ghostnet
Thursday, April 2nd, 2009 at 11:25 am by Brian Ales
By now you’ve probably heard about ghostnet, the large-scale operation originating from somewhere within China. So far, 1,295 computers in 103 countries have been discovered to be infected by the sophisticated rootkit malware (rootkits are particularly tough to detect because they live at a very low level, as close to the actual machine as the operating system itself). Like most such attacks, ghostnet was launched via ‘trojan’ malware (software embedded into commonly emailed file formats such as Word, Acrobat, or PowerPoint). The file arrives as an attachment in an email “spoofed” to appear from a trustworthy source, and the malware executes when the user opens the seemingly innocent file.
Ghostnet was primarily directed at the Dalai Lama, Tibetan Buddhism’s leader-in-exile. Was the Chinese government somehow involved? Even if the infection could be traced to an IP address via log files on the target network, it’s still a difficult question to answer without the cooperation of the local Chinese internet service provider. Further complicating the matter is a technology called “Dynamic DNS”. Simply put, dynamic DNS providers are private services that map dynamically changing IP addresses to static hostnames (URLs) publicly visible on the internet. The technology was originally designed to enable a host with a dynamically assigned address (typical of residential connections) to maintain a fixed public address for remote access from the internet. However, since dynamic DNS exists outside the internationally sanctioned and administered DNS system, it can also be used malevolently to cloak an IP address (or a series of IP addresses) behind a “spoofed” web or email server – in effect, yet another layer of obfuscation before the forensic technologists even get to the local ISP. Add to that China’s reputation for non-transparency in all things internet, and you can see how difficult it would be to prove ghostnet’s definitive source of origin.
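The paragraph above describes the defender’s side of the problem: a hostname that stays fixed while the address behind it keeps changing. One observable that follows from that is a name in your own resolver logs that answers with many different IP addresses in a short time, or that sits under a dynamic-DNS parent domain. The script below is an added illustration, not code from the post or from the Cambridge/Toronto researchers; the log lines, the client addresses and the provider suffixes (`dyn-example.net`, `ddns-example.org`) are all constructed placeholders.

```python
"""Flag resolver-log entries that point at dynamic-DNS hostnames or at names
whose answers churn across many IP addresses within a short window.
Added example; the watch-list and the log lines are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed watch-list of dynamic-DNS parent domains (placeholders, not real providers).
DYNDNS_SUFFIXES = ("dyn-example.net", "ddns-example.org")

# Constructed resolver log: timestamp, querying client, queried name, answer IP.
SAMPLE_LOG = """\
2009-03-28T08:01:12 10.0.0.15 update.dyn-example.net 203.0.113.10
2009-03-28T08:05:40 10.0.0.15 update.dyn-example.net 203.0.113.77
2009-03-28T08:09:03 10.0.0.15 update.dyn-example.net 198.51.100.5
2009-03-28T08:11:55 10.0.0.22 www.example.com 192.0.2.1
2009-03-28T09:15:00 10.0.0.22 www.example.com 192.0.2.1
2009-03-28T09:20:31 10.0.0.31 files.example.org 192.0.2.9
2009-03-28T09:22:10 10.0.0.31 files.example.org 192.0.2.33
2009-03-28T09:23:48 10.0.0.31 files.example.org 192.0.2.48
"""


def parse_log(text):
    """Turn the four-column log into (timestamp, client, name, ip) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name, ip = line.split()
        records.append((datetime.fromisoformat(ts), client, name.lower(), ip))
    return records


def is_dyndns_name(name, suffixes=DYNDNS_SUFFIXES):
    """True if the name is, or sits under, one of the watch-listed parent domains."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def churning_names(records, min_ips=3, window_minutes=60):
    """Names that resolved to at least min_ips distinct addresses inside one window.

    A sliding window is started at every event for the name, so churn is caught
    wherever in the day it happens, not only at the start of the log.
    """
    by_name = defaultdict(list)
    for ts, _client, name, ip in records:
        by_name[name].append((ts, ip))
    flagged = {}
    for name, events in by_name.items():
        events.sort()
        for i in range(len(events)):
            start = events[i][0]
            seen = set()
            for ts, ip in events[i:]:
                if (ts - start).total_seconds() > window_minutes * 60:
                    break
                seen.add(ip)
            if len(seen) >= min_ips:
                flagged[name] = sorted(seen)
                break
    return flagged


def analyse(text):
    """Return {'dyndns': {name: {clients}}, 'churn': {name: [ips]}} for a log."""
    records = parse_log(text)
    report = {"dyndns": {}, "churn": churning_names(records)}
    for _ts, client, name, _ip in records:
        if is_dyndns_name(name):
            report["dyndns"].setdefault(name, set()).add(client)
    return report


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for name, clients in sorted(result["dyndns"].items()):
        print(f"dynamic-DNS name {name} queried by {', '.join(sorted(clients))}")
    for name, ips in sorted(result["churn"].items()):
        print(f"{name} answered with {len(ips)} addresses in one window: {ips}")
```

Both checks are leads for a forensic analyst rather than verdicts: the suffix list only catches providers you already know about, and address churn is also produced by legitimate content-delivery networks, so the output is meant to be triaged against the rest of the host’s traffic rather than acted on alone.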
And there’s more bad news: while the sophistication of this particular rootkit is unprecedented, it’s nothing new. Here’s a short list of other attacks from the past few years (and these are just the ones that were discovered):
- November 6, 2008, US: Newsweek reports that several computers on the campaign office networks of both Obama and McCain were compromised during the summer; trojan malware sent an unknown amount of data detailing candidate policy positions to a “foreign entity”. FBI launches an investigation.
- June 11, 2008, US: Virginia Representative (and longtime China human rights critic) Frank Wolf announces that four of his Capitol Hill PCs were compromised by malware which copied and transferred an unknown amount of data. FBI announces the attack originated from China, declines to comment further.
- December, 2007, UK: The Director-general of British intelligence agency MI5 sends a letter to 300 British companies warning that their networks are under attack. The announcement explicitly names “Chinese state organizations” as the source.
- December, 2007, US: 37,000+ attempted attacks on both government and private networks are reported for the year; US Congress is informed that Chinese espionage represents “the single greatest risk to the security of American technologies”. A new 40,000-person US Air Force unit is created to combat the problem.
- September 24, 2007, US: FBI announces that the Department of Homeland Security network had been attacked by malware originating from (and communicating with) China. Although from an “unclassified” network, an unknown amount of data was copied and transferred over the past 2 (!) years. IT contractor Unisys denies any fault; FBI investigates.
- August 27, 2007, Germany: While Chancellor Angela Merkel is on a state visit to China, German newsweekly Der Spiegel reports that “many” computers in her office (as well as those in several other ministries) were found to be infected with trojan malware communicating back to Chinese-registered URLs. A 160GB data transfer was stopped in progress; how much data was lost previously remains unknown. China denies involvement.
While ghostnet appears politically motivated, a similar attack could be easily mounted on the enterprise: interviewed on NPR this weekend, Ross Anderson (who along with other researchers from the University of Cambridge and the University of Toronto discovered and named ghostnet) said this rootkit could go through a Fortune 500 company “like a knife through butter.”
Scary stuff.
