Linux Today: Linux News On Internet Time.

53 Pages, 10 Months, 1295 Infected Hosts, 103 Countries, And They Still Can't Say "Windows Malware"


"Vast Spy System Loots Computers in 103 Countries"-- sounds promising, right? In the New York Times, no less, so it should be good. Well, no, I was rather disappointed at yet another security analysis that left out vital information-- which operating systems and applications were vulnerable. If it were Linux or Mac do you think they would be so tight-lipped? Why is the Dalai Lama running Windows?


I received a reply from John Markoff, the New York Times reporter. See below...

"A vast electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world, including those of the Dalai Lama, Canadian researchers have concluded."

Wow, this has to be good. Two pages in the New York Times, and the report itself is 53 pages. But don't get your hopes up. In all of those 53 pages, which go into detail on packet sniffing, HTTP methods, malicious binaries, honeypots, gh0st RAT, and cool maps of the Ghost Net, not once is any operating system or vulnerable application named.

They identified compromised systems by location and IP address, and made a nice pie chart showing the distribution by country. They identified high, medium, and low-value targets. They witnessed machines being profiled and sensitive documents stolen. They witnessed keystroke loggers, and Webcams and microphones activated on the sneak. They learned that the malware that fuels the Ghost Net is spread via Web sites and email attachments. The investigation took 10 months and covered 103 countries.

After all that, I am puzzled why they would omit such basic information as what software was vulnerable on the infected hosts. It sure looks like a growing trend to not name names, doesn't it? Except when they're blaming end users. Though in this report it appears to be as much political as technological.

The NY Times article links to another report, http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf "The Snooping Dragon." They don't name names either, but use a new term I'm seeing more of: social malware. Not Windows malware, nooo, social malware. Nothing is new but the name, it's the same old Windows vulnerabilities we've been rolling our eyes at for over a decade.

"The Snooping Dragon" gives some recommendations for hardening security, but none of them are worth a darn since they won't admit that Windows is the core problem, and everything else is a weak bandage.

What if there were a way to infect Linux, Mac, or UNIX computers and Borg them into botnets via email attachments and drive-bys on infected Web sites? Everyone who believes this would be plastered all over front pages with no ambiguities whatsoever, raise your hands.

Oh-- and amusingly, after everything I've written recently on Flash Cookies, the report is published in Flash-- yes, really!-- and you have to allow Flash cookies for it to work. Setting your ~/.macromedia directory to read-execute (no write) works OK; the /dev/null trick doesn't.
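As an added example (not code from the original post), here is the read-execute lock on the Flash settings directory written as a small POSIX shell script, with a check that a write is actually refused afterwards. One caveat worth knowing: Flash keeps its Local Shared Objects in subdirectories below ~/.macromedia, so the script removes write permission from every directory in the tree, not just the top one; a lock on the top directory alone would still let the player write into subdirectories that already exist. The directory path is passed in as a parameter so the demo can run against a scratch directory instead of a live home directory.

```shell
#!/bin/sh
# Added example, not from the original article. Locks a Flash settings
# directory (normally ~/.macromedia) to owner read+execute so the player
# can read existing settings but cannot write new Flash cookies.

# Remove write permission from DIR and every directory below it.
lock_flash_dir() {
    dir="$1"
    mkdir -p "$dir"
    # r-x for the owner only; contents stay readable and traversable.
    find "$dir" -type d -exec chmod 500 '{}' +
}

# Restore owner read/write/execute on DIR and its subdirectories.
unlock_flash_dir() {
    find "$1" -type d -exec chmod 700 '{}' +
}

# Print the permission string of DIR, e.g. "dr-x------".
# ls -ld is used because its first column is the same on GNU and BSD.
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if DIR refuses a new file (the lock works), 1 if a write
# still succeeds. Note: root bypasses file permissions, so this check
# is only meaningful for an unprivileged user.
verify_locked() {
    dir="$1"
    if ( : > "$dir/probe.sol" ) 2>/dev/null; then
        rm -f "$dir/probe.sol"
        return 1
    fi
    return 0
}

# Usage: sh flashlock.sh --apply    (locks $HOME/.macromedia)
if [ "${1:-}" = "--apply" ]; then
    lock_flash_dir "$HOME/.macromedia"
    if verify_locked "$HOME/.macromedia"; then
        echo "locked: $(dir_mode "$HOME/.macromedia")"
    else
        echo "warning: directory is still writable"
    fi
fi
```

Run `sh flashlock.sh --apply` to lock the real directory, and `unlock_flash_dir "$HOME/.macromedia"` from an interactive shell if you later need Flash to save settings again. The check uses a plain file creation rather than Flash itself, so it tells you the permission bits are effective, not how the player reacts to being refused.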

I have some inquiries out but I'm not holding my breath.


John Markoff, author of the New York Times article, replied to my inquiry:

"On Mon, Mar 30, 2009 at 8:20 PM, NYTimes.com

> You have received reader mail via nytimes.com. To respond to this reader,
> simply 'reply' to this message.
>
> Carla Schroder
> cschroder@internet.com
>
> Dear Mr. Markoff, I was disappointed with "Tracking GhostNet: Investigating
> a Cyber Espionage Network". Such a promising title, and then so few
> specifics. What computer operating systems and application software are
> vulnerable? You do know that there are at least several dozen operating
> systems, and that there are five that are widely-used: UNIX, Linux, FreeBSD,
> Mac OS X, and MS Windows. Are the exploits used in the Ghost Net
> cross-platform? I suspect they are not, especially after reading the equally
> uninformative Security Focus article,
> http://www.securityfocus.com/blogs/1809, which mentions some common
> Windows file formats. This is a common flaw in tech reporting and I don't
> understand it. When a car is recalled the brand and model are named. When
> food is contaminated the supplier and distributors are all named. Why this
> reluctance to be as specific with something as important as our computers?
> I'm not real happy with the linked research paper, "Tracking GhostNet"
> either.
> For gosh sakes, why publish it in a manner that requires Adobe Flash,
> and even worse, will not function when Flash cookies are disabled? I would
> appreciate an on-the-record response. thanks and best regards, Carla
> Schroder managing editor, Linux Today and LinuxPlanet
> cschroder@internet.com"

Dear Carla,

This wasn't a computer security story so much as an espionage story. It's
not about you, or about Linux. It's about a systematic espionage effort
against Governments.

John Markoff"


Vast Spy System Loots Computers in 103 Countries

Tracking GhostNet: Investigating a Cyber Espionage Network

The Snooping Dragon: social malware surveillance of the Tibetan movement

Adobe Flash Cookies: Yes They Are Dangerous, and More Cool Linux Hacks (Mar 30, 2009)

Getting Rid of Nasty Adobe Flash Cookies the Cool Linux Way (Mar 27, 2009)

Getting Rid of Nasty Flash Cookies on Linux (Mar 24, 2009)
