Monday, March 30, 2009

GhostNet or Gh0st RAT: The Cyber Persecution of Tibet

For many members of the non-security research community, the New York Times story this week was big news: "Vast Spy System Loots Computers in 103 Countries". This morning's Google News has more than 750 related articles, and I applaud the work of the University of Toronto's Citizen Lab at the Monk Centre for International Studies at Trinity College for the excellent research and for sharing this story with the general public.

What does it look like to a Security Researcher though? Unfortunately, its a very common story of a very simple case of Spear Phishing that can be accomplished with minimal effort and *IS* being accomplished on a daily basis against various special interests, including government agencies, military contractors, or just people who might have a lot of money to steal. As I've discussed in my presentations on Spear Phishing, including at the 2008 Department of Defense Cyber Crime conference, high-value targets deserve special targeting. But let's look at how special the targeting was in this situation.

The news that someone was creating specifically targeted spear phishing campaigns against Tibet and Tibetan sympathizers first came to my attention in March 24, 2008, when our friends at the SANS' Internet Storm Center released the article, Overview of cyber attacks against Tibetan communities by Maarten Van Horenbeek. This was an in-depth follow-up to Maarten's initial report on March 21, 2008, Cyber attacks against Tibetan communities.

In the original article, Maarten describes the case this way:

The attacks generally start with a very trustworthy looking e-mail, being spoofed as originating from a known contact, to someone within a community. Some impressive social engineering tricks are used:
  • Messages make a strong statement on a well known individual or group, but do not mention its name. The attachment is then named after that individual. A state of 'cognitive dissonance' is invoked between the reader's pre-existent beliefs and the statement. There's a natural urge to click on the attachment to confirm that belief;
  • The writing style of the purported sender is usually well researched to have the message look as believable as possible;
  • The content of the document actually matches closely what was discussed in the e-mail message;
  • Having legitimate, trusted, users actually forward along a message back into the community.

The messages contain an attachment which exploits a client side vulnerability. Generally these are:
  • CHM Help files with embedded objects;
  • Acrobat Reader PDF exploits;
  • Microsoft Office exploits;
  • LHA files exploiting vulnerabilities in WinRAR;
  • Exploitation of an ActiveX component through an attached HTML file.

At that time he showed how PowerPoint files with names such as "reports_of_violence_in_tibet.ppt" and or "China's Tibet.pdf" contained exploits and were delivered in emails designed to elicit a trust-response from the reader if they were sympathetic to the cause. Here's one email that Maarten shared:


Attached here is the update Human Rights Report on Tibet issued by
Department of State of U.S.A on March 11, 2008.

You may also visit the site:

Tashi Deleg,

Sonam Dagpo

Secretary of International Relations
Department of Information & International Relations
Central Tibetan Administration
Dharamshala -176215
Ph.: [obfuscated]
Fax: [obfuscated]
E-mail: [obfuscated] or

Maarten confirmed that the contact information was correct for a member of the Tibetan Government in exile in Dharamshala, India.

In the case of the Citizen Labs report, the name of the report was the first thing worth mentioning. The report was called "Tracking GhostNet: Investigating a Cyber Espionage Network". Why was it called GhostNet? Because the enabling technology in their investigation was a common Remote Administration Trojan called "Gh0st RAT" (that's Gh0st with a Zero).

It took about 30 seconds to find a copy of Gh0st RAT 3.6 in the Chinese underground community, complete with source code. The program is written in VC++ version 6.0. The source code makes clear that, as is the case with many Chinese distributed malware products, the current distributor is a Chinese speaker speaking to a Chinese audience, although the comments make it quite possible the code was originally authored and designed for English speakers. Here's an example Code Snippet:

// CGh0stApp construction

// TODO: add construction code here,
// Place all significant initialization in InitInstance

// 初始化本进程的图像列表, 为加载系统图标列表做准备
typedef BOOL (WINAPI * pfn_FileIconInit) (BOOL fFullInit);
pfn_FileIconInit FileIconInit = (pfn_FileIconInit) GetProcAddress(LoadLibrary("shell32.dll"), (LPCSTR)660);

HANDLE hFile = CreateFile("QQwry.dat", 0, 0, NULL, OPEN_EXISTING, 0, NULL);

(According to Google Translate, the Chinese here says roughly: 为加载系统图标列表做准备 = Initialize the image list of this process, and 为加载系统图标列表做准备 = Icon to load the system ready to do list

While many of the notes in the source code have been rendered in Chinese, it still reads as those these are after-thought comments, and not the original author's words.

Still, Gh0st RAT China has been in development as a Chinese tool for some time - the version that was popular in China in early 2008 was Beta 2.5. and seems to have been primarily distributed by members of the "C.Rufus Security Team" or "CRST" through their website (which is suddently not online???). While wildenwolf's website seems offline, another CRST member, amxku, still has a great deal of notes available on his blog at

One of the main researchers in the Sec Dev project, Gregory Walton, previewed some of this report at a presentation he did in Dharamshala, India back in 26 August 2008 called "Year of the Gh0st Rat".

The Citizen Lab report investigates a large botnet which was enabled by the Gh0st Remote Administration Trojan. In their technical findings, they reveal that the members of the network of their investigation received emails with malicious attachments, very similar to what Maarten reported at ISC back in March. Here's one of the Citizen Lab report emails:

Something else very interesting emerges as we begin digging into some of the technical information shared in the Citizen Lab report.

For example, they mention two domain names used as Command & Control points for the by Gh0st machines they were tracking: and

At the time the IP address they were tracking was, but now both of those domains are resolving to the IP, in China. Other domain names on that same IP address may be domain names of concern, including: - - - - - - - - - - - - - - -

A simple Google on most of these domain names will reveal that they are all known to be related to malicious software and botnet activity, but they are still sitting live in China.

The Citizens Lab report reveals that documents from a computer in the Dalai Lama's own office were being exfiltrated to "" during the course of the investigation.

While their report focused on traffic related to this Tibet group, it is clear that there are many other groups, with covert traffic being sent back to China and elsewhere, and that it is trivial to create such an infection using commonly unpatched or underpatched exploits, easily downloadable malware, and hard-to-stop social engineering techniques.

If others are seeing data communicating with the domain names listed above, please take action. Report these communications so that we can learn what other groups, besides the Tibet group, may be losing intelligence and internal documents to these data stealing botnets.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.