[liberationtech] Local spike in human rights malware attacks from China

katmagic the.magical.kat at gmail.com
Sat Nov 13 11:16:54 PST 2010


virustotal.com supports SSL: https://virustotal.com/ . That said, I'm
not sure relying on a virus scanner, much less an external virus
scanner, is a good idea. The idea of virus scanning has deep and
fundamental flaws, namely that detecting malicious behavior with any
reliability in a binary is essentially impossible, and _certainly_
beyond the abilities of anything resembling the artificial intelligences
we have now. Existing virus scanners use a signature-based detection
approach, which is obviously flawed in that only software for which the
scanner has rules is detected. This process is slow, difficult, and
potentially impossible in a given scanner if the right sort of
polymorphism is used. In short, it mostly gives a false sense of
security.

On Sat, 2010-11-13 at 09:22 -0500, Nathan Freitas wrote:
> From a tactical perspective, one service I would make sure people who are at risk know about is VirusTotal.com. It is an online virus/malware scanning tool that you can submit suspicious files to simply by forwarding an email. It also stores hashes of previously scanned files so that you can see if others have received the same attack.
> 
> This also means you can check a file from your mobile device before you forward it on to others, or even open your desktop mail app.
> 
> HTTP://virustotal.com
> 
> If anyone on the list has reasons why not to use this service or knows of similar tools please let me know.
> 
> I have also been considering building a similar tool that analyzes mail headers to look for inconsistencies or possible threats. For instance I have one script now that tells me if a mail was sent from a Chinese domain/IP but the display name/domain on the message content does not show a dot CN address. Not necessarily malware but in my case, something good to be aware of.
> 
> +n
> 
> "Danny O'Brien" <DObrien at cpj.org> wrote:
> 
> >I just wanted to point everyone onlist to the recent increase in hacking attacks against (or using as a proxy) human rights groups who do work in China, or who are connected to the Nobel Peace Prize. If you do work in this area, you should be aware that a group or groups are particularly targeting Western NGOs to distribute malware to vulnerable groups (and other NGOs). 
> >
> >I'm sure you all run anti-virus software on incoming mail and your desktop machines, keep your software up to date, and guard and monitor your websites against the insertion of malware, but if you don't, now might be an excellent time to do so (or make an argument to decision-makers that your organization should).
> >
> >The chain of incidents so far are:
> >
> >On October 26th, the Nobel Prize site was hacked, and a new vulnerability used to infect viewers using Firefox on Windows:
> >http://www.zdnet.com/blog/security/firefox-zero-day-under-attack-at-nobel-peace-prize-site/7550
> >
> >This weekend, CPJ and others received an email, ostensibly from Alex Gladstein and the Oslo Freedom Forum, with an included PDF attachment with a convincing looking invitation to the Peace Prize Ceremony. The PDF used a Flash exploit from September (fixed in the very latest versions) to infect those opening the attachment on Windows. (AV software scanning incoming mail should have been able to catch this).
> >
> >These mailed invites were based on a template email that we believe was taken from the incoming mail of a Chinese dissident based in the US, whose computer was previously compromised. There's apparently some evidence to suggest that the distribution list was taken from the same individual, but I'm still checking that out. I wrote a brief summary of the situation here: http://www.cpj.org/internet/2010/11/that-nobel-invite-mr-malware-sent-it.php
> >
> >Then on Wednesday, the Hong Kong site of Amnesty was hacked to serve several 0day exploits, including an unpatched Explorer exploit. http://www.nartv.org/2010/11/12/nobel-peace-prize-amnesty-hk-and-malware/
> >
> >I imagine if this is anything like what happened around the Beijing Olympics, that we're going to see similar attempts right up to the award ceremony itself. The malware these attacks deliver has unknown capabilities; its function is controlled by remote servers, but it almost certainly can intercept incoming and outgoing mail, files, keypresses (including passwords) and relay all this information to its controllers. If you let yourself be infected, the security and privacy of your organization and those you work with is at risk, so take care!
> >
> >(On the brighter side, there's never been a better time to be a malware computer security analyst with an interest in human rights issues. Do get in touch if that's who you are...)
> >
> >Best,
> >
> >d.
> >
> >
> >
> >
> >
> >
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20101113/c9a17d82/attachment.asc>
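On katmagic's point that a signature scanner only catches what it has a rule for, and that polymorphism defeats it, here is an added illustration (demo code written for this page, not from anyone on the list and not how VirusTotal or any real scanner is built). A toy signature scanner matches a byte pattern lifted from a first sample; a wrapper XOR-encodes a constructed stand-in payload under a per-sample key behind a tiny "decoder stub"; a second scanner emulates the stub before matching. The PAYLOAD string, the "STUB:" format and all function names are assumptions made for the demo, and the payload is just text, not malware.

```python
import hashlib
from typing import Optional

# Constructed stand-in for a malicious payload: plain text used to show the
# matching problem, nothing executable.
PAYLOAD = b"EVIL: intercept keystrokes and mail, relay to controller"

# A signature database the way a classic scanner keeps one: a byte pattern an
# analyst extracted from the first sample that was seen.
SIGNATURES = {"Demo.Stealer.A": PAYLOAD[:16]}


def signature_scan(blob: bytes) -> Optional[str]:
    """Classic static check: return the matching signature name, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in blob:
            return name
    return None


def polymorphic_variant(payload: bytes, key: int) -> bytes:
    """Make a new sample: XOR-encode the payload under a per-sample key and
    prepend a 'decoder stub' that carries the key. Every key yields different
    bytes on disk although the behaviour after decoding is identical."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 would leave the payload in clear)")
    stub = b"STUB:" + bytes([key])
    return stub + bytes(b ^ key for b in payload)


def emulate_decoder(blob: bytes) -> bytes:
    """Do what the stub would do at run time and recover the payload. A scanner
    that unpacks or emulates before matching gets to see the real bytes."""
    if not blob.startswith(b"STUB:"):
        return blob  # not wrapped, scan as-is
    key = blob[5]
    return bytes(b ^ key for b in blob[6:])


def scan_after_emulation(blob: bytes) -> Optional[str]:
    return signature_scan(emulate_decoder(blob))


def detection_results(keys=range(1, 256)) -> dict:
    """For every variant: does the static scan catch it, does emulate-then-scan
    catch it, and how many distinct file hashes would a hash-lookup service
    (the kind of store Nathan describes) need to know to cover them all."""
    variants = [polymorphic_variant(PAYLOAD, k) for k in keys]
    static_hits = sum(signature_scan(v) is not None for v in variants)
    emulated_hits = sum(scan_after_emulation(v) is not None for v in variants)
    hashes = {hashlib.sha256(v).hexdigest() for v in variants}
    return {
        "variants": len(variants),
        "static_hits": static_hits,
        "emulated_hits": emulated_hits,
        "distinct_hashes": len(hashes),
    }


if __name__ == "__main__":
    print("first sample, static scan:", signature_scan(PAYLOAD))
    print(detection_results())
```

The original sample is caught, every one of the 255 re-keyed variants slips past the static pattern match and each has a different SHA-256, so a hash lookup learns nothing from the first one either; only the scan that emulates the decoder first catches all of them. Real packers are far less cooperative than a one-byte XOR stub, which is the practical limit of the emulation approach.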

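Nathan's header-inconsistency script is not on the page; the following is an added example of how such a check can be written (my own code, not his). It parses a message, compares the domain shown in the display name with the real From address and the Reply-To, and takes the originating IP from the Received: line stamped by our own MX. The WATCH_PREFIXES list is a stand-in for a GeoIP lookup and uses the 203.0.113.0/24 documentation range; the MX name, the sample messages and all names are constructed for the demo.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Stand-in for a GeoIP/WHOIS lookup: prefixes this demo treats as "Chinese".
# 203.0.113.0/24 is the TEST-NET-3 documentation range, so the sample stays
# fictional; a real check would consult a GeoIP database here.
WATCH_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ADDR_IN_TEXT = re.compile(r"[\w.+-]+@([\w.-]+)")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def originating_ip(msg, trusted_mx: str) -> Optional[str]:
    """IP from the Received: line our own MX stamped, the first hop we can
    vouch for. Received: lines below it were written by the sender's side and
    can be forged, so they are deliberately ignored."""
    for hop in msg.get_all("Received") or []:
        if f"by {trusted_mx}" in hop:
            m = RECEIVED_IP.search(hop)
            if m:
                return m.group(1)
    return None


def header_findings(raw: str, trusted_mx: str = "mx.example.org") -> List[str]:
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)

    # 1. Display name shows an address whose domain differs from the real sender
    m = ADDR_IN_TEXT.search(display)
    if m and m.group(1).lower() != from_domain:
        findings.append(f"display name shows {m.group(1)} but From is {from_domain}")

    # 2. Replies are routed to a different domain than the apparent sender
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        findings.append(f"Reply-To goes to {domain_of(reply)}, From is {from_domain}")

    # 3. Originating host is in a watched range but nothing in From says .cn
    ip = originating_ip(msg, trusted_mx)
    if ip:
        try:
            in_watch = any(ipaddress.ip_address(ip) in net for net in WATCH_PREFIXES)
        except ValueError:
            in_watch = False  # malformed address in the header
        if in_watch and not from_domain.endswith(".cn"):
            findings.append(f"originating IP {ip} is in a watched range, From is {from_domain}")
    return findings


# Constructed sample: an invitation-style lure with a lookalike display name.
SAMPLE = """Received: from mx.example.org (mx.example.org [198.51.100.7]) by mail.example.org; Sat, 13 Nov 2010 09:00:00 -0500
Received: from relay.example.net ([203.0.113.45]) by mx.example.org; Sat, 13 Nov 2010 08:59:00 -0500
From: "invites@oslofreedomforum.example" <contact@invite-mailer.example>
Reply-To: replies@another.example
To: recipient@example.org
Subject: Invitation to the Peace Prize Ceremony

Please find the invitation attached.
"""

# Constructed sample: an ordinary message that should raise nothing.
CLEAN = """Received: from mail.partner.example ([198.51.100.9]) by mx.example.org; Sat, 13 Nov 2010 09:00:00 -0500
From: "Alex Example" <alex@partner.example>
To: recipient@example.org
Subject: hello

Hi.
"""

if __name__ == "__main__":
    for line in header_findings(SAMPLE):
        print("SAMPLE:", line)
    print("CLEAN:", header_findings(CLEAN))
```

The first message produces three findings (lookalike display name, diverted Reply-To, watched originating range); the second produces none. Only the Received: line your own server added is trustworthy, which is why the code keys on "by <trusted_mx>" rather than simply taking the bottom-most hop, and the address rules are heuristics to raise attention, as Nathan says, not a malware verdict.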
