Russian Hacker Gets a Taste of His Own Malware
Oct 31, 2012 10:52 AM PT
After a persistent series of attacks on its government computers by a Russian hacker, the Republic of Georgia got mad and refused to take it anymore.
Source: Georgian CERT team report
In a reversal of roles, members of the country's Computer Emergency Response Team (CERT) suckered the cybermiscreant into downloading a file infected with his own spyware that allowed CERT to photograph the alleged hacker with his computer's webcam and ransack its hard drive for files.
The Georgian CERT team discovered the hacker's activity in March 2011. He was planting advanced malicious software on computers in Georgia and elsewhere that collected sensitive, confidential information about Georgian and American security documents, the team said.
"After investigating attackers' servers and malicious files, we have linked this cyberattack to Russian official security agencies," Georgian CERT reported.
In the course of his espionage campaign, the report notes, the suspected Russian cyberspy infected 390 computers -- 70 percent of them in Georgia, 5 percent in the United States and another 10 percent in Canada, Ukraine, France, China, Germany and Russia.
Organizations targeted in Georgia included government ministries, its parliament, critical information infrastructures, banks and non-governmental organizations, the report says.
The attacks were highly targeted. For example, Web pages at Georgian news websites were infected based on content. Stories about NATO and Georgia, meetings and agreements between the United States and Georgia and Georgian military news were popular targets of the hacker.
The infected pages transferred malicious software to the computers of anyone who visited them, according to the report. When executed, the malware took control of an infected computer, searched documents it held for sensitive words, and captured video and audio from any computer that had a built-in camera and microphone.
Russian Secret Service Connection
The attacker had connections to the notorious Russian Business Network, a well-known perpetrator of nefarious activities on the Web, as well as to the Russian Ministry of Internal Affairs, which includes the Federal Security Service (FSB), formerly the KGB, CERT alleged.
The site used by the hacker to control computers infected in Georgia belongs to the Russian Business Network, the CERT report asserts. A link to the network was also found embedded in the malware code used by the hacker.
In addition, the domain used by the hacker to send infected emails to Georgian targets during the phishing phase of his campaign was registered to someone with an address in the department of logistics at the Russian Ministry of Internal Affairs, the report says. Prior to launching a military campaign against Georgia in 2008, the Russians subjected the country to a cyberattack.
The phishing phase of the spy campaign began after Georgian CERT blocked the connections to the servers receiving documents stolen by the hacker's spyware and cleaned up computers it had infected, according to a report by the IDG News Service.
Obscure File Evades Detection
The infected attachments in those phishing messages, IDG reported, were in a file format, XDP, that didn't raise red flags in antivirus scanners. XDP -- XML Data Package -- allows PDF files to be represented as XML. An XDP file can be opened in Adobe Reader and viewed as if it were a PDF file.
"It's a clever idea," Sophos Security Advisor Chet Wisniewski told TechNewsWorld. "It's a really obscure format. It's not used commonly, which means it's unlikely that an administrator would explicitly block it from an email."
The PDF specification supports many different functions and features, explained Kaspersky Lab Senior Researcher Roel Schouwenberg. Just the base PDF specification document is about 800 pages long.
"What the bad guys try to do is find and use features which aren't yet supported by the anti-malware PDF scanners," he told TechNewsWorld.
Antivirus Free Pass
Ironically, if the hacker had embedded his malware in a PDF file, most antivirus programs would have likely identified the attachment as malicious, because PDF files are often used to deliver malware, and antivirus programs are conditioned to treat them with suspicion, Wisniewski explained.
"Because XDP is still read and interpreted by Adobe Reader," he continued, "if there's a vulnerability in Adobe Reader that you might exploit in a PDF you can put that same exploit code into an XDP file, but an antivirus scanner would most likely not know what it was, and pass it through."
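The gap Wisniewski describes closes once a mail gateway classifies attachments by content rather than by extension. As an added example (not from the article or the Georgian CERT report), this Python sketch recognizes an XDP package by its namespace, decodes the embedded `<chunk>` data and returns any PDF it finds so it can be handed to the existing PDF scanner; the function names and the sample input are constructed for illustration.

```python
import base64
import binascii
import re

XDP_NS = b"http://ns.adobe.com/xdp/"  # namespace of the XDP package element
# <chunk> holds the base64-encoded PDF inside <pdf><document>.
CHUNK_RE = re.compile(
    rb"<(?:\w+:)?chunk\b[^>]*>(.*?)</(?:\w+:)?chunk\s*>", re.S | re.I
)


def extract_pdfs_from_xdp(data: bytes) -> list[bytes]:
    """Return every PDF embedded in an XDP package, judged by content only.

    A regex is used instead of an XML parser so untrusted input cannot
    trigger entity expansion and slightly malformed packages still match.
    """
    if XDP_NS not in data:
        return []
    pdfs = []
    for match in CHUNK_RE.finditer(data):
        payload = re.sub(rb"\s+", b"", match.group(1))  # base64 may be wrapped
        try:
            decoded = base64.b64decode(payload, validate=True)
        except (binascii.Error, ValueError):
            continue  # chunk is not valid base64
        if b"%PDF-" in decoded[:1024]:  # header may be preceded by a few bytes
            pdfs.append(decoded)
    return pdfs


def triage(data: bytes) -> str:
    """Classify an attachment regardless of its file name or extension."""
    if XDP_NS not in data:
        return "not-xdp"
    return "xdp-embedded-pdf" if extract_pdfs_from_xdp(data) else "xdp-no-pdf"


# Constructed sample: a harmless placeholder PDF wrapped as XDP.
SAMPLE_PDF = b"%PDF-1.4\n% constructed, harmless placeholder\n%%EOF\n"
SAMPLE_XDP = (
    b'<?xml version="1.0"?>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">\n'
    b'<pdf xmlns="http://ns.adobe.com/xdp/pdf/"><document><chunk>\n'
    + base64.encodebytes(SAMPLE_PDF)
    + b"</chunk></document></pdf>\n</xdp:xdp>\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_XDP), len(extract_pdfs_from_xdp(SAMPLE_XDP)))
```

Anything `triage` labels `xdp-embedded-pdf` should go through the same PDF inspection and attachment policy as a `.pdf` file.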
XDP has been linked in the past to targeted attacks, like those in Georgia. In his analysis of the format in June, security researcher Brandon Dixon discovered a number of infected attachments that appeared to be focused on sensitive government targets. The attachments had filenames like "military planning.xdp" and "secret service training.xdp."
"These were never disseminated through crimeware," he told TechNewsWorld. "It appeared to be targeted malware."
"It was someone trying to compromise a specific target, as opposed to a larger audience, such as your typical computer user," he added.