The "No Network is 100% Secure" series
- The GhostNet -
A White Paper


All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants


What is the GhostNet?: GhostNet is the name that has been given to a large-scale cyber spying operation discovered in March 2009. It is based mainly in the People's Republic of China and has infiltrated high-value political, economic and media locations throughout the world. Computer systems belonging to embassies, foreign ministries and other government offices, and the Dalai Lama's Tibetan exile centers in India, Brussels, London and New York City have all been compromised. Although the network is mostly based in China, there is no conclusive evidence that the Chinese government is involved in its operation, although that is the current assumption.

The discovery of the 'GhostNet', and details of its operations, were reported by The New York Times on March 29, 2009. Investigators focused initially on allegations of Chinese cyber-espionage against the Tibetan exile community, such as instances where email correspondence and other data were extracted. No evidence was found that U.S. government offices were infiltrated.

GhostNet intrusion method: GhostNet uses a malicious software program called gh0st RAT (Remote Access Tool) to steal sensitive documents and completely control infected computers. Other GhostNet "features" include keystroke logging, the ability to turn on infected computers' webcams and microphones remotely, the ability to take and upload screenshots, and a browser-based "dashboard" that the spies use to control their network of 1,295 computers.

How GhostNet was discovered: Researchers at the Munk Center for International Studies at the University of Toronto were asked by the office of the Dalai Lama, the exiled Tibetan leader whom China regularly denounces, to examine its computers for signs of malicious software, or malware. The researchers' investigation revealed a much broader operation that, in less than two years, has infiltrated at least 1,295 computers in 103 countries.

Method of infection:

1. You receive a spoofed e-mail with an attachment
2. The e-mail appears to come from someone you know
3. The contents make sense and talk about real things (and in your language)
4. The attachment is a PDF, DOC, PPT or XLS
5. When you open up the attachment, you see a document on your screen that makes sense
6. But you also get exploited at the same time
7. The exploit drops a hidden remote access trojan, typically a Poison Ivy or gh0st RAT variant
8. No one else got the e-mail but you
9. You work for a government, a defense contractor or an NGO

And even today (5/20/09) only 11 out of 34 anti-virus programs tested caught the Trojan and recognized it as malware.
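As an added example (not code from the white paper), the following Python scores an incoming message against the indicators in the infection steps above: envelope sender not matching the visible From: domain (steps 1-2), a familiar display name on an address that person does not normally use (step 2), a PDF/DOC/PPT/XLS attachment (step 4), and a single addressee (step 8). The sample message, the contact list and all domains are constructed placeholders.

```python
# Added example (not from the white paper): scores one message against the
# spear-phishing indicators listed above. Sample data is constructed.
import email
from email import policy
from email.utils import parseaddr
DOC_EXTENSIONS = (".pdf", ".doc", ".ppt", ".xls")   # step 4 of the list

def domain_of(addr: str) -> str:
    """Lower-cased domain of an address, '' if none is present."""
    _, address = parseaddr(str(addr))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def triage(raw: bytes, known_contacts: dict) -> dict:
    """known_contacts maps a display name the recipient trusts to the
    address that person normally writes from (assumed local data)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    f = {}
    # Steps 1-2: envelope sender domain differs from the visible From: domain
    f["envelope_mismatch"] = domain_of(msg.get("Return-Path", "")) != domain_of(addr)
    # Step 2: a familiar name on an address that person does not use
    f["display_name_spoof"] = (name in known_contacts
                               and known_contacts[name].lower() != addr.lower())
    # Step 4: a document or PDF attachment is present
    f["document_attachment"] = any(
        (part.get_filename() or "").lower().endswith(DOC_EXTENSIONS)
        for part in msg.iter_attachments())
    # Step 8: addressed to exactly one person, nobody on Cc
    rcpts = [a for h in msg.get_all("To", []) + msg.get_all("Cc", [])
             for a in h.addresses]
    f["single_recipient"] = len(rcpts) == 1
    f["score"] = sum(1 for v in f.values() if v)   # 4 means every indicator hit
    return f

# Constructed sample: familiar name, throwaway webmail address, .doc attached
SAMPLE = b"""Return-Path: <bounce@relay.example.net>
From: Tenzin <tenzin@webmail.example.com>
To: analyst@ngo.example.org
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/msword; name="notes.doc"
Content-Disposition: attachment; filename="notes.doc"

dummy-bytes
--b1--
"""
KNOWN_CONTACTS = {"Tenzin": "tenzin@ngo.example.org"}   # address Tenzin really uses
```

A score of 4 on the constructed sample means every listed indicator fired; in practice such a message would be quarantined for analyst review rather than relying on the anti-virus detection rate quoted above.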

What does GhostNet mean to security in the USA? At the very least, the large number of high-value government targets compromised by GhostNet demonstrates the relative ease with which a technically unsophisticated approach can quickly be harnessed to create a very effective spynet. These are major disruptive capabilities that the professional information security community, as well as policymakers, need to come to terms with rapidly. A chilling indicator is that the U.S. Defense Department has repeatedly warned of China's increasing capabilities in electronic warfare. It said that the Chinese army "often cites the need in modern warfare to control information, sometimes termed 'information dominance.'"

Fifty Cent Party: We are primarily concerned with computer and Internet security and not with political issues. However, the alleged "50 cent party" is reportedly part of the Chinese government spy-ring "bigger picture", so information about it has been included here.

BBC Asia Pacific has alleged that the Chinese Communist Party has created a broad network of freelance Internet commentators who are paid to infiltrate chatrooms, websites and comment areas to shape public opinion in favor of China's policies and to suppress free expression within the Chinese Internet.

Commentators are reportedly used by Chinese government departments to scour the internet for bad news - and then negate it. They post comments on websites and forums that spin bad news into good in an attempt to shape public opinion, claims BBC Asia Pacific.

These internet propagandists, said to number around 300,000, are paid 50 Chinese cents or 7 U.S. cents for every post. They have been called the 'Fifty Cent Party,' the 'red vests' and the 'red vanguard.' They are said to have just one mission: to safeguard the interests of the Communist Party by infiltrating and policing a rapidly growing Chinese Internet. They set out to neutralize undesirable public opinion by pushing pro-Party views through chat rooms and Web forums, reporting dangerous content to authorities, says the Far East Economic Review.

This practice is similar to astroturfing, a strategy used by political campaigners, companies and other organizations wherein paid staff or volunteers are used to post messages en masse to create a false impression that the public supports or opposes something.

There is probably at least some credence to BBC Asia Pacific's claims. Since this web page was posted, it has regularly received hits from computers in Chinese IP blocks that found it through various keyword searches on Google and other search engines.

Skype: Before GhostNet's unearthing, there had been reports about surveillance and security breaches in China's TOM-Skype voice and video chat platform.

Last October, the Munk Group reported discovering a massive security hole in TOM-Skype, the official Skype client in China, which allows the Chinese government to monitor, censor and archive all Skype communications in, into or out of the country. According to the report, researchers at the Munk Centre accessed and downloaded millions of Skype communications, together with personally identifiable information such as IP addresses and phone numbers, stored on eight TOM servers in China. If you like Skype, that's fine. But if you're either in, or calling to, China, don't think the government's not watching you.


About the Author

Frank Saxton is a computer network security engineer and Easyrider LAN Pro principal. Home-based in Portland, Oregon, Frank has been designing remote diagnostic and network enterprise monitoring centers since the late 1970s. Prior to becoming a professional systems engineering consultant in 1990, Frank had a 20-year career in computer systems field engineering and field engineering management. Frank has a BSEE from Northeastern University and holds several certifications including Network General's Certified Network Expert (CNX). As a NOC design engineer and architect, Frank works regularly with enterprise-class monitoring tools such as HP OpenView Operations, BMC Patrol and others. In his enterprise security audit work, Frank uses sniffers and other professional-grade monitoring tools on a daily basis.


Last modified March 25, 2009
Copyright 1990-2009 Easyrider LAN Pro