53 Pages, 10 Months, 1295 Infected Hosts, 103 Countries, And They Still Can't Say "Windows Malware"
"Vast Spy System Loots Computers in 103 Countries"-- sounds promising, right? In the New York Times, no less, so it should be good. Well, no, I was rather disappointed at yet another security analysis that left out vital information-- which operating systems and applications were vulnerable. If it were Linux or Mac do you think they would be so tight-lipped? Why is the Dalai Lama running Windows?
I received a reply from John Markoff, the New York Times reporter. See below...
"A vast electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world, including those of the Dalai Lama, Canadian researchers have concluded."
Wow, this has to be good. Two pages in the New York Times, and the report itself is 53 pages. But don't get your hopes up. In all of those 53 pages, which go into detail on packet sniffing, HTTP methods, malicious binaries, honeypots, gh0st RAT, and cool maps of GhostNet, not once is any operating system or vulnerable application named.
They identified compromised systems by location and IP address, and made a nice pie chart showing the distribution by country. They identified high-, medium-, and low-value targets. They witnessed machines being profiled and sensitive documents stolen. They witnessed keystroke loggers, and Webcams and microphones activated on the sneak. They learned that the malware that fuels GhostNet is spread via Web sites and email attachments. The investigation took 10 months and covered 103 countries.
After all that, I am puzzled why they would omit such basic information as what software was vulnerable on the infected hosts. It sure looks like a growing trend to not name names, doesn't it? Except when they're blaming end users. Though in this report it appears to be as much political as technological.
The NY Times article links to another report, http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf "The Snooping Dragon." They don't name names either, but use a new term I'm seeing more of: social malware. Not Windows malware, nooo, social malware. Nothing is new but the name, it's the same old Windows vulnerabilities we've been rolling our eyes at for over a decade.
"The Snooping Dragon" gives some recommendations for hardening security, but none of them are worth a darn since they won't admit that Windows is the core problem, and everything else is a weak bandage.
What if there were a way to infect Linux, Mac, or UNIX computers and Borg them into botnets via email attachments and drive-bys on infected Web sites? Everyone who believes this would be plastered all over front pages with no ambiguities whatsoever, raise your hands.
Oh-- and amusingly, after everything I've written recently on Flash Cookies, the report is published in Flash-- yes, really!-- and you have to allow Flash cookies for it to work. Setting your ~/.macromedia directory to read-execute (no write) works OK; the /dev/null trick doesn't.
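Here is the "read-execute, no write" trick above spelled out as a small shell script. This is an added example, not from the original post: it strips the write bit from a Flash Player settings directory so the plugin can still enter and list it but cannot drop Local Shared Objects (.sol files) into it, and it probes the result. It is written to run on a scratch directory first; the real target is ~/.macromedia. The probe filename (probe.sol) is made up for the test, and one caveat applies throughout: the kernel ignores mode bits for root, so run this as the user who runs the browser.

```sh
#!/bin/sh
# Added example (not from the original post): lock a Flash Player
# settings directory read-execute only. The real directory is
# ~/.macromedia; every function takes the path as an argument so the
# steps can be rehearsed on a scratch directory.

# Strip write permission from DIR and everything already in it.
# Flash can still enter and list the directory (the execute bit stays),
# which is what distinguishes this from pointing ~/.macromedia at /dev/null.
lock_flash_dir() {
    mkdir -p "$1"
    chmod -R a-w "$1"
}

# Print the mode string as ls shows it, e.g. dr-xr-xr-x.
# Deliberately not `test -w`: that reports true for root whatever the bits say.
dir_perms() {
    ls -ld "$1" | cut -c1-10
}

# Try to drop a Flash cookie (.sol) into DIR; print "denied" or "written".
# probe.sol is a made-up name for the test. As root this prints "written"
# regardless of the mode bits, so run it as the browser's user.
try_write_cookie() {
    if touch "$1/probe.sol" 2>/dev/null; then
        rm -f "$1/probe.sol"
        echo written
    else
        echo denied
    fi
}

# Undo the lock, e.g. to let the plugin save a setting once before re-locking.
unlock_flash_dir() {
    chmod -R u+w "$1"
}

# Rehearsal on a scratch directory; substitute "$HOME/.macromedia" for real.
scratch=$(mktemp -d)
lock_flash_dir "$scratch"
echo "perms:         $(dir_perms "$scratch")"
echo "write attempt: $(try_write_cookie "$scratch")"
unlock_flash_dir "$scratch"
rm -rf "$scratch"
```

When applying it to the real directory, lock it only after the plugin has written whatever settings you want kept (it cannot create the Flash_Player subtree afterwards), and expect the locked directory to hold nothing newer than the moment you ran chmod.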
I have some inquiries out but I'm not holding my breath.
John Markoff, author of the New York Times article, replied to my inquiry:
Tracking GhostNet: Investigating a Cyber Espionage Network