DHS: Pays Attention Domestically, But Ignores Chinese Intrusions

May 6th, 2009 Posted By Hardball1911.

Granted, folks, this is a technical article, and it was posted on F-Secure’s site on 1 June 2008, but it is well worth your time for several reasons.

First, it is (or was) being publicly distributed by DHS. Second, it was being distributed without the Department of Homeland Security being aware of it. Third, it was only being distributed by DHS because the Chinese had illegally infiltrated their servers. Fourth, why is the only way we even hear about these attacks through “obscure” technical websites?

The question is this: if the DHS can pay such close attention to what is happening right here in our country, and target citizens who simply want to voice opinions contrary to the administration, why can it not pay attention to its own electronic security?

I highly recommend checking in with the guys at F-Secure often. They often have insightful posts about the tech industry, and the online industry in general.

Posted by Mikko at F-Secure.com

We get samples — lots of samples — every day. Like tens of thousands of them.

They come from various sources: from our customers; from honeypots and honeynets; via our online scanners; submitted directly from our products; from operators and ISPs; via sample exchange with our competitors; and so on.

We also get copies of samples that people submit to online virus scanning services such as VirusTotal, Jotti, and VirSCAN. We’d like to give big thanks to these services for their valuable cooperation.

When we get samples via such online services, we have absolutely no idea where the sample is coming from and who submitted it. Sometimes such samples can be real mysteries.

Take for example this PDF file that we got a sample of via VirusTotal. The only information we have on this 130kB file is that it was named f1be1cdea0bcc5a1574a10771cd4e8e8.pdf (after its MD5 hash) and that it was submitted on the 23rd of May.

When you open this document, this is what you’ll see:

(screenshot of the opened document)

Looks like a Department of Homeland Security form G-325A.

Look again.

What’s the filename?

It’s not f1be1cdea0bcc5a1574a10771cd4e8e8.pdf. It’s 0521.pdf.

This is not the document we opened.

So what happens here?

Apparently this PDF has been used in a targeted attack against an unknown target.

When this PDF is opened in Acrobat Reader, it uses a known exploit to drop files.

Specifically, it creates two files in the TEMP folder: D50E.tmp.exe and 0521.pdf.

Then it executes the EXE and opens the clean 0521.pdf in Adobe Reader in order to fool the user into thinking that everything is all right.

D50E.tmp.exe is a backdoor that creates lots of new files with innocent sounding filenames, including:

\windows\system32\avifil16.dll
\windows\system32\avifil64.dll
\windows\system32\drivers\pcictrl.sys
\windows\system32\drivers\Nullbak.dat
\windows\system32\drivers\Beepbak.dat

The SYS component is a rootkit (a file, or collection of files, that operates in the background on an operating system, invisible to the user and typically out of reach of virus scans) that attempts to hide all this activity on the infected machine.

The backdoor tries to connect to port 80 of a host called nbsstt.3322.org. Anyone operating this machine would have full access to the infected machine.

Well, 3322.org is one of the well known Chinese DNS-bouncers that we see a lot in targeted attacks. Does nbsstt mean something? Beats us, but Google will find a user with this nickname posting to several Chinese military related web forums, such as bbs.cjdby.net.

Where does nbsstt.3322.org point to?

IP address 125.116.97.19 is in Zhejiang, China.

And it’s live right now, answering requests at port 80.
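
The chain described above (a PDF that exploits Reader, drops an executable plus a clean decoy, then opens the decoy) leaves static traces that a triage step can catch before anyone opens the file. What follows is an added example, not F-Secure’s tooling and not the sample from the post: it builds a small constructed lure PDF and scans it for the action tokens that drive such droppers (/OpenAction, /AA, /JavaScript, /JS, /Launch), for payload carriers (/EmbeddedFile, /RichMedia), and for a second %PDF- header hidden inside a FlateDecode stream, which is how a carried decoy looks. It also resolves #xx hex escapes in names, a common way to hide /JavaScript from naive keyword scanners. The token names come from the PDF format; the function names and the constructed sample are this example’s own.

```python
import re
import zlib

# PDF name tokens worth a second look in a document that arrived unsolicited.
# The first group triggers code or launches something; the second carries payloads.
ACTION_TOKENS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch")
CARRIER_TOKENS = (b"/EmbeddedFile", b"/RichMedia")


def normalize_names(data):
    """Resolve PDF name hex escapes so /J#61vaScript is seen as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Return the content of every stream that inflates as zlib (FlateDecode).

    decompressobj tolerates trailing bytes and truncated input, so the stream
    boundary does not have to be located exactly."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        try:
            blob = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not zlib data (raw image, LZW, ASCIIHex, ...)
        if blob:
            out.append(blob)
    return out


def token_counts(data):
    """Count risky tokens in the raw file and in every inflated stream."""
    views = [normalize_names(data)] + [normalize_names(s) for s in inflate_streams(data)]
    counts = {}
    for view in views:
        for tok in ACTION_TOKENS + CARRIER_TOKENS:
            # The lookahead keeps /JS from matching longer names such as /JSxyz.
            n = len(re.findall(re.escape(tok) + rb"(?![A-Za-z0-9])", view))
            if n:
                counts[tok.decode()] = counts.get(tok.decode(), 0) + n
    return counts


def embedded_pdf_count(data):
    """Count PDF headers other than the file's own: a second %PDF- in the file
    or inside an inflated stream is what a carried decoy document looks like."""
    n = data.count(b"%PDF-", 1)  # skip the header at offset 0
    for s in inflate_streams(data):
        n += s.count(b"%PDF-")
    return n


def triage(data):
    """List the reasons a PDF deserves a sandbox run before anyone opens it."""
    reasons = [f"{t} x{c}" for t, c in token_counts(data).items()]
    decoys = embedded_pdf_count(data)
    if decoys:
        reasons.append(f"{decoys} embedded PDF header(s), possible decoy")
    return reasons


def build_lure():
    """Constructed sample (not the file from the post): an /OpenAction that runs
    JavaScript, with the name hex-escaped, plus a FlateDecode stream carrying a
    second, clean PDF to show the victim as the decoy."""
    decoy = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n%%EOF\n"
    packed = zlib.compress(decoy)
    return (b"%PDF-1.4\n"
            b"1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 3 0 R>>endobj\n"
            b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
            b"3 0 obj<</S/J#61vaScript/JS(app.alert(1))>>endobj\n"
            b"4 0 obj<</Type/EmbeddedFile/Filter/FlateDecode/Length "
            + str(len(packed)).encode() + b">>stream\n" + packed + b"\nendstream\nendobj\n"
            b"trailer<</Root 1 0 R>>\n%%EOF\n")


# Constructed benign document for comparison.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
             b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
             b"trailer<</Root 1 0 R>>\n%%EOF\n")


if __name__ == "__main__":
    for name, sample in (("lure", build_lure()), ("clean", CLEAN_PDF)):
        print(name, triage(sample) or "nothing flagged")
```

This is deliberately a byte-level scanner rather than a full PDF parser: it will not see tokens inside streams encoded with filters other than Flate, or names split across obfuscated indirect objects, so an empty result is not a clean bill of health. A hit is a reason to detonate the file in a sandbox, where the two dropped files in TEMP and the outbound connection described above become visible, rather than to open it.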
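
The network side of the post, a beacon on port 80 to a host under 3322.org that resolved to 125.116.97.19, is exactly what a web-proxy log can surface. What follows is an added example, not F-Secure’s code: a small detector run over a constructed proxy log (the log lines are made up for the example; the indicators 3322.org and 125.116.97.19 are the ones the post gives). It matches the dynamic-DNS zone on a label boundary so that a name like 3322.org.example.net is not a false positive, matches the server address against the C2 list, and, as an extra heuristic that is my own assumption rather than something the post states, flags HTTP requests sent straight to a literal IP address.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators from the post above: the dynamic-DNS zone the backdoor beaconed to
# and the address nbsstt.3322.org resolved to at the time. Extend as needed.
DYNDNS_ZONES = {"3322.org"}
C2_IPS = {ipaddress.ip_address("125.116.97.19")}

# Constructed proxy log (not real traffic): timestamp, client, server IP, method, URL.
SAMPLE_LOG = """\
2008-05-23T10:11:02Z 10.1.2.30 203.0.113.10 GET http://www.example.com/
2008-05-23T10:12:44Z 10.1.2.30 125.116.97.19 GET http://nbsstt.3322.org/
2008-05-23T10:12:51Z 10.1.2.31 203.0.113.20 GET http://a.b.3322.org.example.net/
2008-05-23T10:13:07Z 10.1.2.32 125.116.97.19 POST http://125.116.97.19:80/up
2008-05-23T10:13:09Z 10.1.2.32 198.51.100.4 GET https://cdn.example.org/x.js
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<server>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def in_zone(host, zones):
    """True when host is the zone itself or any label below it.

    Matching on the dotted boundary is what keeps 3322.org.example.net from
    matching, which a bare substring search would get wrong."""
    host = host.rstrip(".").lower()
    return any(host == z or host.endswith("." + z) for z in zones)


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def flag_line(line):
    """Return the list of reasons a log line is suspicious (empty if none)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed line"]
    reasons = []
    host = (urlsplit(m["url"]).hostname or "").lower()
    if in_zone(host, DYNDNS_ZONES):
        reasons.append(f"host {host} is under a dynamic-DNS zone")
    if is_ip(m["server"]) and ipaddress.ip_address(m["server"]) in C2_IPS:
        reasons.append(f"server {m['server']} is a known C2 address")
    # Heuristic (assumption, not from the post): HTTP straight to a literal IP
    # gives a proxy no hostname to filter on and is unusual for human browsing.
    if is_ip(host):
        reasons.append(f"request to literal IP {host}")
    return reasons


def scan_log(text):
    """Return (line number, reasons) for every flagged line of a log."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip():
            reasons = flag_line(line)
            if reasons:
                hits.append((n, reasons))
    return hits


if __name__ == "__main__":
    for n, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(reasons))
```

Run against real proxy logs, the zone list is the part to keep current: a dynamic-DNS host is cheap for an attacker to re-point, so the domain suffix outlives any single IP, and the resolved address should be treated as a secondary indicator rather than the primary one.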

6 Responses to “DHS: Pays Attention Domestically, But Ignores Chinese Intrusions”

  1. JCD

    We’re simply easier targets, and we are standing in the way of enacting a huge social agenda. That’s all there is to it.

  2. MinneSoCold

    Get a Mac :cool:

    • DesignR

      It does not matter if the ‘pdf’ exploit works on Macs as well.

      All machines with an unpatched Adobe Acrobat program are vulnerable to this ongoing attack.

      This article is talking about TCP/IP, or Internet Protocol port exploits. Port 80 is one of 64,000+ ports available to any IP address, bi-directionally. Port 80 is the common ‘world wide web’ port used by our browsers, ALL browsers.

      If you open the tampered with ‘pdf’ file, and your version of Adobe Acrobat has this vulnerability, the people on the other end of that LIVE Chinese Web Address have full access to your machine, in this case, Department of Homeland Security machines.

      They can get on your machine, as YOU, and add other listening or key trap devices to catch passwords and such. Not to mention the ability to capture, read and alter whatever documents or executables are available to that machine and/or user.

      If the DHS network is on the ball, they are looking for these types of attacks via port 80 and filter them out. But, it sounds like this exploit is ongoing and has not been shut down yet, so…

  3. T Double Dash

    And where does this file come from? The name of the g-325a file from the official USCIS website is g-325a.pdf. So it’s some crap that somebody else made somewhere on the internet.

  4. Sully

    JCD nailed it. To the DHS of the ObamaNation WE AMERICANS are the terrorists.
    And “arrogant” ones at that.

  5. prestonbrooks

    :neutral: Cybersecurity is not the job of DHS. Other agencies do that.
