Original URL: http://www.theregister.co.uk/2013/03/01/sinkhole_research_uncovers_cyberspy_victims/

Sinkholes reveal more Chinese-hacked biz - and piggybacking crims

It's not just state-backed spies using snoop-ware armies

By John Leyden

Posted in Security, 1st March 2013 09:27 GMT

Researchers have identified yet more high-profile organisations attacked by spying Chinese hackers after seizing hold of the miscreants' command-and-control servers.

Dell SecureWorks Counter Threat Unit (CTU) said that its tactic of "sinkholing" spyware-controlled systems is great for identifying custom malware and warning victims. It typically involves taking over the criminals' domain names to trick their armies of malware-infected computers - known as botnets - into communicating with the researchers' servers. While holding the reins, security experts can study a botnet, find out what sort of snooping the malware is capable of, learn more about its masters and potentially disrupt its villainous activities.

According to Dell SecureWorks, the technique has shed a light on several highly targeted espionage efforts that might otherwise have gone undetected. Victims include a US university conducting military research, we're told.

Sinkholing is not new in computer security: Dell SecureWorks applied it against the Kelihos spam-spewing botnet last year and Polish researchers applied it against Virut last month, for example. Using the tactic against groups dubbed advanced persistent threats (APTs) is a new twist, however: multiple botnets, each using a different Trojan or virus strain to infect machines, could be sharing the same command server.

"You may know eight malware facilities but by sink-holing an APT domain you can find out about another two," explained Silas Cutler, a security researcher at Dell SecureWorks CTU.

This information can be useful in linking malware families based on the shared infrastructure that attackers use to control the infected computers as well as providing proof that an entire network has been compromised.

Ordinary cybercrooks caught using cyber-espionage tools

Dell SecureWorks has linked 300 different families of malware to cyber-espionage attacks. And it's clear that conventional online crooks are using malware primarily designed for cyber-espionage for their own nefarious purposes, such as attacks apparently aimed at stealing online gaming login IDs.

One case identified by Dell SecureWorks uncovered evidence that Protux - a software nasty first detected in spear-phishing expeditions against Tibetan activists in 2008 and attacks against US government agencies - was used in an attack primarily geared against Indian ISP customers. Sinkholing three expired web domains associated with Protux revealed that two of the addresses had been used for regular cybercrime while another was employed in a much more limited and targeted espionage project.

Joe Stewart, director of malware research at Dell SecureWorks CTU, explained that in most cases security researchers take control of a hacker's domain because it either expired or was seized in an internet property ownership dispute. Domains used in APT campaigns sometimes mimic those of the industrial firms and others they target.

On the trail of the Comment Crew

The sinkholing approach allowed Dell SecureWorks CTU to identify several organisations under active attack by the so-called Chinese Comment Crew (also known as the Shanghai Group or APT1), a group of hackers exposed by a highly publicised report by computer security incident response firm Mandiant last week.

APT1 - believed to be a unit in China's People's Liberation Army and based in a nondescript multi-storey block in the suburbs of Shanghai - has targeted at least 141 organisations within 20 industries in the US and other English-speaking countries since 2006, according to Mandiant. China dismissed the allegations but Dell SecureWorks reckons the biz's findings are "broadly accurate".

According to the latest research from Dell SecureWorks, organisations targeted by the Comment Crew include an American university with a military research programme as well as plenty of other corporations. Dell SecureWorks will not name the targets of the cyber-attacks, only the industries they operate within.

In late 2012, Dell SecureWorks researchers took control of a domain used by the Comment Crew following the address's expiration. Subsequent analysis of the network traffic sent to the domain from malware-controlled computers revealed that machines in a large US university were phoning home to the domain using SSL encryption as the result of infection by a then unknown malware pathogen.

Dell SecureWorks researchers got in touch with the university's security team and passed on their research data. The university supplied DNS logs, which enabled Dell's researchers to link the malign activity to other malware deployed by Comment Crew.

A university seemed an odd target for the Shanghai-based e-spies. Why would APT1 ransack PCs belonging to students and professors? However after examining the data to the command server, and looking closer into the university's work, Dell SecureWorks researchers were able to conclude that the intended target of the campaign was the institution's warfare research laboratory.

Other victims of the same campaign identified by Dell SecureWorks, partly using data supplied by the university, included a US defence contractor, an American energy firm, and an international IT corporation.

Dell SecureWorks would never have discovered the university was a target without sinkholing, according to Cutler, who added that "sinkhole data shows successful compromises".

The security firm released its latest research into cyber-espionage attacks at the RSA conference in San Francisco on Wednesday.

Counterstrike

Dell SecureWorks began its sinkholing operation in 2011 with the successful takeover of a set of domains used to direct software nasties RegSubsDat and Enfal. It has taken down multiple botnets and alert numerous victims in the months since, releasing its previous findings in reports titled The Sin Digoo Affair in February 2012 and The Mirage Campaign last September.

At times, Dell SecureWorks reanimated botnets that had been inactive for months, finding victims who had remained infected for months in the process. Its security researchers took control of domains that were used in ongoing assaults and development of new types of malware. The biz utilised this intelligence to offer its customers defences against previously unknown malware threats.

Figures from a confirmed infiltration of the New York Times suggest that antivirus defences are poor at detecting cyber-espionage threats. Only one of the 45 malware samples thrown against the NYT over a four-month period was detected and blocked by its antivirus provider Symantec.

Stewart agreed that "commodity" antivirus was not particularly effective in dealing with APT invasions but argued that organisations are far from defenceless in the face of state-sponsored spies.

Intelligence-driven security procedures that include deep packet inspection, app whitelisting and sandboxing for links and attachments in incoming email can be effective. "You need to maintain a high alert and watch everything," Stewart concluded, adding that greater collaboration and information sharing was also important. ®