This weekend, staff at CPJ received a personal invitation to attend the Oslo awards ceremony for Nobel Peace Prize winner Liu Xiaobo. The invite, curiously, was in the form of an Adobe PDF document. We didn’t accept. We didn’t even open the e-mail. We did, however, begin analyzing the document to see was really inside that attachment, and what it was planning to do to our staff’s computers.
NGOs and journalists who work or report on human rights issues in China now regularly receive e-mailed attachments, often PDFs, which on closer examination prove to be malicious code sent from unknown sources. These attachments contain embedded programs that execute when the file is opened, and take advantage of local security flaws to install concealed software on their victims’ machines.
This secret software can delete or create files, commandeer the computer for cyber-attacks on other targets, or just sit and record keystrokes and network traffic, which it will then report to a remote “command-and-control” server elsewhere on the Net. A computer with this malware installed is an open book to whoever is controlling the program.
Malware is a problem for everyone. We’re all used to shady characters spamming us e-mail with enticing subject titles. But vulnerable journalists and activists receive far more sophisticated, customized messages that use narrow intelligence about their contacts and interests in order to trick their recipients into opening them. This Nobel e-mail, for instance, was sent from a colleague at a known NGO who I’ve personally met and who has invited CPJ to events in Oslo previously. The PDF, when opened, showed a legitimate-looking invitation with the organization’s logo and the signature of the NGO’s founder.
We weren’t the only ones to receive this e-mail. Mila Parkour, a D.C. computer security analyst who runs the Contagio Blog, was sent a sample of the message from another victim, and has provided a full analysis of it on her site.
Let me give a brief summary of what Parkour found. Our own limited analysis confirms her description.
The attack exploits a known bug that appears in all but the very latest versions of Adobe Acrobat Reader. (Such bugs pose a serious risk, but are not as dangerous as what’s known as a “0 day” attack, where a previously unknown bug in the most current version of the vulnerable program is exploited for the first time. Last month, the Nobel Peace Prize site itself was hacked, and a 0 day Firefox exploit was used to attack anyone who visited it.
The invite PDF doesn’t contain the invitation text. Instead, it has a simple test message, “Hello World!”, and a complex set of extra data that exploits the bug and runs an additional piece of code which has no connection to displaying a PDF. This code saves a new file on the users’ hard drive and runs it. It also displays a convincing fake invite, on the organizations letterhead and signed by its founder, to cover its tracks. Finally, the new file is run, connects to a server in Bengbu, China and awaits further instructions.
By the time security experts had examined the malware, the command-and-control server in Bengbu had shut down. It’s likely that we’ll never know what the intention behind the attack was, who devised it, or how many people were infected.
I spoke to the person whose identity was used as the sender of the mail. He theorized that the template for the e-mail originally came from a genuine message he sent to a Chinese dissident, whose computer was compromised by an earlier cyber-attack. The same attackers used their capability to read this activist’s e-mail to copy it and then sent their version to the dissident’s contact list, which they had also obtained.
Is there anything we can learn to better protect those targeted for these attacks?
Firstly, the danger of customized attacks by e-mail should not be overstated. Just because these files are custom-made for a small group doesn’t mean that mass-market computer security software can’t spot them.
While the e-mail, PDF and payload are all unique in this case, there are still many characteristics of the PDF that will trigger warnings in most anti-virus software. If you’re a vulnerable journalist, use anti-virus software that can scan incoming mail. Keep your software updated, especially programs like Adobe Acrobat Reader, Adobe Flash, and your web browser. And, of course, you should be on the lookout for suspicious attachments, even sent by people you know.
We all need to be more aware of the risks that compromised computer security can create for our colleagues and contacts.
My sense is that the motive for this attack was to expand a small set of compromised systems to a much wider network of “persons of interest”. Such a network is useful, not because any of the recipients are specific targets, but because collectively their computers can provide valuable intelligence — either gathered directly by a nation’s security services, or by a group that trades in such intelligence to interested parties.
Journalists need to protect their computer security for their own safety, but also to prevent them becoming unwitting accomplices to the surveillance, and worse, of their contacts and sources.