Apr 03 2009

Children of a lesser malware

UPDATE: Added further comment by Nart Villeneuve at the bottom (Great guy!)

Yep, that would be us…

According to researchers at IWM, Lost33′s information was only included in the GhostNet report because his malware was found on two computers associated with the Dalai Lama’s network.  However, it was different from the remote control access tool gh0stRAT that made up the backbone of GhostNet.

From the report by Robert Lemos at Security Focus:

However, the e-mail address was found only on two of the computers analyzed for the investigation, said Nart Villeneuve, a researcher at the CitizenLab and one of the authors of the GhostNet report. Both computers had been infected with a second piece of malware, separate from the gh0st remote access tool (gh0stRAT) that formed the backbone of the surveillance network, he said.

“That is a valid piece of malware but it is not the one related to the malware that connected to the admin interface for the gh0stRAT,” Villeneuve said.

So it looks like we are now investigating a massive network intrusion of two computers.  One, two.  We will call our project CasperNet.

Spoke with Jumper earlier today and he still feels it is worthwhile to pursue.  So, he will continue his conversation with Lost33 tonight.

UPDATE: Wanted to add this comment left by Nart Villeneuve because I thought it was super nice of him.  I botched up his report but he was still kind enough to stop by and offer these words of encouragement:

“I wouldn’t say lesser at all — just different. The CasperNet (www.lookbytheway.net/www.macfeeresponse.org) which sounds way better than what I’ve been calling it (CGI after their use of CGI scripts) was the one that was found to be retrieving a sensitive document related to the Dalai Lama’s negotiating position. In addition to being found at the OHHDL it was also found at the Tibetan NGO Drewla.”

3 responses so far

3 Responses to “Children of a lesser malware”

  1. Narton 04 Apr 2009 at 11:16 am

    I wouldn’t say lesser at all — just different. The CasperNet (www.lookbytheway.net/www.macfeeresponse.org) which sounds way better than what I’ve been calling it (CGI after their use of CGI scripts) was the one that was found to be retrieving a sensitive document related to the Dalai Lama’s negotiating position. In addition to being found at the OHHDL it was also found at the Tibetan NGO Drewla.

  2. Heikeon 04 Apr 2009 at 4:42 pm

    Nart,

    Great having you here! Once again, fantastic job on GhostNet.

    You guys at IWM have been very supportive of our rather feeble efforts. Very sorry if we caused any confusion or distraction on your project.

  3. every1s0bviouson 10 Apr 2009 at 7:16 pm

    The “Casper” Net thing made me ROFL.

    That is a real cruel jab, lol…

    He’s a nice guy, come on.

    However, his sk1llz are lacking.

    I DEFINITELY like it better. ROFL.