Daemon on Security Blog
Daemon.be is a security research group from Western Europe. We use this blog to refine our own thinking on information security issues.

Cyber attacks on Tibetan non-profits
March 25, 2008

by Maarten Van Horenbeeck


Part of the targeted attack research I've been doing has involved working together with many Tibetan non-profits as well as human rights organizations that operate within China. Together with the latest unrests in Lhasa, the amount of attacks we have been seeing has sharply increased.


Today, various media outlets are reporting on these findings:


Brian Krebs at the Washington Post: Cyber attacks target pro-Tibet groups
The BBC - Tibet: the cyber wars
SANS ISC - Overview of Cyber attacks against Tibetan communities
UPI - Analysis: Cyber attacks on Tibet groups


While most of these articles concentrate on the Tibetan groups, the findings for them are virtually identical to the work we've done on other targeted attacks. In some cases, as referenced in the UPI article, there is significant overlap in methodology, and even in control servers, between the attacks on the various groups.


While the source of the attacks cannot be identified using the technical data available, it is clear that these groups are the target of a coordinated attempt to spy on their digital communications, or of a clever attempt to discourage them from trusting those communications. Given that many such groups work in a network-centric manner, both can be equally serious problems.


Cheers,
Maarten



Go out and read "the dark visitor"!
February 23, 2008

The targeted attacks which I research are used by several groups, just about anywhere in the world. However, the techniques were probably seen executed in their most refined form by a number of Chinese groups, including, amongst others, the NCPH (Network Crack Program Hacker group) and HUC (Hunkers Union of China).


If these acronyms do not yet sound familiar, or if you're interested in learning more about them, I can highly recommend the book "The Dark Visitor" by Scott Henderson. The book, written by a Chinese linguist with experience in intelligence, offers some of the best insight currently available into Chinese hacker culture. In addition, he publishes a most excellent and regularly updated blog here. These are findings you do not want to miss out on.


Crouching Powerpoint, Hidden Trojan at 24C3
December 28, 2007

by Maarten Van Horenbeeck

Hi everyone,

I just finished my talk at 24C3 on targeted attack patterns, dubbed "Crouching Powerpoint, Hidden Trojan". The short agenda of this talk:

Targeted Attacks and Information Operations
    Value and distribution of information
    Information Operations: Deny, Deceive and Destroy
    Cultural differences in IO
    Contemporary methodology

A targeted attack incident
    Background on the issue space
    Overview of attacks
    Link analysis between objects of attack

Defence against the dark arts
    Technical Controls
    Security Intelligence

In essence, I looked into targeted attacks against the Falun Gong community, as they are still taking place today. I list some of the unique features (such as "domain parking") that some of these attacks have, and briefly touch on ways to better defend corporate networks. Naturally, there was too little time in one hour to cover it all. Finally, I show a small map that illustrates the complexity of a single attack series spanning a total of 8 months.

If you were there, thanks for hopping in and I hope you enjoyed it. You can now find the slides available for download here.


Malicious RAR files
November 26, 2007

By Maarten Van Horenbeeck


Over the last few months, a relatively significant number of RAR files have shown up in various targeted attacks we've looked at. Archivers are very interesting targets. Generally, you upgrade software when you require new functionality, or when the software informs you that an upgrade has been made available.


WinRAR, a very popular archiver, hasn't really added significant new functionality to its feature set. The reason is quite easy to understand: you expect your archiver to create archives. It doesn't need to do much more. It also doesn't prompt you to upgrade all that often. Overall, it's a useful tool, but it remains just that. A tool.


This may explain the following little graph, which shows you the different pieces of software that were targeted in one ongoing attack, focused against one organization, which we've been tracking for quite some time now:



Quite popular indeed, WinRAR.


WinRAR has been affected by quite a few vulnerabilities in the versions leading up to WinRAR 3.6. In February of this year, a vulnerability was found in the handling of password-encrypted RAR archives by the unrar command line tool. Another bug, identified in 2006, was rooted in incorrect handling of LHA archives by WinRAR. In 2005, two bugs in WinRAR 3.51 each allowed an attacker to create malicious RAR files which then executed code on affected systems.


Yesterday, an interesting sample called "pictures.rar" was attached to an otherwise benign e-mail message. To people using the vast majority of file-scanning based AV solutions, the file didn't even look all that suspicious. Below is a list of coverage at the time of distribution. Note that the three products which did identify the file actually share the same detection engine:



Engine              Version         Signatures   Result
AhnLab-V3           2007.11.24.0    2007.11.23   -
AntiVir             7.6.0.34        2007.11.25   -
Authentium          4.93.8          2007.11.24   -
Avast               4.7.1074.0      2007.11.25   -
AVG                 7.5.0.503       2007.11.25   -
BitDefender         7.2             2007.11.25   -
CAT-QuickHeal       9.00            2007.11.24   -
ClamAV              0.91.2          2007.11.25   -
DrWeb               4.44.0.09170    2007.11.25   -
eSafe               7.0.15.0        2007.11.21   -
eTrust-Vet          31.3.5324       2007.11.24   -
Ewido               4.0             2007.11.25   -
FileAdvisor         1               2007.11.25   -
Fortinet            3.14.0.0        2007.11.25   -
F-Prot              4.4.2.54        2007.11.25   -
F-Secure            6.70.13030.0    2007.11.25   Exploit.Win32.WinRar.g
Ikarus              T3.1.1.12       2007.11.25   Exploit.Win32.WinRar.g
Kaspersky           7.0.0.125       2007.11.25   Exploit.Win32.WinRar.g
McAfee              5170            2007.11.23   -
Microsoft           1.3007          2007.11.25   -
NOD32v2             2684            2007.11.25   -
Norman              5.80.02         2007.11.23   -
Panda               9.0.0.4         2007.11.25   -
Prevx1              V2              2007.11.25   -
Rising              20.19.61.00     2007.11.25   -
Sophos              4.23.0          2007.11.25   -
Sunbelt             2.2.907.0       2007.11.24   -
Symantec            10              2007.11.25   -
TheHacker           6.2.9.141       2007.11.24   -
VBA32               3.12.2.5        2007.11.23   -
VirusBuster         4.3.26:9        2007.11.25   -
Webwasher-Gateway   6.0.1           2007.11.25   -


When opened with a recent WinRAR 3.6, the application refused to open the file. On an older WinRAR 3.4.2 on an XP system, however, more interesting things happened.


The RAR archive triggered a buffer overflow vulnerability in WinRAR, after which code was executed which dropped an Alternate Data Stream (ADS) at:


C:\windows\system32:system32.exe


While it's trivial to extract ASCII files from ADS streams, it's relatively difficult to do the same with binaries. There are several freeware tools available which can do this, but the free versions generally restrict you from reading ADS from within the Windows directory. The easiest command-line solution is CAT.exe from the Windows 2000 resource kit, or you can copy the file and its accompanying ADS to another directory using Robocopy (a command-line replacement for xcopy which does support data streams) and then use whatever tool you wish.


Once extracted, the UPX-packed file could easily be unpacked. It had virtually no AV detection at the time, and injects code into the Internet Explorer process. Next, iexplore.exe performs a DNS lookup for the following host:


sds.bi-apple.net


This host currently resolves to 63.64.63.64, which is really a fictional IP address that is used by this specific group (I like to refer to them as "threat agents") quite regularly, apparently to "park" their attack hosts when not in use. Finally, the tool attempts to set up an obfuscated connection to that server on port 3460.


While we're still looking at the backdoor, a member of the DarkMoon family, it appears to have at least some keylogging functionality. Most interestingly, it does almost everything from memory, with only a 9k binary stored on disk.
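The "parking" behaviour above is itself a detection opportunity: any client that resolves the callback host is infected, and whether the answer is the parking address or something else tells you whether the operator has activated the control server. The following is an added example (not code from the original post) that applies that logic to a constructed, hypothetical key=value DNS/connection log, using only the indicators quoted in this post.

```python
import re
from collections import defaultdict

# Indicators quoted from the post above.
CALLBACK_HOST = "sds.bi-apple.net"
PARKING_IP = "63.64.63.64"   # where the group "parks" the host while it is not in use
CALLBACK_PORT = 3460

# Constructed sample lines in a hypothetical key=value log format (not a real product's format).
SAMPLE_LOG = """\
2007-11-26T08:12:01 dns client=10.0.0.17 qname=sds.bi-apple.net answer=63.64.63.64
2007-11-26T08:12:02 conn src=10.0.0.17 dst=63.64.63.64 dport=3460
2007-11-26T09:40:11 dns client=10.0.0.23 qname=www.example.org answer=192.0.2.10
2007-11-27T14:05:44 dns client=10.0.0.17 qname=sds.bi-apple.net answer=192.0.2.99
2007-11-27T14:05:45 conn src=10.0.0.17 dst=192.0.2.99 dport=3460
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>dns|conn) (?P<rest>.*)$")

def parse_line(line):
    """Split one log line into (timestamp, record kind, {key: value}); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    return m.group("ts"), m.group("kind"), fields

def analyze(log_text):
    """Return {client_ip: [(ts, verdict), ...]} for hosts showing the callback pattern."""
    alerts = defaultdict(list)
    c2_addrs = set()   # every address the callback host has resolved to so far
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, kind, rec = parsed
        if kind == "dns" and rec.get("qname") == CALLBACK_HOST:
            c2_addrs.add(rec["answer"])
            # The lookup alone marks the client as infected; the answer tells whether the
            # control server is parked (dormant) or has been moved to a live address.
            state = "parked" if rec["answer"] == PARKING_IP else "live at " + rec["answer"]
            alerts[rec["client"]].append((ts, f"resolved {CALLBACK_HOST}, C2 {state}"))
        elif kind == "conn" and rec.get("dport") == str(CALLBACK_PORT) and rec.get("dst") in c2_addrs:
            alerts[rec["src"]].append((ts, f"callback to {rec['dst']}:{CALLBACK_PORT}"))
    return dict(alerts)

if __name__ == "__main__":
    for client, events in analyze(SAMPLE_LOG).items():
        for ts, verdict in events:
            print(client, ts, verdict)
```

A change from the parked answer to a live one, as on the second day of the sample, is the moment to prioritise that host: the resolution alone is enough to quarantine it, but the live answer means the operator is actively collecting.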


(Posted in exploits)

Information operations in 80's pop culture
November 23, 2007

By Maarten Van Horenbeeck


While I was driving to work this morning, there was a great song on the radio. "Silent Running" is a classic Mike & The Mechanics hit, dated 1985. It was their first song, and hit 6th place in the US Billboard Hot 100 and 21st place in the UK charts.


It was written in the same era as Sting's "Russians", which after all these years has perhaps retained a little bit more of its hit value. Dating from the mid eighties, both songs had very much of a cold war feel to them. They were written at a time when the prospect of foreign dominance (not so much invasion) was a real threat, even in the United States and Western Europe.


The lyrics of "Silent Running" make you think about some aspects of information warfare:


"Swear allegiance to the flag
Whatever flag they offer
Never hint at what you really feel
Teach the children quietly
For some day sons and daughters
Will rise up and fight while we stood still."


This piece of pop culture clearly identifies an important aspect of warfare that everyone knows and believes they understand, but that is generally not taken into account. You can dominate militarily without actually repressing people's souls. The latter is what comes back to haunt you, especially if you have alienated the population. People made songs of this in the 80's, when they were at risk themselves. When it applies to others, it's disregarded. Despite cultural differences and simplification, this is an important lesson.


Another brilliant piece of text:


"Take the children and yourself
And hide out in the cellar
By now the fighting will be close at hand
Don't believe the church and state
And everything they tell you
Believe in me, I'm with the high command"


Hide out in the cellar, and only come out when the opportunity arises. Believe in the High Command. This is typical of network-centric operations: groups are only linked through a central ideology, and rise up when they feel their assistance is required to further it.


Click on the links above to see the YouTube videos for these tracks, and enjoy a completely different view of the world than the common one today. If you then feel like reading an insightful piece of work on the issue of persuasion and winning "hearts and minds", have a look at RAND's Strategic Influence and the Struggle against Terrorism.


(Posted in culture)
