Errata: Mourad Ben Lakhoua Plagiarism

Sat Oct 22 01:56:02 CDT 2011

Mourad Ben Lakhoua writes articles for his blog SecTechno, and frequently cross-posts many of them to InfosecIsland. After Lakhoua posted an article on 'Graphing Suspicious URL Relationships', one of the authors of the book The Malware Analyst's Cookbook commented that some of the material was taken straight from the book without proper credit. They noted that it was obvious the material was lifted because of cut-and-paste errors and characters left in that should have been removed in his usage. The comment goes on to point out that another of Lakhoua's articles, "Capturing and Analyzing Malicious Network Traffic", also contained material from the book, again without proper citation.

The copy of the 'Graphing Suspicious URL Relationships' article on InfosecIsland was updated to include a note from the editor of the site:

EDITOR'S NOTE: The author initially had mistakenly failed to credit a source for this article, the Malware Analyst's Cookbook. The book's author contacted Mr. Lakhoua and made him aware of the error. Mr. Lakhoua has since apologized for the omission.

This in turn led attrition.org and one other person to start digging into other articles written by Lakhoua to determine if this lack of citation was an exception or a pattern. [Update: Four days after this article, Lakhoua published an apology for his actions. Infosec Island also published their stance on plagiarism.]

The Plagiarism

After reviewing almost a dozen articles by Lakhoua, it became clear that many of his articles used material from other sources without proper citation. In some cases, it was a sentence or two mixed in with original work. In other cases, it was entire paragraphs or lists of bullet points. In each case, Lakhoua did not properly cite where the material was from, indicate that it was not original, or link to an original source. Due to the number of occurrences, it is clear that Lakhoua is using plagiarism as a shortcut to churn out articles for his blog.

The following table presents a large sampling of the plagiarism found. This does not represent an exhaustive audit of his work, just a good representation of the plagiarism based on spot-checking text from each article examined.


Article: Graphing Suspicious URL Relationships
  Description: Unspecified amount of text. An author of the Malware Analyst's Cookbook replied in comments indicating the blog came from the book. In response, Lakhoua adds a reference link to the book.
  Original Source: Malware Analyst's Cookbook by Ligh, Adair, Hartstein and Richard

  Description: "It's purpose is to detect exploits that target browser and browser plug-in vulnerabilities. It accepts many different types of input:", 5 bullets, "This project contains the source code ..", command example, "Optionally, you can specify the ..." and a second command example. (~50% of the article)
  Original Source: Text verbatim from jsunpack-n home page

Article: Capturing and Analyzing Malicious Network Traffic
  Description: "You can visit the Snort project's home page for additional documentation..." & 4 bullets, and several command examples. An author of the Malware Analyst's Cookbook replied in comments indicating the blog came from the book. In response, Lakhoua adds a reference link to the book.
  Original Source: Page 249 of Malware Analyst's Cookbook by Ligh, Adair, Hartstein and Richard

Article: iScanner Utility for Cleaning Infected Websites
  Description: "iScanner is a free open source tool lets you detect and remove malicious code and web page malware from your website easily and automatically. It will not only show you the infected files in your server, it's also able to clean these files by removing the malware."
  Original Source: Text verbatim from iScanner home page.

Article: Will Windows 8 be the Safest Operating System?
  Description: "Windows will authenticate boot components to prevent any attempt to start malware before the operating system is up and running."
  Original Source: Text verbatim from Windows 8 Secure Boot.

  Description: "Now for malware, Microsoft added in Windows 8 UEFI Secure Boot which is designed to make the OS more resilient to malicious code. Secured boot stops malware in its tracks and makes Windows 8 significantly more resistant to low-level attacks. Windows will authenticate boot components to prevent any attempt to start malware before the operating system is up and running."
  Original Source: "Here is how Microsoft details the secured boot feature of the next major iteration of Windows: Secured boot stops malware in its tracks and makes Windows 8 significantly more resistant to low-level attacks. Even when a virus has made it onto your PC, Windows will authenticate boot components to prevent any attempt to start malware before the operating system is up and running." (Softpedia.com)

  Description: "Windows Defender will also have a new file system filter to provide real time protection against malware."
  Original Source: Text verbatim from Techie-buzz.com.

Article: 10 Ways a Computer Virus is Like the Flu
  Description: Entire article cross-posted from sectechno.com, where Lakhoua credits the source URL only. The InfosecIsland copy did not provide a reference to the original source or author (Coleen Torres). The article on phonetvinternet.com does not appear to credit the author by name (while other copies on different sites do), suggesting it may not be the original post. Lakhoua contacted attrition.org saying "I have recived from [InfosecIsland editor] that there is a problem with Coleen Torres article while I posted this article after a request from the Author." We find it odd that the author would ask him to post the article on his blog or InfosecIsland sans proper credit.
  Original Source: 10 Ways a Computer Virus is Like the Flu.

Article: DeepSAFE: Hardware-Assisted Malware Protection
  Description: "With the rollout of DeepSAFE, McAfee delivers:" and 4 bullets
  Original Source: Text verbatim from mcafee.com

  Description: "... we can expect an increase in the new age malware in three classes:" and 3 bullets
  Original Source: List taken from "Hacking exposed malware & rootkits" by Michael A. Davis, Sean Bodmer, and Aaron LeMasters. First two bullets have minor rewording, third bullet verbatim.

Article: Independent Antivirus Software Testing Resources
  Description: Image: RAP averages quadrant Feb-Aug 2011
  Original Source: Image is copyright Virus Bulletin Ltd www.virusbtn.com.

  Description: "Selecting an antivirus is a very important step..." and 3 bullets
  Original Source: Microsoft Troubleshooting Windows 7 Inside Out by Mike Halsey. Three bullets taken verbatim.

  Description: "Another independent Antivirus testing lab is The AV-TEST Institute. AV-TEST provides an informative and customer-friendly illustration of trends, forecasts and long-term developments based on a comprehensive inventory of recently collected data and data gathered on a long-term basis."
  Original Source: "AV-TEST provides an informative and customer-friendly illustration of trends, forecasts and long-term developments based on a comprehensive inventory of recently collected data and data gathered on a long-term basis." (av-test.org)

Article: Top 5 Most Dangerous Malwares
  Description: "TDL4 is the latest version of a rootkit originally known as TDSS or Tidserv, which appeared back in 2008. However, unlike its predecessors, TDL4 is able to bypass code signing protection in 64-bit versions of Windows Vista and 7. By default these systems do not allow drivers that are not digitally signed to be loaded, but TDL4 manages to get around that by changing boot options before the operating system actually starts. TDSS is one of the most complex and dangerous malicious programs family in the world and it continues to evolve."
  Original Source: Text almost verbatim from hspig.org with minor tweaks.

  Description: "Asprox is a small botnet has been used in password stealing, spam, and phishing attacks. This botnet based attack is innovative. It interfaces with Google's search engine to locate vulnerable web pages. When a weakness is found, Asprox injects an iFrame based redirectional link on the vulnerable website in order to spread Malware."
  Original Source: "A small botnet known as Asprox has been used in password stealing, spam, and phishing attacks. [..] This new botnet based attack is innovative. It interfaces with Google's search engine to locate vulnerable web pages. When a weakness is found, Asprox injects an iFrame based redirectional link on the vulnerable website." (msmvps.com)

  Description: "ZEUS Botnet is still active in 2010. On July 14, 2010, security firm Trusteer filed a report which says that the credit cards of more than 15 unnamed US banks have been compromised. A recent outbreak is being called Kneber. On 1 October 2010, FBI announced it had discovered a major international cyber crime network which had used Zeus to hack into US computers and steal around $70m. More than 90 suspected members of the ring were arrested in the US, and arrests were also made in UK and Ukraine."
  Original Source: "It was still active in 2010. On July 14, 2010, security firm Trusteer filled a report, which says that the credit cards on more than 15 unnamed US banks have been compromised. On October 1, 2010, FBI announced it had discovered a major international cyber crime network which had used Zeus to hack into US computers and steal around $70m. More than 90 suspected members of the ring were arrested in the US, and arrests were also made in UK and Ukraine." (insecurestuff.in)

Article: ZeroAccess / Max++ Rootkit New Variants
  Description: "ZeroAccess rootkit has been firstly identified back in 2009 and when this rootkit had been discovered in the wild. It was the time of MBR rootkit and TDL2 rootkit while on the TDL we are currently at the fourth version. when security researchers came across a new, previously unknown, rootkit able to kill most of security software as soon as they tried to scan specified folders in the system. ZeroAccess was creating a new kernel device object called __max++> , this is the reason why the rootkit has quickly become known in the security field as the max++ rootkit, also known as ZeroAccess due to a string found in the kernel driver code, presumably pointing to the original project folder called ZeroAccess (f:\VC5\release\ZeroAccess.pdb)."
  Original Source: Text almost verbatim from preface of ZeroAccess - an advanced kernel mode rootkit by Prevx Research.

Article: Steganography and Digital Watermarking Tools
  Description: "Still images, video, music, text, and software are all easily copied and illegally distributed, causing the authors to lose out on considerable income in royalties. By embedding identifying information in a file, watermarking software enables authors to control the distribution of and to verify ownership of their digital information."
  Original Source: Text verbatim from StegoArchive

  Description: "The advantage of steganography, over cryptography alone, is that messages do not attract attention to themselves. Plainly visible encrypted messages will arouse suspicion, and may in themselves be incriminating in countries where encryption is illegal."
  Original Source: Text almost verbatim from Wikipedia.org

Article: Idenifying the real ip address of a hidden Hacker
  Description: "The decloaking engine uses eight techniques to identify the ip address" and 8 steps (~50% of article)
  Original Source: Text verbatim from Metasploit Decloaking Engine. Note: While Lakhoua references this site in the article, he does not indicate the text comes from it.


