Malware targeting Tibetan activists discovered
Phayul[Monday, May 27, 2013 14:16]
DHARAMSHALA, May 27: Researchers at the global security software company ESET have discovered a cyberespionage malware targeting Tibetan activists which could have been active unnoticed for several years.

The threat, which has been named Win32/Syndicasec.A, bears characteristics very similar to previous espionage campaigns against Tibetan activists but uses unusual techniques to evade detection and achieve persistence on infected systems, ESET said last week.

According to Alexis Dorais-Joncas, Security Intelligence Team Lead at ESET, the malware bypasses the UAC (User Account Control) mechanism in Windows to run arbitrary commands with elevated privileges without prompting users for confirmation.

This technique is used to execute a second malicious component that registers a piece of JavaScript code in the Windows Management Instrumentation (WMI) subsystem.

“This technique has the excellent property (from the attacker’s point of view) of not requiring any malicious code to be stored as a regular file on disk. This causes standard dynamic analysis tools such as Process Monitor to fail to clearly highlight the malicious activity,” Dorais-Joncas said.

The rogue WMI script added by the malware makes HTTP requests to hardcoded URLs that point to the RSS feeds of free blog sites. The title tags of RSS entries in those feeds contain encrypted commands that, when decoded, reveal the URLs of the actual command-and-control (C&C) servers.
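One check a defender can run for the WMI persistence and feed-fetching behaviour described above, as an added example that is not code from the article or from ESET: it lists script-based WMI event consumers, resolves the event filters that trigger them, and flags any whose inline script references an HTTP client object or a feed URL (the indicator strings are an assumption; the namespace and class names are the standard WMI subscription classes).

```powershell
# Added example (not from the article or ESET): audit WMI permanent event
# subscriptions for script-based consumers, the persistence mechanism the
# article describes, in which no regular file is written to disk.
# Run in an elevated PowerShell session on the host under examination.
# The indicator strings are an assumption: a WMI script that fetches RSS
# feeds over HTTP would normally name an HTTP client object or a URL.
$ns = 'root/subscription'
$indicators = @('MSXML2.XMLHTTP', 'WinHttp.WinHttpRequest', 'http://', 'https://', 'rss', 'feed')

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
$consumers = Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue

if (-not $consumers) {
    Write-Output "No ActiveScriptEventConsumer instances found in $ns."
    return
}

foreach ($c in $consumers) {
    $script = $c.ScriptText
    $len = if ($script) { $script.Length } else { 0 }

    # Indicator strings present in the inline script (-match is case-insensitive)
    $hits = @($indicators | Where-Object { $script -and ($script -match [regex]::Escape($_)) })

    # Resolve the WQL queries of the event filters bound to this consumer,
    # i.e. what system event causes the script to run
    $triggers = @($bindings |
        Where-Object { $_.Consumer.Name -eq $c.Name } |
        ForEach-Object { $b = $_; $filters | Where-Object { $_.Name -eq $b.Filter.Name } } |
        ForEach-Object { $_.Query })

    [pscustomobject]@{
        Consumer        = $c.Name
        ScriptingEngine = $c.ScriptingEngine   # e.g. JScript or VBScript
        ScriptFile      = $c.ScriptFileName    # empty when the script is stored inline in WMI
        InlineScriptLen = $len
        TriggerQueries  = ($triggers -join ' | ')
        NetIndicators   = ($hits -join ', ')
        Suspicious      = ($hits.Count -gt 0)
    }
}
```

Any consumer reported as Suspicious should have its full ScriptText reviewed; legitimate script consumers exist but are rare on workstations, so an unexpected entry is worth investigating even without indicator hits.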

“The threat uses fake blogs to discover its C&C servers, which are hosted on Tibet-related domains,” Dorais-Joncas said.

The ESET researchers infected a test machine with Win32/Syndicasec in order to monitor its traffic and found that the interactions between the C&C server and the malware didn’t appear to be automated.

“Every day would bring different commands sent at non-regular time intervals, making it look just as if someone was sitting behind a console and manually controlling infected hosts,” Dorais-Joncas said.

The domain names used for the C&C servers included references to Tibet, for example tbtworld.info and tbtsociety.info. The most recent C&C domain, which was set up in late April, is called nedfortibt.info.

According to the ESET researchers, the infection scale of Win32/Syndicasec is small and strictly limited to Nepal and China.

“The lack of built-in commands [in the master script] prevents us from discovering the real end-goal of this operation,” Dorais-Joncas said. “However, we can affirm that the various characteristics observed around this threat are similar to other espionage campaigns against Tibetan activists that we have observed.”

Last year, the security software company AlienVault made rare public disclosures linking the long-running malware campaign against Tibetan groups to a Chinese programmer connected to the Chinese government.