Cyber Espionage Network Uses Rootkits to Spy on High-Profile Targets
Reports Conclude Social Malware Surveillance Used on Organizations in 103 Countries.
In an effort to set up a meeting with a foreign diplomat on behalf of the Dalai Lama, staff at the Office of His Holiness the Dalai Lama (OHHDL) sent a private email to the invited guest. When the Chinese allegedly approached the foreign diplomat and discouraged the meeting, the OHHDL knew the email had somehow landed in the wrong hands.
But how?
To find out, researchers with the University of Cambridge Computer Laboratory conducted on-site research at the OHHDL to determine if a computer compromise caused the leak.
The resulting technical report, The Snooping Dragon: Social-Malware Surveillance of the Tibetan Movement, revealed that a number of successful logins to the OHHDL’s email servers came from IP addresses belonging to ISPs in China and Hong Kong, two places with which none of the email users had any association.
Specifically, the March 2009 report indicates these logins came from the Xinjiang Uyghur Autonomous Region, the home base of intelligence units dealing with the Tibetan movement.
But how did the Chinese gain access to the secret login information of the OHHDL?
“Email attachments appear to have been the favoured strategy to deliver malicious payloads,” according to the report. “This worked because the attackers took the trouble to write emails that appeared to come from fellow Tibetans and indeed from co-workers.”
The attackers crafted the emails to look as if they came from other monks, according to the report. These emails spread malware through infected attachments and links to infected websites. Because the recipients believed the emails came from fellow monks, they opened the attachments or followed the links, which downloaded the malware, in this case a rootkit.
Rootkits enter a computer as trojans, hide themselves deep inside the operating system, and open a covert backdoor through which the attacker can hide files and processes, alter the operating system, hide registry keys, steal personal information, intercept emails and more.
“Once installed, rootkits are almost undetectable by traditional security software solutions,” says Himanshu Sonkar, chief technologist and researcher at X-Wire Technology, the company which developed Tizer Rootkit Razor™, a free tool that detects and removes most kinds of rootkits.
Larger Network of Rootkits
The rootkits found at the OHHDL were only the beginning. The University of Cambridge field research in India was the first leg of an overall University of Toronto investigation, which included additional field research in India, Europe and North America.
Upon analyzing the gathered data, University of Toronto researchers and partners uncovered a large cyber espionage network called GhostNet that infected 1,295 computers in 103 countries. The project, titled Tracking GhostNet: Investigating a Cyber Espionage Network, found that 30% of those infected computers were considered high-value diplomatic, political, economic and military targets.
Just as at the OHHDL, the GhostNet operation used contextually relevant emails directed at specific recipients, who unwittingly downloaded Trojan programs and malicious code attached to these emails. Once the so-called gh0st RAT infected these computers, attackers gained complete, real-time control over them via commercial internet accounts located on the island of Hainan in the People’s Republic of China.
That means attackers can operate attached devices—including web cameras and microphones—to see and hear what’s happening in the target offices. Worse yet, attackers can download specific files to mine for contact information. Once attackers secure this contact information, they can use it to spread more malware through additional email documents that appear to come from legitimate sources.
Malware-Based Crime Spree
“The industrialization of online crime over the past five years means that capably-written malware, which will not be detected by anti-virus programs, is now available on the market,” reports the Cambridge study. “All an attacker needs is the social skill and patience to work the malware from one person to another until enough machines have been compromised to complete the mission.”
The Cambridge report, therefore, concludes that social malware is unlikely to remain a tool of well-funded, developed countries. In time, low-budget criminals from less developed countries will likely follow their lead.
Researchers at X-Wire Technology aim to prevent such vast criminal networks in the future.
“To prevent such widespread criminal activity, we've developed a new tool to handle such malicious rootkits,” says X-Wire Technology's Sonkar. “Unlike traditional antivirus software, Tizer Rootkit Razor™ works at the driver level to find the hidden rootkits through the processes they hide.”
Detecting and removing rootkits using this method assures your system will not become part of the next wave of rootkit-based computer crimes.
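One way a defender can apply the idea of comparing an ordinary process listing with a lower-level view of the system, as an added Linux example that is not X-Wire's or Tizer's code: the listing a rootkit typically filters is the /proc directory, while kill(pid, 0) asks the kernel about each PID directly, so a PID that answers the probe but is missing from the listing is a candidate for a hidden process. The `scan()` helper and the thread-ID handling are this example's own assumptions.

```python
"""Cross-view process enumeration on Linux (added illustration, not X-Wire's code).

A process-hiding rootkit usually filters the /proc directory listing that ps and
task managers rely on.  Probing the PID space with kill(pid, 0) asks the kernel
about each PID directly; a PID visible to the probe but absent from the listing
is a candidate for a hidden process.
"""
import os


def proc_views():
    """Listing view: PIDs that readdir() shows in /proc, plus their thread IDs
    (thread IDs also answer kill() but are not separate processes)."""
    pids = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    tids = set()
    for pid in pids:
        try:
            tids |= {int(t) for t in os.listdir(f"/proc/{pid}/task")}
        except OSError:
            pass  # process exited between the two listings
    return pids, tids


def pid_alive(pid):
    """Probe view: signal 0 delivers nothing but reports existence; EPERM
    (PermissionError) means the PID exists and belongs to another user."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def hidden_pids(listed, probed):
    """PIDs the probe found that the listing (processes and threads) lacks."""
    return sorted(set(probed) - set(listed))


def scan(max_pid=None):
    """Full cross-view check; a second listing after the probe filters PIDs
    that merely exited between the two views (a race, not a rootkit)."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    pids, tids = proc_views()
    probed = {pid for pid in range(1, max_pid + 1) if pid_alive(pid)}
    candidates = hidden_pids(pids | tids, probed)
    pids2, tids2 = proc_views()
    return [p for p in candidates if p not in pids2 | tids2 and pid_alive(p)]


if __name__ == "__main__":
    print("hidden PIDs:", scan() or "none")
```

A non-empty result is a lead to investigate with an offline image or a second tool, not proof by itself: a rootkit that hooks the kill path as well will pass this check, which is why driver-level tools go deeper than any user-mode comparison can.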
--- X-Wire Technology