California, Santa Barbara.
Espionage in the Cloud: How China-based hackers exploited Web 2.0 services to run a global spy network.
This past spring, researchers uncovered a computer espionage network directed from China by perpetrators who remain unknown. In the map above, circles represent locations of 139 computers known to have been infected with the spyware; they included ones in the National Security Council Secretariat of India, the Office of the Dalai Lama, and the Pakistani embassy in the United States. The infected computers used popular Web 2.0 services (depicted above as a cloud) to check in with attackers’ sites, and these sites then sent the machines the addresses of command-and-control servers to which they would connect and send their data. In one case documented by the researchers, 1,500 of the Dalai Lama’s letters were sent from Dharamsala, India, to a command-and-control server in Chongqing, China. The researchers suspect that the original infections took root when some victims opened virus-laden Word and PDF documents e-mailed to them. Infected computers were also found in China; some were used by the attackers to test their system.
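The two-stage check-in described above (a bot first fetches a page on a public Web 2.0 service, then connects to the command-and-control address it found there) leaves a recognizable shape in outbound logs: a request to a public service followed within seconds by a connection from the same host to some other destination, repeated on a schedule. The following is an added illustration, not code from the researchers' report; the log lines, the watched service name `blog.example-service.net`, the 30-second window and the `find_staged_beacons`/`recurring` helper names are all constructed assumptions.

```python
"""Toy detector for the staged check-in pattern: a host that repeatedly
follows a fetch from a public (staging) web service with a connection to
another destination. Everything here is constructed for illustration."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed proxy/firewall records: timestamp, internal host, destination, protocol.
# 10.0.0.5 shows the pattern twice; 10.0.0.7 reaches the same address but
# without a preceding staging fetch, so it is not flagged.
SAMPLE_LOG = """\
2009-03-01T10:00:01 10.0.0.5 blog.example-service.net http
2009-03-01T10:00:04 10.0.0.5 198.51.100.23 tcp
2009-03-01T10:00:10 10.0.0.7 mail.example.org http
2009-03-01T10:30:00 10.0.0.7 198.51.100.23 tcp
2009-03-01T11:00:01 10.0.0.5 blog.example-service.net http
2009-03-01T11:00:03 10.0.0.5 198.51.100.23 tcp
"""

# Assumed watch-list of public services a bot might use to look up its C2 address.
STAGING_SERVICES = {"blog.example-service.net"}
# Assumed maximum gap between the staging fetch and the follow-on connection.
WINDOW = timedelta(seconds=30)


def parse_log(text):
    """Parse the constructed log format into (time, src, dst, proto), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, proto))
    events.sort()
    return events


def find_staged_beacons(text, staging=STAGING_SERVICES, window=WINDOW):
    """Count, per (host, staging service, candidate C2 destination), how often a
    request to a staging service was followed within `window` by a connection
    from the same host to a destination that is not itself a staging service."""
    events = parse_log(text)
    hits = Counter()
    for i, (t0, host, dst, _proto) in enumerate(events):
        if dst not in staging:
            continue
        # Events are globally time-sorted, so we can stop once the window closes.
        for t1, host2, dst2, _ in events[i + 1:]:
            if t1 - t0 > window:
                break
            if host2 != host or dst2 in staging:
                continue
            hits[(host, dst, dst2)] += 1
    return dict(hits)


def recurring(hits, min_count=2):
    """Keep only (host, staging, c2) triples seen at least `min_count` times:
    a single coincidence is noise, a repeating sequence looks like a beacon."""
    return {key: n for key, n in hits.items() if n >= min_count}


if __name__ == "__main__":
    for (host, stage, c2), n in recurring(find_staged_beacons(SAMPLE_LOG)).items():
        print(f"{host}: {n} staged check-ins via {stage} -> {c2}")
```

The heuristic is deliberately simple: it looks only at ordering and timing, not at content, so it can run on proxy or flow logs that contain no payloads. In practice the candidate destinations it surfaces would be corroborated with other evidence (how many hosts share the same follow-on destination, whether the destination was ever seen before) rather than treated as a verdict on their own.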
As things worked out, the Nasiri case was a model for a successful transnational botnet investigation. In the United States, the FBI got a tip about the Dutchman and passed it to the high-tech unit of the Dutch National Police, who arrested him. Then, in an unusual touch, the Dutch investigators sought the help of antivirus companies to craft instructions for erasing the infection from victims’ computers and to take over the botnet’s command-and-control system, which operated on servers in the Netherlands. “They wanted to do something novel–to take out the botnet,” recalls Roel Schouwenberg, an antivirus researcher at Kaspersky Lab, whom the Dutch police contacted to perform the task. “There was some risk of it getting stolen by other bad guys.”
Trouble is, the U.S.-Dutch investigation was an exception. Around the time Shadow was being shut down, another botnet, known as Grum, was gaining strength (see “Botnet Snapshot” in slideshow). Grum’s command-and-control system was hosted by a Ukrainian company called Steephost. In November 2009, Alex Lanstein, a researcher at the U.S. computer security firm FireEye, wrote an earnest e-mail to Steephost’s abuse notification address. “Hi Abuse,” he began, “I thought you would be interested to know of a criminal network downstream from you.” He laid out the facts about Grum and other malicious sites it hosted, but he received no reply. A few days later, however, he noticed the appearance of a kind of botnet fig leaf: the malicious sites’ Web addresses now led to phony e-commerce home pages. In March, the computer security firm Symantec said that Grum was responsible for 24 percent of all spam on the Internet, up from 9 percent at the end of 2009.
Steephost’s owners, who could not be reached for comment, had little to worry about in thumbing their noses at the likes of Lanstein. Botnets operate freely across national borders, and law enforcement lags far behind. A treaty that seeks to boost investigative coöperation, the European Convention on Cybercrime, has been signed by 46 countries–mostly in Europe, but including the United States, Canada, South Africa, and Japan. But it has not been signed by China, Russia, or Brazil, which (along with the United States) jockey for leadership as the world’s major hosts of cyber attacks. Some signatories, such as Ukraine, are not known for enthusiastic efforts to stop botnets. And attempts to craft a global version have stalled (see “Global Gridlock on Cyber Crime”). “Botnets are a serious threat, but we’re out of luck until there is international agreement that cyber crime really needs fairly rigorous countermeasures and prosecutions across pretty much all of the Internet-using nations,” says Vern Paxson, a computer scientist at the University of California, Berkeley, who studies large-scale Internet attacks.
Given the poor prospects for a global accord, the United States is trying to forge bilateral agreements with some of the worst sources of attacks, including Russia. Russia coöperates on an ad hoc basis in pursuing homegrown cyber criminals–it recently aided in the arrest of several people in Russia who’d allegedly carried out a $10 million online theft from the Bank of Scotland–but stops short of allowing law enforcement from other nations access to its networks. Still, Sherstyuk, the Russian information security czar, told me: “We want to help set the rules in the information sphere. And I bet that there are many things that we can do together.”
Botnet Snapshot: A botnet called Grum is a leading source of spam on the Internet. Here are some of its vital statistics.
Many Internet service providers, another potential source of defense, are also making a tepid effort. ISPs have the capacity to identify and quarantine infected machines on their networks, thus containing a source of spam and attacks. But in practice, most ISPs ignore all but those machines so noxious that they prompt other ISPs to retaliate by blocking traffic. It’s much cheaper to provide the extra bandwidth than to actually deal with the problem, says Michel van Eeten, a technology policy professor at Holland’s Delft University of Technology, who studies botnets. He describes the case of an Australian ISP that was considering technology to automatically cut off infected computers. The ISP soon abandoned the plan when it realized that 40,000 confused and angry customers would be dialing in to customer support lines every month, wondering why they got cut off and how to cleanse their machines. “ISPs typically take care of the bots that trigger countermeasures against the ISP itself,” van Eeten