The F-Secure blog had a very interesting piece today about targeted malware attacks against pro-Tibet groups.
F-Secure is a security software vendor from Finland, in the same business as Symantec and McAfee. I hadn’t heard of them until I ran across a link to their blog several months ago, because they don’t seem to have much presence in the US. I have the impression that their product is every bit as good as those others, if not better, and their blog is the best source I’ve found for news about malicious software.
The blog post says, “Somebody is trying to use pro-Tibet themed emails to infect computers of the members of pro-Tibet groups to spy on their actions.” They give examples: a report from Agence France-Presse (AFP) saying, “AFP received an email Tuesday from someone claiming to be in Denmark, who had attached a file they said were pictures of Tibetans shot by the Chinese army. When AFP tried to open the attachment, a virus warning appeared”; an email with a PDF attachment that includes a piece of spyware; and a Word document, an Excel spreadsheet, and a PowerPoint file which F-Secure says contain similar spyware. The malware in the PDF document that F-Secure analyzed records everything typed on the victim’s computer and sends it to a server in China.
I guess the first question is, do I believe it at all? I think so; I don’t think F-Secure is going out of its way to pick a fight. I do think F-Secure is confident enough and believes strongly enough in its mission of fighting malicious software that it will print the truth when it sees it.
F-Secure doesn’t say who it thinks is behind the spyware, but it does use phrases like “crafted very well”, “technically advanced attacks”, and “crafted to evade detection by most antivirus products at the time it was sent.” It’s not much of a stretch to think that the Chinese government is behind this; in fact, I find it harder to imagine who else would be (assuming, of course, that you do believe it at all). I’d rather have spyware on my computer than polonium in my tea, but I don’t like this either.
Probably the best way to fight the threat would be to get many more computers affected than the senders expected, so as to overload the resources for reading and analyzing all the data (wouldn’t you think the reason it’s been carefully targeted is to make sure all the captured data is from relevant sources?). Then, knowing it was going to be read, people could send disinformation, such as emails pretending to go to Chinese officials as though they’re part of the resistance.