Weapons of Information Disclosure: GhostNet & Conficker

There are two fascinating developments in the world of online security that are so sensational as to seem right out of a cyberpunk thriller. The first is the resilience of the Conficker worm, which culminates in some kind of action on April 1st 2009. The second is an incredible espionage initiative called GhostNet, which the Citizen Lab in Toronto has helped unearth and expose to the public.

Combined, these two stories depict something I've been describing as Weapons of Information Disclosure, in which proxy forces develop new types of information-based weapons and test them live on the internet. While it's never clear who the players behind this information war are, researchers are able to dissect the tools and compromised systems to portray a fascinating tale of computer-based cloak and dagger.

In the case of Conficker, we have another one of these super worms, following in the success of the Storm Worm, that is able to infect millions of Windows machines and act on the bidding of its mysterious owners. As the latest and greatest, Conficker employs a sophisticated P2P command and control system that uses military-grade encryption to cover its tracks.

The one thing that researchers have been able to determine so far is that on April 1st 2009 the Conficker-infected machines are programmed to download new instructions. These instructions might be as basic as a software update, or a prank, although given the potential power of all these infected machines the possibility of a large-scale attack also has to be considered.

The power that we see manifesting in these types of super worms and related phenomena forces me to ask the question of who is responsible and who benefits. How do you develop new internet-based weapons in an open environment? Once you reach a certain scale of weaponry you cannot leave the testing to the laboratory alone. This is why they exploded nuclear weapons in the Pokhran deserts. Is this what we're now seeing online in terms of the latest iterations of these advanced botnets?

While there are numerous hidden layers to the internet, and multiple means by which to hide, eventually all ghosts become visible.
This is wonderfully illustrated by the report Tracking GhostNet: Investigating a Cyber Espionage Network produced by the Citizen Lab of Toronto and the SecDev group in Ottawa.

A New York Times story by John Markoff about the report is here.

This report is the culmination of a 10-month investigation of alleged Chinese cyber spying against Tibetan institutions. It documents a vast suspected cyber espionage network of over 1,295 infected computers in 103 countries, referred to in the report as GhostNet. Close to 30% of the infected hosts are considered high-value political and economic targets, and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

The capabilities of the attack tools used by the GhostNet system were far-reaching, and included the ability to retrieve documents and to turn on web cameras and audio systems. The investigation was able to conclude that Tibetan computer systems were compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information, including documents from the private office of the Dalai Lama.

While this does seem sensational, it should not be surprising. One also has to assume that a system like this, which can be discovered, is certainly not the most sophisticated or effective; the most effective ones would continue to go on undetected. However, there is both a tension towards transparency and a power found in the openness of the internet. The more the internet is used as infrastructure for these larger espionage initiatives, the greater the chances they will be discovered by researchers committed to an open and democratic society.
Similarly, the open-source movement holds many lessons and examples that provide insight into how technology evolves and influences the tools that people choose to use. We have to remember that as these new weapons are developed we can only speculate on who will choose to use them and help further refine their capabilities.

This is well summarized by a quote I found via the NYTimes article:

“What Chinese spooks did in 2008, Russian crooks will do in 2010 and even low-budget criminals from less developed countries will follow in due course,” the Cambridge researchers, Shishir Nagaraja and Ross Anderson, wrote in their report, “The Snooping Dragon: Social Malware Surveillance of the Tibetan Movement.”

Credit: Jesse Hirsh