Interesting People mailing list archives

Cyber attacks against Tibetan communities


From: David Farber <dave () farber net>
Date: Fri, 21 Mar 2008 10:56:44 -0700


________________________________________
From: bobr () bobrosenberg phoenix az us [bobr () bobrosenberg phoenix az us]
Sent: Friday, March 21, 2008 1:51 PM
To: David Farber
Subject: ISC:  Cyber attacks against Tibetan communities

Dave

Perhaps for I.P.

Looks like somebody is upset with some Tibetan communities.

--
Bob Rosenberg
P.O. Box 33023
Phoenix, AZ  85067-3023
Mobile:  602-206-2856
LandLine:  602-274-3012
bob () bobrosenberg phoenix az us

**************

"Once a government is committed to the principle of silencing the voice of
opposition, it has only one way to go, and that is down the path of increasingly
repressive measures, until it becomes a source of terror to all its citizens and
creates a country where everyone lives in fear."
-- President Harry S. Truman, message to Congress, August 8, 1950

"Civil government cannot let any group ride roughshod over others simply because
their consciences tell them to do so."
-- Justice Robert H. Jackson
While an Associate Justice of the United States Supreme Court, Jackson was appointed
Chief United States Prosecutor at the International War Crimes Tribunal in
Nuremberg, Germany.


**************



Cyber attacks against Tibetan communities
Published: 2008-03-21,
Last Updated: 2008-03-21 17:08:39 UTC
by Maarten Van Horenbeeck (Version: 2)
http://isc.sans.org/diary.html?storyid=4177

There is lots of media coverage of the protests in Tibet. Something that lies under
the surface, and rarely gets a blip in the press, is the series of targeted cyber
attacks that have been taking place against these communities recently.

These attacks are not limited to various Tibetan NGOs and support groups. They have
been reported dating back to 2002, and even somewhat before that, and have affected
several other communities, including Falun Gong and the Uyghurs.

The attacks generally start with a very trustworthy-looking e-mail, spoofed to appear
as originating from a known contact, sent to someone within a community. In some cases,
messages have also been distributed to mailing lists. These messages, however, contain
malicious attachments. These are either:

    * CHM Help files with embedded objects;
    * Acrobat Reader PDF exploits;
    * Microsoft Office exploits;
    * LHA files exploiting vulnerabilities in WinRAR;
    * Exploitation of an ActiveX component through an attached HTML file.

Here's a sample attachment and its AV coverage at the time it was distributed:

reports_of_violence_in_tibet.ppt
MD5 977a4ac91acf5d88044a68f828154155

Engine             Version        Signatures  Result
AhnLab-V3          2008.3.20.2    2008.03.20  -
AntiVir            7.6.0.75       2008.03.20  EXP/Office.Dropper.Gen
Authentium         4.93.8         2008.03.20  -
Avast              4.7.1098.0     2008.03.20  MPPT97:CVE-2006-3590
AVG                7.5.0.516      2008.03.20  -
BitDefender        7.2            2008.03.20  Exploit.PPT.Gen
CAT-QuickHeal      9.50           2008.03.20  -
ClamAV             0.92.1         2008.03.20  -
DrWeb              4.44.0.09170   2008.03.20  -
eSafe              7.0.15.0       2008.03.18  -
eTrust-Vet         31.3.5629      2008.03.20  -
Ewido              4.0            2008.03.20  -
F-Prot             4.4.2.54       2008.03.19  File is damaged
F-Secure           6.70.13260.0   2008.03.20  -
FileAdvisor        1              2008.03.20  -
Fortinet           3.14.0.0       2008.03.20  -
Ikarus             T3.1.1.20      2008.03.20  -
Kaspersky          7.0.0.125      2008.03.20  -
McAfee             5256           2008.03.20  -
Microsoft          1.3301         2008.03.20  -
NOD32v2            2964           2008.03.20  PP97M/TrojanDropper.Agent.NAI
Norman             5.80.02        2008.03.20  -
Panda              9.0.0.4        2008.03.20  -
Prevx1             V2             2008.03.20  -
Rising             20.36.32.00    2008.03.20  -
Sophos             4.27.0         2008.03.20  -
Sunbelt            3.0.978.0      2008.03.18  -
Symantec           10             2008.03.20  -
TheHacker          6.2.92.250     2008.03.19  -
VBA32              3.12.6.3       2008.03.17  -
VirusBuster        4.3.26:9       2008.03.20  -
Webwasher-Gateway  6.6.2          2008.03.20  Exploit.Office.Dropper.Gen

As you can see, anti-virus is generally not proving effective against the samples
distributed in this ongoing attack. We often see similar samples returning, only
edited slightly to prevent them from being picked up.

Most of the time, the samples then drop very raw trojans that are not restricted
much in ability. This means that just investigating the trojan does not always
reveal the target data. When investigating such an attack, it's actually necessary to
find out which commands were submitted to discover what data was actually targeted.
So far, we have seen attacks that specifically searched the file system for Word
documents, e-mail contents and, most interestingly, PGP keyrings.

If you're interested in this, you may like to read "Crouching Powerpoint, Hidden
Trojan", a presentation I gave earlier in the year on similar attacks against Falun
Gong. Mikko at F-Secure, Sophos and McAfee AVERT also have very interesting blog
postings up on the topic.

--
Maarten Van Horenbeeck
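
The lure described in the diary is a spoofed message from a known contact carrying one of a handful of document types. Below is an added triage example, not code from the diary or the ISC: it parses an .eml message, pulls out the attachments, identifies each by content rather than by its extension, and flags the attachment classes the diary lists (CHM, PDF, Office, LHA, HTML) together with two cheap spoofing tells (extension/content disagreement and a From: domain that differs from the envelope sender). The message built in build_sample() is constructed for this example; every address, name and file body in it is made up. The magic values are the real file signatures; the class labels and thresholds are this example's own.

```python
"""Triage a document-lure e-mail: identify attachments by content, flag spoofing tells.

Added example, not the diary's code. The sample message is constructed.
"""
import email
import os
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Leading file signatures (real magic values; the class labels are this example's).
SIGNATURES = [
    (b"ITSF", "chm"),                                  # Compiled HTML Help
    (b"%PDF", "pdf"),                                  # Adobe PDF
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),     # legacy Office (.doc/.ppt/.xls)
    (b"MZ", "pe"),                                     # Windows executable
]
LHA_RE = re.compile(rb"-l[hz][0-9a-z]-")               # LHA method id sits at offset 2

# Extensions each class legitimately wears; anything else is a disguise.
EXPECTED_EXT = {
    "chm": {".chm"}, "pdf": {".pdf"}, "lha": {".lha", ".lzh"},
    "ole2": {".doc", ".dot", ".ppt", ".pps", ".xls"},
    "html": {".htm", ".html"}, "pe": {".exe", ".dll", ".scr"},
}
LURE_CLASSES = {"chm", "pdf", "ole2", "lha", "html"}   # the attachment types the diary lists


def identify(data: bytes) -> str:
    """Classify attachment content; the filename is deliberately not consulted."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    if LHA_RE.match(data, 2):
        return "lha"
    head = data.lstrip()[:32].lower()
    if head.startswith(b"<html") or head.startswith(b"<!doctype html"):
        return "html"
    return "unknown"


def sender_mismatch(msg) -> bool:
    """Heuristic: the visible From: domain differs from the envelope (Return-Path) domain."""
    visible = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return bool(visible and envelope and visible != envelope)


def triage(raw: bytes) -> dict:
    """Return per-attachment findings plus the sender check for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_content()
        if isinstance(data, str):          # text/* parts come back decoded
            data = data.encode("utf-8", "replace")
        kind = identify(data)
        ext = os.path.splitext(name)[1].lower()
        findings.append({
            "filename": name,
            "kind": kind,
            "lure_class": kind in LURE_CLASSES,
            "ext_mismatch": kind != "unknown" and ext not in EXPECTED_EXT[kind],
        })
    return {"sender_mismatch": sender_mismatch(msg), "attachments": findings}


def build_sample() -> bytes:
    """Constructed lure modelled on the diary's description; not a real sample."""
    msg = EmailMessage()
    msg["From"] = "Known Contact <contact@tibet-support.example>"
    msg["To"] = "office@tibet-support.example"
    msg["Return-Path"] = "<bounce@unrelated-host.example>"   # envelope sender differs
    msg["Subject"] = "reports of violence in tibet"
    msg.set_content("Please see the attached report.")
    # OLE2 compound-document header, as a .ppt begins (body truncated to zeros).
    ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    msg.add_attachment(ole, maintype="application", subtype="vnd.ms-powerpoint",
                       filename="reports_of_violence_in_tibet.ppt")
    # An LHA archive (-lh5- method id at offset 2) wearing a harmless .txt name.
    lha = b"\x22\x7a-lh5-" + b"\x00" * 20
    msg.add_attachment(lha, maintype="application", subtype="octet-stream",
                       filename="photos.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(key, value)
```

The Return-Path comparison is only a tell, not proof: mailing-list relays and legitimate forwarders also rewrite the envelope sender, so treat it as one signal to weigh alongside the attachment class and the extension mismatch rather than a verdict on its own.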


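The diary's point about the dropped trojans is that the binary alone does not tell you what was taken; the commands the operator submitted do. The following is an added example, not the diary's code, of the kind of transcript review that recovers the targeted data classes the diary names (Word documents, e-mail stores, PGP keyrings). The transcript format, the command names (dir, copy, upload) and every path in it are constructed for this example; a real command channel would need its own parser. The one step worth noticing is staging resolution: a copy to a temp file followed by an upload of that temp file is recorded as exfiltration of the original, and a file that was staged but never uploaded is not.

```python
"""Reconstruct targeted data from a trojan's command transcript.

Added example, not the diary's code. Transcript, command names and paths are constructed.
"""
import re
from collections import defaultdict

# Constructed operator transcript in the shape a sandbox or network capture of the
# command channel might yield. The commands and paths are made up for this example.
TRANSCRIPT = r"""
[2008-03-20 14:02:11] cmd> dir /s /b "C:\Documents and Settings\*.doc"
[2008-03-20 14:02:19] cmd> copy "C:\Documents and Settings\user\My Documents\letter.doc" C:\temp\1.tmp
[2008-03-20 14:02:30] cmd> dir /s /b "C:\Documents and Settings\user\Local Settings\Application Data\Identities\*.dbx"
[2008-03-20 14:02:41] cmd> copy "C:\Documents and Settings\user\Application Data\PGP\secring.skr" C:\temp\2.tmp
[2008-03-20 14:02:42] cmd> copy "C:\Documents and Settings\user\Application Data\PGP\pubring.pkr" C:\temp\3.tmp
[2008-03-20 14:02:50] cmd> upload C:\temp\1.tmp
[2008-03-20 14:03:02] cmd> upload C:\temp\2.tmp
[2008-03-20 14:03:05] cmd> systeminfo
"""

# Data classes the diary reports being targeted, keyed on file name patterns.
TARGET_CLASSES = {
    "word_documents": re.compile(r"\.(doc|dot|rtf)$", re.I),
    "email_stores": re.compile(r"\.(pst|ost|dbx|mbx|eml)$", re.I),
    "pgp_keyrings": re.compile(
        r"(pubring\.pkr|secring\.skr|pubring\.gpg|secring\.gpg|trustdb\.gpg)$", re.I),
}

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] cmd> (?P<cmd>\S+)\s*(?P<args>.*)$")
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')          # quoted path or bare token


def split_args(args: str) -> list:
    """Split a command tail into arguments, honouring double quotes around paths."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(args)]


def classify(path: str):
    """Map a path or wildcard pattern to one of the target classes, or None."""
    for name, pattern in TARGET_CLASSES.items():
        if pattern.search(path):
            return name
    return None


def analyse(transcript: str) -> dict:
    """Return what was searched for and what actually left the host, by data class."""
    staged = {}                                  # staging copy (lowercased) -> original path
    searched = defaultdict(set)
    exfiltrated = defaultdict(set)
    for line in transcript.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cmd, args = m["cmd"].lower(), split_args(m["args"])
        if cmd == "dir":
            for arg in args:
                if not arg.startswith("/"):      # skip switches, keep the search pattern
                    cls = classify(arg)
                    if cls:
                        searched[cls].add(arg)
        elif cmd == "copy" and len(args) == 2:
            staged[args[1].lower()] = args[0]    # remember where the original came from
        elif cmd == "upload" and args:
            source = staged.get(args[0].lower(), args[0])   # resolve staging back to source
            exfiltrated[classify(source) or "other"].add(source)
    return {"searched": dict(searched), "exfiltrated": dict(exfiltrated)}


if __name__ == "__main__":
    for section, classes in analyse(TRANSCRIPT).items():
        print(section)
        for cls, paths in classes.items():
            for path in sorted(paths):
                print(f"  {cls}: {path}")
```

Run against the constructed transcript, the output distinguishes the public keyring, which was staged but never uploaded, from the secret keyring, which was; that distinction is exactly what reading the dropper alone cannot give you.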
