The Null Device

Malware attacks against pro-Tibet groups

Someone is sending pro-Tibet groups documents infected with keylogging malware, configured to send back keystrokes to a server in China. The documents are sent from addresses forged to resemble human rights groups, and purport to be details of Chinese massacres in Tibet and similar information.
The exploit silently drops and runs a file called C:\Program Files\Update\winkey.exe. This is a keylogger that collects and sends everything typed on the affected machine to a server running at xsz.8800.org. And 8800.org is a Chinese DNS-bouncer system that, while not rogue by itself, has been used over and over again in various targeted attacks.
The exploit inside the PDF file was crafted to evade detection by most antivirus products at the time it was sent.
Somebody is trying to use pro-Tibet themed emails to infect computers of the members of pro-Tibet groups to spy on their actions.
Of course, the pro-Tibet groups could avoid being pwn3d by the Chinese by the simple expedient of not using Windows or common software to open documents.

There are 2 comments on "Malware attacks against pro-Tibet groups":

Posted by: Greg http://spill-label.org Sun Mar 30 14:11:54 2008

re avoiding viruses by not using Windows ... After reading your piece on the anti-emo riots, I wonder if Windows fans (I don't mean actual MS employees) might take up writing Linux / MacOs / OpenOffice viruses just to harass the do-gooders?

Posted by: acb http://dev.null.org/acb/ Sun Mar 30 14:48:09 2008

Given that hobbyist virus writing has largely disappeared (increasing penalties and the involvement of for-profit criminal enterprise have assured this), I doubt whether many would be written without financial motives (be they from botnets, identity theft or fees from intelligence agencies).

Knocking over Linux servers for use as redirectors for untraceable websites or botnet command hosts is big business, though pwning Linux on the desktop is unlikely to have much money in it.

Want to say something? Do so here.

Post pseudonymously

Display name:
URL:(optional)
To prove that you are not a bot, please enter the text in the image into the field below it.

Your Comment:

Please keep comments on topic and to the point. Inappropriate comments may be deleted.

Note that markup is stripped from comments; URLs will be automatically converted into links.