DarkVisitor picked up on some information in the GhostNet report that we didn’t really focus on — the email addresses and other information in the domain name registration records — and were able to track down the owner of the email address listed in the registry information associated with the control servers www.lookbytheway.net and www.macfeeresponse.org. An infected computer at the OHHDL connected to these domain names and Greg and Shishir were able to observe sensitive documents being transmitted to www.macfeeresponse.org while collecting data in Dharmsala, India. Greg later found that a computer at the Tibetan NGO Drewla aslo connected to www.lookbytheway.net. Both these domains were registered to “zhou zhao jun” using the email address firstname.lastname@example.org. (I recall Greg and Jaymz working on this for a time, but I think we lost focus when we found the web-interface to the control servers used by a different piece of malware that had infected a computer at the OHHDL which we dubbed GhostNet.)
In a fascinating post, The folks at DarkVisitor were able to track down the owner of that email address as well some forum posts and blog entries that allowed them to acquire the QQ id of the owner of the email address and initiate contact with him. It was really great to see DarkVisitor explore this further.
I’d been calling this malware family “CGI” after their use of CGI scripts, but I like the DarkVisitor’s “CasperNet” better.
In addition to a GET request that appears to be a simple “check in” there were some POST connections:
www.lookbytheway.net – 126.96.36.199
– POST /cgi-bin/Report.cgi HTTP/1.1
– POST /cgi-bin/serverlog.cgi HTTP/1.1
These also appear to be “check ins” — the connections to serverlog.cgi are 15 bytes and contain basically the same information that appears in the GET requests. The connections to Report.cgi are larger (104 bytes) and contain some binary data in addition to text that is similar to the other connections. All these connections occur with a high degree of frequency.
www.macfeeresponse.org – 188.8.131.52
– POST /cgi-bin/Auto.cgi HTTP/1.1
– POST /cgi-bin/AutoTrans.cgi HTTP/1.1
There are significantly fewer connections to the this server and its function appears to be directly related to the retrieval of documents from infected computers. The POST connections to Auto.cgi contain a file name and the command “@@@@begin” which is followed by a POST to AutoTrans.cgi which actually uploads the targeted document. After several connections the entire document is uploaded and another POST is issued to Auto.cgi with the command “@@@@end”.
The packet dumps we analyzed showed two documents being uploaded and according to the person using the infected computer one of these documents was related to the Dalai Lama’s negotiating position with China and the other contained a list of numerous email addresses.
One of the things I really like about the DarkVisitor investigation is that it reminds us to be careful on the question of attribution. There are a variety of actors operating in this space with a variety of motives. Individuals and groups may be engaging in systematic exploitation of political targets for a variety of reasons that are completely divorced from state intelligence services (even if they appear to be aligned with such interests).
The fact that the DarkVistor research points to the possibility that the CasperNet is the work of a “cracker” (I prefer this definition of “hacker“), and not the Chinese Government as the context alone might suggest, simply shows the complications of attribution. There are numerous scenarios a variety of which we explore in “Tracking GhostNet” that focus on the “privateer” model but there are others as well. An intelligence agent could be tasked compromising political targets using only the tools and methods available within the community. Conversely, attackers may pillage compromised machines for credit card numbers, lists of email addresses to conduct further social engineering attacks as well as politically sensitive information that can be sold.
This is the “attribution problem”. Rather than rely on unconfirmed anecdotes and unnamed sources, political context and speculation and/or the fact that control servers are hosted on IP addresses in ranges assigned to China to produce a “smoking gun” pointing at the Chinese government we included a section focused on “alternative explanations” in order to explore variety of scenarios. As noted above, these alternative explanations, even those that focus on the acts of private individuals and groups, do not necessarily absolve the Chinese government but they provide an honest analysis of the variety of possibilities.