China will ban minors from virtual-currency trading sites

Bloomberg News is reporting that, as of August 1, the government of China will make it illegal for companies operating Web sites that deal in virtual currency to allow minors access. The ban will not affect the way virtual currency is used to buy items within online games, the Chinese Ministry of Culture said.

Business analysts say the ban won’t affect the gaming operators, but could have an effect on sites that provide traders with a place to exchange the virtual currency for real money.

Story here: “China Government Bans Online Virtual-Currency Dealing Platforms for Minors”

This is possibly about two things.

— The Chinese government wants to control (and tax) the huge shadow economy that results from exchange of virtual gold
— and possibly control an industry that could be using child labor.

We blogged about “gold farming” in January: “Gaming Trojans: ‘because that’s where the money is.’”

Gold farming has grown enormously in recent years and become a source of employment in China and other parts of Asia. An estimated 400,000 people work for gold farming companies, spending as much as 12 hours per day playing online games to accumulate virtual goods, which can then be sold for real cash to some of the 50 million online game players worldwide. There’s a pretty good chance that some of those gold farmers are minors.

It is hard to imagine many kids who would complain about playing video games all day for pay, although it could be so attractive they’d be inclined to skip school to “work.”

Tom Kelchner

The joys of file sharing: malware sharing

MyWebSearch, the old familiar toolbar, is still around

The team came across these yesterday on a file-sharing network in a file “Power DVD 8 Cracked.rar.”

It installs, without proper notice, MyWebSearch, FLV Direct Player and other garbage. Adam Thomas found a similar surreptitious install of FLV in April – clearly that was part of an affiliate program scheme in which someone was getting paid each time FLV got installed.

See Sunbelt Blog: “Bot installs adware along with video player”

The MyWebSearch Toolbar is a customizable Internet Explorer search toolbar which installs other tools, including pop-up blockers, screensavers, and cursors. Searches entered into the toolbar search field are directed to MyWebSearch.com. MyWebSearch has been around for five years.

[Screenshots: Webfetti, Fetti, Fun_stall, Fun_tool]

It does have the URL of an end-user license agreement buried in its code, http://www.stasga.com/view-eula.php, which pretty much describes what it’s going to do:

“7. By pressing ‘Accept’ you agree to the terms of the following: You allow us to modify your HTTP packets in your packet filters. This will allow us to modify your URL in your browser. “

For some strange reason, the EULA has no section six.

Thanks Adam,

Tom Kelchner

Shakira’s World Cup song used to push FLVPro.exe

It seems the last week or so has been a fun time to promote not only the World Cup but also various bits of software you might not want on your PC. Here’s a collection of Shakira uploads on YouTube, all related to her “Waka Waka” song, created for the World Cup:

[Screenshots: three “waka waka” YouTube uploads]

As you can see, there’s everything from the official video to ripped copies of her performing live. There are many more of these videos floating around YouTube, but all of them point to flvpro(dot)com and ask you to download “free movies and TV shows” with the aid of their “direct downloader”.

What happens when you try to download the executable from that site?

[Screenshot: flv]

Oh dear – bit of an own goal, there.

It wasn’t so long ago that there was a “hilarious video” scam on Facebook – recognise the filename?

Be careful when rummaging around sites such as YouTube for World Cup related songs, replays and things of a similar nature. You won’t have any problems as long as you stay on the site playing the video, but wandering off into the wide blue yonder could mean an early substitution and a PC full of junk.

Nobody wants that, do they?

Christopher Boyd

U.S. Govt. plans crackdown on online pirated goods

U.S. Intellectual Property Enforcement Coordinator Victoria Espinel (AKA the “copyright czar”) has made public an ambitious new federal government strategy to combat online piracy and the sale of counterfeit products.

Espinel said the plan will improve government efforts at prevention and detection as well as the prosecution of intellectual property thieves. It takes aim at the foreign websites that violate U.S. intellectual property laws.

The plan lays out the responsibilities of federal government agencies including the Food and Drug Administration, the FBI and the Department of Justice. The agencies will get added manpower and other resources to detect intellectual property theft and prosecute the thieves, Espinel said.

Story here.

I would like to think that this initiative, coupled with added vigilance by domain registrars, will go a long way toward cleaning up the illegal pharma and product knock-off sites that are so extensively advertised by spam email. Hopefully, the KnujOn report we blogged about yesterday will bring pressure on domain registrars to stop sheltering the criminal Internet operators they protect.

Tom Kelchner

419 spam: scenario moves to Hong Kong

Carries return email address on Belarus server with blocked Whois

It seems that Mr. Liu Yan of the Bank of China Ltd. in Hong Kong has sent me an email message (from dogyoungshop.com – which is in Taiwan, oddly enough) to inform me that the estate of the late General Mohammed Jassim Ali is up for grabs and I just might be able to become the beneficiary.

It seems that General Ali was with the Iraqi forces and he and his family died in the war, leaving a fortune secretly deposited in the Bank of China… oh, you know the shtick.

Business Notification !!! (3.6.10)
From: ”Liu” <Yan@Dogyoungshop.com>

[Screenshot: Dogyoungshop]

FROM: Liu Yan
Bank of China Ltd.
13/F. Bank of China Tower
1 Garden Road
Hong Kong,

I sincerely ask for forgiveness for I know this may seem like a complete
intrusion to your privacy but right about now this is my best option of
communication. . . .

Best Regards

Liu Yan

Please reply to this email: liuyanch@tut.by

[Screenshot: Tut_by whois]

Tom Kelchner

TwitterBot lets victims roll their own dice

Not so long ago, I wrote about a Botnet creation tool that allowed you to insert your Twitter username into your bots and control the infected computers via commands posted to Twitter feeds. This time around, we have something a little different:

[Screenshot: Give me a command, already]

Isn’t it cute? This program places the tools of destruction into the hands of the victims, which is never a good thing.

It’s distributed as a kind of “free for all” kit on hacking forums, where individuals are encouraged to take the code, files and graphics then improve upon the basic package:

[Screenshot: files for all]

Here’s what some of the code from one of the many files included looks like:

[Screenshot: Change this, but don’t change that]

Note the “edit this / don’t edit that” lines in the code, and also that there is a Twitter account listed. This is the account of the creator, so at a minimum the bare bones package will always follow orders assuming that account isn’t deleted. Of course, the real fun begins when users add in their own Twitter account(s), and also add new commands to the program.

Here’s a very basic example of what the program can do: once I’ve added my own Twitter account to the code in the executable, I start posting commands to my Twitter feed.

[Screenshot: a commanding performance]

At that point, all I need to do is send the nice looking TwitterBot file to the victim and convince them to run it. When that happens, the “Message box” command will pop this on their desktop:

[Screenshot: Chess, anyone?]

Pulling a message from Twitter and opening it on the desktop is fun, but we’ve already seen versions out there with more malicious uses for Twitter commands like downloading rogue executables, opening up files on the C drive and a particular favourite…hunting for login credentials:

[Screenshot: Looking for logins]

To coin a phrase…”Whoops”.

Of course, much like the Twitternet creator program, this suffers from a few drawbacks of using Twitter to “do bad things”(TM). If the account named in the code goes AWOL, then the program is a dead duck (or in this case, a dead friendly-looking blue bird). It also won’t obey commands from a private Twitter account, so for the moment hiding in plain view isn’t really an option, and users will have to accept that their shenanigans could well be monitored and shut down accordingly.

Still, there are enough people out there who will unfortunately run any random file sent to them that the threat from those lurking Twitter commands is quite real. We detect this as Backdoor.Win32.Vortwix.A.
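
Because the bot takes its orders from a public Twitter feed, it has to keep re-fetching that feed, and that regular polling is something a defender can look for in proxy logs. The following is an added example, not code from the original post or from the kit it describes: it runs a simple beaconing check over a few constructed proxy log lines (timestamp, client IP, method, URL) and flags any client that fetches the same twitter.com URL at a near-constant interval. The log format, the IP addresses and the polled profile URL http://twitter.com/botmaster_example are assumptions; the post does not say which URL the real sample fetches.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log (not captured traffic): one host polling a profile
# every ~30 s, one person browsing Twitter at irregular intervals, and some
# unrelated traffic. The URL and addresses are assumptions for the example.
SAMPLE_LOG = """\
2010-06-14T09:00:00 10.0.0.12 GET http://twitter.com/botmaster_example
2010-06-14T09:00:05 10.0.0.40 GET http://twitter.com/home
2010-06-14T09:00:30 10.0.0.12 GET http://twitter.com/botmaster_example
2010-06-14T09:01:01 10.0.0.12 GET http://twitter.com/botmaster_example
2010-06-14T09:01:30 10.0.0.12 GET http://twitter.com/botmaster_example
2010-06-14T09:01:45 10.0.0.12 GET http://www.example.com/
2010-06-14T09:02:00 10.0.0.12 GET http://twitter.com/botmaster_example
2010-06-14T09:02:31 10.0.0.12 GET http://twitter.com/botmaster_example
2010-06-14T09:03:00 10.0.0.12 GET http://twitter.com/botmaster_example
2010-06-14T09:03:30 10.0.0.12 GET http://twitter.com/botmaster_example
2010-06-14T09:04:10 10.0.0.40 GET http://twitter.com/home
2010-06-14T09:11:47 10.0.0.40 GET http://twitter.com/home
2010-06-14T09:12:02 10.0.0.40 GET http://twitter.com/home
2010-06-14T09:30:00 10.0.0.40 GET http://twitter.com/home
"""

WATCHED_HOSTS = ("twitter.com", "www.twitter.com", "api.twitter.com")


def parse_log(text):
    """Yield (timestamp, client, split_url) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, client, _method, url = line.split()
        yield datetime.fromisoformat(stamp), client, urlsplit(url)


def find_pollers(text, min_hits=5, max_jitter=0.2):
    """Return clients that fetch one watched URL at a near-constant interval.

    Jitter is the coefficient of variation (stdev / mean) of the gaps between
    requests: an automated poller has a small value, a human browsing does not.
    """
    stamps_by_target = defaultdict(list)
    for stamp, client, url in parse_log(text):
        if url.hostname in WATCHED_HOSTS:
            stamps_by_target[(client, url.hostname + url.path)].append(stamp)

    hits = []
    for (client, target), stamps in stamps_by_target.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            hits.append({"client": client, "target": target,
                         "count": len(stamps), "period_s": round(mean, 1)})
    return hits


if __name__ == "__main__":
    for hit in find_pollers(SAMPLE_LOG):
        print(f"{hit['client']} polls {hit['target']} every {hit['period_s']}s "
              f"({hit['count']} requests)")
```

Run it and the 10.0.0.12 host polling every 30 seconds is reported while the person browsing twitter.com/home is not. The same check carries over to any command channel hidden in a public web service: group by client and URL, then look at the spread of the inter-request gaps rather than the request count alone.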

Thanks to Adam Thomas from Sunbelt’s Malware Research Team for additional research.

Christopher Boyd

Report IDs domain name registrars who sponsor illegal activity

Anti-spam group KnujOn (“NoJunk” backwards), a member of the Internet Corporation for Assigned Names and Numbers (ICANN), has issued a nearly 100-page report detailing how some domain name registrars are actively shielding pharma and other illegal groups by protecting their web sites from takedown. The report names names.

ICANN is responsible for managing the assignment of domain names and IP addresses on behalf of the U.S. government.

KnujOn’s report quotes John Horton, President of LegitScript.com: “The Internet rule is straightforward. Domain name registrars are required by ICANN to prohibit domain owners from using their domains for unlawful purposes. Without exception, this rule is also reflected in each registrar’s terms and conditions, thus formalizing and protecting the company’s contractual right to suspend domain names for unlawful activity. Once a registrar becomes aware that a website is engaged in criminal activity, the company has the legal authority and technical ability to suspend the domain name, rendering the illegal and fraudulent content inaccessible. This self-policing is meant to balance freedom of speech with safety and legitimacy as the Internet continues to evolve. But all too often, registrars simply turn a blind eye to criminal activity.”

The third section of the KnujOn report describes “…how the Domain Name System is being manipulated on a massive scale to support illicit drug traffic and details conditions that allow this threat to exist at the expense of the consumer and legitimate business.”

The report says the illicit product traffic gives registrars the opportunity to make money selling illegal domain registrations and the domain services that go with them.

The report says: “There is no question that underground pharmaceutical traffic is illegal and kills people. The traffickers may paint themselves as virtual Robin Hoods who defy the greedy hands of government and “big pharma”, but in reality they deliver tainted products and cruelly prey on the sick, elderly, and addicted. In contrast with the popular perception, the underground pharmacy market is far beyond lifestyle drugs like Viagra and Cialis. Tainted and completely fake drugs sold on the Internet include heart, blood-pressure, cancer, diabetes, and AIDS medications. There are multiple documented cases of chalk pressed into painted pills, HIV test kits that give false negatives, “anti-aging” cocktails, and an array of other “snake oils” that give false hope and make the sick sicker.”

Tom Kelchner

The Mysterious Tango Toolbar

For a month or so now, support sites and Question / Answer services such as social.answers.microsoft and Yahoo Questions have been looking like this:

[Screenshots: social answers tango bar; Tango Bar on Yahoo]

Two common themes: nobody seems to know where they got it from, and nobody can uninstall it. Out of all the threads posted, there seems to be only one that potentially gives some specifics with regard to a possible source. If you don’t want to read his long ramble, here is his post in a nutshell:

“Went looking for Limewire, downloaded a version and now I have Tango Toolbar”.

So either he grabbed a cracked version which comes with the toolbar, or he downloaded something from P2P land which came with a few surprises. Regardless of infection route, it took a while to find the file in question because “It’s called Tango Toolbar and there’s a picture of a red hat on it” doesn’t really help much. The search was made more annoying by virtue of there being lots and lots of programs, skins and other things called Tango (or Tango Toolbar) that had nothing to do with this.

Things picked up a bit with this HijackThis log, listing a URL in the file which allowed me to grab a report from Threat Expert stuffed with the technical data I needed to pull the file from our database and have a play.

Shall we take a look? Presenting: The Tango Toolbar installer splash.

[Screenshot: Tango Bar splash page]

I know what you’re thinking. However, despite the strangely similar name this doesn’t have anything to do with Zango. The splash claims it has a popup blocker, a built in search and offers “related keywords” when browsing. I particularly like the popup blocker, which notifies you of every popup blocked with the aid of a popup.

[Screenshot: Blocking popups with popups]

I’m also a fan of the “Do not notify me again” checkbox, which works about as well as you’d expect. Three seconds later, and:

[Screenshot: More popups]

Whoops.

The search results come from bar(dot)adbsearch(dot)com, and all seem to be sponsored. I didn’t see any inline adverts, but where this gets really interesting is when you try to uninstall. The “About” box makes it clear this toolbar has a EULA:

[Screenshot: Tango Toolbar About Box]

Clicking the link takes you to a site called gettango(dot)com:

[Screenshot: Tango Toolbar EULA]

There is no EULA there, but the reason for this might be a little strange. See, gettango(dot)com is a site owned by a company called Brand Tango, who seem to be a marketing company dealing with timeshare/real-estate/hospitality. Can you see any connection between that and a random toolbar? Even stranger, if you go to Add / Remove Programs and attempt to uninstall this is what you’ll see:

[Screenshot: Tango Toolbar uninstall]

A popup box with nothing other than a message served up from remove(dot)gettango(dot)com.

“Hello, If you were sent to this page then it is likely that you have downloaded some sort of adware or malware. We have recently begun to receive reports from individuals who have installed a toolbar that includes the name ‘tango’ and tells them to go to here to remove it. Our company, Brand Tango, has no association with this software and we do not create any software for individual use. The reported toolbar is attempting to mislead people by sending them to a domain that they don’t own and that can’t help them. We recommend that you ensure your internet security software (anti-virus, firewall, malware/adware protection, etc…) is up to date and then contact their technical support for help removing the toolbar. For your convenience, links to some of the more popular internet security companies are listed below.

Sincerely,
Brand Tango”

It then goes on to list Kaspersky, Symantec and McAfee as methods to remove the Toolbar. The Gettango domain and what appears to be their main website brand-tango(dot)com share similar domain registration data, and everything appears to be on the level. Is someone deliberately trying to mess with the reputation of Brand Tango by pointing a toolbar at their domains?

The secondary search feature, accessed by clicking the Tango logo, also points traffic to the gettango domain:

[Screenshots: Click a link, any link; more broken searches]

Interestingly, tangosearch(dot)com (from the HiJackThis logs) also has a message on their site:

[Screenshot: Another Tango message]

That site has different Whois data, showing as being “up for sale” and registered to hugedomains(dot)com.

It seems nobody wants anything to do with this toolbar, but it keeps crashing the party regardless. What we can say is that the toolbar is ultimately a problem for Mirar to resolve, even if registered through Domains By Proxy:

[Screenshot: Tango Bar homepage]

This particular toolbar is a mess of broken uninstallers, disclaimers warding off associations with the product and endless people on support forums wondering how it ended up on their computers in the first place. In a situation such as this, there’s really only one course of action to take:

[Screenshot: Tango down]

TANGO DOWN.

Christopher Boyd

(Thanks to Adam Thomas for additional research).

You (better) do the math

As we were trolling the ugly underbelly of the Web for the latest in malicious gimmickry we couldn’t help but notice the “membership plan” shell game played on a site devoted to helping men find “lonely housewives” to apparently add joy to their empty lives.

The plan prices didn’t seem to add up.

Under each per-month price is a grayed out line that says “Billed at____ USD”

$5.99 x 12 = $71.88 not $107.82

$9.99 x 3 = $29.97, not $39.96

BUT $18.99 x 1 DOES INDEED EQUAL $18.99

[Screenshot: Watch Payment2]

Multiplication shouldn’t be beyond the ability of the average guy looking for lonely housewives to fulfill.

In rural areas, sensible drivers are especially alert in deer rutting season (November and December). At that time of year bucks insanely dash across the highway (and into vehicles) in pursuit of the deer equivalent of lonely housewives. They don’t think, they just go! The folks running this site apparently are banking on the same hormone-driven behavior in their human visitors.

It’s apparently nothing new. The site has been around for four years.

Tom Kelchner

Hacking Google Trends?

Search engine optimization (SEO) poisoning is nothing new, but here’s a nasty new twist. Early this morning someone apparently found a way to game Google Trends, sending an ugly racist string to the number one position on the “Hot Searches” list.

[Screenshots: Lol ni 6a; Lol ni]

A post on the 4chan.org boards seemed to hint that someone, somewhere discovered something: “omg it works guyz every time”

[Screenshot: Lol ni 2]

4chan apparently took down a number of posts that contained the string.

By about 9 a.m. (EDT) Google was showing 269 hits for the string, many of them seemed to be sites that scrape Google Trend Hot Topics.

[Screenshot: Lol ni 3]

Searching the Google hits for the string didn’t really turn up much about its origin, but it did show some interesting SEO techniques in which web site owners scraped Google’s Hot Searches to attract visitors to their sites. This has the potential of amplifying any nastiness that anybody can get into the trends.

This site apparently scraped Hot Searches then told visitors they could see the “full un-edited version” by clicking on a link which took them to an anchor on the same page – thus getting (at least) two clicks for the price of one.

http://www.poodlesnatcher.com/comic-book-stores-4841/

[Screenshot: Lol ni 5]

This appears to be just nasty old fashioned hacking for (racist) kicks, however, the same mechanism could be used to pass along a link to sites with malicious drive-by downloads.

Bottom line: think twice when you click on Google’s Hot Topics.

Tom Kelchner

Mac OS X update with a twist

Adobe Flash Player in update is out of date

Apple has released its latest security update, 2010-004, which brings the Mac OS X Snow Leopard operating system up to version 10.6.4.

The company is telling users, however, that the version of Adobe Flash Player that ships with the update is out of date and must be updated. The installer will not downgrade an existing Flash Player installation, so users who already had the latest version (10.1.53.64) installed before applying the Apple update are good to go; everyone else should update Flash separately.

See Apple notice here: “Apple Security Update 2010-004 / Mac OS X v10.6.4 Shipping with Outdated Version of Adobe Flash Player”

Tom Kelchner

AT&T iPad database hacker arrested for drugs

CNet is reporting that Goatse Security group member Andrew Auernheimer, 24 (also known by the handles “Weev” and “Escher”), was arrested by Fayetteville, Ark., police after officers serving an FBI search warrant at his home allegedly found cocaine, ecstasy and LSD. He faces four felony counts and one misdemeanor count of possession of a controlled substance.

Last week the Goatse group publicized their hack of AT&T servers and said they had obtained the email addresses and SIM card ICC-ID numbers of 114,000 purchasers of the new 3G Apple iPad. The accounts included those of prominent federal government, military, media and corporate officials.

Auernheimer is being held in Washington County Detention Center in Fayetteville, Ark., without bail awaiting a June 18 preliminary hearing. Authorities have not made public the reason for the search warrant.

Story here: “Hacker in AT&T-iPad security case arrested on drug charges”

See Sunbelt Blog June 11 post “FBI looks into AT&T hack that revealed iPad 3G owner info”

Tom Kelchner

“Attention: Lottery Winner,”

Now this wouldn’t be some kind of rip off spam would it?

You’ve won the sum of NINE HUNDRED AND FIFTY THOUSAND POUND
(£950,000.00) from the UK GOLF INTERNET emails Lottery Edition 2010

TO RECEIVE AND CLAIM YOUR PAYMENT OF PRIZE

The English seems a bit shaky.

You are therefore advised to send the following information to our claims agent(Mr.Piland woods) to facilitate the remittance of your winning prize to you at once from the UK GOLF INTERNET EMAILS LOTTERY.

They want the kind of information that scammers usually want:

1. Full name…………
2. Country…………..
3. Contact Address……..
4. Telephone Number…….
5. Marital Status………
6. Occupation………….
7. Company…………..
8. Age………………..

They don’t really have a company Internet presence. Their “site” is a LinkedIn account.

[Screenshot: Golf Lottery 3]

You can also view our lottery site :
http://uk.linkedin.com/in/internetgolflottery

They are “fully special” and they “glob round the world” – yea, that sounds REAL legitimate.

[Screenshot: Golf Lottery 1]

The writer doesn’t seem to know that in English you capitalize last names.

Mr.Piland woods. (VERIFICATION DEPARTMENT MANAGER)

And “Mr.Piland woods” does business from a hotmail email address.

Email: golf_internet222@hotmail.com

LOTTERY VERIFICATION DEPARTMENT MANAGER

Google Maps and Street View reveal that their company headquarters is a billboard advertising the “Sex and the City” movie.

[Screenshot: Golf Lottery 4]

GOLF INTERNET EMAIL LOTTERY 2010
21 Craven Park, Harlesden
London NW20, United Kingdom.
Batch number: 12/25/0340
Ref number: MSN-L/200-26845

Winning number: GQ-667890-D

My guess is that it’s a troll for some kind of Nigerian 419 operation (in spite of the fact that they are “a blessed company”).
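
This message and the “Liu Yan” 419 above share the traits a mail filter can score without reading the shtick: the address you are told to answer is not the sender’s (tut.by vs dogyoungshop.com), a “bank” or “lottery” writing from a free-mail account (hotmail.com), the lure vocabulary, and a form asking for personal details. The following is an added example, not part of the original posts, that scores a raw message on those four signals using only the Python standard library. The two scam samples are constructed paraphrases of the quoted emails (the recipient address, the weights, the word lists and the threshold are my assumptions), and the free-mail domain list is illustrative rather than complete.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed samples modelled on the two messages quoted in the posts above;
# the bodies are paraphrased and the recipient address is invented.
SAMPLE_419 = """\
From: "Liu" <Yan@Dogyoungshop.com>
To: victim@example.com
Subject: Business Notification !!!

FROM: Liu Yan
Bank of China Ltd.
13/F. Bank of China Tower, 1 Garden Road, Hong Kong

I sincerely ask for forgiveness for I know this may seem like a complete
intrusion to your privacy but right about now this is my best option of
communication. The late General Mohammed Jassim Ali died in the war leaving
a fortune secretly deposited in our bank, and I propose that you stand as
the beneficiary of his estate.

Best Regards
Liu Yan
Please reply to this email: liuyanch@tut.by
"""

SAMPLE_LOTTERY = """\
From: UK GOLF INTERNET EMAILS LOTTERY <golf_internet222@hotmail.com>
To: victim@example.com
Subject: Attention: Lottery Winner,

You've won the sum of NINE HUNDRED AND FIFTY THOUSAND POUND (950,000.00)
from the UK GOLF INTERNET emails Lottery Edition 2010.

You are therefore advised to send the following information to our claims agent
(Mr.Piland woods) to facilitate the remittance of your winning prize:

1. Full name
2. Country
3. Contact Address
4. Telephone Number
5. Marital Status
6. Occupation
7. Company
8. Age

Email: golf_internet222@hotmail.com
"""

SAMPLE_BENIGN = """\
From: Alice Smith <alice@example.com>
To: victim@example.com
Subject: Lunch

Are we still on for lunch on Friday? Alice
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Free-mail domains a "bank" or "lottery" has no business using. Illustrative
# list, an assumption for this example, not a complete one.
FREEMAIL = {"hotmail.com", "gmail.com", "yahoo.com", "yahoo.co.uk", "live.com"}

# Phrases typical of advance-fee lures; matched as whole words only.
LURE_WORDS = ("lottery", "winning", "prize", "estate", "beneficiary",
              "deposited", "claims agent")

# Personal details the reply is asked to supply.
PII_FIELDS = ("full name", "country", "contact address", "telephone",
              "marital status", "occupation", "company", "age")


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def has_word(phrase, text):
    return re.search(r"\b" + re.escape(phrase) + r"\b", text) is not None


def score_advance_fee(raw):
    """Return (score, reasons) for a raw RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content().lower() if body_part else ""

    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addrs = set(EMAIL_RE.findall(text))
    if msg.get("Reply-To"):
        reply_addrs.add(parseaddr(msg["Reply-To"])[1].lower())

    score, reasons = 0, []

    # 1. The address you are told to answer lives somewhere other than the sender.
    other_domains = {domain_of(a) for a in reply_addrs} - {domain_of(from_addr), ""}
    if other_domains:
        score += 3
        reasons.append(f"reply address on another domain: {sorted(other_domains)}")

    # 2. Sender or reply address at a free-mail provider.
    freemail = {domain_of(a) for a in reply_addrs | {from_addr}} & FREEMAIL
    if freemail:
        score += 2
        reasons.append(f"free-mail address: {sorted(freemail)}")

    # 3. Lure vocabulary, capped so a long letter does not dominate the score.
    lures = [w for w in LURE_WORDS if has_word(w, text)]
    if lures:
        score += min(len(lures), 3)
        reasons.append(f"lure words: {lures}")

    # 4. A form asking for three or more personal details.
    fields = [f for f in PII_FIELDS if has_word(f, text)]
    if len(fields) >= 3:
        score += 2
        reasons.append(f"asks for personal details: {fields}")

    return score, reasons


def is_advance_fee_scam(raw, threshold=5):
    return score_advance_fee(raw)[0] >= threshold


if __name__ == "__main__":
    for name, sample in (("419", SAMPLE_419), ("lottery", SAMPLE_LOTTERY),
                         ("benign", SAMPLE_BENIGN)):
        score, reasons = score_advance_fee(sample)
        print(f"{name}: score {score} {'SCAM' if score >= 5 else 'ok'}")
        for reason in reasons:
            print("   ", reason)
```

The 419 sample scores on the domain mismatch and the lure words, the lottery sample on the free-mail sender, the lure words and the form, and the benign note scores nothing. The domain-mismatch check is the most useful of the four in practice: the scammer cannot avoid putting a working return address somewhere, and it is almost never on the domain the message was sent from.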

Thanks Bharath

Tom Kelchner

.gov website plays host to UK banking phish collection

The Gobernación del Departamento Central (or “Central Department”) of Paraguay is a curious thing. A Department is (according to Wikipedia) an

“administrative political subdivision of a country established by the cognizant (usually legislative) government authority holding sovereign power for the territory.

Departments are roughly equivalent to a state, province or county”.

Now that’s out of the way, we can take a look at something rather nasty on the Central Department’s .gov portal, which can be found at central(dot)gov(dot)py.

Here’s what the site looks like to the regular visitor:

[Screenshot: central(dot)gov(dot)py front page]

However, digging around the site reveals something a little disturbing:

[Screenshot: phishes galore]

No less than fourteen different banking / financial services phishes including Barclays, Abbey, Northern Rock, Halifax and Lloyds TSB. Clearly, someone is desperate to get their hands on as many UK banking credentials as possible. These phishes are all online at the moment although some appear to be flagged in browsers such as Firefox. We’ve contacted the hosts and hopefully all of the above will be offline shortly.

Christopher Boyd

Runescape account extender goes phishing

While Runescape is free to play, you can upgrade your account with a variety of billing options in order to gain access to features that free users cannot obtain. As a result, paid up accounts are popular targets of phishers and scammers who like to go trading accounts on forums, and sell all of your pointy wizard hats just to annoy you.

If you run the below program, you’re going to lose your pointy wizard hats.

Presenting the “Runescape Screwover”:

[Screenshot: Runescape Screwover]

While a very crude looking program, it does have a “Click here to add 30 member days” checkbox on it and that combined with endless fake Youtube comments will mean lots of people throwing their login details away.

[Screenshot: fake YouTube comments]

“I’m selling membership to people now because of this” is a particularly nice touch.

Only one small problem – the program is a phisher. There are two standout clues:

1) The program has a bunch of email addresses inside it that the data is mailed to once you enter your login details.

[Screenshot: who is your info going to?]

2) The executable actually says “phisher” in the description text.

[Screenshot: Gee, I wonder if this is a phisher]

Of course, that won’t prevent some people from running the program and sending their login to Mr Pointy Hat Stealer. One to avoid? Most definitely.

We detect this as Trojan.Win32.Runeover.A.
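
Both tell-tales here, the drop addresses and the “phisher” description text, and the EULA URL the MyWebSearch post found buried in that toolbar’s code, are things a plain string scan of the executable turns up before anything is run. The following is an added example, not code from the original posts, that extracts printable ASCII strings and the UTF-16LE strings Windows stores in a PE version resource (FileDescription, CompanyName), then picks out URLs, email addresses and a few telltale words. The blob it scans is a constructed stand-in for an executable: the URL is the one quoted in the MyWebSearch post, while the drop addresses, the description text and the company name are invented.

```python
import re

# Printable ASCII runs, and the UTF-16LE runs used by PE version resources
# (FileDescription, CompanyName, ...), each at least six characters long.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
TELLTALE_RE = re.compile(r"phish|stealer|keylog|grabber", re.I)


def extract_strings(blob):
    """Return printable strings found in a binary: ASCII first, then UTF-16LE."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16LE_RUN.finditer(blob)]
    return found


def triage(blob):
    """Pull out the indicators a first look at an unknown executable wants."""
    strings = extract_strings(blob)
    return {
        "urls": sorted({u for s in strings for u in URL_RE.findall(s)}),
        "emails": sorted({e for s in strings for e in EMAIL_RE.findall(s)}),
        "telltales": sorted(s for s in strings if TELLTALE_RE.search(s)),
    }


# Constructed stand-in for an executable (not a real sample): a DOS header
# fragment, some byte noise, an ASCII EULA URL (the one quoted in the
# MyWebSearch post), two invented drop addresses, and UTF-16LE version-info
# entries with an invented description and company name.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + bytes(range(0, 256, 7))
    + b"http://www.stasga.com/view-eula.php\x00"
    + b"drop1@example.com\x00drop2@example.net\x00"
    + b"\x00\x00"
    + "FileDescription".encode("utf-16-le") + b"\x00\x00"
    + "Runescape phisher".encode("utf-16-le") + b"\x00\x00"
    + "CompanyName".encode("utf-16-le") + b"\x00\x00"
    + "Pointy Hat Software".encode("utf-16-le") + b"\x00\x00"
)


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_BLOB).items():
        print(f"{kind}:")
        for item in items:
            print("   ", item)
```

`strings -e l` from binutils gives the same UTF-16LE pass on a real file. The point of doing both passes is that the version resource, which is where a description like “phisher” ends up, is invisible to an ASCII-only scan, and that the addresses the stolen logins are mailed to usually sit in the clear right next to it.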

Christopher Boyd

Russian ISPs will be required to purge “extremist” web content

ReadWriteWeb is citing a story in Russia’s state paper Rossiiskaya Gazeta that said the Russian prosecutor’s office is moving to require Internet service providers to block web sites that carry “extremist” content.

“Freedom of speech advocates in Russia call the extremism laws too vague and sweeping, arguing that they are open for abuse by government officials,” they wrote.

“Surprisingly, surveys show that many Russians actually favor government control of the media. A 2005 study found that 82% of Russians were in favor of censorship on television, though generally that referred to the removal of “ethically questionable” material (such as sex or violence) rather than the suppression of free political thought. It should be noted that Article 29 of the Russian Constitution guarantees freedom of the press.”

Story here: “Internet Censorship Coming to Russia”

It just amazes me that the governments of major countries in this world spend so much time and effort trying to suppress Internet discourse about sex and political dissent. Yet they largely ignore entire “bullet-proof” ISPs that provide services for financial criminal activity, the banking fraud industry, vast numbers of pharma sites and sites selling goods that infringe on patents.

Do they believe that sites with sexual content are low-hanging-fruit? Clearly the suppression of opposition voices helps keep them in power.

The only half effective attack on crime on the Internet seems to be civil litigation against those distributing massive amounts of copyrighted materials and (in the U.S.) regulatory bodies — chiefly the Federal Trade Commission — going after rip-off artists. And those only started in earnest in the last year.

Also in the U.S., the FBI has made one token campaign against money mules, the linchpin of ACH transfer fraud that rakes in over $100 million per year, apparently for residents of Ukraine. That was probably to get the attention of the idiots who fall for “work from home” scams and get recruited to wire money out of the country.

China, which seems to shoot itself in the foot every time it tries to do anything (remember Green Dam), at least got something half right when it started requiring real identification of the owners of domains. The half they got wrong was forbidding non-registered business entities from obtaining domains at all.

And, (as long as I’m on a screed) why is the U.S. the second biggest haven for the world’s spammers? At least Brazil – the number one – can claim it’s a developing nation.

Beam me up Scotty! FAST!

Tom Kelchner

2013 solar flares could cause major blackouts

Not with a bang but a crackle

Scientists at the U.S. National Aeronautics and Space Administration have said that the peaks of two solar cycles will coincide in 2013 to produce massive magnetic storms that could shut down power grids and disrupt the operation of GPS navigation, portable digital devices and even microcomputers. And the storms could begin very abruptly.

Dr Richard Fisher, director of the Heliophysics division at NASA, said in an interview with the Telegraph of the UK that the Sun’s 22-year magnetic energy cycle and 11-year sunspot cycle will coincide in 2013 and hit the Earth with high levels of magnetic radiation.

It is possible, though unlikely, that large areas could be without power for several months, Fisher said.

“We know it is coming but we don’t know how bad it is going to be,” he said.

Story here: “NASA warns solar flares from ‘huge space storm’ will cause devastation”

Tom Kelchner

Vista Trojan appears

Our good friends at Webroot found this: A Trojan that only runs on Windows Vista or Win7.

Andrew Brandt blogged that when Webroot researchers analyzed a sample of Trojan-Downloader-Tacticlol they found it ran on Windows Vista, but wouldn’t run on a Windows XP machine at any patch level. He said it’s one of those utility Trojans that runs after a machine is rebooted and can download a variety of malware.

The Trojan turned up as an infected .zip attachment, disguised to look like a Microsoft Word document, in a spam email with a subject line: “Statement of fees 2009/2010.”

Brandt’s very nicely done analysis is here: “Spammed Trojan Won’t Run Under Windows XP”

Tom Kelchner

PDF exploit spam run on Twitter

There appears to be a bit of a mad dash to infect people by the boatload on Twitter, with a variety of different messages being sent to random targets:

[Screenshot: exploit links galore]

The above account endlessly says “Wow, a marvelous product”. Click the link, and you might be redirected to some sort of paid movie service:

[Screenshot: pay to watch]

If you’re unlucky, however, you’ll end up at a URL such as fqsmydkvsffz(dot)com/tre/vena(dot)html, where PDF exploits await.

[Screenshot: PDF exploit]

We detect the above as Exploit.PDF-JS.Gen(v). Some of the other phrases used for this spam run include:

Wow, An incredible Product
Wow, A shocking Discovery
Watch This
I Just Cant Beleive This
Wow, A stunning Product
Wow, A Revolutionary Product
Wow, A fascinating Site

This isn’t the first malicious spam run on Twitter, and it certainly won’t be the last. With that in mind, it might be best to avoid random links sent to you by strangers. You never quite know what’s at the other end…

Christopher Boyd

Hat tip to Ed Bott, who sent over one of the links last night.

Oz AG DOESN’T want ISPs to retain browsing histories

ZDNet Australia is carrying a story today saying that country’s Attorney-General Robert McClelland said he was NOT considering a controversial data retention policy that would require ISPs to track Australians’ web browsing history.

A spokesman for McClelland’s office said, “This is not about web browser history. It’s purely about being able to identify and verify identities online.” He said the initiative was intended to give law enforcement authorities the ability to track criminals.

Friday the AG’s Department said it had been examining the European Directive on Data Retention and considering similar regulations for Australia. “The directive requires telcos to record and retain data such as the source, destination and timing of all emails and telephone calls — even including Internet telephony,” ZDNet said.

Story here: “Govt denies it wants web history records”

For earlier story on Sunbelt Blog see: “Oz AG wants ISPs to retain browsing histories”

Tom Kelchner