Tibet Trojan attacks connected to Chinese programmer
Security firm AlienVault thinks it has identified a key Chinese programmer with connections to the Chinese Government who could be behind a long-running malware assault on pro-Tibet campaigners, including with the recent PlugX RAT Trojan.
Security firm AlienVault thinks it has identified a key Chinese programmer with connections to the Chinese Government who could be behind a long-running malware assault on pro-Tibet campaigners, including with the recent PlugX RAT Trojan.
It's extremely rare that security companies are able to put a name and a face to specific pieces of malware so the connection it stumbled upon when researching PlugX could attract some attention.
While researching PlugX's binaries, the company started noticing similarities in some of the software's debug paths.
Searching for similar debug paths in the User folder, the firm noticed the same 'whg' subfolder in a program called SockMon distributed from a named domain connected to a company, Chinansl.com Technology Ltd that had published security vulnerabilities in the past.
The domain contact info turned out to be for a Chengdu-located security company. 'Whg' turned out to work for the company with references to which described him as "Virus expert. Pro?cient in assembly."
"At this point you can be thinking we cannot accuse whg of being related to the Xplug RAT and the targeted campaigns just for a couple of debug paths inside the binary, can we?," AlienVault said.
"With the information we have, we can say that this guy is behind the active development of the Xplug RAT and he probably has some inside on the operations since this path."
AlienVault also found web references, including referenced Wikipedia entries mentioning a 'WHG', as being connected to a string of important Chinese hacker attacks stretching back some years, including the infamous Titan Rain from 2007. A source named the sponsor of the WHG's company as being the PLA.
The connection of WHG's company to the PLA is built on circumstantial evidence but the coincidences are still unsettling.
The PlugX RAT, meanwhile, has been used in attacks in Asia but also against pro-Tibet campaigners, exploiting Java vulnerabilities and digital certificates that let it masquerade as legitimate driver files.
Trend Micro reckons that PlugX is part of a longer-running campaign that has been around since early 2008 and probably takes in remote access Trojans including this year's Poison Ivy.
The modus operandi is also very similar to the Gh0st RAT attacks. All of these campaigns have a theme of attacking pro-Tibet campaigners and are widely assumed to be connected to the Chinese Government in some way.
- Senator introduces legislation targeting patent trolls
- Dunkin' Donuts brews up strong social response to Boston bombings
- Buyers Beware, Many BlackBerry 10 Apps Aren't Compatible with Q10 Smartphone
- Magicka for iPad is a fun port of its PC counterpart
- Obama nominates Wheeler as new FCC chairman
- ESEA gaming client hijacks GPUs for Bitcoin mining
- Blackberry CEO's comments ignite debate on future of personal computing
- Windows 8 grows slow, XP just won't go
- AT&T's new trade-in program for smartphone buyers
- Netflix lost more than 1100 streaming titles Wednesday, but does it matter?
- Digg's replacement for Google Reader due in June; might cost money
- Airbnb's new Verified ID system makes guests to prove they are real people
- AirPort interference? Leave it alone
- Hands on: Briefs is an ambitious tool for prototyping iOS apps
- How to Craft the Best BYOD Policy
- Google Nexus 11 leaked along with more Samsung Galaxy tablets
- BlackBerry CEO unfairly mocked for questioning tablets’ dominion
- MIT entrepreneur automates e-commerce ordering process
- Asana adds enterprise features to its task management app
- Oracle takes stake in ingestible health sensor maker
- Action! Big Blue enters film biz with atomic movie
- Groups criticize FBI plan to require Internet backdoors for wiretaps
- Microsoft's browser auto-update pays off as IE10 share doubles
- Crisp your desktop with a window manager utility
- Benchmarking Amazon EC2: The wacky world of cloud performance
- Numbers game: Why analyst says iPhone market share will exceed Android
- iTunes music downloads we regret
- The Macalope Weekly: Off with his head!
- A week with Taptu: A Google Reader junkie's journey
- Make your Twitter feed less annoying in 3 simple steps
-
Senator introduces legislation targeting patent trolls
A U.S. senator has introduced legislation allowing the U.S. Patent and Trademark Office to review and invalidate controversial patents challenged by technology startups in an effor(...) -
Dunkin' Donuts brews up strong social response to Boston bombings
When Dunkin' Donuts executives were deciding how to respond on Twitter and Facebook to the Boston Marathon bombings, they acted like what they are - members of a grieving Boston(...) -
Buyers Beware, Many BlackBerry 10 Apps Aren't Compatible with Q10 Smartphone
When I reviewed the first BlackBerry 10 smartphone, the Z10, in January, I had mostly good things to say but also expressed concern that big-name app publishers were not throwing t(...) -
Magicka for iPad is a fun port of its PC counterpart
The original Magicka, Arrowhead Studios' inaugural release for Windows PCs, was--for a while--the best possible excuse for killing your friends. It is a comical action-adventure ga(...) -
Obama nominates Wheeler as new FCC chairman
U.S. President Barack Obama has nominated telecom trade group veteran Tom Wheeler to be the next chairman of the U.S. Federal Communications Commission.
Copyright 2009 IDG Magazines Norge AS. All rights reserved
Postboks 9090 Grønland - 0133 OSLO / online@idg.no / Telefon 22053000
Ansvarlig redaktør Morten Kristiansen / Utviklingsansvarlig Ulf H. Helland / Salgsdirektør Jon Thore Thorstensen
