<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Warfare Monitor &#187; Featured</title>
	<atom:link href="http://www.infowar-monitor.net/category/featured/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infowar-monitor.net</link>
	<description>Tracking Cyberpower</description>
	<lastBuildDate>Thu, 01 Dec 2011 16:11:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Koobface: Inside a Crimeware Network</title>
		<link>http://www.infowar-monitor.net/2010/11/koobface/</link>
		<comments>http://www.infowar-monitor.net/2010/11/koobface/#comments</comments>
		<pubDate>Fri, 12 Nov 2010 18:32:17 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Featured]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=6594</guid>
		<description><![CDATA[The Information Warfare Monitor (Citizen Lab, Munk School of Global Affairs, University of Toronto and The SecDev Group, Ottawa) announce the release of Koobface: Inside a Crimeware Network by Nart Villeneuve, with a foreword by Ron Deibert and Rafal Rohozinski. This report documents the inner workings of Koobface—a botnet that spreads by compromising the computers [...]]]></description>
			<content:encoded><![CDATA[<p>The Information Warfare Monitor (<a href="http://www.citizenlab.org">Citizen Lab</a>, <a href="http://www.munkschool.utoronto.ca/">Munk School of Global Affairs</a>, <a href="http://www.utoronto.ca">University of Toronto</a> and <a href="http://cyber.secdev.ca">The SecDev Group</a>, Ottawa) announce the release of <i>Koobface: Inside a Crimeware Network</i> by <a href="http://www.nartv.org">Nart Villeneuve</a>, with a foreword by Ron Deibert and Rafal Rohozinski. </p>
<p>This report documents the inner workings of Koobface—a botnet that spreads by compromising the computers of users of social networking platforms and placing them under the control of the botnet&#8217;s operators for the purpose of monetization. </p>
<p>The full report can be accessed <a href="http://www.infowar-monitor.net/reports/iwm-koobface.pdf">here</a>.</p>
<p>The Globe and Mail coverage of the report can be accessed <a href="http://www.theglobeandmail.com/news/national/time-to-lead/internet/">here</a>.</p>
<p>For press inquiries, please e-mail: <a href="mailto:info@infowar-monitor.net">info@infowar-monitor.net</a>.</p>
<p><strong>Overview</strong></p>
<p>Between April and November 2010, the Information Warfare Monitor conducted an investigation into the operations and monetization strategies of the Koobface botnet. The researchers discovered archived copies of Koobface’s infrastructure on a well-known Koobface command and control server. The data revealed a wealth of information about the inner workings of the botnet, including information on the malware, code, and database used to maintain the botnet as well as its monetization strategies. With this data, the Information Warfare Monitor was able to gain an in-depth understanding of how Koobface worked. </p>
<p><i>Koobface: Inside a Crimeware Network</i> details Koobface’s propagation strategies, counter-security measures, and business model. The report contributes to the cybercrime literature by shedding light on the malware ecosystem that enables and sustains cybercriminal activity, and by demonstrating that it is possible to leverage the mistakes made by cybercriminals in order to better understand the scope of their operations.   </p>
<p><strong>Main Findings:</strong></p>
<p>•	Koobface relies on a network of compromised servers that are used to relay connections from compromised computers to the Koobface command and control server. This creates a complex and tiered command and control infrastructure. </p>
<p>•	Koobface maintains a system that uses social networking platforms, such as Facebook, to send malicious links. Social networking platforms allow Koobface to exploit the trust that humans have in one another in order to trick users into installing malware and engaging in click fraud. </p>
<p>•	Koobface exists within a crime-friendly malware ecosystem that consists of buyers and sellers of the tools and infrastructure required to maintain a botnet. Koobface operators rely on relationships with other botnet operators and cybercriminals to sustain their operations.</p>
<p>•	The operators of Koobface have been able to successfully monetize their operations. Through the use of pay-per-click and pay-per-install affiliate programs and forcing compromised computers to install malicious software and engage in click fraud, the Koobface operators earned over US$2 million between June 2009 and June 2010. </p>
<p>•	The operators of Koobface are employing technical countermeasures to ensure that the operations of the botnet remain undisrupted. The operators regularly monitor their malicious links to ensure that they have not been flagged as malicious. </p>
<p>•	Botnet operators benefit from the fact that their criminal acts spread across multiple jurisdictions. Issues of overlapping jurisdictions and international politics often complicate investigations and hinder law enforcement and takedown efforts. Furthermore, cross-border investigations are at times hampered by a lack of priority and willingness to respond. This is because criminal activity in any one jurisdiction appears minimal while in fact the sum of Koobface’s criminal activities is significant.</p>
<p><strong>About the Information Warfare Monitor</strong></p>
<p>The <a href="http://www.infowar-monitor.net/about">Information Warfare Monitor</a> is a public-private venture between two Canadian institutions: the Citizen Lab at the Munk School of Global Affairs, University of Toronto and the SecDev Group, an operational think tank based in Ottawa (Canada). The Information Warfare Monitor is an advanced research activity tracking the emergence of cyberspace as a strategic domain. We are an independent research effort. Our mission is to build and broaden the evidence base available to scholars, policy makers, and others. We aim to educate and inform. The research of the Citizen Lab and the Information Warfare Monitor is supported by the Canada Centre for Global Security Studies (University of Toronto), a generous grant from the John D. and Catherine T. MacArthur Foundation, in-kind and staff contributions from the SecDev Group, and a generous donation of software from Palantir Technologies Inc.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/11/koobface/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Information Warfare Monitor (Citizen Lab and SecDev Group) Announces RIM Monitoring Project</title>
		<link>http://www.infowar-monitor.net/2010/10/information-warfare-monitor-citizen-lab-and-secdev-group-announces-rim-monitoring-project/</link>
		<comments>http://www.infowar-monitor.net/2010/10/information-warfare-monitor-citizen-lab-and-secdev-group-announces-rim-monitoring-project/#comments</comments>
		<pubDate>Thu, 21 Oct 2010 17:58:25 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Featured]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=6504</guid>
		<description><![CDATA[For Immediate Release October 21, 2010 Information Warfare Monitor (Citizen Lab and SecDev Group) Announces RIM Monitoring Project Recently a number of governments have threatened to ban Research in Motion&#8217;s BlackBerry services if the company does not make encrypted BlackBerry data and other content available to state authorities. A major concern of these regimes is [...]]]></description>
			<content:encoded><![CDATA[<p><strong>For Immediate Release</strong></p>
<p><strong>October 21, 2010</strong></p>
<p><strong><span style="font-size: medium;">Information Warfare Monitor (Citizen Lab and SecDev Group) Announces RIM Monitoring Project</span></strong></p>
<p>Recently a number of governments have threatened to ban Research in Motion&#8217;s BlackBerry services if the company does not make encrypted BlackBerry data and other content available to <a href="http://www.guardian.co.uk/business/2010/aug/02/blackberry-ban-uae-gulf-states">state authorities</a>. A major concern of these regimes is that BlackBerry data can be encrypted and routed through servers located outside of their jurisdictions. Unconfirmed reports have circulated that RIM has made data sharing agreements with India, Saudi Arabia, and the <a href="http://www.tra.ae/news_Important_Announcement-199-1.php">United Arab Emirates</a>. Other countries are also requesting that the company locate data centres within their <a href="http://www.theglobeandmail.com/globe-investor/rim-dispute-centres-on-access-to-corporate-information/article1664020/">jurisdictions</a>.</p>
<p>The <a href="https://rimcheck.org/">RIM Check</a> (<a href="https://rimcheck.org">https://rimcheck.org/</a>) Web site is a research project designed to gather information on how traffic exits the BlackBerry network depending on the country in which the user is located. The findings from this project will be published and made publicly available.</p>
<p>The project is being conducted by the <a href="http://www.infowar-monitor.net/">Information Warfare Monitor</a> and the Web site is maintained by the <a href="http://citizenlab.org/">Citizen Lab</a> at the <a href="http://www.munkschool.utoronto.ca/">Munk School of Global Affairs</a>, <a href="http://www.utoronto.ca/">University of Toronto</a>.</p>
<p>The <a href="https://rimcheck.org/">RIM Check</a> project is inspired by a broad need to monitor the activities of private sector actors that own and operate cyberspace, particularly as they come under increasing pressure to cooperate with governments on national surveillance and censorship laws, policies, and requests.  Decisions taken by private sector actors, often at the behest of governments seeking access to their data or assistance blocking Web sites, can have major consequences for human rights.  These decisions can lack transparency and public accountability.  This project is meant to address that lack of transparency.</p>
<p>The project is exploratory in nature and meant to test hypotheses. Researchers of the Information Warfare Monitor project will analyze the data collected from the Web site over an extended period of time. Other methods are in development to supplement data collected through the <a href="https://rimcheck.org/">RIM Check Web site</a>. Field research and policy analysis will also be employed to complement the technical collection activities. The Information Warfare Monitor will also be analyzing for evidence of content filtering on BlackBerry devices.</p>
<p><strong>For further reading see:</strong></p>
<p>Ron Deibert, <a href="http://www.theglobeandmail.com/news/opinions/cyberspace-confidential/article1665125/page2/">Cyberspace Confidential, August 6 2010, Globe and Mail</a></p>
<p>Danny O&#8217;Brien, <a href="http://cpj.org/blog/2010/08/why-governments-dont-need-to-crack-the-blackberry.php">Why governments don&#8217;t need RIM to crack the BlackBerry, August 3, 2010, Committee to Protect Journalists</a></p>
<p><a href="http://blogs.thenational.ae/beep_beep/2010/08/full-rim-customer-statement-on-blackberry-security-issues.html">Full RIM customer statement on BlackBerry security issues</a></p>
<p><strong>About the Information Warfare Monitor</strong></p>
<p>The <a href="http://www.infowar-monitor.net/about/">Information Warfare Monitor</a> is a public-private venture between two Canadian institutions: the Citizen Lab at the Munk School of Global Affairs, University of Toronto and The SecDev Group, an operational think tank based in Ottawa (Canada). The Information Warfare Monitor is an advanced research activity tracking the emergence of cyberspace as a strategic domain. We are an independent research effort. Our mission is to build and broaden the evidence base available to scholars, policy makers, and others. We aim to educate and inform.</p>
<p>Inquiries: <a href="mailto:r.deibert@utoronto.ca">r.deibert@utoronto.ca</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/10/information-warfare-monitor-citizen-lab-and-secdev-group-announces-rim-monitoring-project/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Shadows in the Cloud: An investigation into cyber espionage 2.0</title>
		<link>http://www.infowar-monitor.net/2010/04/shadows-in-the-cloud-an-investigation-into-cyber-espionage-2-0/</link>
		<comments>http://www.infowar-monitor.net/2010/04/shadows-in-the-cloud-an-investigation-into-cyber-espionage-2-0/#comments</comments>
		<pubDate>Tue, 06 Apr 2010 02:50:13 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Citizen Lab]]></category>
		<category><![CDATA[Cyber Security]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/2010/04/shadows-in-the-cloud-an-investigation-into-cyber-espionage-2-0/</guid>
		<description><![CDATA[The Information Warfare Monitor (Citizen Lab, Munk School of Global Affairs, University of Toronto and the SecDev Group, Ottawa) and the Shadowserver Foundation announce the release of Shadows in the Cloud: An investigation into cyber espionage 2.0. FULL REPORT. The report documents a complex ecosystem of cyber espionage that systematically targeted and compromised computer systems [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.infowar-monitor.net/2010/04/shadows-in-the-cloud-an-investigation-into-cyber-espionage-2-0/shadows-2/" rel="attachment wp-att-6115"><img src="http://www.infowar-monitor.net/wp-content/uploads/2010/06/shadows.png" alt="" title="shadows" width="630" height="170" class="aligncenter size-full wp-image-6115" /></a></p>
<p>The <a href="http://infowar-monitor.net/">Information Warfare Monitor</a> (<a href="http://www.citizenlab.org/">Citizen Lab</a>, Munk School of Global Affairs, University of Toronto and the <a href="http://cyber.secdev.ca/">SecDev Group</a>, Ottawa) and the <a href="http://shadowserver.org/">Shadowserver Foundation</a> announce the release of <em>Shadows in the Cloud: An investigation into cyber espionage 2.0.</em> <a href="http://shadows-in-the-cloud.net/">FULL REPORT</a>.</p>
<p>The report documents a complex ecosystem of cyber espionage that systematically targeted and compromised computer systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries.</p>
<p>The full report can be accessed <a href="http://shadows-in-the-cloud.net/">here</a>.</p>
<p>A New York Times story by John Markoff on the report can be accessed <a href="http://www.nytimes.com/2010/04/06/science/06cyber.html">here</a>.</p>
<p>Members of the research team are holding a news conference at 11 a.m. on Tuesday, April 6, to discuss their latest findings and to answer questions from the media. The news conference will also be webcast live from: <a href="http://hosting.epresence.tv/MUNK/1/live/148.aspx">here</a>.</p>
<p>The investigation recovered a large quantity of stolen documents – including sensitive and classified materials – belonging to government, business, academic, and other computer network systems and other politically sensitive targets. These include documents from agencies of the Indian national security establishment, and the Offices of the Dalai Lama. The stolen data included information voluntarily provided to Indian embassies and consulates by third-party nationals, including Canadian visa applications, as well as those belonging to citizens of other countries. Additionally, sensitive personal, financial, and business information belonging to Indian officials was systematically harvested and exfiltrated by the attackers.</p>
<p>The report analyzes the malware ecosystem employed by the <em>Shadows&#8217;</em> attackers. The system leveraged multiple redundant cloud computing systems, social networking platforms, and free web hosting services in order to maintain persistent control while operating core servers located in the People&#8217;s Republic of China (PRC). Although the identity and motivation of the attackers remain unknown, the report provides evidence that the attackers operated or staged their operations from Chengdu, PRC.</p>
<p>Summary of main findings:</p>
<p><strong>Complex cyber espionage network</strong> &#8211; Documented evidence of a cyber espionage network that compromised government, business, and academic computer systems in India, the Office of the Dalai Lama, and the United Nations. Numerous other institutions, including the Embassy of Pakistan in the United States, were also compromised. Some of these institutions can be positively identified, while others cannot.</p>
<p><strong>Theft of classified and sensitive documents</strong> &#8211; Recovery and analysis of exfiltrated data, including one document that appears to be encrypted diplomatic correspondence, two documents marked &#8220;SECRET&#8221;, six as &#8220;RESTRICTED&#8221;, and five as &#8220;CONFIDENTIAL&#8221;. These documents are identified as belonging to the Indian government. However, we do not have direct evidence that they were stolen from Indian government computers and they may have been compromised as a result of being copied by Indian officials onto personal computers. The recovered documents also include 1,500 letters sent from the Dalai Lama&#8217;s office between January and November 2009. The profile of documents recovered suggests that the attackers targeted specific systems and profiles of users.</p>
<p><strong>Evidence of Collateral Compromise</strong> &#8211;  A portion of the recovered data included visa applications submitted to Indian diplomatic missions in Afghanistan. This data was voluntarily provided to the Indian missions by nationals of 13 countries as part of the regular visa application process. In a context like Afghanistan, this finding points to the complex nature of  the information security challenge where risks to individuals (or operational security) can occur as a result of a data compromise on secure systems operated by trusted partners.</p>
<p><strong>Command-and-control infrastructure that leverages cloud-based social media services</strong> &#8211;  Documentation of a complex and tiered command and control infrastructure, designed to maintain persistence. The infrastructure made use of freely available social media systems that include Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com and Yahoo! Mail. This top layer directed compromised computers to accounts on free web hosting services, and as the free hosting servers were disabled, to a stable core of command and control servers located in the PRC.</p>
<p><strong>Links to Chinese hacking community</strong> &#8211; Evidence of links between the Shadow network, two individuals living in Chengdu, PRC, and the underground hacking community in the PRC.</p>
<p><strong>About the Researcher Collaboration:</strong></p>
<p>This investigation is a result of a collaboration between the Information Warfare Monitor and the Shadowserver Foundation. The Information Warfare Monitor (<a href="http://infowar-monitor.net/">http://infowar-monitor.net/</a>) is a joint activity of the <a href="http://www.citizenlab.org/">Citizen Lab</a>, Munk School of Global Affairs, University of Toronto, and the <a href="http://cyber.secdev.ca/">SecDev Group</a>, an operational consultancy based in Ottawa specialising in evidence-based research in countries and regions under threat of insecurity and violence. The Shadowserver Foundation (<a href="http://shadowserver.org/">http://shadowserver.org/</a>) was established in 2004 and is comprised of volunteer security professionals that investigate and monitor malware, botnets, and malicious attacks. Both the Information Warfare Monitor and the Shadowserver Foundation aim to inform the field of cyber security through accurate, evidence-based assessments and investigations.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/04/shadows-in-the-cloud-an-investigation-into-cyber-espionage-2-0/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Policy@Google: Dr. Ronald Deibert</title>
		<link>http://www.infowar-monitor.net/2010/02/policygoogle/</link>
		<comments>http://www.infowar-monitor.net/2010/02/policygoogle/#comments</comments>
		<pubDate>Wed, 03 Feb 2010 16:57:13 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[Featured]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5500</guid>
		<description><![CDATA[New studies find censorship rising Posted by Dorothy Chou, policy analyst [ Monday, December 14, 2009 at 4:54 PM ET ] Last week, Dr. Ron Deibert, Director of the Citizen Lab at the University of Toronto, came to the Googleplex in Mountain View to give a presentation on the Open Internet Initiative&#8217;s recent studies on [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://googlepublicpolicy.blogspot.com/2009/12/new-studies-find-censorship-rising.html">New studies find censorship rising</a></p>
<p>Posted by <a href="http://www.linkedin.com/pub/dorothy-chou/4/a0b/647">Dorothy Chou, policy analyst</a> [ Monday, December 14, 2009 at 4:54 PM ET ]</p>
<p>Last week, Dr. Ron Deibert, Director of the Citizen Lab at the University of Toronto, came to the Googleplex in Mountain View to give a presentation on the Open Internet Initiative&#8217;s recent studies on the policies and technologies that repressive governments are using to censor Internet content.</p>
<p>They found that Internet filtering is a growing phenomenon around the world. The number of governments that censor has grown from 3 to 4 in 2002 to more than 30 countries today. And in efforts to restrict information for their citizens, governments focus more on targeting local language content rather than global content.</p>
<p>It&#8217;s interesting that many countries that are just starting to explore the possibilities of Internet connectivity already have sophisticated tools for blocking and filtering content. We are seeing cross-border replication, where some governments are adopting the practices of others who have cracked down on their citizens. Repressive regimes are finding ways to install more advanced tools against dissidents. As Berkman Center fellow Ethan Zuckerman has said, these governments are &#8220;baking in&#8221; tools to co-opt Web 2.0 features rather than play catch-up after criticism has been aired.</p>
<p>The lack of transparency and accountability in blocking and filtering is a concern to the ONI. Often governments, even democratic ones, choose to blacklist certain sites that they deem harmful without an easy way for others to see what was blocked, so citizens never know if what&#8217;s blocked is actually harmful content. In the next few years, the ONI predicts that we will see more targeted surveillance and malware tactics like spamming to make monitoring and documenting government censorship more difficult.</p>
<p>Given the urgency of this issue, we&#8217;re hoping to bring online free expression to the forefront of policy discussions by hosting similar events at our DC office in the coming months. Stay tuned!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/02/policygoogle/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Tracking GhostNet: Investigating a Cyber Espionage Network</title>
		<link>http://www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/</link>
		<comments>http://www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/#comments</comments>
		<pubDate>Wed, 02 Sep 2009 00:47:13 +0000</pubDate>
		<dc:creator>Information Warfare Monitor</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://malwarelab.org/iwm_new/?p=2437</guid>
		<description><![CDATA[This report documents the GhostNet &#8211; a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs. The capabilities of GhostNet are far-reaching. The report reveals that Tibetan computer systems were compromised giving attackers access [...]]]></description>
			<content:encoded><![CDATA[<p>This report documents the GhostNet &#8211; a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.</p>
<p>The capabilities of GhostNet are far-reaching. The report reveals that Tibetan computer systems were compromised, giving attackers access to potentially sensitive information, including documents from the private office of the Dalai Lama. The report presents evidence showing that numerous computer systems were compromised in ways that circumstantially point to China as the culprit. But the report is careful not to draw conclusions about the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. The report argues that attribution can be obscured.</p>
<p>The report concludes that who is in control of GhostNet is less important than the opportunity for generating strategic intelligence that it represents. The report underscores the growing capabilities of computer network exploitation and the ease with which cyberspace can be used as a vector for a new do-it-yourself form of signals intelligence. It ends with a warning to policy makers that information security requires serious attention.</p>
<p>Download the report <a href="http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Breaching Trust: An analysis of surveillance and security practices on China&#8217;s TOM-Skype platform.</title>
		<link>http://www.infowar-monitor.net/2009/09/breaching-trust-an-analysis-of-surveillance-and-security-practices-on-china%e2%80%99s-tom-skype-platform/</link>
		<comments>http://www.infowar-monitor.net/2009/09/breaching-trust-an-analysis-of-surveillance-and-security-practices-on-china%e2%80%99s-tom-skype-platform/#comments</comments>
		<pubDate>Wed, 02 Sep 2009 00:45:34 +0000</pubDate>
		<dc:creator>Information Warfare Monitor</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Censorship]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Skype]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://malwarelab.org/iwm_new/?p=2434</guid>
		<description><![CDATA[Our investigation reveals troubling security and privacy breaches affecting TOM-Skype &#8211; the Chinese version of the popular voice and text chat software Skype. It also raises troubling questions regarding how these practices are related to the Government of China&#8217;s censorship and surveillance policies. The questionable security practices of TOM-Online led to the disclosure of millions [...]]]></description>
			<content:encoded><![CDATA[<p>Our investigation reveals troubling security and privacy breaches affecting TOM-Skype &#8211; the Chinese version of the popular voice and text chat software Skype. It also raises troubling questions regarding how these practices are related to the Government of China&#8217;s censorship and surveillance policies.</p>
<p>The questionable security practices of TOM-Online led to the disclosure of millions of records containing personal information regarding mobile phone accounts, SMS messages, and the usage of TOM-Skype. However, this disclosure also confirms that TOM-Skype is censoring and logging text chat messages that contain specific, sensitive keywords and may be engaged in more targeted surveillance.</p>
<p>These findings raise key questions. To what extent do TOM Online and Skype cooperate with the Chinese government in monitoring the communications of activists and dissidents as well as ordinary citizens? On what legal basis is TOM-Skype capturing and logging this volume and detail of personal user data and communication, and who has access to it?</p>
<p>Major Findings</p>
<p>* The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China.</p>
<p>* These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.</p>
<p>* The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.</p>
<p>* Our analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.</p>
<p>Download the report <a href="http://www.scribd.com/doc/13712715/Breaching-Trust-An-analysis-of-surveillance-and-security-practices-on-Chinas-TOMSkype-platform">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2009/09/breaching-trust-an-analysis-of-surveillance-and-security-practices-on-china%e2%80%99s-tom-skype-platform/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

