit nodes. There is also a relatively small number of IP addresses launching most of the attacks on websites we monitor.
Conclusion regarding IP address data

What we're seeing in this IP data is a wide range of countries and hosting providers. 15% of the IP addresses are Tor exit nodes. These exit nodes are used by anyone who wants to be anonymous online, including malicious actors.
Overall Conclusion

The IP addresses that DHS provided may have been used for an attack by a state actor like Russia. But they don't appear to provide any association with Russia. They are probably used by a wide range of other malicious actors, especially the 15% of IP addresses that are Tor exit nodes.
The malware sample is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence and it would be an indicator of compromise for any website.

You can find a public repository containing the data used in this report on github.

As always I welcome your comments. Please note that I will delete any political comments. Our goal in this report is to merely analyze the data DHS provided and share our findings.

Mark Maunder Wordfence Founder/CEO
Special thanks to Rob McMahon and Dan Moen who provided valuable assistance with this research. For press inquiries please contact Dan Moen at press@wordfence.com.
Comments are now closed. Thank you for your contributions!

If it was a disgruntled DNC leaker, why didn't they put out all these emails during the convention when it might have helped Bernie get the nomination? Why wait to dump most of them in the fall when the only person being helped was Trump? If Seth Rich was the source (or one source) of the leak, why won't Julian Assange just say that?

You and many others seems to have many illusions about Wikileaks what it is and how it works. Wikileaks does not hack any thing. It publishes. Like the NYT and WaPo and the Guardian. Okay, Murdoch's Sun and News of the World did hack but their motivation was also different. Wikileaks do not release their data to coincide with election cycles. They publish only when the data has arrived and been thoroughly vetted and verified. Which is why Wikileaks has a 100% record in this and not the NYT and WaPo who frequently are pushing fake news because they accept the hand outs and media releases given to them by any old agency with an agenda. Maybe the source did upload it during the convention. But why do you assume either the disgruntled leaker or Wikileaks is in control of the timing? You obviously haven't seen the tweets from Wikileaks urging sources not to sit on their information but to share their information asap so it can be more effective? When ever any thing is receive by Wikileaks it also has to under go rigorous verification process. They do not just publish any material unexamined. That is the New York Time's job. All sorts of thing get sent to Wikileaks and other sites like Wikispooks. Not all of it is relevant or fit to be published. There are red herrings galore and people with personal petty vendettas and mental illnesses. It all needs to be assessed to sort the jewels from the dross and real from the fake. When Craig Murray was ambassador to Khazakstan and he leaked copies of his official communication and information to Whitehall and the foreign office that the US and UK were allowing rendition and the torture and secret prisons to operate there it took some time to verify all his documentation. It was not taken at face value. It wasn't a matter of him leaking it and Wikileaks publishing it the next day. And why would Wikileaks give up its sources? The whole idea is that you can upload anonymously for protection. Who would ever use Wikileaks in future if they feared their identity would be exposed? And you assume Wikileaks knows their identity. They do in some cases but not all. Also there is more than one leaker in these events.

David: "who have gone to war to stop Trump taking office, because he openly threatened their b ring their payola and ideology to an end."

Hysterical. Read that long interview I posted with Trump's three biographers. This man believes in nothing except HIMSELF. He will take advice primarily from Javanka (Jared and Ivanka), he will care only about looking like a "winner." He will block out all other realities. Trump is the most shallow man to ever occupy the White House. He is not going to bring anybody's payola or ideology to an end.

Well they should all love him like they did Reagan then if it is all going to stay the same and the gravy train rolls on. But they don't. And it is not because of his hair style that they don't love him. Or his misogyny or racism. That they can live with. Of course he is shallow and egotistical and wants to be a winner. But hey he already won so he is a winner. But some one is feeling like they lost. And lost big. Not just entitled Hilary Clinton. So the big guns are being wheeled out. Dems had 8 years to fix the Electoral College which had already screwed them over before. Why didn't they? Why did they roll over and play dead when Gore was shafted and not this time? Reagan. Bush. Clinton. Bush. Obama. [insert Clinton 2 here] But the machine broke down this time and now there is a rogue Trump to deal with. Not business as usual. How is Trump any worse or more dangerous than the idiot Bush? Who also stole the election btw. Is it because we knew idiot Bush was just the front man for the real (unelected) players and we actualy were comfortable with these unelected masters of the universe being in control ? Now those (unelected) players are not there any more and don't have their puppet in office. As if it's like the end of the world for some and as if we were not heading there any way under the previous chaotic destructive neocons. Trump sure is not the Messiah but he certainly represents change. Clearly this is terrifying for some. Some thing that Obama never delivered despite the promise. What that change will be is yet to be seen. I m not particularly hopeful, at least domestically, given who I see being chosen to populate his swamp but the break in transmission gives us a chance to stop the war drums and put some better music on to dance to.