NEWS FROM THE LAB - Friday, March 21, 2008

Targeted Malware Attacks Against Pro-Tibet Groups Posted by lab @ 16:24 GMT

There's unrest on the streets of Tibet — clashes between Tibetans and the Chinese military.

Quoting Wikipedia: "Tibet was once an independent kingdom, which later became a part of China. The government of the People's Republic of China and the Government of Tibet in Exile, however, disagree over when Tibet became a part of China, and whether this incorporation into China is legitimate according to international law."

There's also unrest on the net. Groups supporting the freedom of Tibet have been hit with highly targeted and technically advanced attacks.

Quoting an Asia Free Press news report: "AFP received an email Tuesday from someone claiming to be in Denmark, who had attached a file they said were pictures of Tibetans shot by the Chinese army. When AFP tried to open the attachment, a virus warning appeared."

So… what do these attacks look like in practice? Let's take an example.

Here's an e-mail that was mailed to a pro-Tibet mailing list three days ago.

It looked as if it was coming from the Unrepresented Nations and Peoples Organization (UNPO). However, the e-mail headers were forged, and the mail actually originated somewhere else altogether.

Seemingly, the mail issued a statement of solidarity for the people of Tibet:

Fake e-mail

If you open the attached PDF file, you actually get a real PDF document with a relevant statement:

However, this is not a normal PDF document. It contains a modified version of a PDF-Encode vulnerability to exploit Adobe Acrobat when the document is opened.

The exploit silently drops and runs a file called C:\Program Files\Update\winkey.exe. This is a keylogger that collects everything typed on the affected machine and sends it to a server running at xsz.8800.org. 8800.org is a Chinese DNS-bouncer (dynamic DNS) system that, while not rogue by itself, has been used over and over again in various targeted attacks.

The exploit inside the PDF file was crafted to evade detection by most antivirus products at the time it was sent.

Somebody is using pro-Tibet themed e-mails to infect the computers of members of pro-Tibet groups in order to spy on their activities.

And this is not an isolated incident. Far from it.

Groups working for the freedom of Tibet all over the world have been targeted. These e-mails have been sent to mailing lists, private forums and directly to persons working inside pro-Tibet groups. Some individuals have received targeted attacks like this several times a month.

The mails are almost always forged to look as if they were coming from trusted persons or organizations, making it more likely that the recipient will open them.

The filenames of some of the recent malicious attachments alone tell a lot:

   UNPO Statement of Solidarity.pdf
   Daul-Tibet intergroup meeting.doc
   Updates Route of Tibetan Olympics Torch Relay.doc
   Talk points.chm
   China's new move on Tibetans.doc
   Support Team Tibet.doc
   Photos of Tibet.chm
   News ReleaseMassArrest.pdf
   Whole Schedule and Routing for Torch Relay.xls

As you can see, a variety of "trusted" file types are used in these targeted attacks, including DOC, XLS, PPT, PDF and CHM.

The contents of these bait documents have been crafted very well. Below are some examples of what the user sees after being duped into opening one of these files. The content is mostly recycled from real announcements and messages of the pro-Tibet groups.

Updated to add — Links to media coverage:

Washington Post