Security Now 191
Topic: Ghost Net
Recorded: April 8, 2009
Published: April 9, 2009
Security Now 191: Ghost Net
News & Errata
02:30 - 04:40
- Steve might set up a Conficker honey pot to monitor what it does.
04:41 - 05:05
- Spy programs are being found in the national electric infrastructure.
08:40 - 12:55
- US Justice Department decides government are immune from warrantless wire-tapping suits.
- Leo suggests reading The Electronic Frontier Foundations story on the topic.
12:56 - 15:34
- The UK passed EU initiated edict for all ISPs to retain sender / caller, recipient and date / time of all email and VOIP calls for no less than 12 months. Sweden says no and Germany is fighting it.
15:35 - 17:57
- A zero-day, unpatched PowerPoint vulnerability has been found which is being used in targeted attacks.
- An exploit always begins with targeted attacks to keep it hidden for the longest time possible.
20:16 - 28:45
- Anthony from Melbourne Australia blogged about how Spinrite saved his bacon for him, and compared Steve to renowned geneticist Craig Venter.
- Link to the blog post
- A laptop BSOD'd every time he tried to boot it. He ran Spinrite on it and it ran for about an hour and noted it work on certain sectors for a while although it didn't report any errors. The laptop rebooted fine and they could get their data off.
- Spinrite isn't on a website's list of data recovery tools as it does not take a copy of accessible data before running Steve has seen very few cases of the drive dying whilst Spinrite is running and this design feature is due to the program being written in the 1980's and at that time, spare hardrives (to copy data onto) were expensive.
30:45 - 01:04:59
Steve discusses the technology behind GhostNet which is responsible for the recent cyber attacks on embassies, foreign ministries and other government offices including the Dalai Lama's systems in Tibet. Attacks appear to originate from China but they don't appear to be orchestrated by the Chinese government.
30:45 - 36:40
- 9 months ago the Dalai Lama in exile asked the SecDev group in Canada and Citizen Lab in Munk Center for International Studies at the University of Toronto to work on issues of cyber stalking, cyber terrorism, cyber attacks.
- In 2002 they worked with the Dalai Lama on malware attacks against them.
- The group took a look at the Dalai Lama's machines and ran wireshark. They saw a communication to an IP in Hainan in the People's Republic of China
- They then tried to access the Dalai Lamas computer over the network and discovered that the command-and-control system had an open access web interface.
- They found malware content in a number of documents which had been attached to email.
- The documents exploited a problem found in Microsoft Word in 2006 which they had not patched.
- The remote access trojan is called "Ghost Rat"
- Its an open source trojan that you can find by googling "Ghost Rat"
36:41 - 37:55
- The source code has comments in Chinese
- The code contains chunks of code from various Microsoft Tools that has been glued together with some custom code.
- Link to Source Code
- (this link ultimately seems to lead to dong.exe or dong.swf, which I assume are trying to infect me since they're definitely not source code extensions. can someone post a simple text file to drop.io or something?)
37:56 - 40:16
- When GRC was attacked the botnet was based on IRC.
- If your computer became infected by the botnet it would connect to an IRC room somewhere to receive commands.
- IRC made it harder for the bot masters to be caught.
- This is what was happening 6-8 years ago; today they just use HTTP for command and control
40:17 - 45:35
- The client makes a connection to a web server. It does it to a PHP or CGI page the commands are sent back encoded in JPEG images.
- Using HTTP makes it easier to bypass any filters as very few people are going to block HTTP traffic.
- The control and command servers are separate
- Command Servers - Source of updates and images and documents
- Control Server - Returns instructions on how to contact the command server.
- It works by:
The client contacts the control server. The control server returns instructions for how to contact the command server, which the client then autonomously does. It receives commands from this second command server and then returns a status back to the control server once the command has been executed.
- The web interface lists all of the machines that it knows about and shows:
- The date of first contact,
- The date of most recent contact
- Links that you can click on for sending commands to infected machines
- They did reverse DNS look ups on the IP's and found they were networks affiliated with the Dalai Lama or in other Tibetan organizations and non-government organizations
- They found in some cases multiple infections that were contacting multiple control servers
- This allowed them to then expand their search to and access other control servers
- They ended up finding four control servers, all located on the same island in the People's Republic of China, and six command servers that were not otherwise affiliated.
- All of the domain name registrations pointed back to the same single individual.
45:36 - 49:23
- Due to the database each control sever was maintaining they could see:
- This whole network went back to 2006.
- Some machines were not infected for long
- Some machines were infected for several years.
They saw this software could:
- Take an inventory of the client
- Exfiltrate any and all documents on the infected machine
- Turn on a microphone
- Stream audio out of that client to a given target
- Turn on the webcam and stream video in real-time out of there.
- Execute any arbitrary command on the machine that they wanted to as a remote access software.
In some cases they saw evidence of:
- The commander watching an email dialogue between affiliated entities and inserting a spoofed email towards a not-yet-infected endpoint.
- And having been able to see the conversation, the bot master was able to create an email which flowed with the conversation and contained a malicious document.
- The recipient who was expecting an email like this would open the attachment and become infected.
In one case:
- Somebody who had worked in some capacity with the Dalai Lama was attempting to go back to visit her family
- Was stopped at the border held for two months and interrogated.
- When she claimed that she was not involved in politics at all the authorities showed her a complete transcript of her private conversations which she had had previously.
- So this was information that the intelligence agencies of China did have in their possession.
49:24 - 55:20
- The Chinese government denies any involvement and it's hard to prove they are involved.
- Steve comments on how he has received requests to write similar software which he declined and if he did write similar software "no one would find it, and I'd be using packets no one had seen before"
What does it take to perform this attack?
- Having a PC and being a little involved in the underground hacker world.
55:21 - 59:20 These researchers found:
- Four control servers
- Six command servers
- 1,295 discrete machines in 103 countries
- These machines all have IDs. So even if they're on dynamic IPs, the logging technology recognizes the machine is connecting from a different IP. So all machines have been disambiguated independent of whatever IPs they happen to have from time to time.
They confirmed that they found machines that were infected in the ministries of foreign affairs of:
- The Philippines
The embassies of
- South Korea
They found machines in:
- The Association of Southeast Asian Nations Secretariat
- The South Asian Association for Regional Cooperation
- The Asian Development Bank
- A number of news organizations
- An unclassified computer at NATO headquarters
- Deloitte & Touche in New York.
59:21 - 01:04:59
- More suggested reading by Leo: Electricity Grid in U.S. Penetrated By Spies
Steve: Google it. Four clicks away, you've got the source code. And, if you're not quite sure how to compile it, well, just follow along in the forum.
Leo: Yeah, we'll give you binaries, yeah.
Steve: Follow along in the forum because they're all trying to figure it out, too.
Leo: Lots of helpful hackers, ready and willing. You probably get better support on Ghost Rat than you can get on most commercial software.
17:58 - 20:15
- Steve recommends Firefox extension - Tree Style Tabs
Nerds On Site
- I Want to be A Nerd
- Ad Time: 0:33-0:50 and 28:46-30:40
- Go To My PC
- Ad Time: 0:54- 1:08 and 5:00-8:21
- Recorded Date: April 08 , 2009
- Release Date: April 09, 2009
- Duration: 01:05:55
- Log line:
- Edited by: Tony
- Notes: Removed Audible ad and saved it for later. Inserted Nerds ad in place.
|This area is for use by TWiT staff only. Please do not add or edit any content within this section.|