Malware Networks: Cooperation Appreciated

Maybe it was The Jackal who revealed a top Chinese state secret. This is how it went, according to Germany’s weekly Die Zeit [links within quotes by JR], in February this year:

Being Copied

... I'm Being Copied

The Dalai Lama, he of all people, had asked a group of security experts from the surroundings of Toronto University for help. The Tibetan government in exile was worried. Were their computers in Dharamsala and those in London, Brussels, and New York, infiltrated by hackers? Even by military state security? A colleague of [Nart Villeneuve] went there and soon noticed soon that some well-known bugs were on the computers, among them the Chinese spyware gh0st Rat. […]

While the Canadians examined the computers, they realized that someone remote was at work indeed. Documents were copied and taken to an unknown place on the internet, and when the team around Nart Villeneuve made a virus scan, only eleven out of 34 anti-virus programs found something objectionable at all. “A lot of this stuff simply rushes past the protection software”, says the maestro.

Even when the American military had developed the internet, it was meant to be a system that should work and maintain data communication even under difficult conditions. Security wasn’t a big issue then, writes Die Zeit. And when commercial companies later developed the internet further, it had to be easy for the users, rather than secure. From Dharamsala, Villeneuve learned about the scope of Ghostnet – reaching into several foreign ministries, embassies, banks, and news agencies.

Then Villeneuve started collecting data, from the internet, of course. He patiently combined bits of seemingly disparate information – a name here, a string of code there, a domain registration, a recurring handle, an e-mail address, all pieced together by searching Google results. He located the hackers’ computers somewhere on Hainan island – and found that officially, they didn’t belong to any military or state organization. According to Die Zeit, Nart Villeneuve played an essential role in the Gh0stnet discovery. From the smallest data traces – urls, e-mails, other hackers’ vain pseudonyms, and possibly connected places, names, and even phone numbers – he could decipher how security software is arranged, and where malware is being sent. Once someone makes a mistake, Villeneuve can watch their actions live, writes Die Zeit.

But while the internet is no safe connection, business people travel the world and exchange business secrets with their headquarters. People use their mobile phones for shopping and banking. Waterworks, traffic light networks, energy grids are connected through the internet, and every small electric meter will itself be a small internet computer soon.

The internet attacks on Google and its gmail accounts reportedly originated from two prominent schools within ChinaShanghai Jiaotong University and Lanxiang Vocational School – an allegation the China Global Times took issue with, also in February.  According to  Die Zeit again, a command server*) in Taiwan had been identified some time earlier as playing a role in the attacks on Google. Now the designers seem to be located in Shanghai – and the Taiwan command server had been used once again, as “hackers have their habits”, Die Zeit quotes Eli Jellenc, head of the iDefense Research Laboratories near Washington, D.C..

Some analysts have privately circulated a document asserting that the vocational school is being used as camouflage for government operations, but other computer industry executives and former government officials said the schools may be cover for a “false flag” intelligence operation being run by a third country,

according to the Taipei Times.

Cyberwar endangers the global economy, writes Die Zeit. The low cost of data communication had been an important driver for globalization. But that could only continue to work with genuine international cooperation to contain hacking and espionage, the paper quotes another cyberwar expert from Toronto.

China’s official media seem to agree that hacking and espionage endanger the global economy, but puts the blame for the attacks on Western media:

Earlier there was a rumor saying that Chinese hackers had intruded into the Dalai Lama’s office computer. Nevertheless, the Canadian security consulting firm which discovered the “major Chi-nese spying operation” was the Dalai Lama’s security consultant.

Information Warfare Monitor and the Shadowserver Foundation have reportedly found another malware network. Villeneuve writes that compromised computers had been directed to accounts on free web hosting services, and as the free hosting servers were disabled, to a stable core of command and control servers located in China.

We started by exploring one of the malware networks described in the GhostNet report but was an entirely separate malware network that had also compromised computers at the Dalai Lama’s office. I cannot stress just how important the trust, collaboration and information sharing across all those involved in this report from the Citizen Lab, SecDev , and Shadowserver, along with the Dalai Lama’s Office were to the success of the project.

As a result we were able to document another network of compromised government, business, and academic computer systems in India, the Office of the Dalai Lama, and the United Nations as well as numerous other institutions, including the Embassy of Pakistan in the United States.

Villeneuve writes that

we were unable to determine any direct connection between these attackers and elements of the Chinese state. However, it would not be implausible to suggest that the stolen data may have ended up in the possession of some entity of the Chinese government.

In short, Villeneuve sees his discovery mission as a documentation in progress – and counts on Chinese cooperation: Now having reported this incident to the China CERT — which handles security incidents in China — I look forward to working with them to shut down this malware network.


*) a command server may control a few hundred to tens of thousands of computers in companies or private living rooms which have previously been infiltrated.


Biggest Hacker Training Site shut down, China Daily, Febr 8, 2010
Serve your Country – Become a Network Security Advisor, July 31, 2009

3 Trackbacks to “Malware Networks: Cooperation Appreciated”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: