A series of cyberattacks on groups supporting the Tibetan cause has been recorded, across the world but especially in the USA. All of these attacks came from the same Internet access servers that were identified in the past (see HERE) as originating somewhere inside the People's Republic of China. As with the earlier attacks, there is a strong probability that they are being conducted by cyber-warfare units of the Chinese army, and they appear to be a repeat of attacks carried out in the recent past against another of the “thorns” in Chinese foreign policy: the Darfur of its Islamic fundamentalist allies in Sudan.
The attacks from China against the activist group “Save Darfur Coalition” aimed (according to that organisation) to monitor, probe and disrupt the group's activities, and were a kind of prelude to a much broader offensive, under way at this very moment, against organisations linked to the defence of human rights and to Tibetan autonomy.
These attacks consist essentially of sending to the mailboxes of these pro-Tibetan organisations messages carrying “Trojan horses”, which steal e-mail data and contacts, passwords and various other unspecified information from the target computers. The data gathered this way is sent to servers located somewhere in China, probably buried in some Chinese army barracks, and then passed on to the intelligence services, where the information on internal and external opponents feeds databases of opponents of the regime.
The argument that these are Chinese hackers acting on their own, an argument the Russian Government used in the past to explain the cyberwar launched from Russia in May 2007 against Estonia, does not hold, since China maintains one of the tightest controls in the world over the activity of its Internet users... Would a “private”, autonomous war waged by a group of Chinese hackers go unnoticed by the Chinese police and intelligence services? Above all, we have to apply one of the basic rules of criminology here: look for who benefited from the crime in order to find the criminal. And is it not precisely in the highest interest of the Chinese authorities to identify active dissidents inside their own territory, in occupied Tibet or abroad?
In short... If you collaborate with, take part in, or know anyone involved in pro-Tibet activities or in the defence of human rights in China, be careful with e-mail messages carrying attachments in Word, PowerPoint, Access, Excel (one more reason to migrate to OpenOffice 2...) and even Adobe PDF, even when they come from apparently trustworthy sources. They are out there and they want your personal data, as well as that of the friends you keep in your Outlook, Firefox, etc. contacts.
Here, in the original English, is a republication of the SANS alert on this incident:
Last Updated: 2008-03-24 20:40:40 UTC
by Maarten Van Horenbeeck (Version: 1)
On Friday we reported on targeted attacks against various pro-Tibet non-governmental organizations (NGO) and communities, as well as Falun Gong and the Uyghurs. In this somewhat long diary entry, I’ll break down those attacks and identify the things we’ve seen in working on these since early 2007.
This hopefully helps you identify the risk similar attacks would pose to your organization. The diary does not deal with one incident, but looks at overall findings.
1. The message
The sole goal of the message is to transport the exploit, and to convince the reader to click on it, so the malicious code can execute.
Several social engineering tricks have been seen:
- Messages make a strong statement on a well known individual or group, but do not mention its name. The attachment is then named after that individual. A state of ‘cognitive dissonance’ arises between the reader’s pre-existent beliefs and the statement. This urges the reader to click the message;
- The writing style of the purported sender is well researched and mimicked;
- The content of the document matches the topic of the e-mail message;
- Legitimate, trusted users are sometimes convinced to actually forward along a message back to specific targets;
- In a number of cases, “memes” distributed within the community have been reused. For instance, a “viral” Word document was grabbed from a forum, edited to include the exploit and Trojan code, and forwarded on to other members of the community.
Here’s a sample. This message was sent to someone very active within the Tibetan community, and was spoofed as originating from the Secretary of International Relations of the Central Tibetan Administration, the government in exile in Dharamshala, India. The name and contact details of the official were accurate:
Attached here is the update Human Rights Report on Tibet issued by Department of State of U.S.A on March 11, 2008.
You may also visit the site:
Secretary of International Relations
Department of Information & International Relations
Central Tibetan Administration
Dharamshala -176215
H.P., INDIA
Ph.: [obfuscated]
Fax: [obfuscated]
E-mail: [obfuscated]@gov.tibet.net or firstname.lastname@example.org
Website: http://www.tibet.net/en/diir/
In some cases, messages were sent which addressed the recipient by his first name, and provided “clarification on a topic” which had previously been discussed between the sender and the recipient. While not evidence, there are specific instances in which it appears previously compromised accounts were re-used to engage in better social engineering.
2. The exploit
The messages contain an attachment which exploits a client side vulnerability. The most common vectors so far have been:
- CHM Help files with embedded objects;
- CVE-2008-0655: Acrobat Reader PDF exploit
- CVE-2006-2492, CVE-2007-3899: Word
- CVE-2006-3590, CVE-2006-0009: Powerpoint
- CVE-2008-0081: Excel
- CVE-2005-0944: Microsoft Access
- CVE-2006-3845: LHA files exploiting vulnerabilities in WinRAR.
The file exploits the vulnerability, and executes shellcode which generally unpacks at least two embedded components:
- The actual Trojan binary: Which can be packed (using UPX, Armadillo, FSG or PE-ARMOR), but in most cases is unpacked and easily retrievable from the file. It is described further in chapter 3 of this diary entry.
- A benign, non-malicious document of the same file type: upon successful execution of the exploit code, it generally “cleans up” and instead of showing an indication that the application has crashed, it drops a clean file to disk (be it either RAR, DOC, PPT or any of the other files affected) and opens it.
The second file shows context very valid to the message initially sent. An example image is included for reference below. This was grabbed from what was sent as a promotional flyer on a book on Tibet. In the background, it dropped a Trojan. Both the flyer and the book exist in real-life form, unbugged. This was an example of taking something which “exists” within the community, and republishing it with trojaned contents.
These files usually have very low AV coverage. Below is sample Virustotal output for the malicious PDF sample:
China’s Tibet.pdf, MD5 70d0d15041a14adaff614f0b7bf8c428
3. The backdoor
Upon successful exploitation, the dropper installs a Trojan. We have monitored over 8 different Trojan families in use. Quite common are Enfal, Riler and Protux. In addition, control over some machines is maintained using the Gh0st RAT remote access tool.
These trojans generally allow close to unrestricted access to the system under the user account which installed the Trojan. Many machines involved in this incident are home desktops, and as such this is often the administrator account. The backdoor generally triggers a few generic signatures, but has very low AV coverage at the time of distribution.
Below is a sample extracted from a malicious Excel document:
4. The control connection
In order for the Trojan to be effective, it needs to “phone home”. This usually (but not always) consists of two steps:
- A DNS lookup to acquire the address of the control server;
- The actual connection.
The DNS lookup occurs for a hostname embedded in the Trojan. So far, we have tracked over 50 unique hostnames. Some are used against a single organization or individual, others are used across the spectrum to many different targets.
Interestingly, attacks are “timed”. Let’s look at some DNS resolution logs:
+ 2008-03-22 06:05 | dns3.westcowboy.com | 188.8.131.52
- 2008-03-22 06:05 | dns3.westcowboy.com | 127.0.0.1
+ 2008-03-22 15:07 | dns3.westcowboy.com | 127.0.0.1
- 2008-03-22 15:07 | dns3.westcowboy.com | 184.108.40.206
+ 2008-03-23 07:18 | dns3.westcowboy.com | 220.127.116.11
- 2008-03-23 07:18 | dns3.westcowboy.com | 127.0.0.1
+ 2008-03-23 09:54 | dns3.westcowboy.com | 127.0.0.1
- 2008-03-23 09:54 | dns3.westcowboy.com | 18.104.22.168
When the hostname resolves to one of the above IP addresses, a connection is set up. When it resolves to 127.0.0.1 however, the compromised machine will no longer connect out.
As several IDS rules are available to trigger on lookups that result in 127.0.0.1, we are also seeing samples that contain a check for a specific ‘code’ IP. When the control server resolves to this address, the Trojan holds for a few minutes, then does another lookup. These “parking addresses” have included 22.214.171.124 and 126.96.36.199.
In the above example, this indicates that the team behind these attacks was busy gathering data from 06:05 till 15:07, only to start again almost exactly one day later, 07:18.
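The parked-at-127.0.0.1 pattern described above can be pulled out of a resolution log mechanically. The Python below is an added example, not part of the SANS diary: it parses constructed log lines in the same "+/- timestamp | hostname | address" shape as the ones above (TEST-NET addresses stand in for real controllers, and a hypothetical parking address is listed alongside 127.0.0.1) and returns the windows during which the name pointed at a live controller.

```python
import re
from datetime import datetime

# Constructed sample in the diary's "+/- timestamp | hostname | address" shape:
# '+' is the newly observed answer, '-' the answer it replaced. Controller
# addresses are TEST-NET values, not the ones from the diary.
SAMPLE_LOG = """\
+ 2008-03-22 06:05 | dns3.westcowboy.com | 203.0.113.10
- 2008-03-22 06:05 | dns3.westcowboy.com | 127.0.0.1
+ 2008-03-22 15:07 | dns3.westcowboy.com | 127.0.0.1
- 2008-03-22 15:07 | dns3.westcowboy.com | 203.0.113.10
+ 2008-03-23 07:18 | dns3.westcowboy.com | 203.0.113.20
- 2008-03-23 07:18 | dns3.westcowboy.com | 127.0.0.1
+ 2008-03-23 09:54 | dns3.westcowboy.com | 198.51.100.7
- 2008-03-23 09:54 | dns3.westcowboy.com | 203.0.113.20
+ 2008-03-23 09:55 | dns3.westcowboy.com | 127.0.0.1
- 2008-03-23 09:55 | dns3.westcowboy.com | 198.51.100.7
"""

# "Stand down" answers: loopback plus any known parking address. 198.51.100.7
# is a hypothetical parking address for this sample, not one from the diary.
PARKING = {"127.0.0.1", "198.51.100.7"}

# Only '+' lines (newly observed answers) drive the state machine.
LINE_RE = re.compile(r"^\+ (\d{4}-\d\d-\d\d \d\d:\d\d) \| (\S+) \| (\S+)$")


def activity_windows(log, parking=PARKING):
    """Map each hostname to a list of (start, end, controller) windows during
    which the name resolved to a live controller. A window still open at the
    end of the log is reported with end=None."""
    windows, live = {}, {}          # live: host -> (start, controller)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        host, addr = m.group(2), m.group(3)
        if host in live:            # any new answer ends the current window
            start, ctl = live.pop(host)
            windows.setdefault(host, []).append((start, ts, ctl))
        if addr not in parking:     # a routable answer opens a new one
            live[host] = (ts, addr)
    for host, (start, ctl) in live.items():
        windows.setdefault(host, []).append((start, None, ctl))
    return windows


if __name__ == "__main__":
    for host, wins in activity_windows(SAMPLE_LOG).items():
        for start, end, ctl in wins:
            print(f"{host}: live on {ctl} from {start} until {end}")
```

Run against the sample it reports the same two working periods the diary describes: 06:05 to 15:07 on the first day and 07:18 to 09:54 on the next.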
In a few cases, the control connection has been regular HTTP or HTTPS, set up using code injected into the Internet Explorer process. This allows the Trojan to be proxy-aware. In other instances, there have been control connections that were fully binary (such as Gh0st RAT) or encrypted using an obvious XOR key.
Some control connections can be detected on the network or proxy level, such as those of certain Riler and Enfal families:
When started, Enfal issues HTTP POST requests to the controller for:
The Riler Trojan family can also be identified through its connection protocol (bold is the infected client submitting data):
NAME:
NAME: [hostname].VER: Stealth 2.6 MARK: fl510 OS: NT 5.0.L_IP: 10.2.0.18.ID: NoID.
LONG:
0501_LOG.txt
NULL
AUTO
ERR code = 02
SNIF
ERR code = 02
WAKE
WAKE
It also has a recognizable command set:
LOCK SEND WAKE NAME MOON KEEP DISK FILE DONE DOWN LONG MAKE ATTR KILL LIKE SEEK READ DEAD DDLL AUTO READY
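The registration banner and the four-letter command vocabulary above are enough for a simple payload-level detector. The Python below is an added example, not code from the diary or from any IDS product: it parses the client banner fields and counts command keywords over a constructed client-to-controller exchange (the hostname, MARK and L_IP values are invented).

```python
import re

# Riler command keywords as listed in the diary.
RILER_COMMANDS = {
    "LOCK", "SEND", "WAKE", "NAME", "MOON", "KEEP", "DISK", "FILE", "DONE",
    "DOWN", "LONG", "MAKE", "ATTR", "KILL", "LIKE", "SEEK", "READ", "DEAD",
    "DDLL", "AUTO", "READY",
}

# Fields of the client's registration banner, in the order the diary shows them.
BANNER_RE = re.compile(
    r"NAME: (?P<host>[^.]+)\.VER: (?P<ver>Stealth [\d.]+) MARK: (?P<mark>\S+) "
    r"OS: (?P<os>.+?)\.L_IP: (?P<lip>\d+\.\d+\.\d+\.\d+)\.ID: (?P<id>[^.]+)\."
)


def parse_riler_banner(payload: bytes):
    """Return the banner fields as a dict if the payload carries a Riler
    registration line, else None."""
    m = BANNER_RE.search(payload.decode("latin-1", "replace"))
    return m.groupdict() if m else None


def riler_command_hits(payload: bytes) -> int:
    """Count upper-case tokens in the payload that belong to Riler's command set."""
    tokens = re.findall(r"[A-Z]{4,5}", payload.decode("latin-1", "replace"))
    return sum(1 for t in tokens if t in RILER_COMMANDS)


def looks_like_riler(payload: bytes, min_hits: int = 2) -> bool:
    """Flag a session that carries the registration banner (strong evidence on
    its own) or that uses at least min_hits command keywords."""
    return (parse_riler_banner(payload) is not None
            or riler_command_hits(payload) >= min_hits)


# Constructed exchange shaped like the diary's capture; WS-ALPHA, fl510 and
# 10.2.0.18 are invented sample values.
SAMPLE = (b"NAME:\nNAME: WS-ALPHA.VER: Stealth 2.6 MARK: fl510 OS: NT 5.0."
          b"L_IP: 10.2.0.18.ID: NoID.\nLONG:\n0501_LOG.txt\nNULL\nAUTO\n"
          b"ERR code = 02\nSNIF\nERR code = 02\nWAKE\nWAKE\n")

if __name__ == "__main__":
    print(parse_riler_banner(SAMPLE))
    print(riler_command_hits(SAMPLE), looks_like_riler(SAMPLE))
```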
5. The control server
The vast majority of control servers were identified on Chinese netblocks. However, servers have been identified in the USA, South Korea and Taiwan. The host names pointing to these servers are often configured on dynamic DNS services such as 3322.org. While these services in themselves are not malicious, they are heavily used in these specific attacks.
At the moment, it appears at least a number of the control servers have been compromised using open Terminal Services (RDP/3389) combined with weak passwords.
Based on the technical data, it is impossible to say who is the culprit in these attacks. What is however clear is that these NGOs are systematically hampered using malicious code, either with the goal of gaining access to their communications, or to make them reluctant to use e-mail to begin with.
While this is not the full picture on the attacks, we hope this overview already proves useful, and please get in touch if you have questions or additional feedback.