Slashdot Mirror


Computer Scientists Believe a Trump Server Was Communicating With a Russian Bank (slate.com)

In light of the Democratic National Committee hack by the Russians earlier this year, a "tightly knit community of computer scientists" working in a variety of fields came up with the hypothesis, "which they set out to rigorously test: If the Russians were worming their way into the DNC, they might very well be attacking other entities central to the presidential campaign, including Donald Trump's many servers." In late July, one of the scientists who asked to be referred to as Tea Leaves discovered possible malware emanating from Russia, with the destination domain having Trump in its name. What the researcher saw "was a bank in Moscow that kept irregularly pinging a server registered to the Trump Organization on Fifth Avenue": Slate Magazine reports: More data was needed, so he began carefully keeping logs of the Trump server's DNS activity. As he collected the logs, he would circulate them in periodic batches to colleagues in the cybersecurity world. Six of them began scrutinizing them for clues. The researchers quickly dismissed their initial fear that the logs represented a malware attack. The communication wasn't the work of bots. The irregular pattern of server lookups actually resembled the pattern of human conversation -- conversations that began during office hours in New York and continued during office hours in Moscow. It dawned on the researchers that this wasn't an attack, but a sustained relationship between a server registered to the Trump Organization and two servers registered to an entity called Alfa Bank. The server was first registered to Trump's business in 2009 and was set up to run consumer marketing campaigns. It had a history of sending mass emails on behalf of Trump-branded properties and products. Researchers were ultimately convinced that the server indeed belonged to Trump. 
But now this capacious server handled a strangely small load of traffic, such a small load that it would be hard for a company to justify the expense and trouble it would take to maintain it. That wasn't the only oddity. When the researchers pinged the server, they received error messages. They concluded that the server was set to accept only incoming communication from a very small handful of IP addresses. A small portion of the logs showed communication with a server belonging to Michigan-based Spectrum Health.

3 of 548 comments

  1. Re:Clinton's desperation by quantaman · Score: 4, Interesting

    Hey, Slashdot gets visited by Russian IP addresses too! Maybe Slashdot is working with Putin to leak Clinton's E-mails as well?

    Seriously, this bullshit coming from Clinton and her minions only shows how desperate they are.

    FTA:

    I also spoke with academics who vouched for Tea Leaves’ integrity and his unusual access to information. “This is someone I know well and is very well-known in the networking community,” said Camp. “When they say something about DNS, you believe them. This person has technical authority and access to data.”

    The researchers quickly dismissed their initial fear that the logs represented a malware attack. The communication wasn’t the work of bots. The irregular pattern of server lookups actually resembled the pattern of human conversation—conversations that began during office hours in New York and continued during office hours in Moscow. It dawned on the researchers that this wasn’t an attack, but a sustained relationship between a server registered to the Trump Organization and two servers registered to an entity called Alfa Bank.

    [...]

    Earlier this month, the group of computer scientists passed the logs to Paul Vixie. In the world of DNS experts, there’s no higher authority. Vixie wrote central strands of the DNS code that makes the internet work. After studying the logs, he concluded, “The parties were communicating in a secretive fashion. The operative word is secretive. This is more akin to what criminal syndicates do if they are putting together a project.”

    The really interesting thing is that when people started asking about the server, the Trump org took it down and renamed it, and somehow the Russian server knew exactly which hostname to access (suggesting someone from the Trump org told them).

    Four days later, on Sept. 27, the Trump Organization created a new host name, trump1.contact-client.com, which enabled communication to the very same server via a different route.

    These aren't political hacks, nor the result of reporters misunderstanding basic concepts. These are qualified experts with reputations to protect who understand hackers, malware, and misconfigured mail servers. They have looked at the evidence and think this is a secret communication channel.

    --
    I stole this Sig
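The quoted passages above describe the analysis the researchers say they ran on the DNS logs: bucketing lookups by local time of day on each side, counting how few client addresses ever talk to the name, and noticing that a new hostname (trump1.contact-client.com) resolved to the very same server. The following script is an added illustration of that kind of passive-DNS analysis and is not the researchers' code or the logs from the article; the log format (UTC timestamp, querying client, queried name, answer address), the hostnames, and all addresses are constructed here, and the 09:00-17:59 office-hours window is an assumption.

```python
"""Office-hours and hostname/address analysis over passive-DNS log lines.

Added example; the log lines below are constructed and use documentation
address ranges (RFC 5737), not any real data from the story.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    NY = ZoneInfo("America/New_York")
    MSK = ZoneInfo("Europe/Moscow")
except Exception:  # no tz database: fall back to the fixed 2016 summer offsets
    NY = timezone(timedelta(hours=-4))   # EDT
    MSK = timezone(timedelta(hours=3))   # MSK has had no DST since 2014

OFFICE_HOURS = range(9, 18)  # 09:00-17:59 local time (assumed window)

# Constructed sample: "<utc-timestamp> <client-ip> <queried-name> <answer-ip>".
# The last two lines model a hostname rename that keeps the same server.
SAMPLE_LOG = """\
2016-07-05T13:02:11Z 203.0.113.10 mail1.example-contact.com 198.51.100.7
2016-07-05T14:45:03Z 203.0.113.10 mail1.example-contact.com 198.51.100.7
2016-07-05T16:10:40Z 203.0.113.11 mail1.example-contact.com 198.51.100.7
2016-07-05T18:30:05Z 203.0.113.10 mail1.example-contact.com 198.51.100.7
2016-07-05T21:40:00Z 203.0.113.10 mail1.example-contact.com 198.51.100.7
2016-07-06T03:00:00Z 203.0.113.11 mail1.example-contact.com 198.51.100.7
2016-07-06T06:12:00Z 203.0.113.11 mail1.example-contact.com 198.51.100.7
2016-07-06T09:55:21Z 203.0.113.10 mail1.example-contact.com 198.51.100.7
2016-09-27T15:20:00Z 203.0.113.10 host2.example-contact.com 198.51.100.7
2016-09-28T12:05:00Z 203.0.113.11 host2.example-contact.com 198.51.100.7
"""


def parse_log(text):
    """Parse log lines into (utc datetime, client, qname, answer) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, answer = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, client, qname.lower().rstrip("."), answer))
    return records


def office_hours_share(records):
    """Fraction of lookups inside office hours in New York, in Moscow, or in either."""
    hits = Counter()
    for when, *_ in records:
        ny_hit = when.astimezone(NY).hour in OFFICE_HOURS
        msk_hit = when.astimezone(MSK).hour in OFFICE_HOURS
        hits["ny"] += ny_hit
        hits["msk"] += msk_hit
        hits["either"] += ny_hit or msk_hit
    n = len(records)
    return {key: hits[key] / n for key in ("ny", "msk", "either")}


def names_per_address(records):
    """Map each answer address to the sorted hostnames that resolved to it.

    Several names on one address is the 'renamed host, same server' case.
    """
    by_ip = defaultdict(set)
    for _, _, qname, answer in records:
        by_ip[answer].add(qname)
    return {ip: sorted(names) for ip, names in by_ip.items()}


def distinct_clients(records):
    """Sorted set of client addresses that ever looked the name up."""
    return sorted({client for _, client, _, _ in records})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("office-hours share:", office_hours_share(recs))
    print("names per address:", names_per_address(recs))
    print("distinct clients:", distinct_clients(recs))
```

On the constructed sample, 60% of lookups fall in New York office hours, 50% in Moscow office hours, and 90% in one or the other, only two client addresses ever query the name, and both hostnames resolve to the same address. That is the shape of evidence the article describes; on its own it says nothing about content, which is why the thread treats it as circumstantial.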
  2. Re: BULL SH!T by grcumb · Score: 4, Interesting

    Without having read TFA, often even as a network engineer, I'll use the term "ping" even when not referring to ICMP. For example, I'll refer to an SNMP walk (of any kind) as a "ping".

    Exactly. The term 'ping' may appear unfortunate to those of us who know what the ICMP protocol actually is, but it'll be suitably edgy to a tech-ignorant audience who need to feel that the writer actually knows what he's talking about.

    Still though, this doesn't come off as suspicious to me at all. Since when is it odd or otherwise unusual that a server belonging to a billionaire talks to a server belonging to a bank in a foreign country?

    When the bank is one of only a very few addresses the server communicates with.

    Look, it's circumstantial at best, no more of a smoking gun than any number of other things. But if I were a US-based journalist, I'd consider it worth digging into. I don't know that I'd publish something based on the logs alone, but I would certainly be willing to follow wherever they lead. Even if the conclusion is that Trump has investments in Russian companies, that's a notable fact, given his constant and explicit denial that he has any financial ties to Russia.

    That's like saying that it's odd that there's dog piss on a fire hydrant.

    Kind of. It's more like saying it's odd that this dog doesn't seem to want to piss anywhere except at this particular fire hydrant, which he insists he would never piss on if you gave him a thousand years and a fire hose.

    So yeah, the circumstances are curious, but there's nothing here that would make me jump out of my chair and shout, 'Aha!!!' And trust me, I'd be the first to do that if it took Trump down a notch.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
  3. Re:I've seen things at least that strange by Anonymous Coward · Score: 5, Interesting

    It's a well-researched and written story.

    What a fucking joke. This is still slashdot, right? There are still people here that understand TCP/IP and DNS, right? I only ask because the author of the slate article makes it abundantly clear that he is unaware of the difference between a server and a domain.

    The server was first registered to Trump’s business in 2009

    Does that look well researched to anyone here? If you were consulting with a reporter writing a story about servers and DNS, would you let him leave that sentence in the story? Or would you correct him?

    More:

    But what he saw was a bank in Moscow that kept irregularly pinging a server registered to the Trump Organization on Fifth Avenue.

    What is on 5th Avenue? I'll give you a hint, it isn't the bank, the server or the domain. Someone go stop the presses, I think we just found the mailing address of Trump's office.

    But now this capacious server handled a strangely small load of traffic, such a small load that it would be hard for a company to justify the expense and trouble it would take to maintain it. “I get more mail in a day than the server handled,” Davis says.

    That wasn’t the only oddity. When the researchers pinged the server, they received error messages. They concluded that the server was set to accept only incoming communication from a very small handful of IP addresses.

    Ok, so the server isn't advertising itself with a banner that says "I am a Beowulf cluster, and these chumps have been running 5 emails a day." How do these "researchers" know what it is inside? Did they commit some felonies to find out? Do I sense yet another batch of Democrats taking the 5th in the near future?

    Assuming they get in through some means, what do they find? Is it a capacious server with huge operating costs, like geothermal liquid cooling? Or is it a 1U stuffed into a rack somewhere and forgotten until someone walks past and notices that the idiot light is lit, 6 months after it shuts itself off because the PSU fan failed? Or is this server just an A record in DNS somewhere, in a domain that exists mostly so that recipient mail servers have an SPF record to look at? They don't tell us any specifics. My guess is that the "well-researched" writer thinks that each domain name needs a big dedicated server, at least to the extent that he is able to recognize them as distinct concepts and objects.

    I don't know about you guys, but I check my domain names and purge stale domains about once per decade. The $15 per year to leave them on autopilot autorenewal mode is literally less expensive than my effort to sift through the list plucking out the ones that I no longer need.