A debugger tool mistakenly left in a traffic bounce tool led Dell SecureWorks researchers to identify several networks in China used by attackers behind APTs.
In a project to classify
more than 60 custom malware families used in advanced persistent threat
attacks, a security researcher discovered several of them originated from
command and control servers based in "a few networks" in China,
namely in Beijing and Shanghai.
The attack on RSA Security
earlier this year when attackers stole information relating to the SecurID
two-factor authentication technology was also traced back to two APT malware
families and tied to a network in Shanghai, Joe Stewart, director of malware
research at the Dell SecureWorks Counter Threat unit, told eWEEK.
Stewart released his
findings during the Black Hat conference on Aug. 3. He defined APTs as
"cyber-espionage activity targeted at government, industry or activists."
While the perpetrators used
60 different types of customized malware to launch their attacks, each
cyber-gang had a certain set of tools that they preferred-sort of as their
signature, Stewart said. Based on the kind of malware being used in an attack,
researchers were able to classify similar ones to get an idea of various gangs
Dell SecureWorks analyzed
the code extracted from malicious Excel spreadsheets that RSA had provided to
the United States Computer Emergency Response Team, or US-CERT, after the
breach and discovered that two of the components were based on a commonly used
Chinese hacker tool, Stewart said.
"rudimentary" bouncer tool written by a well-known Chinese hacker 10
years ago, was being used by various attackers to redirect traffic from
infected computers to command and control servers. A piece of code used for
debugging purposes in HTran would return an error message to the infected
computer if the C&C server was unavailable, Stewart said. That error
message revealed the final IP address of the server.
The redirect tool routes
traffic through several proxy servers to make it look like it is going through
servers in the United States, Norway, Japan and Taiwan in order to obscure where
the attack is originating, Stewart said. The botnet owners and attackers
"didn't realize fully how HTran works," and very clearly were unaware
of the debugger or the fact that the error message was being displayed, Stewart
Dell researchers uncovered a
few networks, all of which had China-based addresses, according to Stewart. The
team scanned a list of 1,000 IP addresses that had previously been identified
as being used in an advanced persistent threat attack and uncovered a
"short list" of Chinese networks hosting the C&C servers, according
to Stewart. While it was not 100 percent certain that the 18 servers it
uncovered are the final destination, the fact that so many campaigns traced
back to a handful of IP addresses seems promising, Stewart said.
The addresses appear to
belong to ISPs in Beijing and Shanghai, such as state-owned telecommunications
giant China Unicom, but the carriers are big enough that it would be difficult
to identify the individuals without assistance from the Chinese government,
according to the Dell SecureWorks report.
His research answered the
question of "where" some of the advanced persistent threats
originated, but not "who" the perpetrators were, Stewart said.
However, organizations now
have a signature that can be used to identify some of the APT activity in their
networks. Not all attackers use this tool, but by looking for the error
messages and using the Snort-based signatures the team developed to detect this
particular Trojan, the IT department would at least be able to stop this
particular APT, Stewart said. He also acknowledged that hackers using HTran
would likely abandon the tool or fix the bug now that Dell SecureWorks has
publicized the issue.
"It is our hope that every
institution potentially impacted by APT activity will make haste to search out
signs of this activity for themselves before the window of opportunity closes,"
Stewart wrote in the report.