Posts tagged “Botnet”

Koobface: Inside a Crimeware Network

The Information Warfare Monitor (Citizen Lab, Munk School of Global Affairs, University of Toronto and the SecDev Group, Ottawa) announces the release of Koobface: Inside a Crimeware Network by Nart Villeneuve, with a foreword by Ron Deibert and Rafal Rohozinski.

The full report can be accessed here (local mirror):

Globe and Mail coverage of the report can be accessed here:

Koobface is a notorious botnet that leverages social networking platforms to propagate. Since people are much more likely to execute a malicious file if it has been sent to them by someone they know and trust, the Koobface operators, known as “Ali Baba and 40 LLC”, have developed a system that uses social networking platforms such as Facebook to send messages containing malicious links. These links redirect users to fake YouTube pages that encourage them to download malicious software masquerading as a video codec or a software upgrade.

In late April 2010, I discovered archive files on a well-known Koobface server that provided an inside look at the operations and monetization strategies of the Koobface botnet. The contents of these archives revealed the malware, code, and database used to maintain Koobface, as well as information about Koobface’s affiliate programs and monetization strategies. Three main issues have stood out for me throughout this investigation.

The first is the level of Koobface’s financial success. The operators of Koobface have been able to successfully monetize their operations. Through the use of pay-per-click and pay-per-install affiliate programs, Koobface was able to earn over US$2 million between June 2009 and June 2010 by forcing compromised computers to install malicious software and engage in click fraud. This, of course, does not occur in a vacuum but within a malware ecosystem that sustains and monetizes botnet operations.

The second concerns the countermeasures taken by Koobface against the security community. Koobface maintains a banlist of IP addresses that are forbidden from accessing Koobface servers. In addition, the Koobface operators carefully monitor whether any of their URLs have been flagged as malicious by or Facebook, and they also check their malware links against the Google Safe Browsing API. This is part of a trend in which malware authors test their malicious software against a variety of security products to ensure that there is only limited protection.

Finally, botnets such as Koobface present significant, but not impossible, challenges for law enforcement. Botnet operators leverage geography to their advantage, often exploiting Internet users from all countries but their own. While the total amount of criminal activity that the botnet operators engage in may be significant, the distribution of that criminal activity across multiple jurisdictions means that the criminal activity in any one jurisdiction is minimal. In addition, botnet operators leverage Internet infrastructure around the world, making it difficult to interfere with their operations.

However, botnet operators, such as those behind Koobface, do make mistakes. Information sharing and persistent monitoring can uncover the details of botnet operations. Therefore, it is important that the law enforcement and security community continue to share information and work closely together. An understanding of the inner workings of crimeware networks allows law enforcement to pursue leads and the security community to develop better defenses against malware attacks.

This report was made possible thanks to the guidance and encouragement of Ron Deibert and Rafal Rohozinski, the principal investigators of the Information Warfare Monitor. This report is built upon the research of members of the security community and I would like to thank all those who have documented the operations of Koobface over the years, especially Dancho Danchev and Trend Micro’s Threat Research Team. I would like to acknowledge and thank Chris Davis and Jose Nazario for sharing their knowledge and providing advice. In addition, I would like to thank the RCMP, the FBI, the UK Police, and AusCERT for their assistance. Finally, a special thanks is due to Jan Droemer who discovered the same data and shared his analysis and insights.

For more information on Koobface, see:

The Real Face of KOOBFACE: The Largest Web 2.0 Botnet Explained

The Heart of KOOBFACE: C&C and Social Network Propagation

Show Me the Money! The Monetization of KOOBFACE

Web 2.0 Botnet Evolution: KOOBFACE Revisited

Koobface Gang Responds to the “10 Things You Didn’t Know About the Koobface Gang Post”

Koobface – the social network trojan

The Ambler Botnet

[UPDATED to include and]

In the past, the operators of large botnets sought to expand the size of their operations and cared little for the details of any individual compromised computer — one bot was as good, for the most part, as any other. Any one of the thousands of computers under their control could be used to send spam or participate in a denial of service attack. But now not all compromised computers are of equal value to botnet operators. As the focus of botnet activity becomes increasingly extractive — with an emphasis on stolen credit card numbers, credentials and private information — the geographic location of compromised computers has become an important factor for botnet operators. The geographic origin of stolen credit cards, or “dumps”, for example, is an important factor in pricing.

Geographic location is also important when botnet operators attempt to monetize their operations. The various compensation rates for pay-per-click and pay-per-install schemes — especially RogueAV/FAKEAV — are specific to the geographical location of the victim. Some of these schemes even restrict propagation in certain countries. There are botnets with victims that are highly concentrated by geographic location as well as targeted efforts to propagate botnets within specific regions.

This development may also be an effort by botnet operators to improve their operational security in response to the efforts by security researchers. As the risk of “take down” increases, botnet operators may be partitioning their operations to minimize the damage. As Dancho Danchev explains, this may also obscure the work of a single group by making it appear as if these disparate operations are the work of many unaffiliated groups.

The Ambler botnet is based on a trojan, Win32/Ambler, that has been actively spreading since at least October 2008. There are a variety of Win32/Ambler variants and many command and control servers. Win32/Ambler itself is a keylogger — malware that captures the keystrokes entered on a compromised computer — but also specifically targets those that use the online banking services of Bank of America. Win32/Ambler is also often found bundled with other malware.

The following post is the result of an investigation of six command and control servers –,,, and and – associated with Win32/Ambler. From these servers 1.8 gigabytes of data was collected. This data contains sensitive and private information from 11,251 compromised computers (38,920 unique IP addresses). It is not clear to me if the operators of these command and control servers are connected to each other, or if they are four separate botnets that happen to be using Win32/Ambler. Three of the C&C’s are hosted in China, and three are hosted in the US.

Geographic focus
These six control servers appear to be very focused with the vast majority of compromises in Italy, Russia and the United Kingdom, with one C&C focusing on the US. The majority of the compromised computers checking in with’s two Ambler installations are from Italy (and the ones detected as EU may be Italian as well.) Those checking in with and are almost entirely Russian. The compromised computers checking in with are mostly from the US. Finally, those checking in with and are primarily from the United Kingdom. There appears to be an effort to segment compromised computers at the country level among these command and control servers.

IP’s vs. Hosts
Estimating botnet size is not simply counting IP addresses. When looking at IP addresses, 38,920 unique IP addresses were found. But when counting the unique identifiers the malware assigns to each machine, the actual size of the botnet is 11,251 compromised machines. And even that number contains all machines that “checked in” with the C&C. It may include machines that are no longer compromised or no longer exist. The timestamps associated with the capture of information range from 04/16/2010 to 08/08/2010.

Captured data
The keylogger captured the keystrokes typed by the user as well as the location of the resource into which the user entered the information. As a result, a broad range of content was captured, including logins and passwords for email accounts, FTP accounts, social networking sites, and corporate and government web portals. The text of what users were searching for in search engines, as well as chat conversations, was also captured.

Two malware samples were found on the command and control servers:

The malware connects to the command and control server, and a text file is created for each compromised computer. Captured information, primarily keystrokes, is uploaded and stored in these text files. Specific tags delineate the types of data. For example, “****BOAEMAIL****” and “****BOAQUES****” identify the email address and the answers to security questions of Bank of America (BOA) online banking clients. The malware also retrieves any information held in protected storage, such as passwords, and marks it with “*******PROTECTED STORAGE*******”. The files also contain a listing of file paths for specified directories (“****GETFILE PATHS****”) as well as a list of the available volumes (“****VOLUMES LIST****”). This allows the botnet operators to target specific files and directories for extraction.
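As an added example (not code from the post or from the malware's backend), a triage script for recovered Ambler drop files: it splits each per-bot text file on the tags named above, reports which machines have Bank of America or protected-storage credentials exposed, and counts unique bot identifiers against unique IP addresses as in the “IP’s vs. Hosts” discussion. The line layout between tags, the check-in log format and all sample data are assumptions.

```python
"""Triage of Ambler C&C drop files (added example, not from the post).

The post says the backend keeps one text file per compromised machine and
delineates data types with tags such as ****BOAEMAIL**** and
*******PROTECTED STORAGE*******.  The layout between tags is not given, so
this ASSUMES each tag sits on its own line and owns the lines that follow
it up to the next tag; lines before the first tag are raw keystrokes.
All sample data below is constructed.
"""
import re
from collections import Counter, defaultdict

# A tag line is 4+ asterisks, an upper-case name, 4+ asterisks.
TAG_RE = re.compile(r"^\*{4,}([A-Z ]+?)\*{4,}\s*$")

# Constructed drop files keyed by the malware's unique machine identifier.
SAMPLE_FILES = {
    "bot-0001": """\
[http://mail.example.test/login] alice@example.test Tr0ub4dor
****BOAEMAIL****
alice@example.test
****BOAQUES****
rex
*******PROTECTED STORAGE*******
ftp://files.example.test alice s3cret
****VOLUMES LIST****
C:\\ D:\\
""",
    "bot-0002": """\
[https://social.example.test/] hello how are you
****GETFILE PATHS****
C:\\Users\\bob\\Documents\\report.docx
****VOLUMES LIST****
C:\\
""",
    "bot-0003": """\
*******PROTECTED STORAGE*******
https://portal.gov.example.test bob hunter2
""",
}

# Constructed check-in log: bot id, source IP, timestamp.  A bot reappearing
# from a new address models DHCP churn, which inflates IP-based counts.
SAMPLE_CHECKINS = """\
bot-0001 203.0.113.10 2010-04-16T08:00:00
bot-0001 203.0.113.11 2010-04-17T08:00:00
bot-0002 198.51.100.5 2010-05-01T12:00:00
bot-0002 198.51.100.5 2010-05-02T12:00:00
bot-0003 192.0.2.77 2010-08-08T23:00:00
bot-0003 192.0.2.78 2010-08-08T23:30:00
bot-0003 192.0.2.79 2010-08-08T23:45:00
"""


def parse_drop_file(text):
    """Split one drop file into {section_name: [lines]}.

    Untagged leading lines go under 'KEYSTROKES'; tag names are normalised
    so the asterisk count does not matter ('PROTECTED STORAGE').
    """
    sections = defaultdict(list)
    current = "KEYSTROKES"
    for line in text.splitlines():
        m = TAG_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
        elif line.strip():
            sections[current].append(line.rstrip())
    return dict(sections)


def triage(files):
    """Summarise exposure across drop files: how many bots carry each data
    type, and which bots leak BOA or protected-storage credentials (the
    victims a responder would notify first)."""
    per_category = Counter()
    boa_victims, stored_cred_victims = [], []
    for bot_id, text in sorted(files.items()):
        sections = parse_drop_file(text)
        per_category.update(name for name, lines in sections.items() if lines)
        if sections.get("BOAEMAIL") or sections.get("BOAQUES"):
            boa_victims.append(bot_id)
        if sections.get("PROTECTED STORAGE"):
            stored_cred_victims.append(bot_id)
    return {"per_category": dict(per_category), "boa_victims": boa_victims,
            "stored_credential_victims": stored_cred_victims}


def botnet_size(checkin_log):
    """Return (unique bot ids, unique IPs); the post's 11,251 machines versus
    38,920 addresses is exactly this gap."""
    ids, ips = set(), set()
    for line in checkin_log.splitlines():
        bot_id, ip, _ts = line.split()
        ids.add(bot_id)
        ips.add(ip)
    return len(ids), len(ips)
```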

The details for each command and control server are displayed below (one server had two instances of the Ambler command and control backend at different directory locations).

inetnum: –
netname: DIGILAND
descr: Beijing Digiland media technology Co. Ltd
descr: Apt2 No5 Jinyuanzhuang AVE shijingshan district Beijing
country: CN

NetRange: –
OriginAS: AS32475
Country: US

inetnum: –
netname: SUNINFO-MDC
descr: Beijing Sun Rise Technology CO.LTD
descr: Tedatimes Center, Suite 1908, Tower4, No.15 Guanghua Road,
descr: Chaoyang District, Beijing, 100026, PRC
country: CN

inetnum: –
netname: SUNINFO-MDC
descr: Beijing Sun Rise Technology CO.LTD
descr: Tedatimes Center, Suite 1908, Tower4, No.15 Guanghua Road,
descr: Chaoyang District, Beijing, 100026, PRC
country: CN

OrgName: Layered Technologies, Inc.
Address: 5085 W Park Blvd
Address: Suite 700
City: Plano
StateProv: TX
PostalCode: 75093
Country: US

OrgName: Layered Technologies, Inc.
Address: 5085 W Park Blvd
Address: Suite 700
City: Plano
StateProv: TX
PostalCode: 75093
Country: US

In order to get a sense of the crimeware neighbourhood in which these control servers reside, is a great resource that can be used to identify other malicious domain names registered with the same email address and other domain names hosted on the same IP address.

The email addresses and used to register and were also used to register a variety of domain names that are hosting ZeuS elements as well as the Eleonore, Phoenix and Nuclear exploit kits. The IP addresses, and are also hosting a variety of malware including ZeuS, Russkill and YES exploit kit.

This does not mean that all of these activities are directly connected, but rather, that these activities are taking place within a malware ecosystem designed to maintain and monetize the operations of botnets. Botnets often rely on crimeware friendly hosting services, so it is not uncommon to see malicious activity concentrate around particular servers or networks. However, it does indicate that the botnet operators are connected with the malware ecosystem and leveraging the services offered within it to sustain and monetize their operations.

Shadows in the Cloud

Last year, at just about this time, the InfoWar Monitor (IWM) released the “Tracking GhostNet” report which detailed our investigation into a cyber-espionage network that has compromised 1200+ computer systems spread across 103 countries, including ministries of foreign affairs, embassies, international organizations, news organizations, and even a computer located at NATO headquarters.

I remember when I stumbled upon the GhostNet attackers’ command and control interface by Googling a string of text from the network traffic obtained during our field investigation from a compromised computer at the Dalai Lama’s office in Dharamsala, India. To my surprise Google returned several results, which I clicked, and I was suddenly looking at an interface that allowed the attackers to fully control a network of compromised computer systems. When the report came out and I realized the significance of the find, I thought that there was no way it would happen again. I was wrong.

Today the IWM and the Shadowserver Foundation have released a report “Shadows in the Cloud: An investigation into cyber espionage 2.0” (mirror) in which we document another targeted malware network. (NYT coverage here). We started by exploring one of the malware networks described in the GhostNet report, but it turned out to be an entirely separate malware network that had also compromised computers at the Dalai Lama’s office. I cannot stress enough how important the trust, collaboration and information sharing across all those involved in this report from the Citizen Lab, SecDev, and Shadowserver, along with the Dalai Lama’s Office, were to the success of the project.

As a result we were able to document another network of compromised government, business, and academic computer systems in India, the Office of the Dalai Lama, and the United Nations as well as numerous other institutions, including the Embassy of Pakistan in the United States.

In the report we enumerated a complex and tiered command and control infrastructure. The attackers misused a variety of services including Twitter, Google Groups, Blogspot, Baidu Blogs, and Yahoo! Mail in order to maintain persistent control over the compromised computers. This top layer directed compromised computers to accounts on free web hosting services, and as the free hosting servers were disabled, to a stable core of command and control servers located in China.

This time, unlike GhostNet, we were able to recover data, some of it highly sensitive, from a drop zone used by the attackers. One day, while exploring open directories on one of the command and control servers, I noticed that there were files in a directory that was normally empty. It turned out that the attackers were directing compromised computers to upload data to this directory; the attackers subsequently moved the data off to another location and deleted the files at fairly rapid, but intermittent, intervals.

We recovered a wide variety of documents including one document that appears to be encrypted diplomatic correspondence, two documents marked “SECRET”, six as “RESTRICTED” and five as “CONFIDENTIAL” which appear to belong to the Indian government. We also recovered documents including 1,500 letters sent from the Dalai Lama’s office between January and November 2009.

Based on the character of the documents (and not IP addresses) we assessed that we recovered documents from the National Security Council Secretariat (NSCS) of India, the Embassy of India, Kabul, the Embassy of India, Moscow, the Consulate General of India, Dubai, and the High Commission of India in Abuja, Nigeria. In addition, we recovered documents from India’s Military Engineer Services (MES) and other military personnel as well as the Army Institute of Technology in Pune, Maharashtra and the Military College of Electronics and Mechanical Engineering in Secunderabad, Andhra Pradesh. Documents from a variety of other entities including the Institute for Defence Studies and Analyses as well as India Strategic defence magazine and FORCE magazine were compromised.

Questions regarding those who are ultimately responsible for this cyber-espionage network remain unanswered. We were, however, able to benefit from a great investigation by The Dark Visitor, who tracked down lost33, the person who registered some of the Shadow network’s domain names that we published in the GhostNet report, and his connections to the underground hacking community in China. Based on the IP and email addresses used by the attackers we were able to link the attackers to several posts on apartment rental sites in Chengdu.

This, of course, does not reveal the role of these specific individuals nor the motivation behind the attacks. However, the connection that The Dark Visitor drew between lost33 and the underground hacking community in China does indicate that motivations such as patriotic hacking and cybercrime may have played a role. Finally, the nature of the data stolen by the attackers does indicate correlations with the strategic interests of the Chinese state. But, we were unable to determine any direct connection between these attackers and elements of the Chinese state. However, it would not be implausible to suggest that the stolen data may have ended up in the possession of some entity of the Chinese government.

Now having reported this incident to the China CERT — which handles security incidents in China — I look forward to working with them to shut down this malware network.

This is an investigation in progress. There are many threads in this investigation that have still to be fully explored. I hope that this report provides enough detail to allow others with different specializations to continue to explore aspects of the Shadow network enriching our collective understanding of this incident and the broader implications regarding both cyber-crime and cyber-espionage.

Adventures in Russian Malware

I just posted an analysis of a pcap file from a political figure. While I expected to find targeted malware that was possibly associated with political activities, I found a bunch of Russian/Ukrainian malware. What I found interesting, and which seems to match what key security community folks are seeing (here and here), is a “bundling” of malware. In this case, a Black Energy bot was bundled with the “Oficla/Sasfis” Trojan downloader as well as RogueAV (Win32.FakeScanti).

Another interesting issue was the use of Chinese IP addresses by the Russian malware (and given the political figure whose computer was infected, Chinese IP addresses were contextually relevant). This is certainly not new (see here, here etc…), but I think it hits home the point that simply relying on GeoIP to determine attribution and/or motivation is misguided.

I tried to link part of this operation to someone who appears to be some sort of “middleman” who propagates a variety of malware. There are a variety of posts on forums by “rundll32” in which he advertises an “affiliate program” that “is not detected by any antivirus.” In the ad he uses the domain which is registered to “” which was also used by Alexander V. Prokhorov (or Prochorov) in a paper submitted at Moscow State University.

I find the relationships between the various groups and how different individuals and groups within the malware ecosystem get ultimately paid very interesting.

GhostNet in Portugal

A new report from documents their investigation into GhostNet in Portugal. I’ve only been able to read it via Google translate but it seems very interesting. During the GhostNet investigation we found several Portuguese infections including:

  • Embassy of Portugal, Germany
  • Embassy of Portugal, France
  • Embassy of Portugal, Finland
  • CEGER, Management Center for the Electronic Government Network, Portugal

The investigated further and found two control servers and accessed the attacker’s admin interface:

In September 2009 it had full access to the two administration interfaces of “GhostNet”, one on each controller. The administration interface is an application in php, rather crude but effective, at home we can see all computers that have taken place in these drivers, in this case were 730, from 67 countries. The interface allows complete control over the infected machine. Through something like “modules” can be added to the infected machines new features such as keyloggers, trojans remote control in real time (“GhostRAT”), execute remote commands, send and receive files, and view the files sent automatically by computers infected.

This is exactly what we found. However, was able to view the documents pilfered from the infected machines and provided this summary:

It was investigated and found to exist in “GhostNet” of 1.1 gigabytes of information from computers with IP addresses associated with the Ministry of Foreign Affairs – An. Pst Ambassador of Portugal in India – JPEG procedures for employees, including passage of visas was searched and found the existence of the “GhostNet” of 7.9 gigabytes of information from computers with IP addresses associated with the Ministry of Justice:

– Multiple .pst files of ITIJ employees with diverse and sensitive.
– Documents describing the procedures, configurations, and topologies of the main services of the ministry of justice, including passwords (modules keylogger) for remote access to servers.
– Documents relating to the electoral process, action plans and contingency plans, descriptions of settings and network topology election, including any data source from the civilian governments, passwords, configuration of routers, switches and other equipment.
– Various .pst files and passwords for employees of the Directorate General of Registration and Notary, which allow a total view of how the services work, including conservatories of civil status and property. Passwords for access to the applications used.
– In the Judiciary Police, including working procedures – Several technical information for the computer systems of courts and their applications (SITAF, habilus).
– Several files of cases that we think have been removed from computers officials or judges – Documents relating to the prosecutor.
– Computer Applications as Habilus.

In fact and in view of the files found concrete strip to the frightening conclusion that the spying by “GhostNet in Portugal was able to reach key bodies of the Portuguese as the courts, and there (and there?) A serious infection in various organisms containing valuable and sensitive information that should in theory is well protected. An attempt was made during the time it gained access to the two drivers “GhostNet” beyond the operating system hosting the interface, but you do not find any fault in it that we can make the most important information about the reasons and people behind this network of highly dangerous espionage, and our access was lost about 72 hours after first contact.

Very interesting stuff.

Russian Botnet Readme.txt

A recent Malware Lab investigation I’ve been working on led me to two interesting files on a Russian botnet:

I don’t know if these are well known or not, but they describe how to install the botnet backend as well as what’s been added between version 1.0 to 6.0.

Here are the executables that were on the same server:


pwn3d botnets

Two recent reports have been published that document how the C&C servers of two large botnets were accessed by researchers. The first comes from Finjan, which discovered a botnet, dubbed Hexzone, with 1.9 million infected hosts. (Also see Jose Nazario’s post on this.) The second report documents the exploitation of the Torpig botnet by researchers at the University of California, Santa Barbara. They took control of Torpig for 10 days and discovered 182,800 bots on 1,247,642 IP addresses. (As a result, they caution against relying on IP addresses, and even on other measures such as the unique IDs assigned by the malware, as a measure of the total number of infected hosts.)

In the Hexzone case, Finjan was able to access a web interface to the control server located in Ukraine. Since “folders on this server were left open” — which presumably means there was no password protection — they were able to access the web interface. The University of California researchers were able to crack the scheme used by Torpig to generate the domain names that the attackers would register and use as control servers. The researchers registered the domain names that Torpig infected hosts were to connect to before the attackers did, and were thus able to seize control of the botnet.

The Torpig botnet focused on collecting financial information from infected hosts such as banking information, online trading, investment and payment services as well as credit card numbers. It also turns the infected host into a “proxy” that could be used for a variety of malicious purposes including pushing spam. The infected hosts could also be used to perform DDoS attacks. Torpig also collects:

messages that users of infected machines send, for example, through webmail systems, forums, and chats. Since the full content of these messages is captured by Torpig, they often contain detailed (and private) descriptions of the lives of their authors.

One of the most interesting observations in the report for me concerns the potential collaboration among multiple actors to exploit the information obtained from Torpig. The University of California researchers note that there are a variety of “builds” and that the data collected is associated with particular builds.

Therefore, the most convincing explanation of the build type is that it denotes different “customers” of the Torpig botnet, who, presumably, get access to their data in exchange for a fee. If correct, this interpretation would mean that Torpig is actually used as a “malware service”, accessible to third parties who do not want or cannot build their own botnet infrastructure.

Finjan also notes that Hexzone relied on partnerships to propagate:

These cybercriminals established a vast affiliation network across the Web to successfully distribute and operate their malware install-base.

Interesting stuff.

“Debunking” GhostNet

If by “debunking” you mean “validating” the GhostNet report, you should listen to Paul Ducklin from Sophos discuss GhostNet in this interview. To be fair to Ducklin, I think that his comments are pretty much spot on, but the host appears to be confused between our GhostNet report and the “Snooping Dragon” report by the folks at Cambridge.

Ducklin spanks us for relying on VirusTotal, which is a point well taken. He also raises the attribution issue, but in the context of the sophistication and availability of the tools the attacker used in the GhostNet case. We too raise this issue, noting that while the individual tools used by the attackers were technically unsophisticated, they were still able to infect and control high value targets, in many cases for long periods of time.

This report serves as a wake-up call. At the very least, a large percentage of high-value targets compromised by this network demonstrate the relative ease with which a technically unsophisticated approach can quickly be harnessed to create a very effective spynet…These are major disruptive capabilities that the professional information security community, as well as policymakers, need to come to terms with rapidly.

Tibet is the starting point of our story because that is where we (and by we I mean all the hard work of Greg Walton over the years) had samples of socially engineered emails with malicious attachments that were sent to Tibetan-related organizations and individuals. (Maarten Van Horenbeeck has done great work in this area concerning Tibet and the Falun Gong.) Greg also developed the trust relationships that allowed him (and Shishir from the Cambridge team) to travel to Dharmsala and collect network traffic from the OHHDL. Greg also collected samples from Tibetan-related organizations around the world.

Were people at these organizations really becoming infected as a result of falling for these socially engineered attacks? Was there anything more we could find out about the control servers other than that these pieces of malware connect to IP addresses that are often in China? In many cases we were not able to find out much other than the obvious: a malware infected computer that connects to a control server in China. In fact, in many cases the control servers were identified in the field.

But when analyzing the data collected at the OHHDL back in the Citizen Lab, we were able to identify traffic to a control server in China (in Hainan Province) that was not identified in the field research and were able to find the attackers web-interface on it and several additional control servers. By carefully going through the data we were able to identify two distinct malware infections on the same computer at the OHHDL. While each piece had more than one control server, we were able to identify commonalities that allowed us to group the control servers into two distinct networks.

The infection we focused on issued HTTP GET requests to several PHP files on a server. There were connections to two domain names on the same server IP address. A lookup in APNIC shows that this IP address is assigned to a range belonging to Hainan-TELECOM in Hainan Province in China. One particular request stood out since it contained a parameter that appeared to contain a date, while the rest of the parameters in the request were encoded with base64. We took that string and put it in Google, and were surprised to see results.

Since it was not secured with a password we were able to click directly on a link from Google which took us straight to the attackers’ web interface. There was no “hacking” involved. I have a healthy fear of prison and stay clearly within the limits of the law.

Now that we knew the file names and paths favoured by the attacker we were able to guess the location of 26 such interfaces including several on the server to which the infected OHHDL computer connected.

It became clear that the attackers had a wide range of targets that extended far beyond the Tibetans. When Ducklin discusses the wide range of malicious documents he’s seen that are similar to the ones used by the attackers we focused on, it corroborates information that some of those who have been infected (who are not Tibet related) are telling us. Non-Tibetan targets receive socially engineered emails that are contextually relevant to them. Many of the most interesting GhostNet victims are embassies, government ministries and international organizations. These are not Tibet specific targets.

GhostNet is *not* Tibet specific.

In our report we devoted a significant portion to alternative explanations and a discussion of the attribution problem. We do *not* say that we can prove that the Chinese government is behind GhostNet. In fact, we raise several plausible scenarios. Moreover, we suggest that this network is probably *not* unique and that there are many more like it out there.

One thing I’ve pointed out and will do so again is that just because the tools used by the GhostNet attackers are widely available does not necessarily preclude government involvement. I mean, what would that look like anyway? A trojan labeled “Developed by the Government of China”? If I wanted to meld into the crowd, if I wanted to leverage the attribution problem, I’d use available tools and common methods. The GhostNet attackers showed that using such less sophisticated methods can be quite successful. Why reinvent the wheel and possibly provide a ‘smoking gun’ that points directly to you? Furthermore, if you could leverage independent actors to do the dirty work for you, even better. There’s even less traceability.

That is why we stated right in the beginning of the report that “the study clearly raises more questions than it answers.”

GhostNet & CasperNet

DarkVisitor picked up on some information in the GhostNet report that we didn’t really focus on — the email addresses and other information in the domain name registration records — and were able to track down the owner of the email address listed in the registry information associated with the control servers and An infected computer at the OHHDL connected to these domain names and Greg and Shishir were able to observe sensitive documents being transmitted to while collecting data in Dharmsala, India. Greg later found that a computer at the Tibetan NGO Drewla also connected to Both these domains were registered to “zhou zhao jun” using the email address (I recall Greg and Jaymz working on this for a time, but I think we lost focus when we found the web interface to the control servers used by a different piece of malware that had infected a computer at the OHHDL, which we dubbed GhostNet.)

In a fascinating post, the folks at DarkVisitor were able to track down the owner of that email address as well as some forum posts and blog entries that allowed them to acquire the QQ id of the owner of the email address and initiate contact with him. It was really great to see DarkVisitor explore this further.

I’d been calling this malware family “CGI” after its use of CGI scripts, but I like DarkVisitor’s “CasperNet” better.

In addition to a GET request that appears to be a simple “check in” there were some POST connections:

– POST /cgi-bin/Report.cgi HTTP/1.1
– POST /cgi-bin/serverlog.cgi HTTP/1.1

These also appear to be “check ins” — the connections to serverlog.cgi are 15 bytes and contain basically the same information that appears in the GET requests. The connections to Report.cgi are larger (104 bytes) and contain some binary data in addition to text that is similar to the other connections. All these connections occur with a high degree of frequency.

– POST /cgi-bin/Auto.cgi HTTP/1.1
– POST /cgi-bin/AutoTrans.cgi HTTP/1.1

There are significantly fewer connections to this server, and its function appears to be directly related to the retrieval of documents from infected computers. The POST connections to Auto.cgi contain a file name and the command “@@@@begin”, followed by a series of POSTs to AutoTrans.cgi that actually upload the targeted document. After several connections the entire document has been uploaded and another POST is issued to Auto.cgi with the command “@@@@end”.
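To show how a defender could turn the begin/chunk/end sequence above into a detection, here is an added example (not code from the original post or from DarkVisitor) that reconstructs upload sessions from proxy request records. It assumes a simplified body layout of “filename@@@@begin” and “filename@@@@end”; the post only states that the Auto.cgi POSTs carry a file name and those two command strings, so the exact layout is an assumption.

```python
# Added example, not the page's code; the "<name>@@@@begin" body layout is assumed.
from dataclasses import dataclass

@dataclass
class Upload:
    src: str
    filename: str
    chunks: int = 0
    total_bytes: int = 0
    complete: bool = False

def reconstruct_uploads(requests):
    """requests: iterable of (src_ip, path, body) for POSTs seen at the proxy.
    Returns (uploads, anomalies): Upload sessions per source host plus a list
    of out-of-sequence events worth an analyst's attention."""
    open_sessions = {}
    uploads, anomalies = [], []
    for src, path, body in requests:
        if path == "/cgi-bin/Auto.cgi" and body.endswith("@@@@begin"):
            if src in open_sessions:  # new begin before the previous end
                anomalies.append(("begin-without-end", src))
                uploads.append(open_sessions[src])
            open_sessions[src] = Upload(src, body[:-len("@@@@begin")])
        elif path == "/cgi-bin/Auto.cgi" and body.endswith("@@@@end"):
            sess = open_sessions.pop(src, None)
            if sess is None:
                anomalies.append(("end-without-begin", src))
            else:
                sess.complete = True
                uploads.append(sess)
        elif path == "/cgi-bin/AutoTrans.cgi":
            sess = open_sessions.get(src)
            if sess is None:  # document data with no open session
                anomalies.append(("orphan-chunk", src))
            else:
                sess.chunks += 1
                sess.total_bytes += len(body)
    uploads.extend(open_sessions.values())  # unfinished uploads still matter
    return uploads, anomalies

# Constructed sample traffic: host A uploads a document in three chunks,
# host B sends a chunk with no begin command; check-in POSTs are ignored.
SAMPLE = [
    ("10.0.0.5", "/cgi-bin/serverlog.cgi", "id=A"),
    ("10.0.0.5", "/cgi-bin/Auto.cgi", "position.doc@@@@begin"),
    ("10.0.0.5", "/cgi-bin/AutoTrans.cgi", "x" * 1024),
    ("10.0.0.5", "/cgi-bin/AutoTrans.cgi", "x" * 1024),
    ("10.0.0.5", "/cgi-bin/AutoTrans.cgi", "x" * 300),
    ("10.0.0.5", "/cgi-bin/Auto.cgi", "position.doc@@@@end"),
    ("10.0.0.9", "/cgi-bin/AutoTrans.cgi", "x" * 512),
]
```

Feeding real proxy logs through `reconstruct_uploads` gives an analyst the file names and sizes that left each host, which is the evidence the packet dumps below were used to establish by hand.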

The packet dumps we analyzed showed two documents being uploaded and according to the person using the infected computer one of these documents was related to the Dalai Lama’s negotiating position with China and the other contained a list of numerous email addresses.

One of the things I really like about the DarkVisitor investigation is that it reminds us to be careful on the question of attribution. There are a variety of actors operating in this space with a variety of motives. Individuals and groups may be engaging in systematic exploitation of political targets for a variety of reasons that are completely divorced from state intelligence services (even if they appear to be aligned with such interests).

The fact that the DarkVisitor research points to the possibility that CasperNet is the work of a “cracker” (I prefer this definition of “hacker”), and not the Chinese Government as the context alone might suggest, simply shows the complications of attribution. There are numerous scenarios, a variety of which we explore in “Tracking GhostNet”, that focus on the “privateer” model, but there are others as well. An intelligence agent could be tasked with compromising political targets using only the tools and methods available within the community. Alternatively, attackers may pillage compromised machines for credit card numbers and lists of email addresses to conduct further social engineering attacks, as well as for politically sensitive information that can be sold.

This is the “attribution problem”. Rather than rely on unconfirmed anecdotes and unnamed sources, political context and speculation, and/or the fact that control servers are hosted on IP addresses in ranges assigned to China to produce a “smoking gun” pointing at the Chinese government, we included a section focused on “alternative explanations” in order to explore a variety of scenarios. As noted above, these alternative explanations, even those that focus on the acts of private individuals and groups, do not necessarily absolve the Chinese government, but they provide an honest analysis of the variety of possibilities.

Symantec & GhostNet

Symantec has put out a nice video demonstrating how gh0stRAT works. We gave the name “GhostNet” to the network of infected computers we uncovered because of the attackers’ use of the gh0stRAT tool but it is important to bear in mind how the whole operation works as gh0stRAT is just one part of it.

One of the infection vectors that we can confirm the attacker uses is sending contextually relevant emails with malware-packed attachments (.doc’s and .pdf’s) to potential targets. (If you are interested check out Maarten Van Horenbeeck’s work here here and definitely here — it really is the best research on this stuff out there).

When the attachment is opened a trojan is dropped on the system. This trojan “checks in” with a control server; in this case, it was an HTTP connection to a webserver. The infected computer retrieves various files from the control server, some of which contain “commands” — one of the commands the attacker issues instructs the infected computer to download and install gh0stRAT. While gh0stRAT allows the attacker to take “real time” control of a compromised computer (the attacker and the victim are online at the same time), the initial infection allows the attacker to maintain control when either party is offline.

Once infected with gh0stRAT the compromised computer connects out to a URL (a file on the control server) in order to retrieve the IP address of the attacker’s gh0stRAT client. When the attacker is offline, the IP will often be and will be replaced by another IP when the attacker is online and ready to receive connections from the compromised computers running gh0stRAT.

This Symantec video shows how gh0stRAT works.

Also, check out this post at F-Secure.

GhostNet Update

Starting on March 30 2009 the GhostNet started coming down. The attacker began removing the files and directories being used and then began to configure the domain names of some of the control servers to point to Files hosted on other (probably compromised) “command” servers also started disappearing at the same time. It’ll be interesting to see if, when and where the network pops up again.

Tracking GhostNet: Investigating a Cyber Espionage Network


The SecDev Group. This report documents the GhostNet – a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

The capabilities of GhostNet are far-reaching. The report reveals that Tibetan computer systems were compromised giving attackers access to potentially sensitive information, including documents from the private office of the Dalai Lama. The report presents evidence showing that numerous computer systems were compromised in ways that circumstantially point to China as the culprit. But the report is careful not to draw conclusions about the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. The report argues that attribution can be obscured.

The report concludes that who is in control of GhostNet is less important than the opportunity for generating strategic intelligence that it represents. The report underscores the growing capabilities of computer network exploitation and the ease by which cyberspace can be used as a vector for a new do-it-yourself form of signals intelligence. It ends with a warning to policy makers that information security requires serious attention.



Tracking GhostNet: Investigating a Cyber Espionage Network.

Researchers at the Information Warfare Monitor uncovered a suspected cyber espionage network of over 1,295 infected hosts in 103 countries. This finding comes at the close of a 10-month investigation of alleged Chinese cyber spying against Tibetan institutions that consisted of fieldwork, technical scouting, and laboratory analysis.

Close to 30% of the infected hosts are considered high-value and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs. The investigation was able to conclude that Tibetan computer systems were compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information, including documents from the private office of the Dalai Lama.

Who is ultimately in control of the GhostNet system? While our analysis reveals that numerous politically sensitive and high value computer systems were compromised in ways that circumstantially point to China as the culprit, we do not know the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. One of the characteristics of cyber-attacks of the sort we document here is the ease by which attribution can be obscured.

Regardless of who or what is ultimately in control of GhostNet, it is the capabilities of exploitation, and the strategic intelligence that can be harvested from it, which matters most. Indeed, although the Achilles’ heel of the GhostNet system allowed us to monitor and document its far-reaching network of infiltration, we can safely hypothesize that it is neither the first nor the only one of its kind.

As Information Warfare Monitor principal investigators Ron Deibert and Rafal Rohozinski say in the foreword to the report, “This report serves as a wake-up call. At the very least, a large percentage of high-value targets compromised by this network demonstrate the relative ease with which a technically unsophisticated approach can quickly be harnessed to create a very effective spynet…These are major disruptive capabilities that the professional information security community, as well as policymakers, need to come to terms with rapidly.”

Download the full report here:

The report has been co-timed for release with an exclusive story by the New York Times’ John Markoff. Download the New York Times story here: