Last Updated: 2008-03-24 20:40:40 UTC
by Maarten Van Horenbeeck (Version: 1)
On Friday we reported on targeted attacks against various pro-Tibet non-gouvernmental organizations (NGO) and communities, as well as Falun Gong and the Uyghurs. In this somewhat long diary entry, I’ll break down those attacks and identify the things we’ve seen in working on these since early 2007.
This hopefully helps you identify the risk similar attacks would pose to your organization. The diary does not deal with one incident, but looks at overall findings.
1. The message
The sole goal of the message is to transport the exploit, and to convince the reader to click on it, so the malicious code can execute.
Several social engineering tricks have been seen:
- Messages make a strong statement on a well known individual or group, but do not mention its name. The attachment is then named after that individual. A state of 'cognitive dissonance' arises between the reader's pre-existent beliefs and the statement. This urges the reader to click the message;
- The writing style of the purported sender is well researched and mimicked;
- The content of the document matches the topic of the e-mail message;
- Legitimate, trusted, users are sometimes convinced to actually forward along a message back to specific targets;
- In a number of cases, “memes” distributed within the community have been reused. For instance, in a “viral” Word document was grabbed from a forum, edited to include the exploit and Trojan code, and forwarded onto other members of the community.
Here’s a sample. This message was sent to someone very active within the Tibetan community, and was spoofed as originating from the Secretary of International Relations of the Central Tibetan Administration, the government in exile in Dharamshala, India. The name and contact details of the official were accurate:
Attached here is the update Human Rights Report on Tibet issued by
Department of State of U.S.A on March 11, 2008.
You may also visit the site:
Secretary of International Relations
Department of Information & International Relations
Central Tibetan Administration
E-mail: [obfuscated]@gov.tibet.net or email@example.com
In some cases, messages were sent which addressed the recipient by his first name, and provided “clarification on a topic” which had previously been discussed between the sender and the recipient. While not evidence, there are specific instances in which it appears previously compromised accounts were re-used to engage in better social engineering.
2. The exploit
The messages contain an attachment which exploits a client side vulnerability. The most common vectors so far have been:
- CHM Help files with embedded objects;
- CVE-2008-0655: Acrobat Reader PDF exploit
- CVE-2006-2492, CVE-2007-3899: Word
- CVE-2006-3590, CVE-2006-0009: Powerpoint
- CVE-2008-0081: Excel
- CVE-2005-0944: Microsoft Access
- CVE-2006-3845: LHA files exploiting vulnerabilities in WinRAR.
The file exploits the vulnerability, and executes shellcode which generally unpacks at least two embedded components:
- The actual Trojan binary: Which can be packed (using UPX, Armadillo, FSG or PE-ARMOR), but in most cases is unpacked and easily retrievable from the file. It is described further in chapter 3 of this diary entry.
- A benign, non-malicious document of the same file type: upon successful execution of the exploit code, it generally “cleans up” and instead of showing an indication that the application has crashed, it drops a clean file to disk (be it either RAR, DOC, PPT or any of the other files affected) and opens it.
The second file shows context very valid to the message initially sent. An example image is included for reference below. This was grabbed from what was sent as a promotional flyer on a book on Tibet. In the background, it dropped a Trojan. Both the flyer and the book exist in real-life form, unbugged. This was an example of taking something which "exists" within the community, and republishing it with trojaned contents.
These files usually have very low AV coverage. Below is sample Virustotal output for the malicious PDF sample:
AhnLab-V3 2008.3.22.1 2008.03.21 -
AntiVir 126.96.36.199 2008.03.21 -
Authentium 4.93.8 2008.03.20 -
Avast 4.7.1098.0 2008.03.21 -
AVG 188.8.131.526 2008.03.21 -
BitDefender 7.2 2008.03.21 -
CAT-QuickHeal 9.50 2008.03.20 -
ClamAV 0.92.1 2008.03.21 -
DrWeb 4.44.0.09170 2008.03.21 -
eSafe 184.108.40.206 2008.03.18 -
eTrust-Vet 31.3.5631 2008.03.21 -
Ewido 4.0 2008.03.21 -
F-Prot 220.127.116.11 2008.03.20 -
F-Secure 6.70.13260.0 2008.03.21 -
FileAdvisor 1 2008.03.21 -
Fortinet 18.104.22.168 2008.03.21 -
Ikarus T22.214.171.124 2008.03.21 -
Kaspersky 126.96.36.199 2008.03.21 -
McAfee 5257 2008.03.21 -
Microsoft 1.3301 2008.03.21 -
NOD32v2 2966 2008.03.21 -
Norman 5.80.02 2008.03.20 -
Panda 188.8.131.52 2008.03.21 -
Prevx1 V2 2008.03.21 -
Rising 20.36.42.00 2008.03.21 -
Sophos 4.27.0 2008.03.21 Mal/JSShell-B
Sunbelt 3.0.978.0 2008.03.18 -
Symantec 10 2008.03.21 -
TheHacker 184.108.40.206 2008.03.19 -
VBA32 220.127.116.11 2008.03.21 -
VirusBuster 4.3.26:9 2008.03.21 Exploit.PDF.A
Webwasher-Gateway 6.6.2 2008.03.21 Exploit.PDF.ZoneBac.gen (suspicious)
3. The backdoor
Upon successful exploitation, the dropper installs a Trojan. We have monitored over 8 different Trojan families in use. Quite common are Enfal, Riler and Protux. In addition, control over some machines is maintained using the Gh0st RAT remote access tool.
These trojans generally allow close to unrestricted access to the system under the user account which installed the Trojan. Many machines involved in this incident are home desktops, as such this is often the administrator account. The Backdoor generally triggers a few generic signatures, but has very low AV coverage at the time of distribution.
Below is a sample extracted from a malicious Excel document:
AhnLab-V3 2008.3.4.0/20080310 found nothing
AntiVir 18.104.22.168/20080310 found [HEUR/Malware]
Authentium 4.93.8/20080307 found nothing
Avast 4.7.1098.0/20080309 found nothing
AVG 22.214.171.1246/20080310 found nothing
BitDefender 7.2/20080310 found nothing
CAT-QuickHeal 9.50/20080308 found nothing
ClamAV None/20080310 found nothing
DrWeb 4.44.0.09170/20080310 found nothing
eSafe 126.96.36.199/20080309 found nothing
eTrust-Vet 31.3.5597/20080307 found nothing
Ewido 4.0/20080310 found nothing
F-Prot 188.8.131.52/20080309 found nothing
F-Secure 6.70.13260.0/20080310 found [Suspicious:W32/Malware!Gemini]
FileAdvisor 1/20080310 found nothing
Fortinet 184.108.40.206/20080310 found nothing
Ikarus T220.127.116.11/20080310 found nothing
Kaspersky 18.104.22.168/20080310 found nothing
McAfee 5247/20080307 found nothing
Microsoft 1.3301/20080310 found nothing
NOD32v2 2935/20080310 found nothing
Norman 5.80.02/20080307 found nothing
Panda 22.214.171.124/20080309 found nothing
Prevx1 V2/20080310 found [Heuristic: Suspicious Self Modifying File]
Rising 20.35.02.00/20080310 found nothing
Sophos 4.27.0/20080310 found [Mal/Behav-116]
Sunbelt 3.0.930.0/20080305 found nothing
Symantec 10/20080310 found nothing
TheHacker 126.96.36.199/20080309 found nothing
VBA32 188.8.131.52/20080305 found nothing
VirusBuster 4.3.26:9/20080309 found nothing
Webwasher-Gateway 6.6.2/20080310 found [Heuristic.Malware]
4. The control connection
In order for the Trojan to be effective, it needs to “phone home”. This usually (but not always) consists of two steps:
- A DNS lookup to acquire the address of the control server;
- The actual connection.
The DNS lookup occurs for a hostname embedded in the Trojan. So far, we have tracked over 50 unique hostnames. Some are used against a single organization or individual, others are used across the spectrum to many different targets.
Interestingly, attacks are “timed”. Let’s look at some DNS resolution logs:
+ 2008-03-22 06:05 | dns3.westcowboy.com | 184.108.40.206
- 2008-03-22 06:05 | dns3.westcowboy.com | 127.0.0.1
+ 2008-03-22 15:07 | dns3.westcowboy.com | 127.0.0.1
- 2008-03-22 15:07 | dns3.westcowboy.com | 220.127.116.11
+ 2008-03-23 07:18 | dns3.westcowboy.com | 18.104.22.168
- 2008-03-23 07:18 | dns3.westcowboy.com | 127.0.0.1
+ 2008-03-23 09:54 | dns3.westcowboy.com | 127.0.0.1
- 2008-03-23 09:54 | dns3.westcowboy.com | 22.214.171.124
When the hostname resolves to one of the above IP addresses, a connection is set up. When it resolves to 127.0.0.1 however, the compromised machine will no longer connects out.
As several IDS rules are available to trigger on lookups that result in 127.0.0.1, we are also seeing samples that contain a check for a specific ‘code’ IP. When the control server resolves to this address, the Trojan holds for a few minutes, then does another lookup. These “parking addresses” have included 126.96.36.199 and 188.8.131.52.
In the above example, this indicates that the team behind these attacks was busy gathering data from 06:05 till 15:07, only to start again almost exactly one day later, 07:18.
In a few cases, the control connection has been regular HTTP or HTTPS, set up using code injected into the Internet Explorer process. This allows the Trojan to be proxy-aware. In other instances, there have been control connections that were fully binary (such as Gh0st RAT) or encrypted using an obvious XOR key.
Some control connections can be detected on the network or proxy level, such as those of certain Riler and Enfal families:
When started, Enfal issues HTTP POST requests to the controller for:
The Riler Trojan family can also be identified through its connection protocol (bold is the infected client submitting data):
NAME: [hostname].VER: Stealt h 2.6 MARK: fl510 OS: NT 5.0.L_IP: 10. 2.0.18.ID: NoID.
ERR code = 02
ERR code = 02
It also has a recognizable command set:
LOCK SEND WAKE NAME MOON KEEP DISK FILE
DONE DOWN LONG MAKE ATTR KILL LIKE SEEK
READ DEAD DDLL AUTO READY
5. The control server
The vast majority of control servers were identified on Chinese netblocks. However, servers have been identified in the USA, South Korea and Taiwan. The host names pointing to these servers are often configured on dynamic DNS services such as 3322.org. While these services in themselves are not malicious, they are heavily used in these specific attacks.
At the moment, it appears at least a number of the control servers have been compromised using open Terminal Services (RDP/3389) combined with weak passwords.
Based on the technical data, it is impossible to say who is the culprit in these attacks. What is however clear is that these NGOs are systematically hampered using malicious code, either with as goal to gain access to their communications, or to make them reluctant to use e-mail to begin with.
While this is not the full picture on the attacks, we hope this overview already proves useful, and please get in touch if you have questions or additional feedback.
Maarten Van Horenbeeck
Maarten at daemon.be