GhostNet is watching

In Monday's IT Blogwatch, GhostNet researchers unravel spyware from China; some do, and some do not, blame the Chinese government. Not to mention Bet Smart ...

Jeremy Kirk fills us in on the details:

A 10-month cyberespionage investigation has found that 1,295 computers in 103 countries and belonging to international institutions have been spied on, with some circumstantial evidence suggesting China may be to blame.

The 53-page report, released on Sunday, ... describes a network which researchers have called GhostNet, which primarily uses a malicious software program called gh0st RAT (Remote Access Tool) to steal sensitive documents, control Web cams and completely control infected computers.

Although evidence shows that servers in China were collecting some of the sensitive data, the analysts were cautious about linking the spying to the Chinese government. Rather, China has a fifth of the world's Internet users, which may include hackers that have goals aligning with official Chinese political positions.

John Markoff maps those details:

The researchers, who are based at the Munk Center for International Studies at the University of Toronto, had been asked by the office of the Dalai Lama, the exiled Tibetan leader whom China regularly denounces, to examine its computers for signs of malicious software, or malware.

Their sleuthing opened a window into a broader operation that, in less than two years, has infiltrated at least 1,295 computers in 103 countries, including many belonging to embassies, foreign ministries and other government offices, as well as the Dalai Lama's Tibetan exile centers in India, Brussels, London and New York.

At the same time, two computer researchers at Cambridge University in Britain who worked on the part of the investigation related to the Tibetans are releasing an independent report. They do fault China, and they warned that other hackers could adopt the tactics used in the malware operation.

F-Secure notes the server access:

But the real news is that Greg Walton & co actually managed to get an inside view of some of the servers used in these spying attacks. This means they got to see what was being done with the infected machines and where in the world they were.

Lidija Davis is listening:

Dubbed GhostNet, the operation is notable. Not only can it phish for information, it has remote access capabilities that can quickly and easily turn any computer into a giant listening device.

ThreatChaos sees a Trojan similarity:

You will notice the similarity between the methodologies described and the techniques used by Private Investigators in Israel back in 2005. They sent emails to their targets, sometimes after engaging them in phone conversations first. They used a customized Trojan horse crafted by Michael Haephrati.

Kim Zetter suspects a Tor connection:

The Times doesn't mention this, but I suspect the spy network is related to an issue that Threat Level reported in 2007 involving a Swedish researcher named Dan Egerstad who found documents and login and password information for dozens of embassy workers and political rights groups in Asia, including the office of the Dalai Lama, being leaked over a Tor network.

I contacted the researchers to ask them if they might have missed something about the Tor connection since it seems clear that the attacks they researched are related to the information the Swedish researcher uncovered. One of them responded that they had looked only at the list of Tor nodes on the Tor directory from mid-2008 onwards and had not looked at nodes from 2007, when the Swedish researcher had captured the logins and passwords on his node.

Jack Loftus explains the simplicity of it:

Other GhostNet highlights include the ability to turn on webcams and microphones remotely, and a browser-based "dashboard" that the spies use to control their network of 1,295 computers. And yes, I mean a dashboard as in what you use to post those American Idol rants to your WordPress blog. Researchers discovered the spynet using, of all things, a Google search.

Today's post was compiled by Joyce Carpenter. Richi Jennings is on vacation.

Copyright © 2009 IDG Communications, Inc.