
Watching the crooks: Researcher monitors cyber-espionage ring

Good guys are keeping an eye on large espionage and botnet campaigns that are stealing corporate secrets from government and private industry and money from peoples' bank accounts.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Figure: a graph of the confirmed espionage malware samples researcher Joe Stewart has been monitoring. Blue dots are malware, yellow dots are Domain Name System names, and purple dots are subdomains. (Image: SecureWorks)
Figure: a small section of the same graph up close. (Image: SecureWorks)

LAS VEGAS -- Researchers have uncovered a huge amount of malware and registered domains being used by criminals linked to China who are conducting cyber-espionage on a wide range of government, industry, and human rights activists.

The growing menace from these "Advanced Persistent Threats" is detailed in a report unveiled today called "Chasing APT." In an interview at the Black Hat security conference here, Joe Stewart, director of malware research at the Dell SecureWorks Counter Threat Unit, said that over the last 18 months he has been monitoring attacks designed to steal data from organizations around the world. Two primary groups, in Shanghai and Beijing, appear to be behind the attack operations, he said.

The groups were using more than 200 unique families of custom malware. They were also using more than 1,100 domain names registered solely to serve as command-and-control servers or to send spear phishing messages targeting specific workers within a company to entice them to open a malicious e-mail attachment or Web link. No one is safe with carefully crafted and targeted messages, Stewart said.

"You have to have that kind of paranoia to know anything you get that is unsolicited is suspicious," he said. Companies should consider opening any unsolicited attachments and links, even from people who are known and trusted, in a virtual machine or a sanitized workstation in which an infection can be isolated.

Targets include Japanese government ministries, universities, municipal governments, trade organizations, news media, think tanks and manufacturers of industrial equipment. "Now it's not just a limited set of targets," Stewart said. "It's anybody who has a competitor."

Stewart also found a private security organization in Asia, but not in China, that's conducting a powerful cyber-espionage operation against another country's military, while also offering security services and so-called "ethical hacking courses" as part of its legitimate business. He wouldn't name the company.

Attackers are using a tool called HTran to disguise the location of their command-and-control servers and a new piece of malware called "Elirks" that uses a microblogging service called Plurk as a first-stage command-and-control server.

Meanwhile, another SecureWorks researcher has done a deep dive into the Zeus Gameover malware campaign and found 678,205 infections -- including in 14 of the top 20 Fortune 500 firms -- making it one of the largest financial botnets around. The operation, believed to be based in Russia, uses the Cutwail spam botnet to send out spam that tricks people into clicking malicious links and to recruit money mules in the U.S. and Europe, according to a report on the malware.

Once a computer is infected, the malware enlists an arsenal of tools to stay in stealth mode and get as much financial data from the victim as possible, said Brett Stone-Gross of the Dell SecureWorks Counter Threat Unit. It uses Web Injects when it detects a victim visiting particular e-commerce sites to display a pop-up window via the browser that prompts for sensitive information such as a Social Security number and credit card number.

It also uses infected machines to launch Distributed Denial-of-Service attacks against financial sites after money has been pilfered from bank accounts so that victims can't reach the site to see if their account is OK. Its peer-to-peer infrastructure makes it impossible to shut down because there is no central command-and-control server running it.