Malware probes find a China angle

Canadian researchers say the Tibet-focused "GhostNet" has hit nearly 1,300 computers in 103 countries, while a Vietnamese company spots a possible Chinese connection for Conficker.

Jon Skillings Editorial director

China is coming under scrutiny as the possible source of malicious software and Internet attacks directed at foreign governments and other institutions.

A pair of recent research reports have cast some light on shadowy online initiatives with roots in China. Completed separately, both reports--"Tracking GhostNet," from the Munk Centre for International Studies in Toronto, and "The snooping dragon," from the University of Cambridge Computer Laboratory--address the Chinese government's efforts to monitor the activities of the Dalai Lama and the governance of Tibet.

Asked about the reports, analysts in China say that such claims are exaggerated and politically motivated, according to CNN.

Meanwhile, Vietnamese security firm BKIS says it has come across clues suggesting that the Conficker worm, which is supposed to start communicating with computers on April 1, may have Chinese origins. BKIS reported Monday that it spotted similarities between Conficker's code and that of the 2001 Nimda virus, though in both cases the findings are not at all definitive.

In "Tracking GhostNet: Investigating a Cyber Espionage Network," issued over the weekend, the Canadian researchers say that the GhostNet comprises 1,295 infected computers in 103 countries, almost one third of them being "high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs."

Despite going into great detail about how the GhostNet operates, and acknowledging the Chinese government's interest in the strategic exploitation of cyberspace, the Munk Centre researchers stop short of pointing fingers directly at a perpetrator:

The capabilities of GhostNet are far-reaching. The report reveals that Tibetan computer systems were compromised giving attackers access to potentially sensitive information, including documents from the private office of the Dalai Lama. The report presents evidence showing that numerous computer systems were compromised in ways that circumstantially point to China as the culprit. But the report is careful not to draw conclusions about the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. The report argues that attribution can be obscured.

The breaches tended to stem from a so-called social-engineering exploit, in which targets in the Tibetan community were sent an e-mail that appeared to be from the address campaigns@freetibet.org and that carried an attached Word document titled "Translation of Freedom Movement ID Book for Tibetans in Exile"--and that Word document was infected with the malicious code.
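The lure described above combines a spoofed sender address with an Office attachment, which is exactly the pattern a mail gateway can triage before delivery. The following Python is an added illustration, not code from either report or from CNET: it parses a constructed sample message, checks whether the header From domain agrees with the envelope sender and the SPF result, and flags Office-format attachments. The trusted-domain list, the relay host `mail-relay.example` and the SPF header text are hypothetical; only the sender address and attachment title come from the article.

```python
"""Triage an inbound message for the GhostNet-style lure pattern:
a spoofed sender address carrying an Office attachment.
Added example; the sample message, domains and thresholds are constructed."""
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical: domains whose mail we expect to arrive with a matching
# envelope sender and a passing SPF check.
TRUSTED_DOMAINS = {"freetibet.org"}

# Attachment types that can carry active content (the GhostNet lure was a .doc).
RISKY_SUFFIXES = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf")

# Constructed sample: the header From claims the trusted domain, but the
# envelope sender (Return-Path) and the SPF result disagree with it.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail-relay.example>
Received-SPF: fail (example.org: domain of campaigns@freetibet.org does not designate 203.0.113.9 as permitted sender)
From: "Campaigns" <campaigns@freetibet.org>
To: staff@example.org
Subject: Translation of Freedom Movement ID Book for Tibetans in Exile
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached translation.

--b1
Content-Type: application/msword; name="Translation.doc"
Content-Disposition: attachment; filename="Translation.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAA=
--b1--
"""


def domain_of(addr):
    """Return the lower-cased domain part of an address header value."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def triage(raw):
    """Return (verdict, findings) for a raw RFC 5322 message string.

    verdict is 'quarantine' when a risky attachment coincides with at least
    one sender-spoofing signal, 'review' when only some signals fire, and
    'deliver' when nothing is found.
    """
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    if from_domain and envelope_domain and from_domain != envelope_domain:
        findings.append(f"header From domain {from_domain} != envelope domain {envelope_domain}")

    # First token of Received-SPF is the result (pass, fail, softfail, none, ...).
    spf = str(msg.get("Received-SPF") or "").split(" ", 1)[0].lower()
    if from_domain in TRUSTED_DOMAINS and spf != "pass":
        findings.append(f"SPF result '{spf or 'none'}' for trusted domain {from_domain}")

    # Only parts marked as attachments are inspected; the body text is ignored.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_SUFFIXES):
            findings.append(f"office attachment {name} ({part.get_content_type()})")

    risky_attachment = any(f.startswith("office attachment") for f in findings)
    spoof_signals = len(findings) - (1 if risky_attachment else 0)
    if risky_attachment and spoof_signals:
        verdict = "quarantine"
    elif findings:
        verdict = "review"
    else:
        verdict = "deliver"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = triage(SAMPLE_MESSAGE)
    print(verdict)
    for f in findings:
        print(" -", f)
```

The three checks are deliberately independent: a mismatched envelope domain alone is common for mailing lists and forwarders, and an Office attachment alone is everyday business mail, so the quarantine decision requires the attachment to coincide with a spoofing signal. In production the SPF result would come from the gateway's own authentication step rather than from a header in the message, since an attacker can insert a forged `Received-SPF` line.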

The compromise of targeted systems could be substantial:

The < i=""> system directs infected computers to download a Trojan known as gh0st RAT that allows attackers to gain complete, real-time control. These instances of gh0st RAT are consistently controlled from commercial Internet access accounts located on the island of Hainan, People's Republic of China.

Our investigation reveals that GhostNet is capable of taking full control of infected computers, including searching and downloading specific files, and covertly operating attached devices, including microphones and web cameras.

About 70 percent of the control servers behind the attack had Internet Protocol addresses assigned to China, but researchers also found such servers in the U.S., Sweden, South Korea, and Taiwan. Of the nearly 1,300 infected computers, Taiwan had the most, followed by the U.S., Vietnam, and India.

Given that China has the world's largest Internet population, the researchers say, "the sheer number of young digital natives online can more than account for the increase in Chinese malware. With more creative people using computers, it's expected that China (and Chinese individuals) will account for a larger proportion of cybercrime."

And while the Tibetan computer systems were "conclusively compromised," the report says, "it is not clear whether the attacker(s) really knew what they had penetrated, or if the information was ever exploited for commercial or intelligence value."

The University of Cambridge report, "The snooping dragon: social-malware surveillance of the Tibetan movement," doesn't refrain from charging that the Chinese government was directing malware attacks: "(I)t was a targeted surveillance attack designed to collect actionable intelligence for use by the police and security services of a repressive state, with potentially fatal consequences for those exposed."

Both reports also addressed the broader implications of the practices and behaviors observed in the Tibet-related malware efforts, and warn of the need for increased vigilance by both IT professionals and everyday computer users. As with many other breaches, from the Melissa virus 10 years ago to the Conficker worm today, the attacks succeeded in part because people using the computer systems failed to take precautions when surfing the Web or opening e-mail messages.

The costs could be significant, according to the Cambridge University report:

As social-malware attacks spread, they are bound to target people such as accounts-payable and payroll staff who use computers to make payments. Prevention will be hard. The traditional defence against social malware in government agencies involves expensive and intrusive measures that range from mandatory access controls to tiresome operational security procedures. These will not be sustainable in the economy as a whole. Evolving practical low-cost defences against social-malware attacks will be a real challenge.

See also:

Conficker worm might originate in China
'60 Minutes': What's next for Conficker worm?
U.K. parliament computers get Confickered
FAQ: Conficker time bomb ticks, but don't expect boom
Melissa virus turns 10