topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Sunday December 15, 2024, 8:17 pm
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: GhostNet - The Facts  (Read 12825 times)

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
GhostNet - The Facts
« on: April 18, 2009, 08:09 PM »
In much the same way as they handled Conficker, the mass media have had a field day spreading sensationalism regarding the so-called "GhostNet". For those of you interested in a more factual report, give this and read and let me know what you think.

GhostNet was discovered by a research outfit called Infowar Monitor (IWM), who represent a joint venture between two Canadian entities, the Secdev Group and the Citizen Lab at the University of Toronto to follow the use of cyberspace as a strategic domain. IWM had been working with the Tibetan government in exile, who suspected that their computer network had been infiltrated.

Over the course of a 10 month long investigation, IWM managed to trace infections across 103 countries. GhostNet seems to mark high-profile political and economic targets (known as whaling or spearphishing, as opposed to standard phishing) for infection, accomplishing their goal via social engineering techniques which they use to convince the victim to open an infected email attachment.

During their investigation of GhostNet, IWM determined that the attackers, and the infection itself originated from Chinese IP addresses geographically located on the island of Hainan. It is perhaps worth mentioning that Hainan is home to the Lingshui signals intelligence facility and the Third Technical Department of the Chinese People’s Liberation Army. IWM also determined one of the servers used to coordinate the infection was stationed at a Chinese Government run facility.

The Remote Access Trojan/Tool (RAT) used in GhostNet is known as gh0st. It is open source software, and can be obtained in full with a quick internet search. A machine infected by gh0st RAT can be controlled and/or viewed in almost any manner by the attacker. gh0st RAT is fitted with remote desktop, webcam and microphone monitoring, and keylogging capabilities. gh0st RAT reports back from the infected machine to what's known as "command and control" servers, which send instructions to, and receive data from the Trojan.

In the specific case of GhostNet, the infection is spread via social engineering, which is a method used by potential attackers to gain the trust of the target such that they are convinced to follow the attackers directions. The attackers monitor email or verbal communication between two parties, one of which is already infected thus making said monitoring possible. The attackers monitor the exchanges until an opportunity presents itself for the attackers to pass themselves off as the infected party. At this point, the attackers craft an email to the uninfected party, posing as the infected party, containing material that appears relevant to the original exchange. Attached to the email is (usually) a PowerPoint presentation which, once opened, infects the previously uninfected party with gh0st.

Despite a substantial lack of evidence to implicate the Chinese government in the operation of GhostNet, some reports have taken the standpoint that they are behind it. It could be argued that, given the press this story has received, and the high profile of the victims, that the Chinese Government is perhaps complicit with the acts of those running GhostNet.It is also possible that they're being fed valuable confidential information retrieved via GhostNet. There have been reports of people held in Chinese custody being shown transcripts of private email conversations by Chinese officials. None of these possibilities have, or can be, confirmed.

Sources:
http://en.wikipedia.org/wiki/GhostNet and source reports
http://www.f-secure....rchives/ghostnet.pdf
http://www.cl.cam.ac...s/UCAM-CL-TR-746.pdf
http://en.wikipedia....wiki/Infowar_Monitor
http://en.wikipedia.org/wiki/Ghost_Rat

Ehtyar.
« Last Edit: April 20, 2009, 10:53 PM by Ehtyar »

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,644
    • View Profile
    • Donate to Member
Re: GhostNet - The Facts
« Reply #1 on: April 18, 2009, 08:25 PM »
Woohoo!!!!

I'm safe!!!!!



I have no social life!!!!!!


Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: GhostNet - The Facts
« Reply #2 on: April 18, 2009, 08:33 PM »
ROFL. By that logic most DC regulars are safe (no offence guys/gals) ;). Still, I'm not sure any of us are quite important enough to be targeted in the first place :P

Ehtyar.

Curt

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 7,566
    • View Profile
    • Donate to Member
Re: GhostNet - The Facts
« Reply #3 on: October 16, 2009, 01:20 PM »
Don't such important people use firewalls, anti-this&that, etcetera?


Hmm.. maybe I really was important then, when I was younger...

Innuendo

  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 2,266
    • View Profile
    • Donate to Member
Re: GhostNet - The Facts
« Reply #4 on: October 16, 2009, 06:14 PM »
Don't such important people use firewalls, anti-this&that, etcetera?

Truly important people have minions to take care of all that stuff for them.


Wish I had a minion....  :(

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: GhostNet - The Facts
« Reply #5 on: October 16, 2009, 06:35 PM »
I am a minion. However, even minions are aware that a firewall gets you just about nowhere against a determined attacker...

Ehtyar.

nite_monkey

  • Member
  • Joined in 2006
  • **
  • Posts: 753
    • View Profile
    • Just Plain Super
    • Read more about this member.
    • Donate to Member
Re: GhostNet - The Facts
« Reply #6 on: October 19, 2009, 10:08 AM »
Yay for us DCers! ...or more to the point yay for people who spend all their social life on forums in general!  ;D
[Insert really cool signature here]

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,885
    • View Profile
    • Donate to Member
Re: GhostNet - The Facts
« Reply #7 on: October 19, 2009, 11:05 AM »
Anyone that would send me a "powerpoint" file, infected or not, deserves to be beat over the head.  :D

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: GhostNet - The Facts
« Reply #8 on: October 19, 2009, 02:30 PM »
You'd rather they sent you a Keynote file april? :P

Ehtyar.

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,885
    • View Profile
    • Donate to Member
Re: GhostNet - The Facts
« Reply #9 on: October 19, 2009, 09:43 PM »
You'd rather they sent you a Keynote file april? :P

Ehtyar.

If you are sending me files, it better be plain text...or we need to talk....and not through email.