NEWS FROM THE LAB - Sunday, March 29, 2009

GhostNet Posted by Mikko @ 14:21 GMT

Typical document used in a targeted attack.

The University of Toronto published today a great research paper on targeted attacks.

We've talked about targeted attacks for years. These cases usually go like this:

1. You receive a spoofed e-mail with an attachment
2. The e-mail appears to come from someone you know
3. The contents make sense and talk about real things (and in your language)
4. The attachment is a PDF, DOC, PPT or XLS
5. When you open up the attachment, you get a document on your screen that makes sense
6. But you also get exploited at the same time
7. The exploit drops a hidden remote access trojan, typically a Poison Ivy or Gh0st Rat variant
8. No one else got the e-mail but you
9. You work for a government, a defense contractor or an NGO

gh0st rat

But the real news is that Greg Walton & co actually managed to get an inside view of some of the servers used in these spying attacks. This means they got to see what was being done with the infected machines and where in the world they were.

Click the image above to read John Markoff's article.

The release of the paper was synchronized with the New York Times article. University of Cambridge released a related research paper at the same time as well. The Cambridge paper goes all the way to point the finger directly at the Chinese Government. Most other parties, us included, have not done such direct accusations without concrete proof of government involvement.

For a reason or another, infowar-monitor.net has been down all day. So we've made a mirror of the research papers available here:

GhostNet.doc GhostNet.doc

More resources: Here's a video that we posted earlier about targeted attacks:


And here are selected blog posts on the topic: