Last Updated: 2008-03-24 13:25:22 UTC
by Maarten Van Horenbeeck (Version: 4)
There is lots of media coverage on the protests in Tibet. Something that lies under the surface, and rarely gets a blip in the press, are the various targeted cyber attacks that have been taking place against these various communities recently.
UPDATE: We published an extended diary with additional tech info here.
These attacks are not limited to various Tibetan NGOs and support groups. They have been reported dating back to 2002, and even somewhat before that, and have affected several other communities, including Falun Gong and the Uyghurs.
The attacks generally start with a very trustworthy looking e-mail, being spoofed as originating from a known contact, to someone within a community. Some impressive social engineering tricks are used:
- Messages make a strong statement on a well known individual or group, but do not mention its name. The attachment is then named after that individual. A state of 'cognitive dissonance' is invoked between the reader's pre-existent beliefs and the statement. There's a natural urge to click on the attachment to confirm that belief;
- The writing style of the purported sender is usually well researched to have the message look as believable as possible;
- The content of the document actually matches closely what was discussed in the e-mail message;
- Having legitimate, trusted, users actually forward along a message back into the community.
The messages contain an attachment which exploits a client side vulnerability. Generally these are:
- CHM Help files with embedded objects;
- Acrobat Reader PDF exploits;
- Microsoft Office exploits;
- LHA files exploiting vulnerabilities in WinRAR;
- Exploitation of an ActiveX component through an attached HTML file.
Here's a sample attachment and its AV coverage at the time it was distributed:
AhnLab-V3 2008.3.20.2 2008.03.20 -
AntiVir 220.127.116.11 2008.03.20 EXP/Office.Dropper.Gen
Authentium 4.93.8 2008.03.20 -
Avast 4.7.1098.0 2008.03.20 MPPT97:CVE-2006-3590
AVG 18.104.22.1686 2008.03.20 -
BitDefender 7.2 2008.03.20 Exploit.PPT.Gen
CAT-QuickHeal 9.50 2008.03.20 -
ClamAV 0.92.1 2008.03.20 -
DrWeb 4.44.0.09170 2008.03.20 -
eSafe 22.214.171.124 2008.03.18 -
eTrust-Vet 31.3.5629 2008.03.20 -
Ewido 4.0 2008.03.20 -
F-Prot 126.96.36.199 2008.03.19 File is damaged
F-Secure 6.70.13260.0 2008.03.20 -
FileAdvisor 1 2008.03.20 -
Fortinet 188.8.131.52 2008.03.20 -
Ikarus T184.108.40.206 2008.03.20 -
Kaspersky 220.127.116.11 2008.03.20 -
McAfee 5256 2008.03.20 -
Microsoft 1.3301 2008.03.20 -
NOD32v2 2964 2008.03.20 PP97M/TrojanDropper.Agent.NAI
Norman 5.80.02 2008.03.20 -
Panda 18.104.22.168 2008.03.20 -
Prevx1 V2 2008.03.20 -
Rising 20.36.32.00 2008.03.20 -
Sophos 4.27.0 2008.03.20 -
Sunbelt 3.0.978.0 2008.03.18 -
Symantec 10 2008.03.20 -
TheHacker 22.214.171.124 2008.03.19 -
VBA32 126.96.36.199 2008.03.17 -
VirusBuster 4.3.26:9 2008.03.20 -
Webwasher-Gateway 6.6.2 2008.03.20 Exploit.Office.Dropper.Gen
As you can see, Anti virus is generally not proving effective against the samples distributed in this ongoing attack. We often see similar samples returning, only to have been edited slightly to prevent them from being picked up.
Most of the time, the samples then drop very raw trojans not restricted much in ability. This means that only investigating the trojan does not always reveal the data targeted. To investigate, it's necessary to find out which commands were submitted So far, we have uncovered attacks that specifically searched the file system for Word documents, e-mail contents and, most interestingly PGP keyrings.
If you’re interested in this, you may like to read Crouching Powerpoint, Hidden Trojan, a presentation I gave earlier in the year on similar attacks against Falun Gong. Brian Krebs at the Washington Post has also written on the unfolding events. Mikko at F-Secure, Sophos and McAfee AVERT also have very interesting blog postings up on the topic.
We've been working with several groups on these attacks since early 2007. If you or your organization has also been targeted, now or in the past, please get in touch. We will not publish any data on your specific attacks without your permission.
Maarten Van Horenbeeck