
Pro-Tibet Non-Profit Under Cyber-Attack



We haven’t discussed security very much on this blog for two simple reasons: I’m not a computer security expert, and, the Convio security breach aside, I rarely get wind of security issues in the non-profit sector. Recently, however, a few non-profits have gone public about a sustained series of cyberattacks on pro-Tibet advocacy nonprofits. Unfortunately, the Washington Post writer didn’t have enough specifics for us techies to act on. NOTE: much of the discussion that follows was written with a technical audience in mind.

I delved deeper and had the luck to do an e-mail interview with Nathan Dorjee of Students for a Free Tibet and their IT security advisor, Maarten Van Horenbeeck.

Here are some of the most important findings for e-mail administrators in our sector as told to me by Nathan:

  1. Create invite-only mailing lists that aren’t forwarded or shared beyond the list membership
  2. Don’t use email attachments unless necessary. Use web file sharing or online office systems to share documents.
  3. Teach your users how to recognize suspicious emails – “Why would the Tibetan Gov’t in Exile send an email from an @yahoo address?” “Why is this person suddenly sending emails from a new address?” “Did I ask for this file they are sending?”
  4. If you aren’t funding-rich, use free AV tools such as Avira or ClamAV, and keep them updated DAILY
  5. Web mail is your friend – for many reasons: spam filtering, virus checking, document previewing, login securing, and you also never know when your laptop might be confiscated or stolen
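The rules above can be turned into an automated first pass over incoming mail. The script below is an added example, not code from Students for a Free Tibet or their advisors: it parses one message, applies rule 3 (an organisation’s name in the display name but a free webmail sender), flags the attachment types that the samples at the end of this post arrive in, and hashes every attachment against a known-bad MD5 list. The sample message, the organisation and webmail tables and the risky-extension set are constructed for the example and should be adapted locally; the MD5 values are the ones published further down this page.

```python
import email
import email.utils
import hashlib
import os
from email import policy
from email.message import EmailMessage

# Assumption: organisations whose staff would never mail from free webmail.
KNOWN_ORG_NAMES = (
    "Tibetan Government in Exile",
    "Central Tibetan Administration",
    "Students for a Free Tibet",
)
FREE_WEBMAIL = {"yahoo.com", "gmail.com", "hotmail.com"}

# File types seen in the samples at the end of this post, plus the archive
# formats used to wrap them past weak AV filters.
RISKY_EXTENSIONS = {".doc", ".pps", ".ppt", ".xls", ".mdb", ".chm", ".rar", ".zip", ".exe"}

# MD5s of the samples listed at the end of this post.
KNOWN_BAD_MD5 = {
    "a63839f66bee29199963c4af5f29fd17",  # Green-Silence.chm
    "4c38db4e554ec204e76a9100942bd5a7",  # truth_of_darfur-china_and_2008_olympics.pps
    "28de51b4455b919299084e1d003b4e15",  # about_money.pps
    "424188528643359fe5ecbc51734a8d26",  # tibetans_olympic_torch.doc
    "e3a6e5f553f9672765a4f8ab6fa06b72",  # beijingolympic.mdb
    "ffd3d51f09d00ab14b0e98023c0e6736",  # beijingolympic.doc
    "48dccf4e74ed2cd7b4a7477b1d61f29c",  # the_art_of_illness.pps
    "7c89cf7c9cc24627eaa5dbed4b8ddf95",  # tibet_government_leader_confirms_protest.doc
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_sample_message() -> bytes:
    """Constructed lure: an organisation's name in the display name, a free
    webmail sender, and a .doc attachment. The attachment body is a
    placeholder string, not a real document and not malware."""
    msg = EmailMessage()
    msg["From"] = "Tibetan Government in Exile <tibet.gov.exile@yahoo.com>"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Tibetans and the Olympic torch"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(
        b"constructed placeholder, not malware",
        maintype="application",
        subtype="msword",
        filename="tibetans_olympic_torch.doc",
    )
    return msg.as_bytes()


def triage(raw: bytes, known_bad=KNOWN_BAD_MD5) -> list:
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    display, addr = email.utils.parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    # Rule 3: "why would the Tibetan Gov't in Exile send from an @yahoo address?"
    if sender_domain in FREE_WEBMAIL:
        for org in KNOWN_ORG_NAMES:
            if org.lower() in display.lower():
                findings.append(
                    f"display name claims '{org}' but sender domain is {sender_domain}"
                )

    # Rule 2: attachments are discouraged; document and archive types doubly so.
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = os.path.splitext(name)[1].lower()
        digest = md5_hex(part.get_payload(decode=True) or b"")
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type {ext}: {name}")
        if digest in known_bad:
            findings.append(f"attachment {name} matches known-bad MD5 {digest}")
    return findings


if __name__ == "__main__":
    for line in triage(build_sample_message()):
        print(line)
```

Run it as a filter in front of the mailbox (or over a mail archive) and route anything with a finding to a human rather than to the inbox. The hash match only catches samples you already know about; the display-name and attachment-type rules are what catch the next variant.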

As you can see, these are fairly simple rules that you can carry out on your own as an administrator. Unfortunately, point #5 will be an issue of contention for many of us. As you know, I have been recommending for quite some time that nonprofits switch to Web-hosted e-mail. Those of you still on Outlook and unwilling to change should by now have started using Postini or Microsoft Continuity Services to at least filter out spam and viruses. I’m sure you’ll also remark, “If my nonprofit is being hit by targeted, customized viruses like the ones Students for a Free Tibet are receiving, Gmail, Yahoo, Hotmail and even Postini won’t be able to stop these custom payloads.” I put that objection to Nathan Dorjee:

“You are right, they do not, generally. However, Gmail has a handy one-click feature for previewing attachments in HTML. If it cannot open a file that way, the file is often corrupt and/or contains a trojan.”

And that, my dear readers, is why I choose Gmail over Exchange Server. Outlook makes users far too prone to opening attachments and gives them little control over how they consume their e-mail. Outlook does block executable attachment types (.exe, .vbs and the like) by default, but not the Office documents and archives these attacks arrive in. You could go further with a Group Policy on Windows Server 2003 that stops users from opening attachments altogether, but that is clearly going too far. If any of you have suggested workarounds, I’d love to hear them.

I asked this question regarding the viruses themselves:

I understand some of this virus code was looking for PGP keys. Was some of it carried in the payload of a Word .doc as VBA (Visual Basic for Applications)? Is that how you found out what this code was doing, or was it decompiled? If it is a VBA virus, would you mind sharing the code so that the rest of the community can take a look at it?

Nathan Dorjee responded:

We have countless infected files of this variety. I have been sharing them with Maarten and other researchers, who do the work to analyze them, and then share their findings and fingerprints with AV companies and governmental organizations as appropriate.

As you can tell, VBA code is one culprit here. Writing malicious VBA macros has been easy since the early days of e-mail-borne viruses: the Melissa virus of 1999 was a Word macro virus (the I Love You worm, often mentioned in the same breath, was actually a VBScript attachment rather than VBA). VBA is both incredibly useful and easy to abuse, because a macro can call into the file system and the operating system. Using OpenOffice.org in this situation would blunt most macro attacks, since Writer, the OpenOffice.org equivalent of Word, does not run Word’s VBA macros. Be aware that .xls attachments are still somewhat suspect, as Calc, the OpenOffice.org equivalent of Excel, has partial VBA compatibility and can execute some VBA code.

However, VBA isn’t the only problem. There are buffer overflow attacks as well.

Nathan also chimes in on the matter of buffer overflow attacks:

…these are DLL payloads executed via buffer overruns. Much more serious business since these types of attacks can occur without requiring a scripting environment to be present. It is this approach that has allowed the diversity of infected attachments to increase.

Maarten adds:

There have been a small number of instances of VBA code being used in these Word documents, but this has been quite limited. The majority actually exploits a vulnerability in the application software. They exploit e.g. a buffer overflow and then execute so-called “shellcode”, which is binary code that in these attacks really decrypts the actual trojan, which is stored encrypted in the document.

This means that an additional step in keeping machines secure is to ensure that the latest updates are applied. This does not only mean Windows updates, but also those for e.g. Acrobat Reader. The latter are quite often forgotten, as these are “tools” that do not always prompt you to update as Windows does.

For more information about buffer overflow attacks, there are quite good explanations at this Windows Security site and at Wikipedia.

Those of you who have administrator accounts on hosted NT servers reachable through Terminal Services must also change your administrator password from time to time and choose it well, because some of these attacks are using weak administrator passwords on hosted servers as their way in. This is relatively easy to protect against: never use something like “admin” as the password, turn on account lockout after a handful of failed logons, and watch the security log for runs of failed logons from a single source address. Better still, don’t expose Terminal Services to the whole Internet; restrict it to your own addresses or a VPN.
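One way to spot a password-guessing run against Terminal Services in the security log, as an added example that is not part of the original post. Windows NT/2000/2003 record a failed logon as event 529 and a successful one as 528, and logon type 10 marks a Terminal Services (RDP) session. The log excerpt below is constructed in a simplified one-line format, since a real event-log export has many more fields, and the threshold and time window are assumptions to tune for your own servers.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 529    # NT/2000/2003 security log: "Logon Failure: Unknown user name or bad password"
SUCCESS_LOGON = 528   # "Successful Logon"
RDP_LOGON_TYPE = 10   # Logon Type 10 = RemoteInteractive, i.e. Terminal Services / RDP

# Constructed security-log excerpt, one record per line (a real export has
# many more fields). 203.0.113.9 is a documentation address standing in for
# a guessing host; 192.0.2.5 is an admin who mistypes once, then logs in.
SAMPLE_LOG = """\
2008-03-20 02:14:01 EventID=529 Type=10 User=Administrator Source=203.0.113.9
2008-03-20 02:14:02 EventID=529 Type=10 User=Administrator Source=203.0.113.9
2008-03-20 02:14:03 EventID=529 Type=10 User=Administrator Source=203.0.113.9
2008-03-20 02:14:05 EventID=529 Type=10 User=Administrator Source=203.0.113.9
2008-03-20 02:14:06 EventID=529 Type=10 User=Administrator Source=203.0.113.9
2008-03-20 02:14:08 EventID=529 Type=10 User=Administrator Source=203.0.113.9
2008-03-20 02:14:10 EventID=528 Type=10 User=Administrator Source=203.0.113.9
2008-03-20 09:30:00 EventID=529 Type=10 User=jsmith Source=192.0.2.5
2008-03-20 09:30:20 EventID=528 Type=10 User=jsmith Source=192.0.2.5
"""


def parse_event(line):
    """Turn one constructed log line into a dict."""
    parts = line.split()
    kv = dict(p.split("=", 1) for p in parts[2:])
    return {
        "ts": datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S"),
        "event": int(kv["EventID"]),
        "logon_type": int(kv["Type"]),
        "user": kv["User"].lower(),
        "source": kv["Source"],
    }


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Report each source with `threshold` failed RDP logons inside `window`,
    and any successful RDP logon from such a source afterwards."""
    alerts = []
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    flagged = set()                 # sources already reported as guessing
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        src = ev["source"]
        if ev["event"] == FAILED_LOGON:
            q = failures[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"kind": "bruteforce", "source": src,
                               "user": ev["user"], "failures": len(q),
                               "at": ev["ts"].isoformat(sep=" ")})
        elif ev["event"] == SUCCESS_LOGON and src in flagged:
            # The guess worked: treat the account and the server as compromised.
            alerts.append({"kind": "success-after-bruteforce", "source": src,
                           "user": ev["user"], "at": ev["ts"].isoformat(sep=" ")})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert kind is the one to page on: a burst of failures followed by a success from the same address means the password was guessed, and a password change alone is no longer enough. Account lockout would have stopped the run at the lockout threshold, which is why it belongs alongside this check rather than instead of it.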

Those of you who are receiving e-mail attachments like those listed at the end of this article are advised to e-mail your findings to mvx@daemon.be so that further research can be done. Another site with good security recommendations is Ironcove, a blog about IT security and NGOs.

One really important note has to be made. There is a large social engineering component to these attacks, just as there was with the I Love You virus. The attackers spoof legitimate e-mail addresses and attach payloads that install a rootkit; it is clearly an attempt to exploit existing social relationships and the trust that goes with them. As you can see, even the filenames have been tailored to the situation unfolding in Tibet right now. I find it an affront to me as a human being to see this kind of nasty political trick played on an NGO. I strongly urge you to make a donation to Students for a Free Tibet. I have done so already.


The following is a representative sample of the malicious payloads and the kind of activities that they are meant to carry out. Maarten Van Horenbeeck also notes:

…in the cases listed, the trojan actually gave virtually unfettered access to the compromised system. In most cases this includes downloading and uploading files, as well as installing additional code. As a control connection is maintained to a server under control of the attackers, they are able to submit specific commands to undertake a specific action on the machine.

[1] Green-Silence.chm
MD5 a63839f66bee29199963c4af5f29fd17

This CHM file was initially distributed inside a RAR archive in an attempt to bypass weak anti-virus filters. It contains an embedded music.exe, which is invoked as a hidden object. The trojan then registers with a control server at 202.134.124.178 (Dyxnet, Hong Kong).

[2] truth_of_darfur-china_and_2008_olympics.pps
MD5 4c38db4e554ec204e76a9100942bd5a7

Drops windex.exe and winup.exe. The actual trojan is an Enfal which connects to top10.51happyfund.com, being the notorious 60.10.1.244.

[3] about_money.pps
MD5 28de51b4455b919299084e1d003b4e15

Drops VsTskMgr.exe and iislogmgr.dll, an Enfal trojan that connects to bsek1.ggsddup.com, being the machine 60.10.1.244.

[4] tibetans_olympic_torch.doc
MD5 424188528643359fe5ecbc51734a8d26

Drops a driver rrnjks.dll and a binary 1516.exe. It then connects to miccrasoft.com, a host at 211.147.251.52. There, it retrieves the actual location of the control server:

125.89.19.31:80

Next, a request is issued to register with this server, hosted at ChinaNet Guangdong:

POST /DDD/DDD/D.JSP HTTP/1.1

[5] 2008_beijing_olympic_a_.doc
2008_beijing_olympic_games__b_.doc

Used together, the two files exploit a vulnerability in the Microsoft Jet 4.0 database engine (JetDB4) and drop sysqaz.exe to disk. This trojan contains code to connect to posere.flower-show.org, the host 202.59.153.220 on FirstNetCom in Hong Kong.

beijingolympic.mdb
MD5 e3a6e5f553f9672765a4f8ab6fa06b72

beijingolympic.doc
MD5 ffd3d51f09d00ab14b0e98023c0e6736

[6] the_art_of_illness.pps
MD5 48dccf4e74ed2cd7b4a7477b1d61f29c

This Powerpoint drops an Enfal trojan (VsTskMgr.exe + iislogmgr.dll) which connects to bsek5.ggsddup.com.

[7] tibet_government_leader_confirms_protest.doc
MD5 7c89cf7c9cc24627eaa5dbed4b8ddf95

Drops conpre.exe to disk, which resolves dnsname.3322.org (222.129.67.65) and then submits data to it over UDP port 53, a port that is rarely filtered outbound because it is needed for DNS.
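The hosts, addresses and the registration request in the sample list above are exactly what a proxy or DNS log can be checked against. The script below is an added example, not code from the original post or from Maarten’s research: the indicator table is copied from the samples above, the log lines are constructed in a simplified one-record-per-line format (a real proxy or DNS log will need its own parser), and as a generalisation it also matches on the parent zones of the control hosts, since samples [3] and [6] use numbered subdomains of the same zone. Matching on the `POST /DDD/DDD/D.JSP` request catches sample [4] even after the control server address it fetches from miccrasoft.com changes.

```python
# Indicators taken from the sample list above, keyed by sample number.
C2_HOSTS = {
    "top10.51happyfund.com": "[2]",
    "bsek1.ggsddup.com": "[3]",
    "miccrasoft.com": "[4] locator",
    "posere.flower-show.org": "[5]",
    "bsek5.ggsddup.com": "[6]",
    "dnsname.3322.org": "[7]",
}
# Generalisation (an assumption, not from the post): the attackers rotate
# subdomains, so treat the parent zones as indicators too. 3322.org is a
# public dynamic-DNS service and is deliberately left out of this set.
C2_ZONES = {"51happyfund.com": "[2]", "ggsddup.com": "[3]/[6]", "flower-show.org": "[5]"}
C2_IPS = {
    "202.134.124.178": "[1]",
    "60.10.1.244": "[2]/[3]",
    "211.147.251.52": "[4] locator",
    "125.89.19.31": "[4] control server",
    "202.59.153.220": "[5]",
    "222.129.67.65": "[7]",
}
# The registration request sample [4] issues once it knows the control server.
C2_HTTP_REQUESTS = {("POST", "/DDD/DDD/D.JSP"): "[4] registration"}

# Constructed proxy/DNS log excerpt, one record per line. Client addresses
# are private; 192.0.2.80 and 198.51.100.7 are documentation addresses.
SAMPLE_LOG = """\
2008-03-21 10:02:11 HTTP client=10.0.0.21 host=www.example.org ip=192.0.2.80 method=GET uri=/index.html
2008-03-21 10:05:40 DNS client=10.0.0.21 query=miccrasoft.com answer=211.147.251.52
2008-03-21 10:05:41 HTTP client=10.0.0.21 host=miccrasoft.com ip=211.147.251.52 method=GET uri=/
2008-03-21 10:05:44 HTTP client=10.0.0.21 host=125.89.19.31 ip=125.89.19.31 method=POST uri=/DDD/DDD/D.JSP
2008-03-21 11:17:03 DNS client=10.0.0.33 query=bsek3.ggsddup.com answer=60.10.1.244
2008-03-21 13:40:00 DNS client=10.0.0.35 query=dnsname.3322.org answer=222.129.67.65
2008-03-21 15:02:09 HTTP client=10.0.0.40 host=198.51.100.7 ip=198.51.100.7 method=POST uri=/DDD/DDD/D.JSP
"""


def parse_record(line):
    """Split one constructed log line into a dict of its fields."""
    parts = line.split()
    rec = dict(p.split("=", 1) for p in parts[3:])
    rec["ts"] = parts[0] + " " + parts[1]
    rec["kind"] = parts[2]          # "HTTP" or "DNS"
    return rec


def match_record(rec):
    """Return (indicator, sample) for the first indicator that fires, or None.
    Order of checks: exact host, parent zone, IP address, request pattern."""
    name = (rec.get("query") if rec["kind"] == "DNS" else rec.get("host")) or ""
    ip = rec.get("answer") if rec["kind"] == "DNS" else rec.get("ip")
    if name in C2_HOSTS:
        return name, C2_HOSTS[name]
    for zone, sample in C2_ZONES.items():
        if name == zone or name.endswith("." + zone):
            return name, f"{sample} (zone {zone})"
    if ip in C2_IPS:
        return ip, C2_IPS[ip]
    if rec["kind"] == "HTTP":
        key = (rec["method"].upper(), rec["uri"].upper())
        if key in C2_HTTP_REQUESTS:
            return f"{rec['method']} {rec['uri']}", C2_HTTP_REQUESTS[key]
    return None


def scan(log_text):
    """Return one hit per log record that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        match = match_record(rec)
        if match:
            hits.append({"ts": rec["ts"], "client": rec["client"],
                         "indicator": match[0], "sample": match[1]})
    return hits


def infected_clients(hits):
    """Distinct internal addresses that talked to an indicator."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h)
    print("clients to isolate:", infected_clients(found))
```

The list of clients is the output that matters operationally: each one is a machine that has already run one of the documents, so it should be taken off the network and reimaged rather than merely cleaned, given the unfettered access Maarten describes above.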


6 Comments

  • On 03.27.08 Bryan said:

    Thanks for the post, Allan.

    I’m sharing this with our staff now… at least the part before the explanation of the VB code, that is.

    It’s important to remember that these attacks not only affect the direct target, but disrupt the networks of organizations and individuals that support them, which is why this issue matters to all of us.

    -b

  • On 03.27.08 Allan Benamer said:

    Yes, that’s why it’s such an important thing to get the word out on this. Anybody who does any kind of advocacy has to watch out especially if they might have foes that have infowar capabilities. I really hate the idea of using code to disrupt human relationships that bind people together and as technologists we should definitely speak out about this.

  • On 03.27.08 Laura Whitehead said:

    Valid and useful tips! Thanks for another great article Allan! It always seems so wrong when nonprofits are attacked in this way. In my work with orgs, I sometimes deal with the above and also cruel site hackers too.

  • On 04.24.08 Peter said:

    Excellent article Allan, the payload samples from Maarten are quite interesting towards the end of the article.

    As a heads up I have put together a paper covering the recent attacks against pro-Tibetan groups (you are linked in the paper).

    When Dragons Attack – Paper

  • On 04.24.08 Allan Benamer said:

    Thanks for your kind comment, Peter. Yeah, I consider the best part of the article to be the payload samples. I wish more people had commented on that part of the article. I know, I know — totally nerdy. Your paper is quite thorough on the attacks on pro-Tibetan groups.

    Those of you reading this article should take the time to check it out!

  • On 04.25.08 spy guy said:

    I have been reading all I can about cyber attacks and warfare. The former Chief Strategist of Netscape – Kevin Coleman – has warned that we are at great risk in business, government and industry. Why is it we never listen to the experts before it is too late?
