Author Topic: Dalai Lama virus?  (Read 5419 times)

Ensapa

  • Hero Member
  • *****
  • Posts: 4124
    • Email
Dalai Lama virus?
« on: July 03, 2012, 10:28:46 AM »
Okay, now, this is getting really funny. The Chinese making viruses that are targeted at the Dalai Lama? Riiightttt, why use a virus when there are so many other ways to get information from the Dalai Lama's computer? And Mac? Also, what can you really do with the Dalai Lama's emails? He's just a monk. I cannot really understand the logic behind this, seriously. Is the Chinese government really that afraid of the Dalai Lama, or does it just happen to be someone with too much time on their hands who wants glamor?

Quote
Jun 28
Kaspersky Labs Discovers New Tibet Malware Variation
by zduncan
Kaspersky Labs, one of the top computer security companies in the nation, has just discovered a new variant of the Tibet malware for OS X, which is being distributed to specific Uyghur activist groups as part of a politically motivated advanced persistent threat (APT) attack, as it seems.
The malware is being spread via email to certain Uyghur Mac users and is also contained within a ZIP file known as “matiriyal.zip”. If this file is opened, it will display an image file and a text file that is a disguised OS X application that, if run, will install the malware. Once installed, the malware will connect to a command-and-control server based in China, which will allow a remote attacker to issue local commands and access files.
The Tibet Malware was first discovered back in March and initially used the same Java exploit that allowed the Flashback malware to infect nearly 1% of all Mac users. Since then the malware has been released in different variants that have exploited other known vulnerabilities, like the MS09-027 vulnerability in Microsoft Office that was discovered and patched back in 2009.
This newest version uses a standard Trojan horse approach by luring users to open the file based on curiosity and disguising the malware application as a harmless document. This malware is slightly different than other recent malware attacks on OS X, however. This new Tibet malware appears to be a concentrated political effort from mainland China against Tibet activist groups and isn’t being actively spread to other parts of the world.
Since Mac OS X only makes up a small fraction of the worldwide operating systems out there, it may seem strange that the platform is receiving this kind of attention from malware developers. Kaspersky says the answer is simple and that it may be that groups at political odds with China have revealed themselves using the operating system.
It has been said that the Dalai Lama is a well-known Mac user and regularly participates in conference calls and other online activities. It could be that the Tibet malware is an attempt to spy and steal information about the Dalai Lama and his activities, as well as those in similar groups like the Uyghurs, which have been at political odds with China for some time now.


However, it is an old virus and it appears to be targeting India and Japan as well. Hmm.

Vajraprotector

  • Administrator
  • Hero Member
  • *****
  • Posts: 610
Re: Dalai Lama virus?
« Reply #1 on: July 04, 2012, 04:45:04 AM »
Quote
Okay, now, this is getting really funny. The Chinese making viruses that are targeted at the Dalai Lama? Riiightttt, why use a virus when there are so many other ways to get information from the Dalai Lama's computer? And Mac? Also, what can you really do with the Dalai Lama's emails? He's just a monk. I cannot really understand the logic behind this, seriously. Is the Chinese government really that afraid of the Dalai Lama, or does it just happen to be someone with too much time on their hands who wants glamor?

It just shows you that the Chinese are serious and are devising all methods to 'get' the Dalai Lama. I do not agree with what they do, but you must give them credit that they do try their best.

Also, this is not the first time such an APT attack has been known. In September 2011, the Canadian Tibetan Committee was targeted in an email attack that tried to infect its computers with a trojan as the Dalai Lama was on his way to Montreal.

The Committee's email account received two rogue messages containing malicious attachments sent in the name of its executive director, Dermod Travis. One included a statement he made back in August on the topic of cybercrime.

The distributed trojan was clearly designed for cyber spying and has the ability to log keystrokes. Security experts and companies refer to such pieces of malware as advanced persistent threats (APTs).


Ensapa

  • Hero Member
  • *****
  • Posts: 4124
    • Email
Re: Dalai Lama virus?
« Reply #2 on: July 04, 2012, 07:11:22 AM »
Well, the CTA is not the only one targeted with this virus, it seems. The virus maker seems to be targeting several other countries as well, and it does not seem to be the work of the Chinese government but rather of someone who just has too much time on their hands and wants to do something about China's "enemies". It has been going on for a very long time, and it seems that the Dalai Lama's emails have been compromised before. Hmm. So what does the Chinese government get from that? The Dalai Lama is a monk; there is nothing to hide. He was even honest about the CIA funding. I don't think China will learn anything of importance to them from the mails. It is interesting to know that this is not new.

Quote
SAN FRANCISCO — A breach of computers belonging to companies in Japan and India and to Tibetan activists has been linked to a former graduate student at a Chinese university — putting a face on the persistent espionage by Chinese hackers against foreign companies and groups.
The attacks were connected to an online alias, according to a report to be released on Friday by Trend Micro, a computer security firm with headquarters in Tokyo.

The owner of the alias, according to online records, is Gu Kaiyuan, a former graduate student at Sichuan University, in Chengdu, China, which receives government financing for its research in computer network defense.

Mr. Gu is now apparently an employee at Tencent, China’s leading Internet portal company, also according to online records. According to the report, he may have recruited students to work on the university’s research involving computer attacks and defense.

The researchers did not link the attacks directly to government-employed hackers. But security experts and other researchers say the techniques and the victims point to a state-sponsored campaign.

“The fact they targeted Tibetan activists is a strong indicator of official Chinese government involvement,” said James A. Lewis, a former diplomat and expert in computer security who is a director and senior fellow at the Center for Strategic and International Studies in Washington. “A private Chinese hacker may go after economic data but not a political organization.”

Neither the Chinese embassy in Washington nor the Chinese consulate in New York answered requests for comment.

The Trend Micro report describes systematic attacks on at least 233 personal computers. The victims include Indian military research organizations and shipping companies; aerospace, energy and engineering companies in Japan; and at least 30 computer systems of Tibetan advocacy groups, according to both the report and interviews with experts connected to the research. The espionage has been going on for at least 10 months and is continuing, the report says.

In the report, the researchers detailed how they had traced the attacks to an e-mail address used to register one of the command-and-control servers that directed the attacks. They mapped that address to a QQ number — China’s equivalent of an online instant messaging screen name — and from there to an online alias.

The person who used the alias, “scuhkr” — the researchers said in an interview that it could be shorthand for Sichuan University hacker — wrote articles about hacking, which were posted to online hacking forums and, in one case, recruited students to a computer network and defense research program at Sichuan University’s Institute of Information Security in 2005, the report said.

The New York Times traced that alias to Mr. Gu. According to online records, Mr. Gu studied at Sichuan University from 2003 to 2006, when he wrote numerous articles about hacking under the names of “scuhkr” and Gu Kaiyuan. Those included a master’s thesis about computer attacks and prevention strategies. The Times connected Mr. Gu to Tencent first through an online university forum, which listed where students found jobs, and then through a call to Tencent.

Reached at Tencent and asked about the attacks, Mr. Gu said, “I have nothing to say.”

Tencent, which is a privately managed and stock market-listed Internet company, did not respond to several later inquiries seeking comment.

The attacks are technically similar to a spy operation known as the Shadow Network, which since 2009 has targeted the government of India and also pilfered a year’s worth of the Dalai Lama’s personal e-mails. Trend Micro’s researchers found that the command-and-control servers directing the Shadow Network attacks also directed the espionage in its report.

The Shadow Network attacks were believed to be the work of hackers who studied in China’s Sichuan Province at the University of Electronic Science and Technology, another university in Chengdu, that also receives government financing for computer network defense research. The People’s Liberation Army has an online reconnaissance bureau in the city.

Some security researchers suggest that the Chinese government may use people not affiliated with the government in hacking operations — what security professionals call a campaign.
For example, earlier this year, Joe Stewart, a security expert at Dell SecureWorks, traced a campaign against the Vietnam government and oil exploration companies to an e-mail address that belonged to an Internet marketer in China.
“It suggested there may be a marketplace for freelance work — that this is not a 9-to-5 work environment,” Mr. Stewart said. “It’s a smart way to do business. If you are a country attacking a foreign government and you don’t want it tied back, it would make sense to outsource the work to actors who can collect the data for you.”

The campaign detailed in the Trend Micro report was first documented two weeks ago by Symantec, a security firm based in Mountain View, Calif. It called the operation “Luckycat,” after the login name of one of the other attackers, and issued its own report. But Trend Micro’s report provides far more details. The two firms were unaware that they were both studying the same operation.

Trend Micro’s researchers said they were first tipped off to the campaign three months ago when they received two malware samples from two separate computer attacks — one in Japan and another in Tibet — and found that they were both being directed from the same command-and-control servers. Over the next several months, they traced more than 90 different malware attacks back to those servers.

Each attack began, as is often the case, with an e-mail intended to lure victims into opening an attachment. Indian victims were sent an e-mail about India’s ballistic missile defense program. Tibetan advocates received e-mails about self-immolation or, in one case, a job opening at the Tibet Fund, a nonprofit based in New York City. After Japan’s earthquake and nuclear disaster, victims in Japan received an e-mail about radiation measurements.

Each e-mail contained an attachment that, when clicked, automatically created a backdoor from the victim’s computer to the attackers’ servers. To do this, the hackers exploited security holes in Microsoft Office and Adobe software. Almost immediately, they uploaded a directory of the victims’ machines to their servers. If the files looked enticing, hackers installed a remote-access tool, or rat, which gave them real-time control of their target’s machine. As long as a victim’s computer was connected to the Internet, attackers had the ability to record their keystrokes and passwords, grab screenshots and even crawl from that machine to other computers in the victim’s network.

Trend Micro’s researchers would not identify the names of the victims in the attacks detailed in its report, but said that they had alerted the victims, and that many were working to remediate their systems.

A spokesman for India’s Defense Ministry, Sitanshu Kar, said he was not aware of the report or of the attacks it described. Fumio Iwai, a deputy consul at the Japanese consulate in New York, declined to comment.

As of Thursday, the campaign’s servers were still operating and computers continue to leak information.

“This was not an individual attack that started and stopped,” said Nart Villeneuve, a researcher that helped lead Trend Micro’s efforts. “It’s a continuous campaign that has been going on for a long time. There are constant compromises going on all time. These guys are busy and stay busy.”



http://www.nytimes.com/2012/03/30/technology/hacking-in-asia-is-linked-to-chinese-ex-graduate-student.html?_r=2&ref=global


Vajraprotector

  • Administrator
  • Hero Member
  • *****
  • Posts: 610
Re: Dalai Lama virus?
« Reply #3 on: July 06, 2012, 03:43:58 AM »
The latest attack is related to His Holiness' birthday. Whoever this is really is serious about 'getting' the Dalai Lama and supporters of His Holiness/the Tibetan cause.

Dalai Lama's Birthday Used As Bait In Targeted Attacks

Followers and supporters of Tibetan Buddhist leader the Dalai Lama were the targets of an e-mail borne attack that used news of the spiritual leader's birthday to trick recipients into installing a surreptitious monitoring program on their computers.

Researchers at Kaspersky Lab identified a number of e-mail messages sent to supporters of the Buddhist leader containing a Microsoft Word file attachment. When opened, the file exploits a recently discovered hole in Microsoft's Common Controls and installs a downloader program that, in turn, installs variants of the Midhos family of Trojan horse programs on the infected system. The Midhos Trojan has played a part in earlier attacks on supporters of the Dalai Lama. And analysis of the malware by Kaspersky Lab shows that the command and control infrastructure used in the attacks is identical to that used by a Trojan program designed for Mac OS X systems and used in targeted attacks on the Tibetan Government in Exile.

The latest attacks were first identified on July 3 in the form of e-mail messages with the subject "Dalai Lama's birthday on July 6 to be low-key affair." The e-mail messages, sent to supporters, purport to offer details of plans to celebrate the 77th birthday of Tenzin Gyatso, the current Dalai Lama.

Much has been made, in recent months, of the Dalai Lama's use of Apple products. That shift is possibly a response to the so-called GhostNet attacks against the Tibetan Government In Exile that date to 2009. However, those seeking access to the inner planning of the Dalai Lama and the Tibetan Government in Exile merely shifted to more sophisticated attacks, including Mac-based malware and attacks.

This isn't the first time that the Tibetan Government in Exile and organizations supporting the Tibetan cause have been targeted. In 2009, researchers in Canada and the UK raised the alarm about a widespread and long standing espionage campaign, dubbed GhostNet, against governments, human rights organizations and others. Raiu said that, though the Dalai Lama may have shifted to Mac, many of his supporters continue to use Windows systems, necessitating targeted attacks against both platforms.

http://threatpost.com/en_us/blogs/dalai-lamas-birthday-used-bait-targeted-attacks-070512

dsiluvu

  • Hero Member
  • *****
  • Posts: 1272
Re: Dalai Lama virus?
« Reply #4 on: July 06, 2012, 10:02:20 PM »
The latest attack is related to His Holiness' birthday. Whoever this is really is serious about 'getting' the Dalai Lama and supporters of His Holiness/the Tibetan cause.

Dalai Lama's Birthday Used As Bait In Targeted Attacks

The latest attacks were first identified on July 3 in the form of e-mail messages with the subject "Dalai Lama's birthday on July 6 to be low-key affair." The e-mail messages, sent to supporters, purport to offer details of plans to celebrate the 77th birthday of Tenzin Gyatso, the current Dalai Lama.

This isn't the first time that the Tibetan Government in Exile and organizations supporting the Tibetan cause have been targeted. In 2009, researchers in Canada and the UK raised the alarm about a widespread and long standing espionage campaign, dubbed GhostNet, against governments, human rights organizations and others. Raiu said that, though the Dalai Lama may have shifted to Mac, many of his supporters continue to use Windows systems, necessitating targeted attacks against both platforms.

http://threatpost.com/en_us/blogs/dalai-lamas-birthday-used-bait-targeted-attacks-070512


Oh dear... And I had this horrible thought after reading this that the CTA is probably going to point their fingers at "us", the Shugden practitioners, and associate it with the help/support of China. Geeeezzzz, why is it that the nation that preaches peace and harmony and loving kindness gets so many attacks if they have been practicing what they preach... unless they have not, the obvious!

kris

  • Hero Member
  • *****
  • Posts: 919
Re: Dalai Lama virus?
« Reply #5 on: July 28, 2012, 09:11:04 PM »
This is indeed quite interesting. As mentioned, Mac OS has only a pretty small share of the operating system market (compared to Windows), and usually there is not much virus/malware for Mac OS since the effect is not as great as compared to writing a virus for Windows.

However, from my own experience, there are many viruses which seem to be from China but actually are not. As we all know, China has one of the biggest populations of online users in the world, and if I were a virus programmer, I would like to "utilize" the China computers to help spread the virus.

I have a server on which I get constant "login attempts" from China (based on IP address), but most of the time the attempts or attacks are unknown to the computer owner himself.

I think this news only makes HH Dalai Lama more famous :) more than anything else...
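Added example, not from the original post: the kind of check a server owner in kris's position would run to see where the "constant login attempts" come from. It parses OpenSSH `Failed password` lines, counts failures per source IP and records which usernames each source tried; many distinct usernames from one address is the signature of a dictionary scan, while a couple of failures under a real account name is more likely a user mistyping. The log lines in `SAMPLE_LOG` are constructed (documentation-range IPs, invented hostname and PIDs). As the post itself notes, the source IP says which machine the packets came from, not who controls it.

```python
"""Summarize failed SSH logins per source IP from sshd log lines (added example)."""
import re
from collections import Counter, defaultdict

# OpenSSH auth-log line for a rejected password; "invalid user" is present when the
# account does not exist at all, which is typical of dictionary scans.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log (hostname "srv", PIDs and RFC 5737 addresses are made up).
SAMPLE_LOG = """\
Jul 28 20:11:02 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jul 28 20:11:05 srv sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jul 28 20:11:09 srv sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51251 ssh2
Jul 28 20:11:12 srv sshd[1207]: Failed password for root from 203.0.113.7 port 51260 ssh2
Jul 28 20:11:30 srv sshd[1210]: Failed password for kris from 198.51.100.20 port 40001 ssh2
Jul 28 20:11:41 srv sshd[1212]: Accepted publickey for kris from 198.51.100.20 port 40002 ssh2
Jul 28 20:12:03 srv sshd[1215]: Failed password for invalid user test from 192.0.2.44 port 60001 ssh2
Jul 28 20:12:04 srv sshd[1216]: Failed password for invalid user guest from 192.0.2.44 port 60002 ssh2
Jul 28 20:12:06 srv sshd[1217]: Failed password for invalid user ubnt from 192.0.2.44 port 60003 ssh2
""".splitlines()


def summarize_failures(lines):
    """Return (Counter of failures per IP, dict of IP -> set of usernames tried)."""
    counts = Counter()
    users = defaultdict(set)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:  # successful logins and unrelated lines are skipped
            counts[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    return counts, users


def brute_force_sources(lines, threshold=3):
    """Return [(ip, attempts, sorted usernames)] for sources with at least `threshold`
    failures, most active first. Sources below the threshold are left alone so a
    legitimate user who mistyped once does not get reported."""
    counts, users = summarize_failures(lines)
    hits = [(ip, n, sorted(users[ip])) for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for ip, attempts, names in brute_force_sources(SAMPLE_LOG):
        print(f"{ip}: {attempts} failed logins, usernames tried: {', '.join(names)}")
```

On a real host the same functions can be fed `/var/log/auth.log` (or `journalctl -u ssh`) line by line; the per-IP username list is what distinguishes a scanner walking a wordlist from a colleague who forgot a password.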