Interesting People mailing list archives
Cyber attacks against Tibetan communities
From: David Farber <dave () farber net>
Date: Fri, 21 Mar 2008 10:56:44 -0700
________________________________________ From: bobr () bobrosenberg phoenix az us [bobr () bobrosenberg phoenix az us] Sent: Friday, March 21, 2008 1:51 PM To: David Farber Subject: ISC: Cyber attacks against Tibetan communities Dave Perhaps for I.P. Looks like somebody is upset with some Tibetan communities. -- Bob Rosenberg P.O. Box 33023 Phoenix, AZ 85067-3023 Mobile: 602-206-2856 LandLine: 602-274-3012 bob () bobrosenberg phoenix az us ************** "Once a government is committed to the principle of silencing the voice of opposition, it has only one way to go, and that is down the path of increasingly repressive measures, until it becomes a source of terror to all its citizens and creates a country where everyone lives in fear." -- President Harry S. Truman, message to Congress, August 8, 1950 "Civil government cannot let any group ride roughshod over others simply because their consciences tell them to do so." -- Justice Robert H. Jackson While an Associate Justice of the United States Supreme Court, Jackson was appointed Chief United States Prosecutor at the International War Crimes Tribunal in Nuremberg, Germany. ************** Cyber attacks against Tibetan communities Published: 2008-03-21, Last Updated: 2008-03-21 17:08:39 UTC by Maarten Van Horenbeeck (Version: 2) http://isc.sans.org/diary.html?storyid=4177 There is lots of media coverage on the protests in Tibet. Something that lies under the surface, and rarely gets a blip in the press, are the various targeted cyber attacks that have been taking place against these various communities recently. These attacks are not limited to various Tibetan NGOs and support groups. They have been reported dating back to 2002, and even somewhat before that, and have affected several other communities, including Falun Gong and the Uyghurs. The attacks generally start with a very trustworthy looking e-mail, being spoofed as originating from a known contact, to someone within a community. In some cases, messages have also been distributed to mailing lists. These messages however contain malicious attachments. These are either: * CHM Help files with embedded objects; * Acrobat Reader PDF exploits; * Microsoft Office exploits; * LHA files exploiting vulnerabilities in WinRAR; * Exploitation of an ActiveX component through an attached HTML file. Here's a sample attachment and its AV coverage at the time it was distributed: reports_of_violence_in_tibet.ppt MD5 977a4ac91acf5d88044a68f828154155 AhnLab-V3 2008.3.20.2 2008.03.20 - AntiVir 7.6.0.75 2008.03.20 EXP/Office.Dropper.Gen Authentium 4.93.8 2008.03.20 - Avast 4.7.1098.0 2008.03.20 MPPT97:CVE-2006-3590 AVG 7.5.0.516 2008.03.20 - BitDefender 7.2 2008.03.20 Exploit.PPT.Gen CAT-QuickHeal 9.50 2008.03.20 - ClamAV 0.92.1 2008.03.20 - DrWeb 4.44.0.09170 2008.03.20 - eSafe 7.0.15.0 2008.03.18 - eTrust-Vet 31.3.5629 2008.03.20 - Ewido 4.0 2008.03.20 - F-Prot 4.4.2.54 2008.03.19 File is damaged F-Secure 6.70.13260.0 2008.03.20 - FileAdvisor 1 2008.03.20 - Fortinet 3.14.0.0 2008.03.20 - Ikarus T3.1.1.20 2008.03.20 - Kaspersky 7.0.0.125 2008.03.20 - McAfee 5256 2008.03.20 - Microsoft 1.3301 2008.03.20 - NOD32v2 2964 2008.03.20 PP97M/TrojanDropper.Agent.NAI Norman 5.80.02 2008.03.20 - Panda 9.0.0.4 2008.03.20 - Prevx1 V2 2008.03.20 - Rising 20.36.32.00 2008.03.20 - Sophos 4.27.0 2008.03.20 - Sunbelt 3.0.978.0 2008.03.18 - Symantec 10 2008.03.20 - TheHacker 6.2.92.250 2008.03.19 - VBA32 3.12.6.3 2008.03.17 - VirusBuster 4.3.26:9 2008.03.20 - Webwasher-Gateway 6.6.2 2008.03.20 Exploit.Office.Dropper.Gen As you can see, Anti virus is generally not proving effective against the samples distributed in this ongoing attack. We often see similar samples returning, only to have been edited slightly to prevent them from being picked up. Most of the time, the samples then drop very raw trojans that are not restricted much in ability. This means that just investigating the trojan does not always reveal the target data. When investigating such attack, it's actually necessary to find out which commands were submitted to discover what data was actually targeted So far, we have seen attacks that specifically searched the file system for Word documents, e-mail contents and, most interestingly PGP keyrings. If you’re interested in this, you may like to read Crouching Powerpoint, Hidden Trojan, a presentation I gave earlier in the year on similar attacks against Falun Gong. Mikko at F-Secure, Sophos and McAfee AVERT also have very interesting blog postings up on the topic. -- Maarten Van Horenbeeck ------------------------------------------- Archives: http://www.listbox.com/member/archive/247/=now RSS Feed: http://www.listbox.com/member/archive/rss/247/ Powered by Listbox: http://www.listbox.com
Current thread:
- Cyber attacks against Tibetan communities David Farber (Mar 21)