GhostNet – Organized Threat or Random Hack?

According to an article published in the New York Times on March 28, 2009, there is a rather large spy system at work that has targeted government organizations and private businesses around the world. The article reports that at least 1,295 computers in 103 countries were successfully breached.

(Photo caption: four Toronto academic researchers who are studying GhostNet.)

While it is unknown who is behind these attacks, the source IP addresses trace back to computer systems based in China. The attacks follow a similar approach:

1. The victim receives a spoofed e-mail with an attachment
2. The e-mail appears to come from a trusted source
3. The contents seem logical and make sense
4. There is an attachment that is a PDF, DOC, PPT, or XLS
5. When the victim opens up the attachment, the document appears valid but actually launches an exploit
6. The exploit drops the malware
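As an added illustration, not part of the original post, the following Python triage check flags a message that matches steps 1 to 4 of this chain: a From header whose domain differs from the envelope sender recorded in Return-Path, plus an attachment with one of the four document extensions named above. The sample message, its domains and names are constructed for the example.

```python
import email
import os.path
from email import policy
from email.utils import parseaddr
# Attachment types named in the GhostNet lure description.
LURE_EXTENSIONS = {".pdf", ".doc", ".ppt", ".xls"}

def _domain(header_value):
    """Lowercased domain of the first address in a header ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def triage(raw_bytes):
    """Return findings for one raw RFC 5322 message; an empty list means no match."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    from_domain = _domain(msg["From"])
    path_domain = _domain(msg["Return-Path"])
    # Steps 1-2: From claims one organisation, the envelope sender belongs to another.
    if path_domain and from_domain != path_domain:
        findings.append(f"sender mismatch: From={from_domain} Return-Path={path_domain}")
    # Step 4: an attachment with one of the four lure document extensions.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if os.path.splitext(name)[1] in LURE_EXTENSIONS:
            findings.append(f"lure-type attachment: {name}")
    return findings

# Constructed sample message (made-up domains and names), not a real capture.
SAMPLE = b"""\
Return-Path: <bounce@mail-relay.example.net>
From: "Ministry of Foreign Affairs" <press@mfa.example.gov>
Subject: Revised agenda for next week's meeting
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Please review the attached agenda before Monday.

--b1
Content-Type: application/pdf; name="agenda.pdf"
Content-Disposition: attachment; filename="agenda.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""
```

A message with matching sender domains and no lure-type attachment returns an empty list, so the function can be applied to a mailbox and only the hits reviewed.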

The “dropper” mechanism used to infect the attachments and install the malware onto targeted systems is described in F-Secure's write-up. The heart of this attack is the malware being used. It is known as Gh0st RAT and is based on a previous Trojan known as Poison Ivy, which is provided free by its developers. Such tools are typically open source and easy to modify and adapt, which makes them more difficult for anti-virus to detect. Once installed, Gh0st RAT gives the attacker full control of the victim’s computer: it can not only capture keystrokes but also control the webcam and microphone.

What makes this particular attack so important is the ease with which it was deployed and the number of particularly critical systems it was installed on. If you are responsible for securing your organization’s systems, or are simply interested in IT security, I suggest you read the in-depth report issued by Cambridge University titled “The snooping dragon.”

From Michael Gregg

Photo taken by Tim Leyes of the New York Times


1 comment

  1. Allan

    I’m tired of having so many hackers that it bogs down my DLINK because it is insecure. Don’t ask me why I can’t put a security password, but I’ve seen many IP addresses tagged into my dlink.