To begin, Information Warfare Monitor (IWM) is a well-regarded research team consisting of the SecDev Group and the Citizen Lab, Munk Center for International Studies, University of Toronto. The following skill set will explain why the Tibetan government asked the IWM for help:

Operational Case Studies: Consisting of active operational research employing a cross-disciplinary fusion of intelligence gathered at the field level with advanced network monitoring/visualization techniques.
Analytical products: Generate case study data that illustrate the strategic significance of cyberspace and highlight the opportunities, challenges, and threats implicit to a militarization of cyberspace, including effects generated by third-party actors.
From the beginning

This compelling story about the Dalai Lama and the Tibetan Government in Exile started almost a year ago. That’s when office workers began to complain about misbehaving computers. To us IT types that may seem like business as usual, yet it was the first clue of something being drastically wrong.

After some initial troubleshooting by the Tibetan IT personnel, the IWM group was called into help. It didn’t take analysts from IWM long to determine that several computers were indeed victims of a Trojan program called Gh0st RAT. For those interested, it’s an offspring of the famous Poison Ivy trojan.

Infection via e-mail

The next step was to figure out how the computers were being compromised. IWM researchers eventually determined that opening an attached document (containing malware) was the catalyst for becoming infected. I couldn’t find any mention as to what dropper program was used. Moot point I guess, as the goal was to successfully get Gh0st RAT on the intended computer. The research paper did mention:

“Only 11 of the 34 anti-virus programs provided by Virus Total recognized the malware embedded in the document. Attackers often use executable packers to obfuscate their malicious code in order to avoid detection by anti-virus software.”

Even so, malicious attachments are a well-known attack vector and that method shouldn’t have worked, right? Maybe, except these attackers were very creative, using appropriate e-mail addresses and realistically-named attachments like “Translation of Freedom Movement ID Book for Tibetans in Exile.doc”. Honestly, the following example looks official to me:

Even sneakier

Misleading the office workers became easier for the attackers once several computers were infected, simply because the attackers then have authentic documentation and contact information:

“Once compromised, files located on infected computers may be mined for contact information, and used to spread malware through e-mail and document attachments that appear to come from legitimate sources, and contain legitimate documents and messages.”

Something I didn’t think about was the coincidental spreading of Gh0st RAT. Since the attachments looked real and Gh0st RAT typically doesn’t affect normal computer operations, workers may have inadvertently sent the malicious attachments to others, hastening the trojan’s propagation:

“It is therefore possible that the large percentage of high value targets identified in our analysis of the GhostNet are coincidental, spread by contact between individuals who previously communicated through e-mail.”

I’m not sure how you combat social-engineering; it’s been around a long time and appears here to stay.

Sadly enough, that wasn’t the Tibetan system administrator’s only problem. They had the exploitable operating system vulnerabilities (we all know and love) to deal with. The report didn’t offer any more detail, so I’m not sure whether the attackers used zero-day exploits or if the computers weren’t fully updated.

What’s Gh0st RAT capable of?

Ghost RAT (Poison Ivy) is considered a Remote Administration Tool (RAT), basically a remote access program like VNC. Allowing the attacker almost complete control over the victim computer. Poison Ivy/Gh0st RAT is capable of the following:

  • Files can be manipulated completely and the attacker can upload/download files to and from the system.
  • The registry can be viewed and edited.
  • Active services can be viewed, suspended, or shut off.
  • Enabled network connections can be determined and shut disabled.
  • Installed devices can be viewed and some devices can be disabled
  • Installed applications can be viewed and entries can be deleted or programs uninstalled.

Being recently updated, Gh0st RAT has a few additional features that make it an effective spy tool:

  • Screenshots of the desktop can be taken,
  • Web cams, microphones, and audio/visual recording programs can be enabled to act as surveillance devices.
  • Passwords and password hashes are saved.
  • Key loggers can be used in conjunction with other devices to steal information.

All and all, it appears to be an efficient remote admin tool. If you aren’t convinced, check out Symantec’s detailed video that explains Gh0st RAT’s capabilities.

Many Gh0st RATs equal GhostNet

I consider the discovery of the GhostNet to be exemplary detective and forensic work. Initially the IWM team didn’t know what to expect as they worked their way from individual computers infected with Gh0st RAT back to the GhostNet control servers:

“During this process we were able to find and access web-based administration interfaces on the control server identified from the OHHDL data. These servers contain links to other control servers as well as command servers, and so therefore we were able to enumerate additional command and control servers.”

Once they had penetrated the control servers they began to get an idea as to how many computers were members of the GhostNet:

“In total, we found 1,295 infected computers located in 103 countries. We found that we were able to confidently-on a scale of low, medium, high-identify 397 of the 1,295 infected computers (26.7%), and labeled each one as a high-value target. We did so because they were either significant to the relationship between China and Tibet, Taiwan or India, or were identified as computers at foreign embassies, diplomatic missions, government ministries, or international organizations.”

Further insight

I’d recommend listening to Jesse Brown’s ( podcast titled, “Exposing the world’s biggest cyberspy ring“, as he interviews members of the IWM team who were directly involved with the project. I’d also like to recommend the IWM’s official report, “Tracking GhostNet: Investigating a Cyber Espionage Network“; I consider it to be an exceptional document, offering proof as well as a definitive explanation of the entire investigative process. It’s the report that I’ve quoted numerous times in this article.

Final thoughts

It sounds like the Internet is slowly becoming a war zone. How prevalent is this type of electronic espionage? Who’s involved, or is it easier to say who isn’t involved? Depressing isn’t it. Odd as it sounds, I remain hopeful because of organizations like IWM. Their hard work is making the Internet a safer place.

TechRepublic’s IT Security e-mail newsletter (delivered every Tuesday) is a great way to keep on top of security issues related to Information Technology. Please make sure to sign up.