Austria Media Reports on Internet Attacks, Cites Falun Gong

Targeted attacks with Trojans through e-mail are an important method to spy on political rivals and commercial competitors. The O1-Magazine “Matrix” demonstrated on Sunday, citing Falun Gong as an example, how such attacks take place and how one can protect oneself against them.

Maarten Van Horenbeeck is a security consultant with a large IT-firm information technology. He was especially interested in the residual risk that leaves a footprint, although the network has the optimum protection against such attackers. Included in the aforementioned are attacks that only have a specific target. The attacker can employ tools that have never been used before and therefore are not publicly known.

The attackers can employ newly found vulnerabilities, the so-called malware “zero-day exploit”. These malwares take advantage of security vulnerability the same day it is developed. It could also be no more than homegrown viruses or Trojans. There is no virus protection against such malware, as they had not been seen before. Such intrusive computer software is barely recognised or not discovered by anti-virus software.

Van Horenbeeck mulled over it and wondered if victims of such attacks would be willing to share information about such attacks with him. It didn’t take him long to meet members of the spiritual practice Falun Gong, which is persecuted in China. It didn’t take Van Horenbeeck very long, once he scrutinised e-mails with malware attachments given to him by Falun Gong adherents, to make inroads in his research.
He could trace back such attacks to 2003 and they have not yet stopped coming in. The malware software opened a back door on the computers owned by Falun Gong members, connected them with another attacked computer, for example in Taiwan or the USA and retransmitted data.

Changing the Tactic after Warnings

Even, after the Falun Gong activists realised that something was clearly wrong and posted an appropriate warning on their Websites, the attacker continued to be successful. Van Horenbeeck discovered that such announcements coincided with modifications of the attack tactics.

The attackers attacked WinRar, PowerPiont and Excel, after warnings were posted not to use Word documents in the future. The researcher is certain that the attackers watch carefully their targets and read the pertinent warnings on the Falun Gong Website.

The Modus Operandi was changed frequently and everything was done to fool the victims. The host-names of the computers used in such attacks were similar to the ones used by Falun Gong. E-mails came from known senders and included credible information.

Analysis of the Attackers Computer Environment

As soon as Van Horenbeeck was provided with newly received materials, the minute it was received by the intended victim, he began to analyse the network of the attack computers.

The researcher found it interesting that some computers were used over time again and again. The most persistent systems appeared to be associates with the “Parking-IPS” [control equipment from International Parking Systems, Ltd., based in Auckland, New Zealand.] These are being used as a simple ruse to link the Trojan net.

Successful installed spy ware reports back to the attackers and searches for a specific domain name. If this one points to a specific IP address, namely the Parking-IP, the Trojan stops its destructive or intrusive activities. The attackers are able to turn on and off their little spies by redirecting the IP-address from their domain.

These Parking-Ips is a useful tool to identify victims vulnerable to such attacks. Once the victims are identified, the log of some compromised firms and organisations can then be searched for information on the respective victim. A clear indication for an attack is once the necessary information has been found.

Collective Defence

Van Horenbeeck discovered that most of the time the attacker uses the security vulnerability he/she discovered in the anti-virus software that was not known at the time of the attack. Against such attacks, even the optimal secured network is vulnerable. Therefore, an element of risk remains against specific targeted attacks, as one is unable to protect against such vulnerabilities.

Van Horenbeeck advocated that vulnerable firms and organisations join forces and share information. He finds that Europe has to catch up concerning such cooperation. In the USA, the ISAC Council [Information Sharing and Analysis Centers Council] has operated for quite some time. It is an information sharing and analytical centre where different business concerns share information about such attacks.

http://futurezone.orf.at/it/stories/255642/

Previously published in German at: http://de.clearharmony.net/articles/200802/41826.html