Beijing Olympics 2008: Winning Press Freedom - World Press ...
56
technology behind these attacks on our organizations. In the second part I try to address the question that journalists most often ask, that is, "Who is responsible?"

I have subdivided the technology section to include comments on: the message that carries the exploit, the exploit itself, the back door, the control connection, and the control server. Similarly, I have subdivided the second section to consider whether the attackers have government affiliation, the state's cost-benefit analysis in allowing hackers to operate within its borders, the political context, and evidence of recruitment from China's computer underground.
First, the message designed to carry the payload. Its content is written to persuade the user to click on it, so that the malicious code can execute. The writing style of the message imitates the spoofed sender, and the content of the attached document is appropriate to the topic of the e-mail message. In some cases, users are persuaded to send a reply back to the attacker or to forward the message to other users. We have seen memes [1] redistributed to the targeted communities. For example, a Word document was collected from a compromised mailing list, edited to include an exploit, and forwarded to other members of the targeted community.
Here is a sample of a message that transports a targeted attack:

    Date: Tue, 1 Apr 2008 02:22:57 -0700 (PDT)
    From: Beijing Conference
    Subject: Invitation to conference "Beijing Olympics 2008: Winning Press Freedom"
    To: ……….

    Dear Sir/Madam

    We are cordially inviting you to the conference "Beijing Olympics 2008: Winning Press Freedom" which
    will be held from the 18th - 19th of April, 2008 in Maison de la Chimie Paris.
    […]
    The schedule of the conference is in the attachment.

    Email ……..@wan.asso.fr OR
    ………@wan.asso.fr
    By TEL: +33 (0)1 47 42 85 37
    By FAX +33 (0)1 47 42 49 48
This message was sent to potential participants of this conference. The English is good, the message is factually correct, and the organization's footers are correct. The recipient is encouraged to download a PDF attachment. The attachment exploits a client-side vulnerability. The most common attack vectors so far have been CHM help files, Adobe Acrobat Reader, PDF, Microsoft Word, PowerPoint, Excel, and Access. The file exploits the vulnerability and executes shell code, which usually unpacks two components: the actual Trojan, and a clean, non-malicious file that is opened so the user sees a document rather than a crashed system.
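As an added example (not part of the original text), a small mail-triage script for the delivery pattern just described: it parses a message and flags attachments of the file types the text lists as common exploit carriers. The Reply-To check and the sample message are my own assumptions; the addresses are placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Extensions of the file types the text names as the common exploit carriers.
VECTOR_EXTENSIONS = {".chm": "CHM help file", ".pdf": "Adobe Acrobat Reader/PDF",
                     ".doc": "Microsoft Word", ".ppt": "PowerPoint",
                     ".xls": "Excel", ".mdb": "Access"}

def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def triage(raw_bytes):
    """Return the list of findings for one RFC 5322 message; [] means nothing was flagged."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in VECTOR_EXTENSIONS:
            findings.append(f"attachment {name!r} is a {VECTOR_EXTENSIONS[ext]} document")
    # Added heuristic (an assumption, not from the text): replies steered to a domain other
    # than the visible sender's suggest the attacker wants the recipient to write back.
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    return findings

# Constructed sample modelled on the invitation quoted above; all addresses are placeholders.
SAMPLE = b"""\
From: Beijing Conference <invitation@example.invalid>
Reply-To: replies@mail.example.net
Subject: Invitation to conference "Beijing Olympics 2008: Winning Press Freedom"
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The schedule of the conference is in the attachment.
--b1
Content-Type: application/pdf; name="schedule.pdf"
Content-Disposition: attachment; filename="schedule.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""
```

Running `triage(SAMPLE)` returns two findings, one for the PDF attachment and one for the Reply-To mismatch; a plain text reply with no attachment returns an empty list.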