The Null Device

Malware attacks against pro-Tibet groups

Someone is sending pro-Tibet groups documents infected with keylogging malware, configured to send back keystrokes to a server in China. The documents are sent from addresses forged to resemble human rights groups, and purport to be details of Chinese massacres in Tibet and similar information.
The exploit silently drops and runs a file called C:\Program Files\Update\winkey.exe. This is a keylogger that collects and sends everything typed on the affected machine to a server running at And is a Chinese DNS-bouncer system that, while not rogue by itself, has been used over and over again in various targeted attacks.
The exploit inside the PDF file was crafted to evade detection by most antivirus products at the time it was sent.
Somebody is trying to use pro-Tibet themed emails to infect computers of the members of pro-Tibet groups to spy on their actions.
Of course, the pro-Tibet groups could avoid being pwn3d by the Chinese by the simple expedient of not using Windows or common software to open documents.

There are 2 comments on "Malware attacks against pro-Tibet groups":

Posted by: Greg Sun Mar 30 13:11:54 2008

re avoiding viruses by not using Windows ... After reading your piece on the anti-emo riots, I wonder if Windows fans (I don't mean actual MS employees) might take up writing Linux / MacOs / OpenOffice viruses just to harass the do-gooders?

Posted by: acb Sun Mar 30 13:48:09 2008

Given that hobbyist virus writing has largely disappeared (increasing penalties and the involvement of for-profit criminal enterprise have assured this), I doubt whether many would be written without financial motives (be they from botnets, identity theft or fees from intelligence agencies).

Knocking over Linux servers for use as redirectors for untraceable websites or botnet command hosts is big business, though pwning Linux on the desktop is unlikely to have much money in it.