Apr 03 2009
UPDATE: Added further comment by Nart Villeneuve at the bottom (Great guy!)
Yep, that would be us…
According to researchers at IWM, Lost33's information was only included in the GhostNet report because his malware was found on two computers associated with the Dalai Lama's network. However, it was different from the remote control access tool gh0stRAT that made up the backbone of GhostNet.
From the report by Robert Lemos at Security Focus:
However, the e-mail address was found only on two of the computers analyzed for the investigation, said Nart Villeneuve, a researcher at the CitizenLab and one of the authors of the GhostNet report. Both computers had been infected with a second piece of malware, separate from the gh0st remote access tool (gh0stRAT) that formed the backbone of the surveillance network, he said.
“That is a valid piece of malware but it is not the one related to the malware that connected to the admin interface for the gh0stRAT,” Villeneuve said.
So it looks like we are now investigating a massive network intrusion of two computers. One, two. We will call our project CasperNet.
Spoke with Jumper earlier today and he still feels it is worthwhile to pursue. So, he will continue his conversation with Lost33 tonight.
UPDATE: Wanted to add this comment left by Nart Villeneuve because I thought it was super nice of him. I botched up his report but he was still kind enough to stop by and offer these words of encouragement:
“I wouldn’t say lesser at all — just different. The CasperNet (www.lookbytheway.net/www.macfeeresponse.org) which sounds way better than what I’ve been calling it (CGI after their use of CGI scripts) was the one that was found to be retrieving a sensitive document related to the Dalai Lama’s negotiating position. In addition to being found at the OHHDL it was also found at the Tibetan NGO Drewla.”
3 Responses to “Children of a lesser malware”