The attackers also made innovative use of Yahoo’s e-mail application programming interface, Villeneuve said. Their malware instructed infected computers to connect to attackers’ Yahoo mail accounts through this interface, then report on their name, operating system, and IP address. The attackers also used this connection to install additional malware on the computer, and to issue commands. Villeneuve says that this system served mainly as a backup for the attackers, in case the Web-based infrastructure was disabled.
Brett Stone-Gross, a researcher at the University of California, Santa Barbara, who studies botnets, says the report shows a shift in strategy for controlling botnets. Not only does it make it harder for administrators to see that traffic is going to the botnet, he says, but it also makes it harder for them to stop it. Administrators generally can’t blacklist a site such as Twitter or Google Groups without causing too much pain to legitimate users, he points out. Stone-Gross compares the practice to spammers’ use of legitimate Gmail, Yahoo, and Hotmail accounts, which have so much legitimate activity that organizations can’t block the domains to filter out malicious e-mail.
Deibert added at the press conference that, while the research suggests that the hackers behind the attacks are based in China, there isn’t hard evidence that the Chinese government was involved. “We’re eager to work with those parts of the Chinese government that want to solve this,” he said, adding that they’ve been cooperating with China’s Computer Emergency Readiness Team (CERT).
However, Deibert criticized the governments hoping to engage in cyber espionage and warfare. “There is a very real arms race in cyberspace, of which this report is but one small example,” he said. The researchers expect that some of the information stolen by the botnet will make it to the Chinese government through some channel, even if the government did not order the attacks.