There is a lot of media coverage of the protests in Tibet. Something that lies under the surface, and rarely gets a blip in the press, is the series of targeted cyber attacks that have been taking place against these various communities recently.
These attacks are not limited to various Tibetan NGOs and support groups. They have been reported dating back to 2002, and even somewhat before that, and have affected several other communities, including Falun Gong and the Uyghurs.
The attacks generally start with a very trustworthy-looking e-mail, spoofed so that it appears to originate from a known contact, sent to someone within a community. In some cases, messages have also been distributed to mailing lists. These messages, however, contain malicious attachments. These are either:
Here's a sample attachment and its AV coverage at the time it was distributed:
AhnLab-V3 2008.3.20.2 2008.03.20 -
As you can see, anti-virus is generally not proving effective against the samples distributed in this ongoing attack. We often see similar samples returning, edited only slightly so that they are no longer picked up.
Most of the time, the samples then drop very raw trojans whose capabilities are not restricted much. This means that investigating the trojan alone does not always reveal the targeted data. When investigating such an attack, it is actually necessary to find out which commands were submitted to the trojan in order to discover what data was actually targeted. So far, we have seen attacks that specifically searched the file system for Word documents, e-mail contents and, most interestingly, PGP keyrings.
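As an added illustration (not from the diary, and using a constructed, hypothetical command-log format, since the real command syntax is not shown here), the following Python classifies the commands recovered from a trojan session by the kind of data they touched, so the analyst sees what was actually targeted rather than what the trojan was merely capable of:

```python
import re
from collections import Counter

# Constructed sample of operator commands recovered from a trojan session.
# The "timestamp cmd: verb argument" layout is hypothetical.
SAMPLE_SESSION = """\
2008-03-20 09:12:01 cmd: dir C:\\Documents and Settings\\user\\My Documents\\*.doc /s
2008-03-20 09:12:40 cmd: upload C:\\Documents and Settings\\user\\My Documents\\meeting.doc
2008-03-20 09:13:05 cmd: dir C:\\Documents and Settings\\user\\Application Data\\Thunderbird\\*.msf /s
2008-03-20 09:13:30 cmd: upload C:\\Documents and Settings\\user\\Application Data\\gnupg\\secring.gpg
2008-03-20 09:13:55 cmd: upload C:\\Documents and Settings\\user\\Application Data\\gnupg\\pubring.gpg
2008-03-20 09:14:10 cmd: ipconfig /all
"""

# Data categories named in the diary, matched on paths and extensions.
# Order matters: the keyring check runs first so a .gpg file is never
# mistaken for a generic document.
CATEGORIES = [
    ("pgp_keyring", re.compile(r"(secring|pubring|\.gpg|\.skr|\.pkr|gnupg|pgp)", re.I)),
    ("word_document", re.compile(r"\.docx?\b", re.I)),
    ("email", re.compile(r"(thunderbird|outlook|\.pst|\.msf|\.mbox|\.eml)", re.I)),
]

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) cmd: (?P<verb>\S+)\s*(?P<arg>.*)$")


def classify(arg: str) -> str:
    """Return the data category an operator command argument touches."""
    for name, pattern in CATEGORIES:
        if pattern.search(arg):
            return name
    return "other"


def summarize(session: str):
    """Count commands per category and list what was pulled off the host.

    Returns (Counter of categories, list of (category, path) for uploads).
    """
    counts = Counter()
    exfiltrated = []
    for line in session.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # ignore lines that are not operator commands
        category = classify(match["arg"])
        counts[category] += 1
        if match["verb"].lower() == "upload":
            exfiltrated.append((category, match["arg"]))
    return counts, exfiltrated
```

Run against the constructed session, the summary shows two keyring uploads alongside a single Word document, which is the kind of finding the trojan binary alone would never reveal.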
If you’re interested in this, you may like to read Crouching Powerpoint, Hidden Trojan, a presentation I gave earlier in the year on similar attacks against Falun Gong. Mikko at F-Secure, Sophos and McAfee AVERT also have very interesting blog postings up on the topic.
It's important not to panic: much of the malware is not well developed and would even fail on proxied networks, or can be detected by equipment already in place. However, things are unfolding in these events daily that do have important repercussions. As we do with all threats, we plan on writing diary entries regularly to cover some of these findings.
Mar 21st 2008