Friday, April 03, 2009

Conficker and Ghostnet: China, California -- and Israel?

Everyone's talking about the Conficker virus and the Ghostnet cyber-spying network, both of which are said to be of Chinese origin. The NYT offered these widely-reprinted words on Ghostnet:
In a report to be issued this weekend, the researchers said that the system was being controlled from computers based almost exclusively in China, but that they could not say conclusively that the Chinese government was involved.

The researchers, who are based at the Munk Center for International Studies at the University of Toronto, had been asked by the office of the Dalai Lama, the exiled Tibetan leader whom China regularly denounces, to examine its computers for signs of malicious software, or malware.
It's a little difficult to believe that private hackers would target the Dalai Lama. The choice of targets, more than the location of the servers, may give the best clue as to who is doing what to whom.

As this site notes:
Other GhostNet highlights include the ability to turn on webcams and microphones remotely, and a browser-based "dashboard" that the spies use to control their network of 1,295 computers. And yes, I mean a dashboard as in what you use to post those American Idol rants to your Wordpress blog. Researchers discovered the spynet using, of all things, a Google search.
A computer involuntarily joins the GhostNet family when a user opens an infected document sent as an email attachment, or when he goes to an infected web site. Here's an interesting factoid:
They found that three of the four control servers were in different provinces in China — Hainan, Guangdong and Sichuan — while the fourth was discovered to be at a Web-hosting company based in Southern California.
Which company? Forgive my curiosity, but I'd really like to know. Alas, no one is talking.

The name of the firm is, at present, impossible to discover. We have a bit of a mystery here, since the report (here) never mentions California, yet the NYT article based on that report (here) does. Where did the NYT get the info? And why won't they reveal the name of the company?

(Before you say it: Yes, I am aware that the company may not be a witting participant in any conspiratorial scheme.)

Apparently, the above-linked report was redacted "for security reasons." I wonder what that phrase means? Presumably, the NYT has the full report.

The Conficker worm, which was supposed to unload its payload on April 1, also comes from China, or so say these folks. The Chinese identification was made by the respected Vietnamese security firm BKIS. The alleged date of April 1 may in fact be mere rumor: The real D-Day could be tomorrow, or a month from tomorrow. As this site notes:
In the case of Conficker, we have another one of these super worms, following in the success of the Storm Worm, that is able to infect millions of Windows machines and act on the bidding of its mysterious owners. As the latest and greatest, Conficker employs a sophisticated p2p command and control system that uses military grade encryption to cover its tracks.
Word has it that Conficker modifies your HOSTS file to ensure that you cannot reach web sites belonging to Microsoft or to the security firms whose tools can remove the worm. The worm exploits a hole in Windows security; you can get the patch here. BKIS offers a free anti-virus which can catch the worm; I have yet to test it.
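The HOSTS-file blocking described above is easy to check for on a machine you administer: any line that maps a patch or security-vendor domain to loopback, to 0.0.0.0, or to some unrelated address is a red flag. The scanner below is an added example written for this post, not code from the original article or from BKIS; the sample HOSTS content and the watch-list of domains are constructed for illustration (the addresses in it are from the TEST-NET documentation ranges, not real hosts).

```python
"""Scan a Windows-style HOSTS file for entries that cut off security-vendor
or update domains, the blocking technique the post attributes to Conficker.
Added example; the sample HOSTS content and the watch-list are constructed."""
import re
from typing import List, Tuple

# Illustrative watch-list (constructed): domains a worm would want to block so
# the victim cannot fetch patches or removal tools. Extend it for your estate.
WATCHED_SUFFIXES = (
    "microsoft.com",
    "windowsupdate.com",
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
)

# Addresses that make a name unreachable rather than redirecting it elsewhere.
NULL_ROUTES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample of a tampered HOSTS file (203.0.113.0/24 is TEST-NET-3).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# Constructed sample HOSTS file for this example.
127.0.0.1       localhost
::1             localhost
# legitimate local entry
192.168.1.10    intranet.example.test
# entries of the kind the post describes
127.0.0.1       www.microsoft.com
0.0.0.0         update.microsoft.com  windowsupdate.com
203.0.113.45    www.symantec.com   # sent to an unknown host instead
"""

# "<ip> <name> [<name>...] [# comment]" -- the HOSTS line format.
LINE_RE = re.compile(r"^\s*(?P<ip>[0-9a-fA-F:.]+)\s+(?P<names>[^#]+?)\s*(#.*)?$")


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, ip, hostname) for every mapping in the file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; ignore rather than crash
        for name in m.group("names").split():
            entries.append((lineno, m.group("ip"), name.lower()))
    return entries


def is_watched(name: str) -> bool:
    """True if the hostname is one of the watched domains or a subdomain."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_number, hostname, ip, reason) for each watched domain
    that the HOSTS file null-routes or redirects."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        reason = "null-routed" if ip in NULL_ROUTES else "redirected to " + ip
        findings.append((lineno, name, ip, reason))
    return findings


if __name__ == "__main__":
    # On a real host, read C:\\Windows\\System32\\drivers\\etc\\hosts instead.
    for lineno, name, ip, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip} ({reason})")
```

On a live system, feed the function the contents of the real HOSTS file; an empty result means none of the watched domains are overridden, which is the normal state on a clean machine. Subdomain matching matters because update.microsoft.com and windowsupdate.com are the names a removal attempt actually resolves, not the bare apex domain.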

The obvious question: Is there a linkage between Conficker and GhostNet, aside from the presumed Chinese origin point?

A less obvious question: Could there be an Israeli connection to one or both of these cyber-attacks?

Don't presume that I am the sort of person who reflexively ascribes all of the world's ills to Israel. I don't. In this case, I ask the question because we have a few subtle, but intriguing, shards of evidence pointing toward that country.

Threat Chaos gives a fuller account of the origin of GhostNet than one finds elsewhere:
You will notice the similarity between the methodologies described and the techniques used by Private Investigators in Israel back in 2005. They sent emails to their targets, sometimes after engaging them in phone conversations first. They used a customized Trojan horse crafted by Michael Haephrati.
For background on the Haephrati incident, go here. For the upshot, go here:
To re-cap: Michael Haephrati, a software developer, created a clever managed service whereby he would provide custom Trojan software to these private investigators who would then use social engineering techniques to get the targets to install the Trojan on internal systems. For a $2,000 fee Haephrati would host any stolen documents and key stroke logs on servers in Germany and the UK. The police discovered the scheme when Haephrati's first wife took her computer in to them under suspicion of it being infected. Sure enough, it was, and the Israeli police tracked down the hosting servers and discovered thousands of documents from dozens of Israeli companies stored there.

Eventually Haephrati and his current wife were extradited from England and supposedly sentenced to jail terms. But in a phone conversation I had with Michael several weeks after the sentencing he claimed that there was no jail time, and that he was completely free. As a matter of fact he was going to continue to offer his Trojan Horse service but this time he would only work with "law enforcement agencies".

Readers in the US will be perplexed by this case. Four PIs are now going to do jail time while the author of the illegal software goes free.
It is fair to posit that he avoided jail by providing service to the state. (Note the cute ploy: He was extradited because the Brits naively thought that Israel would put him in the pokey.)

A few years after Haephrati started working for his new bosses, the world discovered that a more sophisticated version of the same type of cyber-attack is being run out of China. A California firm, which the NYT will not name for "security" reasons, is also involved. Coincidence?

This Jerusalem Post report on GhostNet will reward a close reading:
"I have no information about it," a Foreign Ministry spokesman told The Jerusalem Post. "I'm not aware of it, and even if there had been some sort of breach, I'm not sure that anything would be released, because our relationship with China is so sensitive."
It was unclear on Sunday if Israel was one of the countries whose foreign ministry computers had been compromised.
It is clear that Iran and Pakistan were targeted.

The Chinese are, of course, quite capable of getting up to computerized mischief on their own. Over 300,000 scientists and engineers graduate from Chinese universities each year. Still, as this site notes...
Israel, on the other hand, has the third highest number of patent filings per capita and, according to IMD's World Report, ranks third in the world in terms of the quality of basic research. Moreover, Israel ranks very high in terms of research 'productivity' (scientific publications per capita) and 'quality' (the frequency with which other scholars cite publications in their own articles).

In computer science, Israel ranks second in the world in productivity and third in the world in quality.
Second, discovering truly superior scientific revelations is contingent on the brilliance of small numbers of researchers. Using the incidence of Nobel Laureates as a proxy for genius, Israel's population stands head and shoulders above the rest of the world. While China and India may have hordes of good but less than phenomenal scientists and engineers, their numbers alone will not mute Israel's advantage in producing transformative breakthroughs.
Those passages betray some braggadocio, but also a copious amount of truth.

Ties between Israel and China are strong and getting stronger, especially in the realm of weapons development and manufacture. Cyber weapons are the weapons of the future.
While it's never clear who the players are behind this perpetual information war, researchers are able to dissect the tools and compromised systems to portray a fascinating tale of computer-based cloak and dagger.
How do you develop new internet based weapons in an open environment? Once you reach a certain scale of weaponry you cannot leave the testing to the laboratory alone. This is why they exploded nuclear weapons in the deserts or in the South Pacific. Is this what we're now seeing online in terms of the latest iterations of these advanced botnets?

4 comments:

tamerlane said...

In this modern era, can a computer virus ever be considered a casus belli?

Are we bold enough to launch surgical strikes on China's T-1 lines?

Will the Achilles' heel of Western Civilization be its proclivity for downloading porn?

coffee maker said...

a potentially good thing that has resulted from the Conficker scare is an overall heightened awareness of PC security

Jimbo said...

Israeli virus gon' drink yo blood and gitcho mama.

Oogah boogah!

THStone said...

I get the alleged "chain of evidence" against Israel when talking about GhostNet (although, I don't agree about the final conclusion), but how do you connect it all to Conficker? Because it's supposed to be from China and you think that GhostNet is Israeli? Doesn't make real sense...

By the way, why not throw in some more countries, not just Israel and the US... How about Russia? France? UK? They supposedly have these capabilities. And why did you not mention the RBN?

Ahh.... And if you would have done more research, you'd find out that GhostNet was using two open source hacking tools (gh0strat...) that were available to anybody on the net.