2-Extended Analysis-Full

Recommendations

Info

Communities @ Risk 17EXTENDED ANALYSIS: 2.1 Summary, Methodology and Data <strong>Analysis</strong>This low detection rate we observed isdue in part to the extensive presence ofCVE-2012-0158, which uses a number oftechniques to hide the vulnerability fromAV scanners.One of the simplest of these detectionreducingtechniques is modifying the RTFheader, since Microsoft Word will still beable to open the file, but fewer AV scannerswill detect it as malicious. Anotherbasic technique is encrypting maliciousdocument and providing a passwordto open the file in the associated email.Simply adding a password to maliciousfiles can help prevent AV detection.Since there are four ActiveX controllers—ListView,ListView2, TreeView, andTreeView2—affected by this vulnerabilityand there are no strict syntax restrictions,there can be a large variance in thedocument templates into which maliciouspayloads are inserted. These can causenewer templates to initially have lowerdetection rates.A notable technique observed was the createionof a MIME HTML (MHTML) filethat uses the vulnerable ActiveX controllers.By default, MHTML files are openedby a browser: however, they can also beopened by Microsoft Word, which willtrigger the exploit. Since Microsoft Wordmay not be the default application to openthe file, automated sandbox programsmay fail to detect the file as malicious.The older CVE-2010-3333 vulnerabilityhad similar issues with AV detection,because of the wide number of ways toencode the vulnerability. A small changein the way the vulnerability was writtencould evade signature detection whileremaining functionally the same.Although AV definitions are updated toaccount for evasion tricks, the lag betweenthe use of evasion techniques in the wildand definition updates results in temporarilylow detection rates, and hence thelikelihood of successful compromises.
Communities @ Risk 18EXTENDED ANALYSIS: 2.1 Summary, Methodology and Data <strong>Analysis</strong>EMAIL CONTENT ANALYSISSubject line, body, and attachments: The content of the subject line, body, and attachmentsfor each submitted email were content coded into 134 categories grouped undereight themes:• Country / Region (referring to a specific geographical country or region)• Ethnic Groups (referring to a specific ethnic group)• Event (referring to a specific event)• Organizations (referring to specific organizations)• People (referring to specific people)• Political (reference to specific political issues)• Technology (reference to technical support)• Miscellaneous (content without clear context or categories that did not fall into one ofthe other themes)Email headers: The header of each email was analyzed to determine if the sendingemail address was spoofed, or the email address was otherwise designed to appear tocome from a real person and / or organization (for example, by registering an emailaccount that resembles a legitimate sender’s name from a free email provider). Wedivide the results based on whether they attempted to spoof an organization or aspecific person.Results of this analysis confirm that message contentand fraudulent senders are tailored to the interests of thetarget organizations.Of the 520 total emails received by the Tibet Groups,97% referenced content related to Tibetan issues.Email lures leveraged specific events of interest andrespected persons in the Tibetan community. Emailsreferenced Tibet-related events, including holidays(Tibetan New Year), anniversaries (His Holiness theDalai Lama’s birthday), and protests (see Table 3).The most frequently referenced events were Tibetanself-immolations (31% of the emails leveraging eventrelatedcontent).Some of the attachments actuallycannot be detected as avirus...We’re not even sure ifit...will cause any harm at all.It’s just that the antivirus [is]saying that ‘there’s no threat,’but obviously there’s somethingwrong with it.”—China Group 1
Page 2 and 3: EXTENDED ANALYSIS:2.1Summary, Metho
Page 4 and 5: Communities @ Risk 3EXTENDED ANALYS
Page 12 and 13: Communities @ Risk 11EXTENDED ANALY
Page 20 and 21: Communities @ Risk 19EXTENDED ANAL
Page 30 and 31: EXTENDED ANALYSIS:2.2Cluster Analys
Page 64: Communities @ Risk 63EXTENDED ANALY
Page 69 and 70:
Communities @ Risk 68EXTENDED ANALY
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Communities @ Risk 100EXTENDED ANAL
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
EXTENDED ANALYSIS:2.3Civil Society
Page 111 and 112:
Page 113 and 114:
Communities @ Risk 112duced new ris
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125:
show all

2-Extended Analysis-Full

Create successful ePaper yourself

Delete template?

Save as template?