There have been two recent attacks involving human rights and malware. First, on November 7, 2010, contagiodump.blogspot.com posted an analysis of a malware attack that masqueraded as an invitation to attend an event put on by the Oslo Freedom Forum for Nobel Peace Prize winner Liu Xiaobo. The malware exploited a known vulnerability (CVE-2010-2883) in Adobe Reader/Acrobat. The Committee to Protect Journalists was hit by the same attack.
On November 10, 2010 Websense reported that website of Amnesty Hong Kong was compromised and was delivering an Internet Explorer 0day exploit (CVE-2010-3962) to visitors. In addition, Websense reports that the same malicious server was serving three additional exploits: a Flash exploit (CVE-2010-2884), a QuickTime exploit (CVE-2010-1799) and a Shockwave exploit (CVE-2010-3653).
The malicious domain name hosting the exploits mailexp.org (18.104.22.168) has been serving malware since Sept. 2010. The domain mailexp.org was registered in May 2010 to firstname.lastname@example.org. mailexp.org was formerly hosted on 22.214.171.124 which now hosts the Zhejiang University Alumni Association website.
The malware dropped from the Internet Explorer exploit (CVE-2010-3962)
MD5: ca80564d93fbe6327ba6b094ae3c0445 VT: 2 /43
The malware dropped from the Flash exploit (CVE-2010-2884)
MD5: 0da04df8166e2c492e444e88ab052e9c VT: 2 /43
The malware dropped from the QuickTime exploit (CVE-2010-1799)
MD5: 3e54f1d3d56d3dbbfe6554547a99e97e VT: 16 /43
The malware dropped from the Shockwave exploit (CVE-2010-3653)
MD5: 3a459ff98f070828059e415047e8d58c VT: 0/43
Both ca80564d93fbe6327ba6b094ae3c0445 and 3a459ff98f070828059e415047e8d58c perform a DNS lookup for ns.dns3-domain.com, which is an alias for centralserver.gicp.net which resolves to 126.96.36.199 (China Unicom Beijing province network).
The domain name “ns.dns3-domain.com” has been associated with a variety of malware going back to May 2010. This domain name, dns3-domain.com is registered to email@example.com, the developer of the NetThief RAT.
Malware attacks leveraging human rights issues are not new. I have been documenting them for some time (see, Human Rights and Malware Attacks, Targeted Malware Attack on Foreign Correspondent’s based in China, “0day”: Civil Society and Cyber Security). However, one of the issues that Greg Walton and I raised last year, is a trend toward using the real web sites of human rights organizations compromised and as vehicles to deliver 0day exploits to the visitors of the sites – many of whom may be staff and supporters of the specific organization. Unfortunately, we can expect this to continue.