Devin Nunes, his Website, and a Trojan Horse

Unhackthevote January 28, 2018

Share:

The story of how Devin Nunes and other GOP candidates may have been compromised.

Part I

In May of 2017, vulnerabilities were discovered on one of Devin Nunes’s campaign websites. The campaign website devinnunes.net had been infected with a virus that caused some internal pages to be indexed by Google, in Russian.

The full report on this discovery is here. The author of the report notified the Nunes campaign of these vulnerabilities on May 19, 2017. Shortly thereafter, it looked like the problem had been resolved. The URL devinnunes.net was redirected to SquareSpace, here: devinnunes.com and the devinnunes.net site was gone.

Was Nunes’s Campaign Website Fixed?

We had a closer look.

It would have been the easiest thing in the world to delete ALL the files related to the now-defunct devinnunes.net website, then do simple domain forwarding with a URL redirect.

Instead of doing this, however, whoever was in control of devinunes.net left the spammy files in place, even after being notified of their existence. When we navigated directly to one of the URLs that Google had indexed last May, we found that the supposed XML file is exactly where it was before the site was “cleaned up”: http://devinnunes.net/images/userfiles/kyt5660-bileti-kiev-nyu-york-tsena-myz3171.xml. This file is not actually an XML file. Clicking on the link briefly displays a (mainly) Russian language html page, before redirecting the visitor to a Russian air ticket broker:

The site wasn’t cleaned up at all. Normal traffic was simply redirected so the spammy files were no longer visible to the normal user or indexed by search engines.

Lets be clear. When they were notified as to the hosting of these files, they immediately changed their website. They changed it in a way that makes no sense in terms of securing it. They changed it in a way to hide the Trojan Horse while giving the appearance they had fixed it. Why?

The ghost of Devin Nunes’s campaign site

This made us curious about what other files may still exist at this url. We checked the service Virus Total to see whether malicious code on devinnunes.net had been detected and reported by others. And indeed it had.

Not only is the ghost of Nunes’s campaign website, devinnunes.net, is still alive, it is serving code that is much more malicious than simple Russian travel spam.

A virus that disguises itself as a JPEG

We downloaded the file that VirusTotal alerted us to. What we found was very disturbing. Disguised as a JPEG image file, it contains a Visual Basic script that downloads code from a domain called alihack.com, executes it on the user’s computer, then destroys its own traces. Why is that code STILL THERE many months later?

What could a malicious file like this be used for? Here are the warnings about this file. It’s a Trojan Agent, for sure, and most virus scanners mark it as a BRRT type. It’s a serious threat to anyone running Windows who clicks on the link to this file.

This particular type of virus is especially frightening and dangerous. It is built to steal information from anyone whose computer is infected by it. In short, this is exactly the type of file that is used for spear phishing — stealing personal data, including emails and address books.

If an unsuspecting victim received an email containing a link that would initiate a download of this file, that person’s computer would most likely be compromised.

How did this happen?

Did Nunes’ emails get hacked? Did his address book get hacked? Were emails then sent out to other GOP in a spear-phishing campaign, being that Nunes was a trusted contact to these people? The damage that could have occurred as this spread is deeply concerning.

The continued existence of this file brings up some serious questions. How could this have happened to Devin Nunes’s campaign website? Who was managing this site? Why did the malicious code stay in place, nearly nine months after it was reported to the campaign?

To answer these questions we dug even deeper. We had a look at the computer hosting the devinnunes.net website. Its IP address comes back to an Microsoft Azure server. Who controls this server? What else is hosted there? This is what we found.