Beijing Olympics 2008: Winning Press Freedom - World Press ...

More documents

Recommendations

Info

Beijing Olympics 2008: Winning Press Freedom 56 technology behind these attacks on our organizations. In the second I part I try to address the question that journalists most often ask, that is, “Who is responsible?” I have subdivided the technology section to include comments on: the message that carries the exploit, the exploit itself, the back door, the control connection, and the control server. Similarly, I have subdivided the second section to consider whether the attackers have government affiliation, the state’s cost-benefit analysis in allowing hackers to operate within its borders, the political context, and evidence of recruitment from China’s computer underground. First, the message designed to carry the payload. The content is to persuade the user to click on it, so the malicious code can execute. The writing style of the message content imitates the spoofed sender. The content of the document is appropriate to the topic of the e-mail message. In some cases, users are convinced to return a message back to the attacker or forward to other users. We have seen memes 1 redistributed to the targeted communities. For example, a Word document was collected from a compromised mailing list, edited to include an exploit, and forwarded to other members of the targeted community. Here is a sample of a message that transports a targeted attack: Date: Tue, 1 Apr 2008 02:22:57 -0700 (PDT) From: Beijing Conference Subject: Invitation to conference "Beijing Olympics 2008: Winning Press Freedom" To: ………. Dear Sir/Madam We are cordially inviting you to the conference "Beijing Olympics 2008: Winning Press Freedom" which will be held from the 18th - 19th of April, 2008 in Maison de la Chimie Paris. […] The schedule of the conference is in the attachment. Email ……..@wan.asso.fr OR ………@wan.asso.fr By TEL: +33 (0)1 47 42 85 37 By FAX +33 (0)1 47 42 49 48 This message was sent to potential participants of this conference. The English is good, the message is factually correct, the organization’s footers are correct. The recipient is encouraged to download a pdf attachment. The attachment exploits a client-side vulnerability. The most common attack vectors so far have been, CHM help files, Adobe Acrobat Reader, PDF, Microsoft Word, Powerpoint, Excel, and Access. The file then exploits the vulnerability, and executes shell code which usually unpacks two components: the actual Trojan, and a non-malicious file which, rather than crashing the system, opens a non-malicious file.
Beijing Olympics 2008: Winning Press Freedom 57 The non-malicious file tends to be relevant to the message content, such as a Power Point presentation on Tibet. In the background of a landscape, it dropped a Trojan. The file had already been circulated in the Tibetan community, and this an example of attackers appropriating existing message content and republishing it with an embedded Trojan. Such activity is a strong indication that mailing lists and forums have previously been compromised, and the attackers are recycling information. It is important to realize that such low-volume malware attacks, such as used in cyberespionage, have poor anti-virus coverage. In this case, only six out of 32 (18.75 per cent) of anti-virus programs detected the Trojan Researchers working on analyzing these attacks have identified at least eight different Trojan families. Common ones include, Enfal, Riler and Protux. Control over some machines is maintained using the Gh0st RAT remote administration tool. Gh0st RAT allows essentially unrestricted access to the compromised machine. Remember, many machines targeted in these incidents are home desktops, which provide the attacker with access to the administrator account. The next stage is for the Trojan to connect back to the control server. This usually consists of two steps: domain name server (DNS) lookup to get the address of the control server, and the actual connection. The DNS lookup comes from a host-name embedded in the Trojan. To date, researchers have tracked more than 50 unique host-names. Some are used once against a single targeted organization, others are reused against multiple targets, as we will see in a moment. The overwhelming majority of control servers were identified as being located on People’s Republic of China netblocks. The host-names pointing to these servers are, more often than not, configured on dynamic DNS services such as 3322.org. It should be noted, that while these services are not in themselves malicious, they are frequently used in these types of attacks. Interestingly, it appears for now that at least some of these control servers have themselves been compromised. Let us now turn to look at some concrete examples of actual control servers behind these attacks. I will use examples from organizations sponsoring today’s conference. An attack on the World Association of Newspapers was traced to www.vic2088.com, which is currently 202.155.203.250, hosted at a company in Hong Kong. An attack on Reporters Sans Frontières: hi222.3322.org (117.14.210.181) on port 143 was traced to the following: inetnum: 117.8.0.0 - 117.15.255.255 netname: CNCGROUP-TJ descr: CNC Group Tianjin province network descr: China Network Communications Group Corporation descr: No.156,Fu-Xing-Men-Nei Street, descr: Beijing 100031 country: CN
Page 1 and 2:
Beijing Olympics 2008 : Winning Pre
Page 3 and 4:
Beijing Olympics 2008: Championing
Page 5 and 6:
6. How does China deal with foreign
Page 7 and 8: Beijing Olympics 2008: Winning Pres
Page 57: Beijing Olympics 2008: Winning Pres
Page 109 and 110:
Beijing Olympics 2008: Winning Pres
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129:
show all

Beijing Olympics 2008: Winning Press Freedom - World Press ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?