Sunday, November 14, 2010

Nobel Peace Prize, Amnesty HK and Malware

From Nart Villeneuve at SecDev.cyber ...

There have been two recent attacks involving human rights and malware. First, on November 7, 2010, contagiodump.blogspot.com posted an analysis of a malware attack that masqueraded as an invitation to attend an event put on by the Oslo Freedom Forum for Nobel Peace Prize winner Liu Xiaobo. The malware exploited a known vulnerability (CVE-2010-2883) in Adobe Reader/Acrobat. The Committee to Protect Journalists was hit by the same attack.

On November 10, 2010, Websense reported that the website of Amnesty Hong Kong was compromised and was delivering an Internet Explorer 0day exploit (CVE-2010-3962, unpatched at the time) to visitors. In addition, Websense reports that the same malicious server was serving three additional exploits: a Flash exploit (CVE-2010-2884), a QuickTime exploit (CVE-2010-1799) and a Shockwave exploit (CVE-2010-3653).

The malicious domain name hosting the exploits, mailexp.org (74.82.168.10), has been serving malware since September 2010. mailexp.org was registered in May 2010 to y_yum22@yahoo.com. It was formerly hosted on 74.82.172.221, which now hosts the Zhejiang University Alumni Association website.

The malware dropped from the Internet Explorer exploit (CVE-2010-3962):
scvhost.txt
MD5: ca80564d93fbe6327ba6b094ae3c0445 VT: 2/43

The malware dropped from the Flash exploit (CVE-2010-2884):
hha.exe
MD5: 0da04df8166e2c492e444e88ab052e9c VT: 2/43

The malware dropped from the QuickTime exploit (CVE-2010-1799):
qq.exe
MD5: 3e54f1d3d56d3dbbfe6554547a99e97e VT: 16/43

The malware dropped from the Shockwave exploit (CVE-2010-3653):
pdf.exe
MD5: 3a459ff98f070828059e415047e8d58c VT: 0/43

Both ca80564d93fbe6327ba6b094ae3c0445 (scvhost.txt) and 3a459ff98f070828059e415047e8d58c (pdf.exe) perform a DNS lookup for ns.dns3-domain.com, which is a CNAME alias for centralserver.gicp.net, which in turn resolves to 221.218.165.24 (China Unicom, Beijing province network).

The domain name ns.dns3-domain.com has been associated with a variety of malware going back to May 2010. Its parent domain, dns3-domain.com, is registered to zhanglei@netthief.net, the developer of the NetThief RAT.
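As an added example (not code from the original post or from SecDev), here is a small Python matcher that applies the indicators above (the four MD5s, mailexp.org, the ns.dns3-domain.com to centralserver.gicp.net CNAME hop, and the two IPs) to DNS and proxy log lines. The log format, the client addresses and every hostname other than the indicators are constructed for illustration; a hostname is matched if it equals an indicator or is a subdomain of one, and the CNAME hop is listed as its own indicator so a resolver log that only records the second hop still alerts.

```python
"""Match the indicators from the post against constructed DNS/proxy log lines.

Added example; the log format and non-indicator hosts/addresses are invented.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Indicators taken from the post. The CNAME chain
#   ns.dns3-domain.com -> centralserver.gicp.net -> 221.218.165.24
# is modelled as three separate indicators.
IOC_DOMAINS = {"mailexp.org", "ns.dns3-domain.com", "centralserver.gicp.net"}
IOC_IPS = {"74.82.168.10", "221.218.165.24"}
IOC_MD5 = {
    "ca80564d93fbe6327ba6b094ae3c0445": "scvhost.txt (CVE-2010-3962 payload)",
    "0da04df8166e2c492e444e88ab052e9c": "hha.exe (CVE-2010-2884 payload)",
    "3e54f1d3d56d3dbbfe6554547a99e97e": "qq.exe (CVE-2010-1799 payload)",
    "3a459ff98f070828059e415047e8d58c": "pdf.exe (CVE-2010-3653 payload)",
}


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # "domain", "ip" or "md5"
    indicator: str   # the indicator that fired
    raw: str         # the offending log line


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def domain_matches(name: str) -> Optional[str]:
    """Return the IOC domain that `name` equals or is a subdomain of, else None.

    Comparison is case-insensitive and ignores a trailing dot, so
    'CDN.mailexp.org.' matches 'mailexp.org' but 'notmailexp.org' does not.
    """
    if _is_ip(name):
        return None
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


# Hypothetical key=value log formats used by the constructed sample below:
#   <ts> dns   client=<ip> q=<qname> type=<A|CNAME> ans=<answer>
#   <ts> proxy client=<ip> host=<host> dst=<ip> md5=<hash or ->
_KV = re.compile(r"(\w+)=(\S+)")


def scan_lines(lines: List[str]) -> List[Hit]:
    """Return one Hit per (line, indicator) pair found in the log lines."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        fields = dict(_KV.findall(line))
        # hostname-bearing fields: query name, CNAME answer, proxy Host
        for key in ("q", "ans", "host"):
            val = fields.get(key)
            if val:
                matched = domain_matches(val)
                if matched:
                    hits.append(Hit(n, "domain", matched, line))
        # address-bearing fields: A answer, proxy destination
        for key in ("ans", "dst"):
            val = fields.get(key)
            if val and _is_ip(val) and val in IOC_IPS:
                hits.append(Hit(n, "ip", val, line))
        md5 = fields.get("md5", "").lower()
        if md5 in IOC_MD5:
            hits.append(Hit(n, "md5", md5, line))
    return hits


def infected_clients(lines: List[str]) -> Set[str]:
    """Client addresses that produced at least one indicator hit."""
    clients = set()
    for hit in scan_lines(lines):
        client = dict(_KV.findall(hit.raw)).get("client")
        if client:
            clients.add(client)
    return clients


# Constructed sample log (not real traffic): one client touches the exploit
# host, downloads the 0/43 payload and then resolves the C2 CNAME chain.
SAMPLE_LOG = """\
2010-11-10T09:12:01 dns client=10.0.0.5 q=www.example.org type=A ans=203.0.113.10
2010-11-10T09:12:03 proxy client=10.0.0.5 host=MAILEXP.ORG dst=74.82.168.10 md5=-
2010-11-10T09:12:09 proxy client=10.0.0.5 host=cdn.example.net dst=198.51.100.7 md5=3a459ff98f070828059e415047e8d58c
2010-11-10T09:13:40 dns client=10.0.0.5 q=ns.dns3-domain.com type=CNAME ans=centralserver.gicp.net
2010-11-10T09:13:40 dns client=10.0.0.5 q=centralserver.gicp.net type=A ans=221.218.165.24
2010-11-10T09:15:00 dns client=10.0.0.9 q=mail.example.com type=A ans=192.0.2.20
""".splitlines()

if __name__ == "__main__":
    for h in scan_lines(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.kind} {h.indicator}")
    print("clients to triage:", sorted(infected_clients(SAMPLE_LOG)))
```

The hash match is the weakest of the three checks here: pdf.exe scored 0/43 on VirusTotal, so an endpoint AV would not have stopped it, and a hash changes with every rebuild. The DNS and IP indicators survive repacking, which is why the post's pivot from the dropped binaries to ns.dns3-domain.com and its registrant is the more durable detection.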

Malware attacks leveraging human rights issues are not new. I have been documenting them for some time (see, Human Rights and Malware Attacks, Targeted Malware Attack on Foreign Correspondent’s based in China, “0day”: Civil Society and Cyber Security). However, one of the issues that Greg Walton and I raised last year is a trend toward compromising the real web sites of human rights organizations and using them as vehicles to deliver 0day exploits to the visitors of those sites, many of whom may be staff and supporters of the specific organization. Unfortunately, we can expect this to continue.

2 comments:

Ryan said...

I found this article extremely interesting because it is not one bit surprising. It clearly proves the point that hackers will go to any extreme to leverage their underlying argument, and connect to their targeted audience. Human rights is obviously always an issue that many people have a soft spot for, and what would excite someone more than being invited to attend an event with a Nobel Peace Prize winner.

At the end of the day I think this only confirms we have to be on our toes now, more than ever. Whether it be an email from our bank, a friend, or an invitation or intriguing email out of the blue (such as in the blog post), we cannot trust anything. Reilly was able to disguise an email in class as the Registrar in 10 minutes which would have fooled 90% of the class--what if as a prank it was sent out that class was cancelled from that email address, nobody showed up, and as a result all of the grades were impacted; not a very funny joke. It just shows how, by targeting an attack from the right person or right point of view, hackers and criminals can be more and more successful.

Meredith Mangold said...

I agree with Ryan. If the recipients of the invitation mentioned in the post were the kind of people to receive such an invitation, I would be surprised if the majority of them did not open the e-mail. It is the perfect phishing/malware scheme. Unless there was some glaring tell as to the fraudulent and dangerous nature of the invitation, most people would immediately open it.

I also agree that we need to be on our toes more than ever now. However, the problem lies in the fact that most people are not aware of the cyber-dangers out there. As we discussed in class, most of the internet-surfing public is too trusting. Just a few days ago I saw a weird post on a friend's Facebook wall - "haha check this out. she is soo busted - CLICK HERE to see the status update that got a girl expelled from school." Coming from a trusted friend (as this post was I think), most people would click on the link. Only after taking this class do I know not to click on the link. A few days later, I saw the same post on another friend's wall --proof. I fear for the increased success and creativity of hackers in creating these schemes in the future. What will we be able to trust?