JOINT REPORT:

Information Warfare Monitor Shadowserver FoundationApril 6, 2010

SHADOWS IN THE CLOUD:

Investigating Cyber Espionage 2.0

INFOWARMONITOR

JR03-2010

WEB VERSION. Also found here:

http://shadows-in-the-cloud.net

JR03-2010

Shadows in the Cloud

FOREWORD

Foreword

Crime and espionage orm a dark underworld o cyberspace. Whereas crime is usually the rst to seek out newopportunities and methods, espionage usually ollows in its wake, borrowing techniques and tradecrat. The

Shadows in the Cloud

report illustrates the increasingly dangerous ecosystem o crime and espionage and itsembeddedness in the abric o global cyberspace.This ecosystem is the product o numerous actors. Attackers employ complex, adaptive attack techniques thatdemonstrate high-level ingenuity and opportunism. They take advantage o the cracks and ssures that open upin the ast-paced transormations o our technological world. Every new sotware program, social networkingsite, cloud computing, or cheap hosting service that is launched into our everyday digital lives creates anopportunity or this ecosystem to morph, adapt, and exploit.It has also emerged because o poor security practices o users, rom individuals to large organizations. Wetake or granted that the inormation and communications revolution is a relatively new phenomenon, stillvery much in the midst o unceasing epochal change. Public institutions have adopted these new technologiesaster than procedures and rules have been created to deal with the radical transparency and accompanyingvulnerabilities they introduce.Today, data is transerred rom laptops to USB sticks, over wireless networks at caé hot spots, and stored acrosscloud computing services whose servers are located in ar-o political jurisdictions. These new modalities o communicating de-concentrate and disperse the targets o exploitation, multiplying the points o exposureand potential compromise. Paradoxically, documents and data are probably saer in a le cabinet, behind thebureaucrat’s careul watch, than they are on the PC today.The ecosystem o crime and espionage is also emerging because o opportunism on the part o actors. Cyberespionage is the great equalizer. Countries no longer have to spend billions o dollars to build globe-spanningsatellites to pursue high-level intelligence gathering, when they can do so via the web. We have no evidence inthis report o the involvement o the People’s Republic o China (PRC) or any other government in the

Shadow

network. But an important question to be entertained is whether the PRC will take action to shut the

Shadow

network down. Doing so will help to address long-standing concerns that malware ecosystems are activelycultivated, or at the very least tolerated, by governments like the PRC who stand to benet rom their exploitsthough the black and grey markets or inormation and data.Finally, the ecosystem is emerging because o a propitious policy environment — or rather the absence o one — at a global level. Governments around the world are engaged in a rapid race to militarize cyber space,to develop tools and methods to ght and win wars in this domain. This arms race creates an opportunitystructure ripe or crime and espionage to fourish. In the absence o norms, principles and rules o mutualrestraint at a global level, a vacuum exists or subterranean exploits to ll.There is a real risk o a perect storm in cyberspace erupting out o this vacuum that threatens to subvertcyberspace itsel, either through over-reaction, a spiraling arms race, the imposition o heavy-handed controls,or through gradual irrelevance as people disconnect out o ear o insecurity.

JR03-2010

Shadows in the Cloud

FOREWORD

There is, thereore, an urgent need or a global convention on cyberspace that builds robust mechanisms o inormation sharing across borders and institutions, denes appropriate rules o the road or engagement in thecyber domain, puts the onus on states to not tolerate or encourage mischievous networks whose activitiesoperate rom within their jurisdictions, and protects and preserves this valuable global commons.Until such a normative and policy shit occurs, the shadows in the cloud may grow into a dark, threatening storm.

Ron Deibert

Director, the Citizen Lab, Munk School o Global AairsUniversity o Toronto

Rafal Rohozinski

CEO, The SecDev Group (Ottawa)

JR03-2010

Shadows in the Cloud

PART 3: MAPPING THE

SHADOWS IN THE CLOUD

Table 3: Malware Connecting to Yahoo! Mail Accounts

Filenamesetup.exeMD57e2e37c78bc594342e498d6299c19158C2sonamtenphel@yahoo.comC2www.indexindian.comDownloadsites.google.com/site/wwwox99/Home/Filename20090930165916978MD5abe30396688bca7908bbedac3e0dC2zhengwai@yahoo.com

Although the second binary ailed to connect to a web-based command and control server, a memory dumprevealed three additional email adresses (wwwoxperter@yahoo.com, swwwox@yahoo.in and ctliliwoy5@yahoo.com) as well as the well known domain name www.indexindian.com and the URL o another maliciousbinary hosted on sites.google.com/site/wwwox99/.This malware sample connected to a command and control server and downloaded additional components(docBack.gi, nscthttp.gi, top.gi, tor.gi) that allowed it to connect to the Tor anonymity network. The reasonbehind the attackers integration o Tor into their malware remains unclear.

Table 4: Malware with Tor

Filename20091221165850243MD52ca46bcdda08adc94ab41d3ed049ab6C2cxingpeng.byethost9.com

Tor (www.torproject.org) is an anonymity system that deends users rom trac analysis attacks in whichattackers attempt to monitor users’ online behaviour. Tor is used by journalists, human rights advocates, andthose in locations that are subject to Internet censorship. It is also used by law enorcement and many otherswho require anonymity.In 2007, a computer security researcher, Dan Egerstad collected data and email login credentials or a variety o embassies around the world by monitoring the trac exiting rom Tor exit nodes, an anonymous communicationsnetwork. He was able to obtain user names and passwords or a variety o email accounts, and recovered data associ-ated with the Dalai Lama’s oce as well as India’s Deence Research and Development Organization (Zetter 2007a).Tor does not automatically encrypt everything that a user does online. Unless the end-point o a connectionis encrypted, the data passing through an exit node in the Tor network will be in plain text. Since anyone canoperate a Tor exit node, it is possible or a malicious user to intercept the plain text communications passingthrough it. However, Egerstad believes that the entities whose credentials and data he was able to collect were notusing Tor themselves. Rather, he concluded that attackers may have been using the Tor network as a mechanismto exltrate data:

The embassy employees were likely not using Tor nor even knew what Tor was. Instead, we suspected that the trafc he sniffed belonged to someone who had hacked the accounts and was eavesdropping onthem via the Tor network. As the hacked data passed through Egerstad’s Tor exit nodes, he was able to read it as well (Zetter 2007b).

JR03-2010

Shadows in the Cloud

PART 3: MAPPING THE

SHADOWS IN THE CLOUD

Table 5: Enal

Filename20090924152410520MD590b3d0672425081cb7a988691535cb C2www.indexnews.org

On one o the command and control severs, we also discovered that the attackers were using Enal, a wellknown Trojan. The malware connected to www.indexnews.org and requested the ollowing le paths: /cgi-bin/Owpq4.cgi and /httpdocs/mm/[HOSTNAME]_20090610/Cmwhite. We explore the broader connections andsignicance o use o Enal in section 3.3.1 below.

3.3

Command and Control Infrastructure

Figure 3:The Shadow Network’s Command and Control Inrastructure

This Palantir screen capture demonstrates the integration of social networking and blogging platforms (green), domain names (blue) and web servers (red).

JR03-2010

Shadows in the Cloud

PART 3: MAPPING THE

SHADOWS IN THE CLOUD

The attackers’ command and control inrastructure consists o three interrelated components. The rstcomponent consists o intermediaries that simply contain links, which can be updated, to command and controlservers. During our investigation we ound that such intermediaries included Twitter, Google Groups, Blogspot,Baidu Blogs, and blog.com. The attackers also used Yahoo! Mail accounts as a command and control componentin order to send new malicious binaries to compromised computers. On at least one occasion the attackers alsoused Google Pages to host malware. To be clear, the attackers were misusing these systems, not exploiting anyvulnerability in these platorms. In total, we ound three Twitter accounts, ve Yahoo! Mail accounts, twelveGoogle Groups, eight Blogspot blogs, nine Baidu blogs, one Google Sites and sixteen blogs on blog.com that werebeing used as part o the attacker’s inrastructure. The attackers simply created accounts on these services andused them as a mechanism to update compromised computers with new command and control server inorma-tion. Even a vigilant network administrator looking or rogue connections exiting the network may overlooksuch connections as they are routine and generally considered to be sae web sites. The use o social network-ing platorms, blogs and other services oered by trusted companies allows the attackers to maintain controlo compromised computers even i direct connections to the command and control servers are blocked at therewall level. The compromised computers can simply be updated through these unblocked intermediaries topoint to a new, as yet unknown, control server.Such techniques are not new

per se

, and nothing in and o itsel was invented by the

Shadow

attackers that hadnot been done beore (See Box 3). Rather, the attackers are learning rom the experiences o others and adaptingthe techniques to meet their needs. By using these kind o intermediaries and platorms, the attackers are ableto conceal their activities and maintain a resilient command and control inrastructure. In the

Shadow

case, theattackers did not rely on only one social networking, cloud computing or Web 2.0 service, but rather used avariety o such services in combination with one another.

Box 3: Social Network Sites as Control Channels or Malware Networks

The use of social networking sites as elements of command and control for malware networks is not novel. The attackersleverage the normal operation of these systems in order to maintain control over compromised system. In 2009,researchers found that Twitter, Jaiku, Tumblr, Google Groups, Google AppEngine and Facebook had all been used as thecommand and control structure for malware. In August 2009, Arbor Networks’ Jose Nazario found that Twitter was beingused as a command and control component for a malware network. In this case, the malware was an

information stealer

focused on extracting banking credentials from compromised computers located mostly in Brazil. Twitter was not the onlychannel being used by the attackers. They also used accounts on Jaiku and Tumblr (Nazario 2009a). Furthermore, ArborNetworks found another instance of malware that used the Google AppEngine to deliver malicious URLs to compromisedcomputers (Nazario 2009b). The

Unmask Parasites

blog found that obfuscated scripts embedded in compromised websites used the Twitter API to obscure their activities. While the method was clever, the code was unreliable and appearedto have been abandoned by the attackers (Unmask Parasites 2009). Symantec found that Google Groups were beingused as command and control for another instance of malware. In this case, a private Google group was used by theattackers to send commands to compromised computers which then uploaded their responses to the same Group(Symantec 2009a) Symantec also found an instance of malware that used Facebook status messages as a mechanismof command and control. (Symantec 2009b). The use of these social networking and Web 2.0 tools allows the attackersto leverage the normal operation of these tools to obscure the command and control functions of malware.

One platorm leveraged by the attackers in particularly interesting ways was the webmail service provided byYahoo!. We discovered ve Yahoo! Mail accounts being used by the attackers as a component o command andcontrol. Once a computer was compromised, the malware connected to the Yahoo! Mail accounts using Yahoo’sAPI and created a unique older in the Inbox o the mail account, into which an email was inserted containingthe computer’s name, operating system and IP address. The attacker would then send an email to the accountcontaining a command or a command along with additional malware as an attachment. The next time that a

SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0

Download this Document for Free Print Mobile Collections Report Document

This is a private document.

Info and Rating

Reads:

124,801

Uploaded:

04/05/2010

Category:

Research>Internet & Technology

Rated:

(8 Ratings)

Attribution Non-commercial No-derivs

Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other co... (More)