Topic: GhostNet - The Facts
Ehtyar
« on: April 18, 2009, 08:09:51 PM »

In much the same way as they handled Conficker, the mass media have had a field day spreading sensationalism regarding the so-called "GhostNet". For those of you interested in a more factual report, give this a read and let me know what you think.

GhostNet was discovered by a research outfit called Infowar Monitor (IWM), who represent a joint venture between two Canadian entities, the Secdev Group and the Citizen Lab at the University of Toronto, to follow the use of cyberspace as a strategic domain. IWM had been working with the Tibetan government in exile, who suspected that their computer network had been infiltrated.

Over the course of a 10-month-long investigation, IWM managed to trace infections across 103 countries. GhostNet seems to mark high-profile political and economic targets (known as whaling or spearphishing, as opposed to standard phishing) for infection, accomplishing their goal via social engineering techniques which they use to convince the victim to open an infected email attachment.

During their investigation of GhostNet, IWM determined that the attackers, and the infection itself, originated from Chinese IP addresses geographically located on the island of Hainan. It is perhaps worth mentioning that Hainan is home to the Lingshui signals intelligence facility and the Third Technical Department of the Chinese People’s Liberation Army. IWM also determined one of the servers used to coordinate the infection was stationed at a Chinese Government run facility.

The Remote Access Trojan/Tool (RAT) used in GhostNet is known as gh0st. It is open source software, and can be obtained in full with a quick internet search. A machine infected by gh0st RAT can be controlled and/or viewed in almost any manner by the attacker. gh0st RAT is fitted with remote desktop, webcam and microphone monitoring, and keylogging capabilities. gh0st RAT reports back from the infected machine to what are known as "command and control" servers, which send instructions to, and receive data from, the Trojan.

In the specific case of GhostNet, the infection is spread via social engineering, which is a method used by potential attackers to gain the trust of the target such that they are convinced to follow the attackers' directions. The attackers monitor email or verbal communication between two parties, one of which is already infected, thus making said monitoring possible. The attackers monitor the exchanges until an opportunity presents itself for the attackers to pass themselves off as the infected party. At this point, the attackers craft an email to the uninfected party, posing as the infected party, containing material that appears relevant to the original exchange. Attached to the email is (usually) a PowerPoint presentation which, once opened, infects the previously uninfected party with gh0st.

Despite a substantial lack of evidence to implicate the Chinese government in the operation of GhostNet, some reports have taken the standpoint that they are behind it. It could be argued, given the press this story has received, and the high profile of the victims, that the Chinese Government is perhaps complicit with the acts of those running GhostNet. It is also possible that they're being fed valuable confidential information retrieved via GhostNet. There have been reports of people held in Chinese custody being shown transcripts of private email conversations by Chinese officials. None of these possibilities have been, or can be, confirmed.

Sources:
http://en.wikipedia.org/wiki/GhostNet and source reports
http://www.f-secure.com/w...log/archives/ghostnet.pdf
http://www.cl.cam.ac.uk/t...eports/UCAM-CL-TR-746.pdf
http://en.wikipedia.org/wiki/Infowar_Monitor
http://en.wikipedia.org/wiki/Ghost_Rat

Ehtyar.
« Last Edit: April 20, 2009, 10:53:03 PM by Ehtyar »
4wd
« Reply #1 on: April 18, 2009, 08:25:46 PM »

Woohoo!!!!

I'm safe!!!!!



I have no social life!!!!!!


Four wheel drive: Helping you get stuck faster, harder, further from help...........and it's no different on this forum Evil
Ehtyar
« Reply #2 on: April 18, 2009, 08:33:39 PM »

ROFL. By that logic most DC regulars are safe (no offence guys/gals) Wink. Still, I'm not sure any of us are quite important enough to be targeted in the first place tongue

Ehtyar.
Curt
« Reply #3 on: October 16, 2009, 01:20:56 PM »

Don't such important people use firewalls, anti-this&that, etcetera?


Hmm.. maybe I really was important then, when I was younger...
Innuendo
« Reply #4 on: October 16, 2009, 06:14:16 PM »

Quote from Curt: "Don't such important people use firewalls, anti-this&that, etcetera?"

Truly important people have minions to take care of all that stuff for them.


Wish I had a minion....  Sad
Ehtyar
« Reply #5 on: October 16, 2009, 06:35:22 PM »

I am a minion. However, even minions are aware that a firewall gets you just about nowhere against a determined attacker...

Ehtyar.
nite_monkey
« Reply #6 on: October 19, 2009, 10:08:57 AM »

Yay for us DCers! ...or more to the point yay for people who spend all their social life on forums in general!  Grin

[Insert really cool signature here]
app103
« Reply #7 on: October 19, 2009, 11:05:25 AM »

Anyone that would send me a "powerpoint" file, infected or not, deserves to be beat over the head.  cheesy

Ehtyar
« Reply #8 on: October 19, 2009, 02:30:13 PM »

You'd rather they sent you a Keynote file april? tongue

Ehtyar.
app103
« Reply #9 on: October 19, 2009, 09:43:05 PM »

Quote from Ehtyar: "You'd rather they sent you a Keynote file april? tongue"

If you are sending me files, it better be plain text...or we need to talk....and not through email.