http://www.f-secure.com/weblog/archives/00001406.html
Friday, March 21, 2008
Targeted Malware Attacks Against Pro-Tibet Groups
Posted by lab @ 16:24 GMT
There's unrest on the streets of Tibet: clashes between
Tibetans and the Chinese military.
Quoting Wikipedia, "Tibet was once an independent kingdom,
which later became a part of China. The government of the
People's Republic of China and the Government of Tibet in
Exile, however, disagree over when Tibet became a part of
China, and whether this incorporation into China is legitimate
according to international law."
There's also unrest on the net. Groups supporting the freedom
of Tibet have been attacked with highly targeted and
technically advanced attacks.
Quoting an Asia Free Press news report: "AFP received an email
Tuesday from someone claiming to be in Denmark, who had
attached a file they said were pictures of Tibetans shot by
the Chinese army. When AFP tried to open the attachment, a
virus warning appeared."
So, what do these attacks look like in practice? Let's take an
example.
Here's an e-mail that was mailed to a pro-Tibet mailing list
three days ago.
It looked as if it was coming from the Unrepresented Nations
and Peoples Organization (UNPO). However, the e-mail headers
were forged and the mail was coming from somewhere else
altogether.
Seemingly, the mail issued a statement of solidarity for the
people of Tibet:
If you open the attached PDF file, you actually get a real PDF
document with a relevant statement:
However, this is not a normal PDF document. It carries a
modified version of an exploit for the PDF-Encode vulnerability,
which runs against Adobe Acrobat when the document is opened.
The exploit silently drops and runs a file called C:\Program
Files\Update\winkey.exe. This is a keylogger that collects
everything typed on the affected machine and sends it to a
server running at xsz.8800.org. 8800.org is a Chinese
DNS-bouncer (dynamic DNS) system that, while not rogue by
itself, has been used over and over again in various targeted
attacks.
The exploit inside the PDF file was crafted to evade detection
by most antivirus products at the time it was sent.
Somebody is trying to use pro-Tibet themed e-mails to infect
computers of the members of pro-Tibet groups to spy on their
actions.
And this is not an isolated incident. Far from it.
Groups working for the freedom of Tibet all over the world
have been targeted. These e-mails have been sent to mailing
lists, private forums and directly to persons working inside
pro-Tibet groups. Some individuals have received targeted
attacks like this several times a month.
The mails are almost always forged to look as if they come
from trusted persons or organizations, making it more likely
that the recipient will open them.
Just the filenames of some of the recent malicious attachments
tell a lot:
UNPO Statement of Solidarity.pdf
Daul-Tibet intergroup meeting.doc
tibet_protests_map_no_icons__mar_20.ppt
reports_of_violence_in_tibet.ppt
genocide.xls
memberlist.xls
Tibet_Research.exe
tibet-landscape.ppt
Updates Route of Tibetan Olympics Torch Relay.doc
THE GOVERNMENT OF TIBET.ppt
Talk points.chm
China's new move on Tibetans.doc
Support Team Tibet.doc
Photos of Tibet.chm
News ReleaseMassArrest.pdf
Whole Schedule and Routing for Torch Relay.xls
As you can see, a variety of "trusted" file types is used in
these targeted attacks, including DOC, XLS, PPT, PDF and CHM.
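As an added example (not code from the F-Secure post), here is a small Python triage check that applies two of the signals described above to a single raw message: whether the visible From: domain disagrees with both the envelope sender and the delivering relay, and whether any attachment uses one of the bait file types in the list. The sample message, its domains and its PDF body are constructed placeholders.

```python
import email
import re
from email import policy

# Attachment types named in the post's list of bait files (EXE is on that list too).
SUSPECT_EXTENSIONS = {"doc", "xls", "ppt", "pdf", "chm", "exe"}

# Constructed sample (placeholder domains): From: claims UNPO, as in the post, but
# the envelope sender and the delivering relay belong elsewhere.
SAMPLE_MAIL = "\n".join([
    "Return-Path: <bounce@relay.example>",
    "Received: from mail.relay.example ([192.0.2.10]) by mx.list.example",
    "From: UNPO <info@unpo.example>",
    "Subject: UNPO Statement of Solidarity",
    'Content-Type: multipart/mixed; boundary="XYZ"',
    "",
    "--XYZ",
    "Content-Type: text/plain",
    "",
    "Please find our statement attached.",
    "--XYZ",
    'Content-Type: application/pdf; name="UNPO Statement of Solidarity.pdf"',
    'Content-Disposition: attachment; filename="UNPO Statement of Solidarity.pdf"',
    "",
    "%PDF-1.4 (placeholder body, not a real document)",
    "--XYZ--",
])

def _grab(pattern, text):
    """First regex group found in text, lower-cased; empty string if absent."""
    m = re.search(pattern, text or "")
    return m.group(1).lower() if m else ""

def _same_org(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return bool(host and domain) and (host == domain or host.endswith("." + domain))

def triage(raw):
    """Return the sender-mismatch and bait-attachment signals for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = _grab(r"@([A-Za-z0-9.-]+)", msg.get("From"))
    envelope_dom = _grab(r"@([A-Za-z0-9.-]+)", msg.get("Return-Path"))
    received = msg.get_all("Received") or []
    relay = _grab(r"^from\s+([A-Za-z0-9.-]+)", received[0] if received else "")
    # Visible sender agrees with neither the envelope sender nor the last relay.
    mismatch = bool(from_dom) and not (_same_org(envelope_dom, from_dom)
                                       or _same_org(relay, from_dom))
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    suspect = [n for n in names if n.rsplit(".", 1)[-1].lower() in SUSPECT_EXTENSIONS]
    return {"from_domain": from_dom, "header_mismatch": mismatch,
            "suspect_attachments": suspect, "flagged": mismatch and bool(suspect)}
```

On mail that arrives through a mailing list, the topmost Received: hop is the list server, so compare against the hop before it; the check is a triage signal, not proof of forgery.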
The contents of these bait documents have been crafted very
well. Below are some examples of what the user sees after he
has been duped into opening one of these files. The content is
mostly recycled from real announcements and messages of the
pro-Tibet groups.