Malware Targeted Against Pro-Tibet Groups

My guess is that it's the Chinese government.

Posted on March 27, 2008 at 6:04 AM • 22 Comments

Comments

Grahame • March 27, 2008 6:35 AM

Did you have to think hard for that guess? How did you eliminate false-flag?

bobdole • March 27, 2008 6:49 AM

Of course, because despite all the forum posts by people who are seriously pissed about what they see as the Tibetans being rioting unwashed minorities, there's no subset of those same millions of Chinese who have any computer skills or are immature enough to put them to use with "patriotic" vigor! Nope. Couldn't be. Not even possible in the wildest ravings of a madman.

WTF is making it so popular to blame a government when the people have much better means? I didn't believe it was the Russian govt which did the Estonian attacks, because the Russian govt didn't NEED to do the Estonian attacks. The Russian govt has thousands of bot herders and hangers-on who can get just as mad as anyone in the govt. Oh, and when all was said and done? It was a Russian living in Estonia who happened to have a botnet. I just checked, you posted it, so why now are you ignoring the precedent?

Your critical thinking skills are lacking as of late, Bruce.

bobdole • March 27, 2008 7:02 AM

Holy crap, I read the link... what were you thinking! You DO know that malware authors *always* use topical emails to spread malware, right?! When the Anna Kournikova virus was spreading, I suppose it would have been your theory that it was the US spreading it as a post-cold-war attack on Russia?

It's starting to become clear that you've become detached from the security state of the real world...

anonymous • March 27, 2008 7:07 AM

You mean it's not *Magic Lantern* being spread by hot blonde pic mass mailings?

What anti-malware app exists that can detect Magic Lantern type malware anyway?

Anonymous • March 27, 2008 7:17 AM

@bobdole

What the hell are you babbling about? The cited article says

"Groups working for freedom of Tibet all over the world have been targeted. These emails have been sent to mailing lists, private forums and directly to persons working inside pro-Tibet groups. Some individuals have received targeted attacks like this several times a month."

Noting that the "malware" is in fact a key-logger that

"[...] that collects and sends everything typed on the affected machine to a server running at xsz.8800.org. And 8800.org is a Chinese DNS-bouncer system that, while not rogue by itself, has been used over and over again in various targeted attacks."

This level of misrepresentation suggests that you, bobdole, are a Chinese operative of some kind ... however, I'm pretty sure that China has higher standards!

Bruce Schneier • March 27, 2008 8:10 AM

"Did you have to think hard for that guess? How did you eliminate false-flag?"

I didn't think hard, and I didn't eliminate false-flag. That's why I called it a "guess" and not something stronger.

I'm not sure what @bobdole is going on about.

investigator • March 27, 2008 9:54 AM

It's clearly so professionally done that it is produced by a sizable organization, likely government, likely the Chinese.

Yong • March 27, 2008 11:16 AM

This is tricky. Right now, the last thing the Chinese government needs is sympathy to the Pro-Tibet Groups. This kind of attack does not accomplish anything. Either they are incredibly smart, or incredibly stupid. Or there are other players.

MikeA • March 27, 2008 11:34 AM

Not probative, but recall that the Chinese government has Windows source code, and MSFT has always told us that security depends on the attacker not being able to read the source. Any guess how much easier it would be to write malware with access to all gazillion mind-numbing lines of C++?

sooth sayer • March 27, 2008 11:56 AM

@Bruce the king

"I didn't think hard, and I didn't eliminate false-flag. That's why I called it a "guess" and not something stronger."

Bruce .. you gave up your right to "guess" many long tirades ago.

Anonymous • March 27, 2008 12:20 PM

To those that somehow doubt the Chinese government is behind this... I'd like some of what you're smoking.

These are highly targeted attacks aimed not only at individual pro-Tibetan organizations, but at individual users within those organizations. They are not designed to bring down their infrastructure like they probably would be if some angry Chinese teenager were sending these out (yes bobdole, this is for you) but to gather massive amounts of intelligence on these groups in a surreptitious way.

Not only are they looking to grab every keystroke a user makes, but in some instances they are going after PGP keys as well.

All of this, not to mention the organized and refined nature of the attacks, points towards intelligence gathering. Which in turn points away from the usual assortment of script kiddies with a chip on their shoulders.

Yong • March 27, 2008 1:12 PM

@Anonymous

I still have doubts. Objectively, any professional hacker could have written the malware. If indeed the government is behind this, it is not some angry teenager, but some angry general.

What concerns me is why now? The intelligence gathering can be done any time, unless there is some real urgency that is worthy.

Cordylus • March 27, 2008 2:00 PM

@sooth sayer

[rant] It's Bruce's blog, he can do what he wants [/rant]

But more to the point, there's no way for anyone to prove who's behind it at this point, so unless you're saying he shouldn't have mentioned it at all (?) I don't see what there is to do but state a guess. It seems likely that it's being encouraged or organized by government elements. It's unlikely to be financially motivated, since it's targeted to a loose political group. The return rate is likely to be low in terms of $-per-infection, I'd guess even lower than a random distribution, plus it's not (obviously) targeted to specific financial info (e.g., Chase bank login), so you'd need a very high click rate to make it worthwhile. While the subject matter looks pretty well put together, it's a lot of effort...

So the question is, who stands to gain by watching Tibet freedom activists? The Chinese regime is the most obvious answer, so it seems like a reasonable guess.

sooth sayer • March 27, 2008 9:18 PM

@Cordylus

[/rant] He lets me rant on his blog .. so there [rant]

Once you think it through it's a logical conclusion; without it it's only gut feel .. calling it a guess is a gross misuse .. a guess must involve "some" evaluation.

Bruce doesn't allow "gut feels" .. something 90% of the law enforcement needs to use every day.

Sometimes I wonder if schizophrenia is more prevalent than 1% .. but I guess I am going too far with this :-)

Anonymous • March 28, 2008 5:30 AM

@sooth sayer

"Bruce doesn't allow "gut feels" .. something 90% of the law enforcement needs to use every day."

Direct lies do you no good, Sir Sayer.

Roland Hesz • March 29, 2008 5:34 AM

Playing the suspecting, paranoid person:
Or it can be pro-Tibet groups doing it to prove that the Chinese gov. is attacking them everywhere, and raise sympathy.

It can be possible, no?

arlynbabes • April 27, 2008 5:24 PM

Maybe the government can do this one, but professional hackers could also write this malware. We don't blame it on the government because we don't know what really happened behind this event. The more important thing to do is to make sure of its security.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..