NEWS FROM THE LAB - Monday, March 30, 2009

Behind GhostNet Posted by Mikko @ 15:32 GMT

The GhostNet spy network was built by infecting sensitive computers with backdoor/Remote Administration Tools (RAT). Most of these are modified and obfuscated versions of Poison Ivy (description) or Gh0st RAT.

These tools are open source backdoors, maintained by loose gangs of hackers.

And these gangs operate openly.

Here's the website for Poison Ivy:

Poison Ivy

With a nice collection of screenshots:

Poison Ivy

And the gang behind Gh0st RAT is known as C.Rufus aka Wolfexp:

C.Rufus Wolfexp

Some quotes from the above page:

  •  "Our desire for success is like wolf's desire for blood..."
  •  "We work together against the enemy like a pack of wolves…"

The Wolfexp website also features a demo video on how to use Gh0st RAT to take over computers:

C.Rufus Wolfexp

Amazingly, the video ends by showing 10 live webcam sessions, snooping on unsuspecting victims without their knowledge.

C.Rufus Wolfexp

On a related note, see this CNN video with interviews of the Chinese underground from 2008. Some of the hackers claim that they were paid by the Chinese government.