Monday, March 30, 2009

Targetted Attack, A True Story

While there is nothing new on the technical side of it, however this story is now circulating everywhere on the internet, just because it is a true story, the details are available to the public, and the infected machines are considered high value.
The report might be part of political efforts targeting China.



Here are some points from the report:

- Almost 30% of infected computers are high-value and include ministries of foreign affairs of different countries, embassies, news organizations, a Bank, an unclassified computer at NATO headquarter and Office of the Dalai Lama.

- Infected computers reached 1,295 in 103 countries

- The attacker used several infection vectors, infected web page serving exploit code to infect computers visiting it, and used also emails carrying infected pdf and doc files with trojan.

- Once the computer is infected, it will create a backdoor and try to contact the controlling servers, waiting for orders.

- The targets themselves may infect others by forwarding infected documents to their contacts

- The controlling servers are located in China

- The trojan used is known as gh0st RAT

- The 1st family of malware used HTTP connections to connect to PHP files, while the 2nd family used HTTP POST to connect to CGI

- The most recent sample in the report was on March 12, 2009


http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network

http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf

Updated:
The next chapter of the story is now released by shadowserver.


No comments: