From - Sat May 21 19:24:08 2011
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Delivered-To: khijazi@unveillance.com
Received: by 10.223.79.78 with SMTP id o14cs254048fak; Wed, 2 Mar 2011 05:47:55 -0800 (PST)
Received: by 10.52.156.233 with SMTP id wh9mr13319524vdb.284.1299073674385; Wed, 02 Mar 2011 05:47:54 -0800 (PST)
Return-Path: 
Received: from nm4.bullet.mail.ac4.yahoo.com (nm4.bullet.mail.ac4.yahoo.com [98.139.52.201]) by mx.google.com with SMTP id k33si7890711vbl.81.2011.03.02.05.47.53; Wed, 02 Mar 2011 05:47:54 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of jmfarrell@yahoo.com designates 98.139.52.201 as permitted sender) client-ip=98.139.52.201;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of jmfarrell@yahoo.com designates 98.139.52.201 as permitted sender) smtp.mail=jmfarrell@yahoo.com; dkim=pass (test mode) header.i=@yahoo.com
Received: from [98.139.52.197] by nm4.bullet.mail.ac4.yahoo.com with NNFMP; 02 Mar 2011 13:47:53 -0000
Received: from [74.6.228.39] by tm10.bullet.mail.ac4.yahoo.com with NNFMP; 02 Mar 2011 13:47:53 -0000
Received: from [127.0.0.1] by smtp108.mail.ac4.yahoo.com with NNFMP; 02 Mar 2011 13:47:53 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1299073673; bh=4SRIDNmpXLShUMGAvI1wNURFo29AyElCaeP2XeWfV5Q=; h=X-Yahoo-Newman-Id:Received:X-Yahoo-SMTP:X-YMail-OSG:X-Yahoo-Newman-Property:User-Agent:Date:Subject:From:To:Message-ID:Thread-Topic:Mime-version:Content-type; b=tanDhRnYJkTE9KcUABc5DLeavCxHg2eyXzoQ+uUl1xL8py9g3VeNHjgmQrFQ14Mu2L8SVIFalbV2kdw+gHgEdfFJ1DJgXTijY2AfSXGC21j8I7tcCrYKeGvTjIP5V6pdJs47UkwBPzCWk1fiqJqZg1MsZoRYEE2t+ZUjZx0BGqU=
X-Yahoo-Newman-Id: 583275.97447.bm@smtp108.mail.ac4.yahoo.com
Received: from [192.168.1.4] (jmfarrell@96.241.214.10 with login) by smtp108.mail.ac4.yahoo.com with SMTP; 02 Mar 2011 05:47:53 -0800 PST
X-Yahoo-SMTP: kj53enKswBBtY3pjOIOv1p9Pgeg.FA--
X-YMail-OSG: QQLwYSkVM1k8QyYPvq5Z3xCRARlR4.ljEpMlHupVSHo_50r kljlZODC4ZXj2H_pQmNLKzwGLs9WN.lnVXbDytehYmrz_8AoBcZECODHXkMJ vCEttYFQgK6_kfzZCAMccNcaNIK07yW9OM0KqL6Gi6xTFiUHErNdYRgrCFmW VxsZgxRGgFEbdVz9GN9YcrNXLexB75P4ZNbB4X9NVv4cZM1L2aqHj0p2Eum4 LrIsdGDO4d_L99nDhB5YkpoZYy080fCj1OaI3f2_.jQp4Sd.SgWI9w6icdHf TJ1brFPaxhGg_rZyIa8ZK7ysMDPXdrYof9_yVEpeBuk3oTijxGPvSXEhSK8Q AXdm4THbKfh7..GbBMcbwBgoOJIbwmw4UeQy9K1s-
X-Yahoo-Newman-Property: ymail-3
User-Agent: Microsoft-MacOutlook/14.2.0.101115
Date: Wed, 02 Mar 2011 08:47:50 -0500
Subject: HB Gary Federal
From: John Farrell <jmfarrell@yahoo.com>
To: Karim Hijazi <khijazi@unveillance.com>
Message-ID: 
Thread-Topic: HB Gary Federal
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3381900473_43862352"

> This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible.

--B_3381900473_43862352
Content-type: text/plain; charset="ISO-8859-1"

I'm surprised it took this long....but it was inevitable:

http://cybersecurityreport.nextgov.com/2011/03/ceo_of_breached_security_contractor_hbgary_federal_departs.php?oref=latest_posts

Any news on your funding? Keep me posted. I am headed to a small business forum at UMBC this evening.

Did you see that Endgames hired Rick Wescott as their new SVP? He built the ArcSight Federal business.

John
--B_3381900473_43862352--

From - Sat May 21 19:24:08 2011
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Delivered-To: khijazi@unveillance.com
Received: by 10.223.79.78 with SMTP id o14cs254318fak; Wed, 2 Mar 2011 06:00:47 -0800 (PST)
Received: by 10.224.28.210 with SMTP id n18mr7117123qac.191.1299074446163; Wed, 02 Mar 2011 06:00:46 -0800 (PST)
Return-Path: 
Received: from gateout02.mbox.net (gateout02.mbox.net [165.212.64.22]) by mx.google.com with ESMTPS id r19si11438199qcs.204.2011.03.02.06.00.44 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 02 Mar 2011 06:00:45 -0800 (PST)
Received-SPF: neutral (google.com: 165.212.64.22 is neither permitted nor denied by best guess record for domain of jhunt@mitagroup.com) client-ip=165.212.64.22;
Authentication-Results: mx.google.com; spf=neutral (google.com: 165.212.64.22 is neither permitted nor denied by best guess record for domain of jhunt@mitagroup.com) smtp.mail=jhunt@mitagroup.com
Received: from gateout02.mbox.net (gwo2-lo [127.0.0.1]) by gateout02.mbox.net (Postfix) with ESMTP id E84C55D2B36 for ; Wed, 2 Mar 2011 14:00:43 +0000 (GMT)
X-USANET-Received: from gateout02.mbox.net [127.0.0.1] by gateout02.mbox.net via mtad (C8.MAIN.3.72B) with ESMTP id 645PcBoap9024Mo2; Wed, 02 Mar 2011 14:00:41 -0000
Received: from s1hub4.EXCHPROD.USA.NET [165.212.120.254] by gateout02.mbox.net via smtad (C8.MAIN.3.72B) with ESMTPS id XID931PcBoaQ9182Xo2; Wed, 02 Mar 2011 14:00:41 -0000
X-USANET-Source: 165.212.120.254 IN jhunt@mitagroup.com s1hub4.EXCHPROD.USA.NET
X-USANET-MsgId: XID931PcBoaQ9182Xo2
Received: from [142.131.188.222] (142.131.188.222) by exchange.postoffice.net (10.120.220.34) with Microsoft SMTP Server (TLS) id 8.3.137.0; Wed, 2 Mar 2011 14:00:36 +0000
From: James Hunt <jhunt@mitagroup.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-72-792033377"
Subject: Fwd: did you collect a view on Treasury?
Date: Wed, 2 Mar 2011 08:58:16 -0500
References: <917355.47315.qm@web161804.mail.bf1.yahoo.com>
To: Karim Hijazi <khijazi@unveillance.com>
Message-ID: 
MIME-Version: 1.0 (Apple Message framework v1082)
X-Mailer: Apple Mail (2.1082)

--Apple-Mail-72-792033377
Content-Type: text/plain; charset="us-ascii"

Here's some more dialogue with Andy. How are you doing on comments to his questions?

As soon as you draw up the documents for the stock purchase and get me the use of proceeds for the initial $50K, I can move ahead. What I guess I need from your end here are:

1. Stock sale agreement on the 2.5% for the initial $50K;
2. An agreement for the directorship and advisory assistance for the other 2.5%.
3. Presuming we can complete the business plan, quality employment agreements with Fuzzy and Paul, etc., then I'd put in the second $50K. I need a couple weeks to get that done to move out of a couple investments, etc.

Hope you also got a copy of the deck I've tried to give you input on. Last deck I had was the one you presented to the investors. That deck obviously had Chris at 50%, etc. and needs to be reshaped.

Feeling a bit better but still have a serious sinus headache.

Met with Reg and Ric last night. As soon as we have things shaped up, they want to continue the dialogue.

jim

Would be interested to

Begin forwarded message:

> From: Andy <afeinstein@yahoo.com>
> Date: March 2, 2011 7:26:08 AM EST
> To: James Hunt <jhunt@mitagroup.com>
> Subject: Re: did you collect a view on Treasury?
>
> I thought they just "recompile" to use a different group of domains?
>
> From: James Hunt <jhunt@mitagroup.com>
> To: Andy <afeinstein@yahoo.com>
> Sent: Wed, March 2, 2011 12:06:21 AM
> Subject: Re: did you collect a view on Treasury?
>
> My guess is that while the bad guys are writing bots all the time, they, too, run out of great bots to deploy. I bet they probably have them on the shelf but not likely in great numbers, so they probably hate to see a really good one taken down quickly.
>
> On Mar 1, 2011, at 11:11 PM, Andy wrote:
>
>> That makes sense. I did not realize that all modern botnets would contact ALL of the control domains but had thought rather only subsets depending on the "version" of that malware. I had thought the domains evolved/migrated over time.... perhaps that is the comment on deploying a fresh binary... Guess the next question is why wouldn't bad guys just create a new binary every 2 weeks if it is just a flip of a switch for them.... since it is a huge cycle for the good guys, that would be a "best practice" for bad guys I would think.
>>
>> From: James Hunt <jhunt@mitagroup.com>
>> To: Andy <afeinstein@yahoo.com>
>> Sent: Tue, March 1, 2011 5:25:14 PM
>> Subject: Fwd: did you collect a view on Treasury?
>>
>> Begin forwarded message:
>>
>>> We don't require 100% of the malware communication channels to have a 100% confirmation of its existence in a given network. I will explain:
>>>
>>> Following initial infection, modern malware will call back to ALL of its pre-defined command and control domains (in a round-robin DNS fashion) to help, as much as possible, the delivery of payload, message or request. This is why I say that our system, as close to real time as it is, is still a post-mortem tool. The crime, albeit identified, was successful.
>>>
>>> So even if we simply have just 1% of the domains commandeered that are used by a specific malware, we will eventually see its communication and be able to successfully identify it. By definition, if a substantial number of domains are taken down by us, that botnet is effectively "neutered" and will probably be jettisoned by the bad guys, and that will move them to deploy a fresh binary with fresh domains. This is a flip of a switch for them, but a huge cycle for us.
>>>
>>> As counter-intuitive as it sounds, we want the bad guys to think it is fine and see minimal attrition so we can help kill it at the source. The more communication we collect over a longer period, the more effective we are at "curing", not just putting a band-aid over the cancer.
>>>
>>> Commandeering the domains is not a good solutionary approach to the chronic issue, but a great way to collect 100% zero-false-positive proof of an infection.
>>>
>>> So in short, as long as we commandeer a few active domains of a given botnet, we will be able to confirm its existence anywhere its malware infects, eventually, following a successful outbound connection, despite not having all of its traffic.
>>>
>>> I hope I understood the question.
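The mechanism described in the forwarded note above (a bot walks its whole hard-coded C2 list, so commandeering even a few of those domains eventually observes every infected host, but only after the bot has already reached live attacker infrastructure), as an added illustration that is not part of this thread and is not Unveillance's or anyone else's code. The domain list, bot IPs and sinkhole log lines are constructed; the per-bot starting offset is an assumption standing in for whatever rotation a real family uses.

```python
import hashlib
from collections import defaultdict

# Constructed C2 domain list for the illustration (not a real malware family).
C2_DOMAINS = tuple(f"upd{i:02d}.example.invalid" for i in range(50))


def bot_callback_order(bot_ip, domains=C2_DOMAINS):
    """Order in which one bot walks its hard-coded C2 list.

    Assumption: the list is fixed in the binary and each bot round-robins
    through all of it, starting at an offset that differs per machine
    (derived here from a hash of the IP so the run is deterministic).
    """
    start = int(hashlib.sha256(bot_ip.encode()).hexdigest(), 16) % len(domains)
    return domains[start:] + domains[:start]


def first_sinkhole_hit(order, sinkholed):
    """0-based position of the first sinkholed domain the bot contacts, or None."""
    for i, domain in enumerate(order):
        if domain in sinkholed:
            return i
    return None


def detection_stats(bot_ips, sinkholed, live):
    """Per bot: (callbacks until a sinkhole sees it, live C2 contacts before that).

    The second number is the 'post-mortem' point of the note: each of those
    earlier callbacks reached attacker infrastructure and may have delivered
    a payload before the defender ever saw the host.
    """
    stats = {}
    for ip in bot_ips:
        order = bot_callback_order(ip)
        idx = first_sinkhole_hit(order, sinkholed)
        if idx is None:
            stats[ip] = None           # never seen: no sinkholed domain in its list
        else:
            successes = sum(1 for d in order[:idx] if d in live)
            stats[ip] = (idx + 1, successes)
    return stats


def confirmed_infections(log_lines, sinkholed):
    """Reduce sinkhole log lines of the form 'timestamp src_ip domain' to
    {src_ip: set(domains)}. Only traffic to domains we control is counted, so a
    host listed here ran the malware's callback logic; no signature match or
    heuristic is involved, which is the 'zero false positive' claim."""
    hits = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                   # tolerate malformed lines
        _ts, src, domain = parts
        if domain in sinkholed:
            hits[src].add(domain)
    return dict(hits)


if __name__ == "__main__":
    # 1 of 50 domains commandeered (2%); the rest still answered by the attacker.
    sinkholed = {C2_DOMAINS[13]}
    live = set(C2_DOMAINS) - sinkholed
    bots = [f"10.0.{i}.{j}" for i in range(3) for j in (10, 20)]
    for ip, result in detection_stats(bots, sinkholed, live).items():
        print(ip, "seen after", result[0], "callbacks;", result[1], "reached live C2 first")

    # Constructed sinkhole log (timestamp, source host, contacted domain).
    log = [
        "2011-03-01T22:10:00Z 10.1.1.5 upd13.example.invalid",
        "2011-03-01T22:10:01Z 10.1.1.5 upd14.example.invalid",
        "2011-03-01T22:11:00Z 10.1.1.9 upd13.example.invalid",
        "not a log line",
    ]
    print(confirmed_infections(log, sinkholed))
```

With a single sinkholed domain every bot is eventually seen, but the detection delay can be the full length of the list, and every callback before that one went to the attacker; raising the sinkholed fraction shortens the delay at the cost of the attrition the note says the operators would notice.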
--Apple-Mail-72-792033377--

From - Sat May 21 19:24:08 2011
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Delivered-To: khijazi@unveillance.com
Received: by 10.223.79.78 with SMTP id o14cs230312fak; Tue, 1 Mar 2011 14:39:42 -0800 (PST)
Received: by 10.213.15.135 with SMTP id k7mr5671651eba.26.1299019181779; Tue, 01 Mar 2011 14:39:41 -0800 (PST)
Return-Path: 
Received: from mail-ey0-f173.google.com (mail-ey0-f173.google.com [209.85.215.173]) by mx.google.com with ESMTPS id w16si11718717eei.65.2011.03.01.14.39.40 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 01 Mar 2011 14:39:40 -0800 (PST)
Received-SPF: neutral (google.com: 209.85.215.173 is neither permitted nor denied by best guess record for domain of mmolloy@unveillance.com) client-ip=209.85.215.173;
Authentication-Results: mx.google.com; spf=neutral (google.com: 209.85.215.173 is neither permitted nor denied by best guess record for domain of mmolloy@unveillance.com) smtp.mail=mmolloy@unveillance.com
Received: by eyb6 with SMTP id 6so1975312eyb.4 for ; Tue, 01 Mar 2011 14:39:39 -0800 (PST)
MIME-Version: 1.0
Received: by 10.213.16.67 with SMTP id n3mr2983278eba.46.1299019179685; Tue, 01 Mar 2011 14:39:39 -0800 (PST)
Received: by 10.213.10.144 with HTTP; Tue, 1 Mar 2011 14:39:39 -0800 (PST)
Date: Tue, 1 Mar 2011 17:39:39 -0500
Message-ID: 
Subject: Thanks!
From: Meaghan Molloy <mmolloy@unveillance.com>
To: Karim Hijazi <khijazi@unveillance.com>
Content-Type: multipart/alternative; boundary=0015174c0e6ec2f60d049d73783f

--0015174c0e6ec2f60d049d73783f
Content-Type: text/plain; charset=ISO-8859-1

Hi Karim,

Thanks for getting the email addresses set up! Signed in as soon as I got it :)

We still on for a chat later this evening?

Cheers,
Meg
--0015174c0e6ec2f60d049d73783f--

From - Sat May 21 19:24:08 2011
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Delivered-To: khijazi@unveillance.com
Received: by 10.223.79.78 with SMTP id o14cs230383fak; Tue, 1 Mar 2011 14:43:03 -0800 (PST)
Received: by 10.227.157.201 with SMTP id c9mr6635167wbx.216.1299019383072; Tue, 01 Mar 2011 14:43:03 -0800 (PST)
Return-Path: 
Received: from mail-ww0-f53.google.com (mail-ww0-f53.google.com [74.125.82.53]) by mx.google.com with ESMTPS id r5si9428230wby.83.2011.03.01.14.43.01 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 01 Mar 2011 14:43:02 -0800 (PST)
Received-SPF: neutral (google.com: 74.125.82.53 is neither permitted nor denied by best guess record for domain of mthompson@unveillance.com) client-ip=74.125.82.53;
Authentication-Results: mx.google.com; spf=neutral (google.com: 74.125.82.53 is neither permitted nor denied by best guess record for domain of mthompson@unveillance.com) smtp.mail=mthompson@unveillance.com
Received: by wwb29 with SMTP id 29so4191642wwb.10 for ; Tue, 01 Mar 2011 14:43:01 -0800 (PST)
MIME-Version: 1.0
Received: by 10.216.246.74 with SMTP id p52mr6561971wer.26.1299019381653; Tue, 01 Mar 2011 14:43:01 -0800 (PST)
Received: by 10.216.254.153 with HTTP; Tue, 1 Mar 2011 14:43:01 -0800 (PST)
Date: Tue, 1 Mar 2011 17:43:01 -0500
Message-ID: 
Subject: update
From: Matt Thompson <mthompson@unveillance.com>
To: Karim Hijazi <khijazi@unveillance.com>
Content-Type: multipart/alternative; boundary=e0cb4e3851ecccbfc0049d738465

--e0cb4e3851ecccbfc0049d738465
Content-Type: text/plain; charset=ISO-8859-1

Hi Karim,

Logged in to Google with no problem. What time is good for you to have an update call?

Cheers,
Matt
--e0cb4e3851ecccbfc0049d738465--

From - Sat May 21 19:24:08 2011
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
From: Karim Hijazi <khijazi@unveillance.com>
Mime-Version: 1.0 (iPhone Mail 8C148)
Bcc: "mmolloy@unveillance.com" <mmolloy@unveillance.com>, "mthompson@unveillance.com" <mthompson@unveillance.com>
Date: Tue, 1 Mar 2011 18:12:20 -0500
Delivered-To: khijazi@unveillance.com
Message-ID: <-7169044976342022749@unknownmsgid>
Subject: Cooperative Research
To: "jaroslav.vorlicek@accenture.com" <jaroslav.vorlicek@accenture.com>, "adam.sindelar@accenture.com" <adam.sindelar@accenture.com>
Cc: jason.lewkowicz@accenture.com, Jerry Tubbs <jtubbs@unveillance.com>
Content-Type: text/plain; charset=ISO-8859-1

Hello Jerry (Jaroslav),

We have completed development on our new malware analysis team (formerly of Defence Intelligence) and would like to discuss ways whereby we might be able to help each other. Whether it is new binary samples or suspected new botnet infrastructure, it would be a pleasure to co-research with you.

Please let me know your and Adam's thoughts. Thank you and looking forward to working with you.

--
All the best,

Karim Hijazi
CEO | President
Unveillance
O. (800) 540-8478
M. (561) 542-5704
www.unveillance.com
khijazi@unveillance.com

********************************************
CONFIDENTIAL & PRIVILEGED COMMUNICATION This message is for the named person's use only. The information contained in this communication is confidential and/or privileged, proprietary information that is transmitted solely for the purpose of the intended recipient(s). No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender or any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks.
********************************************

From - Sat May 21 19:24:08 2011
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Delivered-To: khijazi@unveillance.com
Received: by 10.223.79.78 with SMTP id o14cs231193fak; Tue, 1 Mar 2011 15:16:44 -0800 (PST)
Received: by 10.227.138.15 with SMTP id y15mr6660826wbt.186.1299021404240; Tue, 01 Mar 2011 15:16:44 -0800 (PST)
Return-Path: 
Received: from ememr1002.accenture.com (ememr1002.accenture.com [170.252.72.94]) by mx.google.com with ESMTPS id j7si9474268wbj.51.2011.03.01.15.16.43 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 01 Mar 2011 15:16:44 -0800 (PST)
Received-SPF: pass (google.com: domain of jaroslav.vorlicek@accenture.com designates 170.252.72.94 as permitted sender) client-ip=170.252.72.94;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of jaroslav.vorlicek@accenture.com designates 170.252.72.94 as permitted sender) smtp.mail=jaroslav.vorlicek@accenture.com
Received: from EMEXV1002.dir.svc.accenture.com (EMEXV1002.dir.svc.accenture.com [10.130.16.105]) by ememr1002.accenture.com (8.13.8/8.13.8) with ESMTP id p21NGcrO008956; Tue, 1 Mar 2011 23:16:42 GMT
Received: from EMEXH3003.dir.svc.accenture.com ([10.134.3.24]) by EMEXV1002.dir.svc.accenture.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 2 Mar 2011 00:16:37 +0100
Received: from EMEXM3115.dir.svc.accenture.com ([10.134.3.3]) by EMEXH3003.dir.svc.accenture.com ([10.134.3.24]) with mapi; Wed, 2 Mar 2011 00:16:37 +0100
From: <jaroslav.vorlicek@accenture.com>
To: <khijazi@unveillance.com>, <jtubbs@unveillance.com>
CC: <jason.lewkowicz@accenture.com>, <adam.sindelar@accenture.com>
Date: Wed, 2 Mar 2011 00:16:36 +0100
Subject: RE: Cooperative Research
Thread-Topic: Cooperative Research
Thread-Index: AcvYZiOuiOWqQ2o3THaKV+SZ//mDqAAADiJg
Message-ID: 
References: <-7169044976342022749@unknownmsgid>
In-Reply-To: <-7169044976342022749@unknownmsgid>
Accept-Language: cs-CZ, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: cs-CZ, en-US
x-ems-proccessed: vrAiQuOOcsXVFhS7ec6D4A==
x-ems-stamp: n11RJbYXaRPn/7f1Kk/2Yg==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
X-OriginalArrivalTime: 01 Mar 2011 23:16:37.0785 (UTC) FILETIME=[B6F34090:01CBD866]

Hi Karim, Jerry,

That's great news! We'll discuss it internally and we'll definitely bring suggestions to discuss.

Thank you

Jerry

ISIRT
Information Technology Risk
Accenture
Prague (Czech Republic)

Office Phone: +420.225.07.7756
e-mail: jaroslav.vorlicek@accenture.com
OCS: jaroslav.vorlicek@accenture.com

-------------------------------------------------------------------------
Accenture Confidential
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.

-----Original Message-----
From: Karim Hijazi [mailto:khijazi@unveillance.com]
Sent: Wednesday, March 02, 2011 12:12 AM
To: Vorlicek, Jaroslav; Sindelar, Adam
Cc: Lewkowicz, Jason; Jerry Tubbs
Subject: Cooperative Research

Hello Jerry (Jaroslav),

We have completed development on our new malware analysis team (formerly of Defence Intelligence) and would like to discuss ways whereby we might be able to help each other. Whether it is new binary samples or suspected new botnet infrastructure, it would be a pleasure to co-research with you.

Please let me know your and Adam's thoughts. Thank you and looking forward to working with you.

--
All the best,

Karim Hijazi
CEO | President
Unveillance
O. (800) 540-8478
M. (561) 542-5704
www.unveillance.com
khijazi@unveillance.com

From - Sat May 21 19:24:08 2011
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
References: 
From: Karim Hijazi <khijazi@unveillance.com>
Mime-Version: 1.0 (iPhone Mail 8C148)
Date: Tue, 1 Mar 2011 18:20:34 -0500
Delivered-To: khijazi@unveillance.com
Message-ID: <688564104697136292@unknownmsgid>
Subject: Fwd: Cooperative Research
To: "mmolloy@unveillance.com" <mmolloy@unveillance.com>, "mthompson@unveillance.com" <mthompson@unveillance.com>
Content-Type: multipart/alternative; boundary=0023547915d4066fa7049d740b85

--0023547915d4066fa7049d740b85
Content-Type: text/plain; charset=ISO-8859-1

:) talk about eager!

--
All the best,

Karim Hijazi
CEO | President
Unveillance
O. (800) 540-8478
M. (561) 542-5704
www.unveillance.com
khijazi@unveillance.com

Begin forwarded message:

From: <jaroslav.vorlicek@accenture.com>
Date: March 1, 2011 6:16:36 PM EST
To: <khijazi@unveillance.com>, <jtubbs@unveillance.com>
Cc: <jason.lewkowicz@accenture.com>, <adam.sindelar@accenture.com>
Subject: RE: Cooperative Research

Hi Karim, Jerry,

That's great news! We'll discuss it internally and we'll definitely bring suggestions to discuss.

Thank you

Jerry

ISIRT
Information Technology Risk
Accenture
Prague (Czech Republic)

Office Phone: +420.225.07.7756
e-mail: jaroslav.vorlicek@accenture.com
OCS: jaroslav.vorlicek@accenture.com

-----Original Message-----
From: Karim Hijazi [mailto:khijazi@unveillance.com]
Sent: Wednesday, March 02, 2011 12:12 AM
To: Vorlicek, Jaroslav; Sindelar, Adam
Cc: Lewkowicz, Jason; Jerry Tubbs
Subject: Cooperative Research

Hello Jerry (Jaroslav),

We have completed development on our new malware analysis team (formerly of Defence Intelligence) and would like to discuss ways whereby we might be able to help each other. Whether it is new binary samples or suspected new botnet infrastructure, it would be a pleasure to co-research with you.

Please let me know your and Adam's thoughts. Thank you and looking forward to working with you.

--
All the best,

Karim Hijazi
CEO | President
Unveillance
O. (800) 540-8478
M. (561) 542-5704
www.unveillance.com
khijazi@unveillance.com
From - Sat May 21 19:24:08 2011
From: "J." <jtubbs@unveillance.com>
To: Karim Hijazi
Date: Tue, 1 Mar 2011 19:13:13 -0500
Subject: Re: Cooperative Research
In-Reply-To: <-7169044976342022749@unknownmsgid>
Message-Id: <4E50168A-15A1-4B72-B70E-8292F9EB8346@unveillance.com>

I take it that you had a good follow-up conversation with Paul?

On Mar 1, 2011, at 18:12, Karim Hijazi wrote:
> Hello Jerry (Jaroslav),
>
> We have completed development on our new malware analysis team
> (formerly of Defence Intelligence) and would like to discuss ways
> whereby we might be able to help each other. Whether it is new binary
> samples or suspected new botnet infrastructure, it would be a pleasure
> to co-research with you.
>
> Please let me know your and Adam's thoughts. Thank you and looking
> forward to working with you.
>
> --
> All the best,
>
> Karim Hijazi
> CEO | President
> Unveillance
> O. (800) 540-8478
> M. (561) 542-5704
> www.unveillance.com
> khijazi@unveillance.com
From - Sat May 21 19:24:08 2011
From: "J." <jtubbs@unveillance.com>
To: Karim Hijazi
Date: Tue, 1 Mar 2011 19:52:01 -0500
Subject: @SecurityWeek, 3/1/11 17:31
Message-Id: <2B1D9E92-6A65-414D-9B59-42B8BCB4CC1E@unveillance.com>

SecurityWeek (@SecurityWeek)
3/1/11 17:31
Google Acquires Malware Analysis Tools Provider, Zynamics http://bit.ly/gmsF9N #google #dev



From - Sat May 21 19:24:09 2011
From: mmolloy@unveillance.com
To: khijazi@unveillance.com
Date: Wed, 02 Mar 2011 01:27:20 +0000
Subject: Domain Conviction, Registrars Contact Info.txt (khijazi@unveillance.com)
Message-ID: <20cf3054ab4f6b9c55049d75d068@google.com>

I've shared some documents with you:

Domain Conviction
https://spreadsheets.google.com/a/unveillance.com/ccc?key=0AnR9lOyynMsodGx5Z2JFT0Q2MVY3bHFCWDRrWTBaYnc&hl=en

Registrars Contact Info.txt
https://docs.google.com/a/unveillance.com/document/d/14Hns2ep-7JEuiRu5_eVm-mcu1R-asSs-hbWP1X-KQQI/edit?hl=en

They're not attachments -- they're stored online at Google Docs. To open these documents, just click the links above.

The domain conviction spreadsheet is still a work in progress; expect there to be changes as I work it out. Also, I suggest you don't attempt to sinkhole any domains that are missing either a 'Malware Type' (i.e. ZeuS/Artro) or an MD5 - without those I likely don't have enough proof for you to provide a registrar - I think there's only a couple on this list. We want to be very careful about being 'sure' the domain is in fact C&C.