
Of Tailored Attacks and Chinese Trojans

January 15, 2010
by Robert Lemos

On June 25, 2009, CYBERsitter CEO Brian Milburn received an e-mail message that appeared to come from his director of sales and marketing.

The e-mail subject announced, “This is the Jinhui Computer Systems Engineering Inc’s report about China’s Green Dam Youth Escort screening software,” and contained a link to a zip file hosted online. Opening the zip file displayed an article from the Chinese state news service, Xinhua.

Yet the sender's e-mail address was not quite right: it was missing a single letter. And the Word document inside the zip file was not merely a news article; it was a Trojan horse.

In the background, the real payload, a malicious program known as a downloader, connected to a compromised Web site and searched the HTML source of a page for comments in which the spies attempting to infiltrate CYBERsitter had left instructions. By editing those comments, the attackers, apparently Chinese, could send encoded commands to the now-compromised PC, instructing it to download additional software and push deeper into the company.

“These were one-offs specifically created for us,” Milburn said in an interview after the attacks. “It was something that was created to get information from our systems.”

This week, Google announced that attacks originating in China surveilled some of its Gmail users and stole intellectual property from the company. While information about the attackers' methods is scarce, the attacks carried out against CYBERsitter and, as announced this week, against its law firm shed some light on how such cyberspies operate.

What’s a little copying between friends?

On June 11, 2009, three University of Michigan researchers published an analysis of the filtering software that China’s government intended to have installed on every computer in the country.

The Chinese government claimed that the software, known as Green Dam Youth Escort, would filter out objectionable Internet content. However, the software also blocks politically sensitive material and has the ability to report any user who attempts to browse blocked sites. In their research, the University of Michigan students and their advisor found two other issues of interest: the software contained security vulnerabilities that could allow an attacker to compromise the scanning engine and take control of the user's PC, and a number of the blacklists included in the program were taken from a U.S.-made program, CYBERsitter.

The next day, Brian Milburn, CEO of CYBERsitter, which does business as Solid Oak Software, told the press that the company was investigating the apparent copying.

“From the stuff (the researchers have) posted, I’m 100 percent certain they’re using our proprietary code,” Milburn told PC Magazine.

Two weeks later, two e-mail messages targeted Milburn and another employee at CYBERsitter. One included the link to a zip file, and the other carried a Microsoft PowerPoint document, which exploited a vulnerability to drop a malicious file, according to an analysis of the two e-mails conducted by Nart Villeneuve, a researcher at University of Toronto’s Citizen Lab, who is best known for his work investigating the GhostNet cyberespionage network.

Comments and commands

In both cases, the installed malicious code attempted to connect to a compromised Web site where the attackers left behind commands to be carried out by the remote spying program. Villeneuve found the base64 encoded instructions in HTML comments (examples include <!-- {/*jgJ-.J} --> and <!-- czozMDA= -->), but the attackers' suspicions were likely raised, as no further code was downloaded.
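The dead-drop channel described in the opening account of the downloader and again here is easy to recognise once you know to look for it. The Python below is an added example written for this page, not code from the article, from Villeneuve's analysis or from the malware itself: it pulls every HTML comment out of a page and tries to decode each one as strict base64, which is how an analyst would triage a suspected command page. The sample page is constructed; only the two comment strings come from the article. Of those, czozMDA= decodes to the bytes s:300, while {/*jgJ-.J} is not valid standard base64 and is reported undecoded.

```python
import base64
import binascii
import re

# Constructed sample page: a "compromised" site whose HTML carries commands in
# comments, modelled on the two comment strings quoted in the article. The
# third comment is an ordinary developer note, included for contrast.
SAMPLE_HTML = """<html><head><title>News</title></head>
<body>
<!-- {/*jgJ-.J} -->
<p>Some unrelated page content.</p>
<!-- czozMDA= -->
<!-- TODO: fix footer layout -->
</body></html>"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Standard base64 alphabet with optional padding; length must be a multiple of 4.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def extract_comments(html):
    """Return the trimmed text of every HTML comment, in page order."""
    return [m.group(1).strip() for m in COMMENT_RE.finditer(html)]


def decode_base64_command(text):
    """Decode text as strict base64; return None if it is not base64."""
    if not B64_RE.match(text) or len(text) % 4 != 0:
        return None
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_dead_drop_commands(html):
    """Classify every comment on the page.

    Comments that decode as base64 are candidate commands; anything else is
    returned undecoded so the analyst can still look at it (the first string
    quoted in the article falls into that bucket).
    """
    results = []
    for comment in extract_comments(html):
        results.append({"comment": comment,
                        "decoded": decode_base64_command(comment)})
    return results


if __name__ == "__main__":
    for entry in find_dead_drop_commands(SAMPLE_HTML):
        print(repr(entry["comment"]), "->", entry["decoded"])
```

Short developer comments made only of letters and digits can also pass the strict check, so treat a decodable comment as a lead to be inspected rather than as proof on its own. The example makes no network connection; the real downloader fetched the page from the compromised site and, as the article notes, the attackers watched who was fetching it.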

The highly targeted nature of the attacks, as well as the attackers' attempts to validate that the Trojan connecting to their server was from the targeted firm, suggests that the spies were a cut above the average cybercriminal, Villeneuve says.

“Unlike a lot of other groups, they are pretty sneaky,” he says. “These guys definitely noticed (what I was doing). They let (the software) connect in many times and then they banned my IP address.”

Several bits of evidence suggest that the attackers were Chinese. CYBERsitter and a second target, against which the same tactics were used, were both of interest to Chinese nationals. (Villeneuve would not reveal anything about the second target.) In addition, the documents created as bait for CYBERsitter employees were both created on the Chinese version of Windows.

“In a contextual way, it seems likely that you can say this is Chinese,” Villeneuve says.

Not everything is Adobe’s fault

Last week, CYBERsitter sued China, two Chinese developers and seven PC makers for allegedly infringing its intellectual property. This week, the software maker's law firm, Gipson Hoffman & Pancione, announced that at least ten different e-mail messages carrying Trojan horse programs had been sent to its attorneys. Each message appeared to come from another attorney at the firm, but the sender addresses contained slight misspellings, as in the earlier attack on CYBERsitter.

The firm’s lawyers were forewarned and likely did not fall prey to the attacks, said Elliot Gipson, a principal attorney at the firm.

“Our attorneys and staff were warned to be suspicious of e-mails that asked you to open attachments,” he says.
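Both waves of e-mail relied on the same trick: a sender address one character away from a real colleague's. A mail gateway or an analyst can catch that mechanically by comparing each incoming sender against the organisation's directory and flagging near misses. The Python below is an added example for this page, not code from CYBERsitter, the law firm or any product they use; the directory entries are hypothetical addresses at example domains, and the distance threshold of 2 is an assumption chosen to catch a dropped, added or swapped character.

```python
# Constructed directory of legitimate senders (hypothetical addresses, not
# real CYBERsitter or law-firm accounts).
KNOWN_SENDERS = {
    "sales.director@example.com",
    "partner@example-law.com",
}


def edit_distance(a, b):
    """Levenshtein distance: minimum insertions, deletions and substitutions
    needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_match(sender, directory=KNOWN_SENDERS, max_distance=2):
    """Return (legitimate_address, distance) when sender is a near miss of a
    known address but not an exact match; return None otherwise.

    An exact match is the genuine colleague (or a compromised account, which
    this check cannot tell apart); an address far from every entry is simply
    a stranger, not an impersonation attempt.
    """
    sender = sender.strip().lower()
    if sender in directory:
        return None
    best = None
    for known in directory:
        d = edit_distance(sender, known)
        if d <= max_distance and (best is None or d < best[1]):
            best = (known, d)
    return best


if __name__ == "__main__":
    # Constructed samples: one genuine sender, two one-letter impostors.
    for addr in ("sales.director@example.com",
                 "sales.directr@example.com",
                 "partner@exanple-law.com"):
        print(addr, "->", lookalike_match(addr))
```

The check is deliberately narrow: it says nothing about display-name spoofing or about mail that really does come from a compromised colleague, and on a large directory the quadratic comparison should be replaced with a prefilter on the domain part. What it does catch is exactly the missing-letter addresses the article describes, before a human has to notice them.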

The files carrying the attacks were in various formats, but none of the attacks used Adobe’s portable document format (PDF) files, a popular vector for attacks. PDF files were initially fingered as the vector used to attack Google and 33 other companies, but at least some of those attacks used a vulnerability in Internet Explorer, and security firm McAfee has stated that none of the attack samples it has analyzed have been PDF files.

On Thursday, Adobe issued its most strongly worded statement to date regarding the attacks’ possible use of PDF files.

“We are continuing our investigation into the incident, but to date, none of the work done by Adobe or any third party has uncovered evidence to indicate that Adobe technology was an attack vector,” the company said.

Feel free to contact me with comments or more information.
