SANS ISC: Cyber attacks against Tibetan communities

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

There is lots of media coverage on the protests in Tibet. Something that lies under the surface, and rarely gets a blip in the press, are the various targeted cyber attacks that have been taking place against these various communities recently.

These attacks are not limited to various Tibetan NGOs and support groups. They have been reported dating back to 2002, and even somewhat before that, and have affected several other communities, including Falun Gong and the Uyghurs.

The attacks generally start with a very trustworthy looking e-mail, being spoofed as originating from a known contact, to someone within a community. In some cases, messages have also been distributed to mailing lists. These messages however contain malicious attachments. These are either:

• CHM Help files with embedded objects;
• Acrobat Reader PDF exploits;
• Microsoft Office exploits;
• LHA files exploiting vulnerabilities in WinRAR;
• Exploitation of an ActiveX component through an attached HTML file.

Here's a sample attachment and its AV coverage at the time it was distributed:

reports_of_violence_in_tibet.ppt
MD5 977a4ac91acf5d88044a68f828154155

AhnLab-V3 2008.3.20.2 2008.03.20 -
AntiVir 7.6.0.75 2008.03.20 EXP/Office.Dropper.Gen
Authentium 4.93.8 2008.03.20 -
Avast 4.7.1098.0 2008.03.20 MPPT97:CVE-2006-3590
AVG 7.5.0.516 2008.03.20 -
BitDefender 7.2 2008.03.20 Exploit.PPT.Gen
CAT-QuickHeal 9.50 2008.03.20 -
ClamAV 0.92.1 2008.03.20 -
DrWeb 4.44.0.09170 2008.03.20 -
eSafe 7.0.15.0 2008.03.18 -
eTrust-Vet 31.3.5629 2008.03.20 -
Ewido 4.0 2008.03.20 -
F-Prot 4.4.2.54 2008.03.19 File is damaged
F-Secure 6.70.13260.0 2008.03.20 -
FileAdvisor 1 2008.03.20 -
Fortinet 3.14.0.0 2008.03.20 -
Ikarus T3.1.1.20 2008.03.20 -
Kaspersky 7.0.0.125 2008.03.20 -
McAfee 5256 2008.03.20 -
Microsoft 1.3301 2008.03.20 -
NOD32v2 2964 2008.03.20 PP97M/TrojanDropper.Agent.NAI
Norman 5.80.02 2008.03.20 -
Panda 9.0.0.4 2008.03.20 -
Prevx1 V2 2008.03.20 -
Rising 20.36.32.00 2008.03.20 -
Sophos 4.27.0 2008.03.20 -
Sunbelt 3.0.978.0 2008.03.18 -
Symantec 10 2008.03.20 -
TheHacker 6.2.92.250 2008.03.19 -
VBA32 3.12.6.3 2008.03.17 -
VirusBuster 4.3.26:9 2008.03.20 -
Webwasher-Gateway 6.6.2 2008.03.20 Exploit.Office.Dropper.Gen

As you can see, Anti virus is generally not proving effective against the samples distributed in this ongoing attack. We often see similar samples returning, only to have been edited slightly to prevent them from being picked up.

Most of the time, the samples then drop very raw trojans that are not restricted much in ability. This means that just investigating the trojan does not always reveal the target data. When investigating such attack, it's actually necessary to find out which commands were submitted to discover what data was actually targeted So far, we have seen attacks that specifically searched the file system for Word documents, e-mail contents and, most interestingly PGP keyrings.

If you’re interested in this, you may like to read Crouching Powerpoint, Hidden Trojan, a presentation I gave earlier in the year on similar attacks against Falun Gong. Mikko at F-Secure, Sophos and McAfee AVERT also have very interesting blog postings up on the topic.

It's important not to panic: many of the malware is not well developed and would even fail on proxied networks, or can be detected by equipment already in place. However, things are unfolding in these events daily that do have important repercussions. As we do with all threats, we plan on writing diary entries regularly to cover some of these findings.

--
Maarten Van Horenbeeck