Ghostnet


The IWM dubbed the system GhostNet, after the Gh0st RAT Trojan horse malware at the heart of it, which the researchers traced back to commercial Internet access providers on Hainan Island.

Researchers have uncovered a malware-based espionage campaign that subjects Mac users to the same techniques that have been used for years to surreptitiously siphon confidential data out of Windows machines.

The recently discovered campaign targets Mac-using employees of several pro-Tibetan non-governmental organizations, and employs attacks exploiting already patched vulnerabilities in Microsoft Office and Oracle's Java framework, Jaime Blasco, a security researcher with AlienVault, told Ars. Over the past two weeks, he has identified two separate backdoor trojans that get installed when users open booby-trapped Word documents or website links included in e-mails sent to them. Once installed, the trojans send the computer, user, and domain name associated with the Mac to a server under the control of the attackers and then await further instructions.

'This particular backdoor has a lot of functionalities,' he said of the most recent trojan he found. Victims, he said, 'won't see almost anything.'

Blasco's findings, which are documented in blog posts here and here, are among the first to show that Macs are being subjected to the same types of advanced persistent threats (APTs) that have plagued Windows users for years—not that the shift is particularly unexpected. As companies such as Google increasingly adopt Macs to limit their exposure to Windows-dependent exploits, it was inevitable that the spooks conducting espionage on them would make the switch, too.

'What [attackers] have been installing via APT-style, targeted attack campaigns for Windows, they're now starting to do for Macs, too,' said Ivan Macalintal, a security researcher at antivirus provider Trend Micro. Macalintal has documented some of the same exploits and trojans Blasco found.


Another researcher who has confirmed the findings is Alexis Dorais-Joncas, Security Intelligence Team Leader at ESET. In his own blog post, he documented the encryption one of the trojans uses to conceal communications between infected Macs and a command and control server. He also described a series of queries sent to a test machine he infected that he believes were manually typed by a live human at the other end of the server. They invoked Unix commands to rummage through Mac folders that typically store browser cookies, passwords, and software downloads.

'The purpose here clearly is information stealing,' he wrote.

He noted that the backdoor he observed was unable to survive a reboot on Macs that weren't running with administrator privileges. That's because the /Library/Audio/Plug-Ins/AudioServer folder used to stash one of the underlying malware files didn't allow unprivileged users to save data there. A more recent trojan analyzed by AlienVault's Blasco has overcome that shortcoming, by saving the file in the less-restricted /Users/{User}/Library/LaunchAgents/ folder, ensuring it gets launched each time the user's account starts.
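The paragraph above turns on a file-system detail: the per-user LaunchAgents folder is writable without administrator rights, while the AudioServer plug-in folder is not. As an added defender-side illustration (not code from the article or from any of the researchers it quotes), the following Python script walks the launchd persistence directories, reports whether the current account can write to each one, parses every property list it finds and flags entries that merit a closer look. The directory list follows the standard macOS layout (an assumption), and the heuristics, helper names and sample plists are constructed for this example; nothing it flags is a verdict, only a prompt to review.

```python
"""Review launchd persistence entries (added example; not the article's code).

Directory layout is the standard macOS one (assumption). Heuristics, helper
names and the sample plists below are constructed for this illustration.
"""
import os
import plistlib
import re
import tempfile
from xml.parsers.expat import ExpatError

# launchd reads these at login/boot. Only the per-user folder is writable by an
# unprivileged account, which is why the later trojan moved its plist there.
PERSISTENCE_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]
USER_HOME_RE = re.compile(r"^/Users/[^/]+/")


def parse_launch_plist(data: bytes) -> dict:
    """Extract the fields a reviewer cares about from a launchd plist."""
    p = plistlib.loads(data)
    args = list(p.get("ProgramArguments") or [])
    program = p.get("Program") or (args[0] if args else None)
    return {
        "label": p.get("Label"),
        "program": program,
        "args": args,
        "run_at_load": bool(p.get("RunAtLoad", False)),
        "keep_alive": bool(p.get("KeepAlive", False)),
    }


def review_reasons(entry: dict) -> list:
    """Heuristics only: each reason is a prompt to look closer, not a verdict."""
    reasons = []
    prog = entry["program"] or ""
    if USER_HOME_RE.match(prog):
        reasons.append("program lives under a user home directory (writable without admin)")
    if "/Library/Audio/Plug-Ins/" in prog:
        reasons.append("program stored in an audio plug-in directory, unusual for an agent")
    if (entry["label"] or "").startswith("com.apple."):
        reasons.append("label uses Apple's namespace outside /System/Library")
    return reasons


def audit_directory(path: str) -> dict:
    """Parse every .plist in `path` and report which entries merit review."""
    report = {
        "path": path,
        "exists": os.path.isdir(path),
        "writable_by_current_user": os.access(path, os.W_OK),
        "entries": [],
    }
    if not report["exists"]:
        return report
    for name in sorted(os.listdir(path)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(path, name), "rb") as fh:
                entry = parse_launch_plist(fh.read())
        except (plistlib.InvalidFileException, ExpatError, ValueError, OSError) as exc:
            # A file launchd cannot parse is itself worth a look.
            entry = {"error": str(exc), "reasons": ["could not parse plist"]}
        else:
            entry["reasons"] = review_reasons(entry)
        entry["file"] = name
        report["entries"].append(entry)
    return report


# Constructed samples: one shaped like the persistence the article describes
# (agent in the user's home, payload in the AudioServer folder), one ordinary
# agent, and one file that is not a plist at all.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key>
<array><string>/Users/alice/Library/Audio/Plug-Ins/AudioServer/helper</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.sync</string>
<key>Program</key><string>/usr/local/bin/sync-agent</string>
<key>RunAtLoad</key><true/>
</dict></plist>"""


def demo_audit() -> dict:
    """Stage the samples in a temp dir standing in for ~/Library/LaunchAgents."""
    d = tempfile.mkdtemp(prefix="launchagents_demo_")
    for name, data in [("com.example.updater.plist", SUSPECT_PLIST),
                       ("com.example.sync.plist", BENIGN_PLIST),
                       ("junk.plist", b"not a plist at all")]:
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return audit_directory(d)


if __name__ == "__main__":
    for d in PERSISTENCE_DIRS + [demo_audit()["path"]]:
        r = audit_directory(d)
        print(f"{d}: exists={r['exists']} writable={r['writable_by_current_user']}")
        for e in r["entries"]:
            if e["reasons"]:
                print("   ", e["file"], "->", "; ".join(e["reasons"]))
```

Run on a Mac, the script prints `writable=True` for the per-user folder and `writable=False` for the two system folders when the account is unprivileged, which is exactly the distinction the ESET observation rests on; the temporary demo directory shows what a flagged entry looks like without touching the real folders.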

The backdoors are installed by exploiting critical holes in two pieces of software that are widely used by Mac users. One of the vulnerabilities, a buffer overflow flaw in Microsoft Office for the Mac, was patched in 2009, while the other, an unspecified bug in Java, was fixed in October. The Java exploit is advanced enough that it reads the user agent of the intended victim's browser, and based on the results unloads a payload that's unique to machines running either Windows or OS X.


Reports of malware that target Macs have risen steadily over the past 36 months. Most of the reported infections rely on the gullibility of users, tricking them into believing their systems are already compromised and can be disinfected by downloading and installing a piece of rogue antivirus software. Others have exploited software weaknesses to install malware. The name Gh0stRat, which has come up in connection with the new campaign, is a reference to a huge malware-based spy network uncovered three years ago that infiltrated government and private offices in 103 countries. The Word exploit works by embedding Mac-executable files known as 'Mach-Os' into the booby-trapped document file, Macalintal added.

Seth Hardy, a Senior Security Analyst who has been monitoring espionage attacks on pro-Tibetan groups for an organization called Citizen Lab, said it's too early to know if the recent campaign is related to Gh0stRat. Hardy, whose Citizen Lab was a principal organization for the research and publication of the Tracking GhostNet and Shadows in the Cloud cyber-espionage reports and is based at the Munk School of Global Affairs, went on to say that Macs are likely to play a growing role in future attacks.

'While APT-for-Mac (iAPT?) isn't exactly new, it does seem like the attackers are catching on that many of these organizations use Macs more than the general public,' he wrote in an e-mail. 'It's also interesting that the attackers are developing multi-platform attacks: we've seen the Mac malware bundled with similar Windows malware, and the delivery system will identify the user's operating system and run the appropriate program.'


GhostNet (simplified Chinese: 幽灵网; traditional Chinese: 幽靈網; pinyin: YōuLíngWǎng) is the name given by researchers at the Information Warfare Monitor to a large-scale cyber spying[1][2] operation discovered in March 2009. The operation is likely associated with an advanced persistent threat, or a network actor that spies undetected.[3] Its command and control infrastructure is based mainly in the People's Republic of China and GhostNet has infiltrated high-value political, economic and media locations[4] in 103 countries. Computer systems belonging to embassies, foreign ministries and other government offices, and the Dalai Lama's Tibetan exile centers in India, London and New York City were compromised.

Discovery

GhostNet was discovered and named following a 10-month investigation by the Infowar Monitor (IWM), carried out after IWM researchers approached the Dalai Lama's representative in Geneva[5] suspecting that their computer network had been infiltrated.[6] The IWM is composed of researchers from The SecDev Group, a Canadian consultancy, and the Citizen Lab, Munk Centre for International Studies at the University of Toronto; the research findings were published in the Infowar Monitor, an affiliated publication.[7] Researchers from the University of Cambridge's Computer Laboratory, supported by the Institute for Information Infrastructure Protection,[8] also contributed to the investigation at one of the three locations in Dharamshala, where the Tibetan government-in-exile is located. The discovery of 'GhostNet', and details of its operations, were reported by The New York Times on March 29, 2009.[7][9] Investigators focused initially on allegations of Chinese cyber-espionage against the Tibetan exile community, such as instances where email correspondence and other data were extracted.[10]

Compromised systems were discovered in the embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan and the office of the Prime Minister of Laos. The foreign ministries of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan were also targeted.[1][11] No evidence was found that U.S. or UK government offices were infiltrated, although a NATO computer was monitored for half a day and the computers of the Indian embassy in Washington, D.C., were infiltrated.[4][11][12]

Since its discovery, GhostNet has attacked other government networks, for example Canadian official financial departments in early 2011, forcing them off-line. Governments commonly do not admit such attacks, which must be verified by official but anonymous sources.[13]

Technical functionality

Emails are sent to target organizations that contain contextually relevant information. These emails contain malicious attachments that, when opened, enable a trojan horse to access the system.[citation needed] This Trojan connects back to a control server, usually located in China, to receive commands. The infected computer then executes the command specified by the control server. Occasionally, the command specified by the control server will cause the infected computer to download and install a trojan known as Gh0st Rat that allows attackers to gain complete, real-time control of computers running Microsoft Windows.[4] Such a computer can be controlled or inspected by attackers, and the software even has the ability to turn on the camera and audio-recording functions of infected computers, enabling attackers to perform surveillance.[7]

Origin

The researchers from the IWM stated they could not conclude that the Chinese government was responsible for the spy network.[14] However, a report from researchers at the University of Cambridge says they believe that the Chinese government is behind the intrusions they analyzed at the Office of the Dalai Lama.[15]

Researchers have also noted the possibility that GhostNet was an operation run by private citizens in China for profit or for patriotic reasons, or created by intelligence agencies from other countries such as Russia or the United States.[7] The Chinese government has stated that China 'strictly forbids any cyber crime.'[1][10]

The 'Ghostnet Report' documents several unrelated infections at Tibetan-related organizations in addition to the Ghostnet infections. By using the email addresses provided by the IWM report, Scott J. Henderson managed to trace one of the operators of one of the (non-Ghostnet) infections to Chengdu. He identifies the hacker as a 27-year-old man who had attended the University of Electronic Science and Technology of China and was, at the time, connected with the Chinese hacker underground.[16]

Despite the lack of evidence to pinpoint the Chinese government as responsible for intrusions against Tibetan-related targets, researchers at Cambridge have found actions taken by Chinese government officials that corresponded with the information obtained via computer intrusions. One such incident involved a diplomat who was pressured by Beijing after receiving an email invitation to a visit with the Dalai Lama from his representatives.[15]

Another incident involved a Tibetan woman who was interrogated by Chinese intelligence officers and was shown transcripts of her online conversations.[14][17] However, there are other possible explanations for this event. Drelwa, the woman in question, uses QQ and other instant messengers to communicate with Chinese Internet users. In 2008, IWM found that TOM-Skype, the Chinese version of Skype, was logging and storing text messages exchanged between users. It is possible that the Chinese authorities acquired the chat transcripts through these means.[18]

IWM researchers have also found that when detected, GhostNet is consistently controlled from IP addresses located on the island of Hainan, China, and have pointed out that Hainan is home to the Lingshui signals intelligence facility and the Third Technical Department of the People's Liberation Army.[4] Furthermore, one of GhostNet's four control servers has been revealed to be a government server[clarify].[19]

See also

  • RedHack (from Turkey)


References

  1. 'Major cyber spy network uncovered'. BBC News. March 29, 2009. Retrieved March 29, 2009.
  2. Glaister, Dan (March 30, 2009). 'China Accused of Global Cyberspying'. The Guardian Weekly. 180 (16). London. p. 5. Retrieved April 7, 2009.
  3. Sean Bodmer; Dr. Max Kilger; Gregory Carpenter; Jade Jones (2012). Reverse Deception: Organized Cyber Threat Counter-Exploitation. McGraw-Hill Osborne Media. ISBN 978-0071772495.
  4. Harvey, Mike (March 29, 2009). 'Chinese hackers 'using ghost network to control embassy computers''. The Times. London. Retrieved March 29, 2009.
  5. 'Tracking GhostNet: Investigating a Cyber Espionage Network'.
  6. 'China denies spying allegations'. BBC News. March 30, 2009. Retrieved March 31, 2009.
  7. Markoff, John (March 28, 2009). 'Vast Spy System Loots Computers in 103 Countries'. New York Times. Retrieved March 29, 2009.
  8. Shishir Nagaraja, Ross Anderson (March 2009). 'The snooping dragon: social-malware surveillance of the Tibetan movement' (PDF). University of Cambridge. p. 2. Retrieved March 31, 2009.
  9. 'Researchers: Cyber spies break into govt computers'. Associated Press. March 29, 2009. Retrieved March 29, 2009.
  10. 'China-based spies target Thailand'. Bangkok Post. March 30, 2009. Retrieved March 30, 2009.
  11. 'Canadians find vast computer spy network: report'. Reuters. March 28, 2009. Retrieved March 29, 2009.
  12. 'Spying operation by China infiltrated computers: Report'. The Hindu. March 29, 2009. Archived from the original on April 1, 2009. Retrieved March 29, 2009.
  13. 'Foreign hackers attack Canadian government'. CBC News. February 17, 2011. Retrieved February 17, 2011.
  14. Tracking GhostNet: Investigating a Cyber Espionage Network. Munk Centre for International Studies. March 29, 2009.
  15. Nagaraja, Shishir; Anderson, Ross (March 2009). 'The snooping dragon: social-malware surveillance of the Tibetan movement' (PDF). Computer Laboratory, University of Cambridge.
  16. Henderson, Scott (April 2, 2009). 'Hunting the GhostNet Hacker'. The Dark Visitor. Archived from the original on April 6, 2009. Retrieved April 2, 2009.
  17. 'U of T team tracks China-based cyber spies'. Toronto Star. March 29, 2009. Archived March 31, 2009, at the Wayback Machine.
  18. BREACHING TRUST: An analysis of surveillance and security practices on China's TOM-Skype platform.
  19. 'Meet the Canadians who busted Ghostnet'. The Globe and Mail. March 29, 2009.

External links

  • Citizen Lab at the University of Toronto
  • F-Secure Mirror of the report PDF
  • Kelly, Cathal (March 31, 2009). 'Cyberspies' code a click away - Simple Google search quickly finds link to software for Ghost Rat program used to target governments'. Toronto Star (Canada). Toronto, Ontario, Canada. Retrieved April 4, 2009.
  • Lee, Peter (April 8, 2009). 'Cyber-skirmish at the top of the world'. Asia Times Online. Archived from the original on April 10, 2009. Retrieved April 9, 2009.
  • Bodmer, Kilger, Carpenter, & Jones (2012). Reverse Deception: Organized Cyber Threat Counter-Exploitation. New York: McGraw-Hill Osborne Media. ISBN 0071772499, ISBN 978-0071772495.

Retrieved from 'https://en.wikipedia.org/w/index.php?title=GhostNet&oldid=1020314137'