Wednesday, March 26, 2008

Scary attacks

I'd never want to be targeted by people who are well-funded, highly skilled and motivated like this:
Groups supporting freedom of Tibet have been attacked with highly targeted and technically advanced attacks.

Quoting an Asia Free Press news report: "AFP received an email Tuesday from someone claiming to be in Denmark, who had attached a file they said were pictures of Tibetans shot by the Chinese army. When AFP tried to open the attachment, a virus warning appeared."

So... what do these attacks look like in practice? Let's take an example. Here's an email that was mailed to a pro-Tibet mailing list three days ago. It looked like it was coming from the Unrepresented Nations and Peoples Organization (UNPO). However, the email headers were forged and the mail was coming from somewhere else altogether.
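The header forgery described above can be triaged mechanically: the From: header is whatever the sender types, but the earliest Received: header is written by the receiving relay and records the host it actually saw. The following is an added example, not code from the original post; the message, domains and addresses are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not the real message; all domains are placeholders):
# From: claims an advocacy organisation, but the earliest Received: hop
# shows the mail entering the list server from a host with no reverse DNS.
SAMPLE_FORGED = """\
Received: from mx.list.example (mx.list.example [192.0.2.10])
\tby mail.recipient.example with ESMTP; Sun, 23 Mar 2008 10:02:11 +0000
Received: from unknown (HELO mail.unpo-placeholder.example) (198.51.100.77)
\tby mx.list.example with SMTP; Sun, 23 Mar 2008 10:01:58 +0000
From: "UNPO Secretariat" <info@unpo-placeholder.example>
Subject: Photos from the protests
"""

# "from <helo> (<comment>)" prefix that every relay prepends to Received:.
_FROM_CLAUSE = re.compile(r"^from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?", re.I)

def sender_domain(msg):
    """Domain of the From: address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def first_hop_rdns(msg):
    """Relay-verified reverse DNS name of the first hop (the LAST
    Received: header, since each relay prepends its own), or None."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = _FROM_CLAUSE.match(" ".join(received[-1].split()))  # unfold header
    if not m or not m.group("comment"):
        return None
    first = m.group("comment").split()[0]
    # "HELO x" or a bare "[ip]" means the relay could not resolve the peer.
    if first.upper() == "HELO" or first.startswith("["):
        return None
    return first.lower()

def header_consistency(raw):
    """Triage heuristic: does the verified first-hop name belong to the From:
    domain? Legitimate third-party senders fail this too: a lead, not proof."""
    msg = message_from_string(raw)
    domain, rdns = sender_domain(msg), first_hop_rdns(msg)
    if domain and rdns and (rdns == domain or rdns.endswith("." + domain)):
        return "corroborated"
    return "uncorroborated"
```

Run it over a mailbox export and sort the "uncorroborated" messages that carry attachments to the top of the analysis queue.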

The attachment, however, is not a normal PDF document. It contains a modified version of a PDF-Encode vulnerability that exploits Adobe Acrobat when the document is opened.

The exploit silently drops and runs a file called C:\Program Files\Update\winkey.exe. This is a keylogger that collects everything typed on the affected machine and sends it to a server running at [address not preserved on this page]. That address belongs to a Chinese DNS-bouncer system that, while not rogue by itself, has been used over and over again in various targeted attacks.

The exploit inside the PDF file was crafted to evade detection by most antivirus products at the time it was sent.
