Beijing Olympics 2008: Winning Press Freedom - World Press ...
The non-malicious file tends to be relevant to the message content, such as a PowerPoint presentation on Tibet. While the viewer saw a landscape slide, the file dropped a Trojan in the background. The presentation had already been circulated in the Tibetan community, and this is an example of attackers appropriating existing message content and republishing it with an embedded Trojan. Such activity is a strong indication that mailing lists and forums have previously been compromised, and that the attackers are recycling the information they obtained there.
It is important to realize that low-volume malware attacks of the kind used in cyberespionage have poor anti-virus coverage. In this case, only six out of 32 (18.75 per cent) of the anti-virus programs tested detected the Trojan.
Researchers analyzing these attacks have identified at least eight different Trojan families. Common ones include Enfal, Riler and Protux. Control over some machines is maintained using the Gh0st RAT remote administration tool, which allows essentially unrestricted access to the compromised machine. Remember that many machines targeted in these incidents are home desktops, whose users typically work from the administrator account, so the Trojan inherits administrator rights.
The next stage is for the Trojan to connect back to the control server. This usually consists of two steps: a Domain Name System (DNS) lookup to obtain the address of the control server, and then the actual connection. The DNS lookup is for a host-name embedded in the Trojan. To date, researchers have tracked more than 50 unique host-names. Some are used once against a single targeted organization, others are reused against multiple targets, as we will see in a moment.
The overwhelming majority of control servers were identified as being located on People's Republic of China netblocks. The host-names pointing to these servers are, more often than not, configured on dynamic DNS services such as 3322.org. It should be noted that while these services are not in themselves malicious, they are frequently used in these types of attacks. Interestingly, it appears for now that at least some of these control servers have themselves been compromised.
Let us now turn to some concrete examples of actual control servers behind these attacks. I will use examples from organizations sponsoring today's conference. An attack on the World Association of Newspapers was traced to www.vic2088.com, which is currently 202.155.203.250, hosted at a company in Hong Kong.
An attack on Reporters Sans Frontières used hi222.3322.org (117.14.210.181) on port 143. The address was traced to the following netblock:

  inetnum: 117.8.0.0 - 117.15.255.255
  netname: CNCGROUP-TJ
  descr: CNC Group Tianjin province network
  descr: China Network Communications Group Corporation
  descr: No.156,Fu-Xing-Men-Nei Street,
  descr: Beijing 100031
  country: CN
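The two-step call-back (DNS lookup of the embedded host-name, then the connection) and the netblock trace above are what a defender would hunt for in resolver and firewall logs. The following is an added example, not code from the talk or from the researchers it cites: it pairs each DNS answer with a later connection from the same workstation to the returned address, flags host-names under the 3322.org dynamic-DNS zone, and checks whether the destination falls inside the CNCGROUP-TJ inetnum range parsed from the whois record quoted above. The key=value log format, the workstation names, the timestamps and the benign entries are constructed; the host-names, addresses and whois record are the ones quoted in the talk.

```python
"""Beacon triage for the two-step call-back described above.

Added example; not code from the talk or from the researchers it cites.
The log format, workstation names, timestamps and benign entries are
constructed. Host-names, addresses and the whois record are from the talk.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Dynamic-DNS zone named in the talk. Such hosts are not malicious per se,
# so the check below flags rather than blocks.
DYNAMIC_DNS_ZONES = ("3322.org",)

# Whois record quoted in the talk for the RSF control server.
CNCGROUP_TJ_WHOIS = """\
inetnum: 117.8.0.0 - 117.15.255.255
netname: CNCGROUP-TJ
descr: CNC Group Tianjin province network
descr: China Network Communications Group Corporation
descr: No.156,Fu-Xing-Men-Nei Street,
descr: Beijing 100031
country: CN
"""

# Constructed resolver and firewall logs from the same workstations.
DNS_LOG = """\
2008-04-22T10:15:03 host=ws-17 query=www.example.org answer=192.0.2.10
2008-04-22T10:15:09 host=ws-17 query=hi222.3322.org answer=117.14.210.181
2008-04-22T11:02:41 host=ws-22 query=www.vic2088.com answer=202.155.203.250
"""
CONN_LOG = """\
2008-04-22T10:15:04 host=ws-17 dst=192.0.2.10 dport=443 proto=tcp
2008-04-22T10:15:10 host=ws-17 dst=117.14.210.181 dport=143 proto=tcp
2008-04-22T11:02:45 host=ws-22 dst=202.155.203.250 dport=80 proto=tcp
"""


def parse_whois(text):
    """Parse a 'key: value' whois record. 'inetnum' becomes a (first, last)
    pair of addresses; repeated keys such as 'descr' collect into a list."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "inetnum":
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in val.split("-"))
            rec[key] = (lo, hi)
        else:
            rec.setdefault(key, []).append(val)
    return rec


def in_netblock(ip, rec):
    """True when ip lies inside the record's inetnum range (inclusive)."""
    lo, hi = rec["inetnum"]
    return lo <= ipaddress.IPv4Address(ip) <= hi


def is_dynamic_dns(hostname):
    """Exact or subdomain match against the known dynamic-DNS zones."""
    h = hostname.lower().rstrip(".")
    return any(h == z or h.endswith("." + z) for z in DYNAMIC_DNS_ZONES)


def _parse_kv(line):
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def correlate_beacons(dns_log, conn_log, whois_rec, window_seconds=60):
    """Pair each DNS answer with a later connection from the same host to the
    returned address inside the window, then annotate the pair with the
    dynamic-DNS and netblock checks."""
    dns = [_parse_kv(ln) for ln in dns_log.splitlines() if ln.strip()]
    conns = [_parse_kv(ln) for ln in conn_log.splitlines() if ln.strip()]
    window = timedelta(seconds=window_seconds)
    hits = []
    for d in dns:
        for c in conns:
            if (c["host"] == d["host"] and c["dst"] == d["answer"]
                    and d["ts"] <= c["ts"] <= d["ts"] + window):
                hits.append({
                    "host": d["host"], "hostname": d["query"],
                    "ip": d["answer"], "port": int(c["dport"]),
                    "dynamic_dns": is_dynamic_dns(d["query"]),
                    "in_netblock": in_netblock(d["answer"], whois_rec),
                })
    return hits


def triage():
    return correlate_beacons(DNS_LOG, CONN_LOG, parse_whois(CNCGROUP_TJ_WHOIS))


if __name__ == "__main__":
    for hit in triage():
        flags = [k for k in ("dynamic_dns", "in_netblock") if hit[k]] or ["none"]
        print(f"{hit['host']}: {hit['hostname']} -> {hit['ip']}:{hit['port']}"
              f"  flags={','.join(flags)}")
```

The benign www.example.org pair is deliberately kept in the output: DNS-then-connect on its own is what every browser does, and it is the combination with a dynamic-DNS host-name and a destination inside a netblock already tied to earlier incidents that makes the hi222.3322.org pair worth an analyst's time. The www.vic2088.com pair carries neither flag here only because the example parses a single whois record; in practice each observed destination would be looked up in turn.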