Malware Behind RSA Breach, Other Attacks Traced Back to Chinese Networks

A debugger tool mistakenly left in a traffic bounce tool led Dell SecureWorks researchers to identify several networks in China used by attackers behind APTs.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

In a project to classify more than 60 custom malware families used in advanced persistent threat attacks, a security researcher discovered several of them originated from command and control servers based in "a few networks" in China, namely in Beijing and Shanghai.

The attack on RSA Security earlier this year when attackers stole information relating to the SecurID two-factor authentication technology was also traced back to two APT malware families and tied to a network in Shanghai, Joe Stewart, director of malware research at the Dell SecureWorks Counter Threat unit, told eWEEK.

Stewart released his findings during the Black Hat conference on Aug. 3. He defined APTs as "cyber-espionage activity targeted at government, industry or activists."

While the perpetrators used 60 different types of customized malware to launch their attacks, each cyber-gang had a certain set of tools that they preferred-sort of as their signature, Stewart said. Based on the kind of malware being used in an attack, researchers were able to classify similar ones to get an idea of various gangs in operation.

Dell SecureWorks analyzed the code extracted from malicious Excel spreadsheets that RSA had provided to the United States Computer Emergency Response Team, or US-CERT, after the breach and discovered that two of the components were based on a commonly used Chinese hacker tool, Stewart said.

HTran, a "rudimentary" bouncer tool written by a well-known Chinese hacker 10 years ago, was being used by various attackers to redirect traffic from infected computers to command and control servers. A piece of code used for debugging purposes in HTran would return an error message to the infected computer if the C&C server was unavailable, Stewart said. That error message revealed the final IP address of the server.

The redirect tool routes traffic through several proxy servers to make it look like it is going through servers in the United States, Norway, Japan and Taiwan in order to obscure where the attack is originating, Stewart said. The botnet owners and attackers "didn't realize fully how HTran works," and very clearly were unaware of the debugger or the fact that the error message was being displayed, Stewart said.

Dell researchers uncovered a few networks, all of which had China-based addresses, according to Stewart. The team scanned a list of 1,000 IP addresses that had previously been identified as being used in an advanced persistent threat attack and uncovered a "short list" of Chinese networks hosting the C&C servers, according to Stewart. While it was not 100 percent certain that the 18 servers it uncovered are the final destination, the fact that so many campaigns traced back to a handful of IP addresses seems promising, Stewart said.

The addresses appear to belong to ISPs in Beijing and Shanghai, such as state-owned telecommunications giant China Unicom, but the carriers are big enough that it would be difficult to identify the individuals without assistance from the Chinese government, according to the Dell SecureWorks report.

His research answered the question of "where" some of the advanced persistent threats originated, but not "who" the perpetrators were, Stewart said.

However, organizations now have a signature that can be used to identify some of the APT activity in their networks. Not all attackers use this tool, but by looking for the error messages and using the Snort-based signatures the team developed to detect this particular Trojan, the IT department would at least be able to stop this particular APT, Stewart said. He also acknowledged that hackers using HTran would likely abandon the tool or fix the bug now that Dell SecureWorks has publicized the issue.

"It is our hope that every institution potentially impacted by APT activity will make haste to search out signs of this activity for themselves before the window of opportunity closes," Stewart wrote in the report.