What is GhostNet? The Facts.

In much the same way as they handled Conficker, the mass media have had a field day spreading sensationalism about the so-called "GhostNet". For those of you interested in a more factual account, give this a read and let me know what you think.

GhostNet was discovered by a research outfit called the Information Warfare Monitor (IWM), a joint venture between two Canadian entities, the SecDev Group and the Citizen Lab at the University of Toronto, that tracks the use of cyberspace as a strategic domain. IWM had been working with the Tibetan government in exile, which suspected that its computer network had been infiltrated.

Over the course of a 10-month-long investigation, IWM managed to trace infections across 103 countries. GhostNet appears to single out high-profile political and economic targets for infection (a practice known as whaling or spear phishing, as opposed to indiscriminate phishing), and achieves infection through social engineering techniques that convince the victim to open a malicious email attachment.

During their investigation of GhostNet, IWM determined that both the attackers and the infection itself originated from Chinese IP addresses geographically located on the island of Hainan. It is perhaps worth mentioning that Hainan is home to the Lingshui signals intelligence facility and the Third Technical Department of the Chinese People's Liberation Army. IWM also determined that one of the servers used to coordinate the infection was hosted at a Chinese government-run facility.

The Remote Access Trojan/Tool (RAT) used in GhostNet is known as gh0st. It is open source software, and can be obtained in full with a quick internet search. A machine infected by gh0st RAT can be controlled and/or viewed in almost any manner by the attacker: gh0st RAT is fitted with remote desktop, webcam and microphone monitoring, and keylogging capabilities. gh0st RAT reports back from the infected machine to what are known as "command and control" servers, which send instructions to, and receive data from, the Trojan.
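From the defender's side, the "reports back" behaviour described above is what gives a RAT away on the network: an infected machine keeps contacting the same command-and-control server at regular intervals. The following is an added example, not code from the original post or from IWM's report, that scores connection timing from a proxy log and flags the regular "phone home" pattern. The log format, IP addresses and timestamps are constructed for the example, and the threshold values are assumptions.

```python
"""Added example (not from the original post): flag client/destination
pairs whose outbound connections recur at near-constant intervals, the
"phone home" pattern a RAT shows when it reports to its
command-and-control server. Log lines and addresses are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log in an assumed format:
# "<ISO timestamp> <client IP> <destination IP>"
# 10.0.0.5 contacts 203.0.113.10 exactly every 60 s (beacon-like);
# 10.0.0.7 contacts 198.51.100.20 at irregular, human-like times.
SAMPLE_LOG = """\
2009-03-01T09:00:00 10.0.0.5 203.0.113.10
2009-03-01T09:01:00 10.0.0.5 203.0.113.10
2009-03-01T09:02:00 10.0.0.5 203.0.113.10
2009-03-01T09:03:00 10.0.0.5 203.0.113.10
2009-03-01T09:04:00 10.0.0.5 203.0.113.10
2009-03-01T09:00:12 10.0.0.7 198.51.100.20
2009-03-01T09:07:45 10.0.0.7 198.51.100.20
2009-03-01T09:08:03 10.0.0.7 198.51.100.20
2009-03-01T09:31:30 10.0.0.7 198.51.100.20
2009-03-01T09:52:09 10.0.0.7 198.51.100.20
"""


def parse_log(text):
    """Return {(client, dest): [datetime, ...]} from the line format above."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest = line.split()
        flows[(client, dest)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps):
    """Coefficient of variation (std dev / mean) of the gaps between
    consecutive connections: 0.0 means perfectly regular timing.
    Returns None for fewer than 4 connections (3 gaps), which is too
    little data to judge regularity."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu == 0:
        return None
    return pstdev(gaps) / mu


def find_beacons(text, max_cv=0.2, min_connections=4):
    """Return [(client, dest, cv)] for flows whose timing looks like beaconing.
    max_cv and min_connections are assumed tuning values, not from the post."""
    hits = []
    for (client, dest), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        cv = beacon_score(stamps)
        if cv is not None and cv <= max_cv:
            hits.append((client, dest, round(cv, 3)))
    return hits


if __name__ == "__main__":
    for client, dest, cv in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {client} -> {dest} (gap CV={cv})")
```

The point of using the coefficient of variation rather than a fixed interval is that the detector does not need to know the implant's check-in period in advance; it only needs the gaps to be consistently similar. Real implants may add random jitter to their sleep time, so in practice the threshold is tuned against a baseline of known-good traffic, and a hit is a lead for investigation rather than a verdict.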

In the specific case of GhostNet, the infection is spread via social engineering, a method used by attackers to gain the trust of the target so that the target is convinced to follow the attacker's directions. The attackers monitor email or verbal communication between two parties, one of which is already infected, which is what makes the monitoring possible. They watch the exchanges until an opportunity presents itself to pass themselves off as the infected party. At that point, the attackers craft an email to the uninfected party, posing as the infected party, containing material that appears relevant to the original exchange. Attached to the email is (usually) a PowerPoint presentation which, once opened, infects the previously uninfected party with gh0st.

Despite a substantial lack of evidence implicating the Chinese government in the operation of GhostNet, some reports have taken the standpoint that it is behind it. It could be argued that, given the press this story has received and the high profile of the victims, the Chinese government is perhaps complicit with the acts of those running GhostNet. It is also possible that it is being fed valuable confidential information retrieved via GhostNet. There have been reports of people held in Chinese custody being shown transcripts of private email conversations by Chinese officials. None of these possibilities has been, or can be, confirmed.

Sources:
http://en.wikipedia.org/wiki/GhostNet and source reports
http://www.f-secure....rchives/ghostnet.pdf
http://www.cl.cam.ac...s/UCAM-CL-TR-746.pdf
http://en.wikipedia....wiki/Infowar_Monitor
http://en.wikipedia.org/wiki/Ghost_Rat

Ehtyar.


