'Night Dragon' attacks: Another reason to care about consumer malware

Summary: When security experts talk about "securing critical infrastructure," they often talk about the direct threats, but you rarely hear anyone mention securing websites and consumer PCs. Yet success in cleaning up the Web and the endpoints is just as important.

TOPICS: Malware, Security

Guest editorial by Maxim Weinstein

On Wednesday, McAfee reported on a series of cyber espionage attacks dubbed "Night Dragon".

Here's a snip from their report (.pdf):

Starting in November 2009, covert cyberattacks were launched against several global oil, energy, and petrochemical companies. The attackers targeted proprietary operations and project-financing information on oil and gas field bids and operations. This information is highly sensitive and can make or break multibillion dollar deals in this extremely competitive industry.

McAfee has identified the tools, techniques, and network activities used in these attacks, which continue on to this day. These attacks have involved an elaborate mix of hacking techniques including social engineering, spear-phishing, Windows exploits, Active Directory compromises, and the use of remote administration tools (RATs).

This was a sophisticated effort that likely was coordinated or sponsored by a government, a large corporation, or a well-organized criminal group. So what does this complex, targeted attack against energy companies have to do with consumer malware? The answer, it turns out, is plenty.

Attacks like Night Dragon require specialized tools, expertise, and experience. The group behind Night Dragon needed to find -- or in some cases build -- backdoors, command & control servers, and other malware components. They had to figure out which SQL injection attacks would work effectively without detection. They needed the resources and the knowledge of how to purchase (likely with fake or stolen credentials) web hosting accounts around the world. And they needed to know how to put it all together into something that would work.

If an organization had to start from scratch to acquire all this, it would be a nearly insurmountable task. But, of course, they don't. And one of the main reasons they don't is that there's a robust criminal malware ecosystem already in place for them to draw upon. According to McAfee's more detailed report, Night Dragon relied on several off-the-shelf components for its dirty work. Probably the attackers found them in the same forums used by the people who inject drive-by downloads into unsuspecting consumer and small business websites. Whoever built the custom components for Night Dragon probably learned their trade through the criminal underground. Or, perhaps, the components were outsourced to someone currently in the criminal underground.

That criminal underground has developed around desktop malware, phishing, and spam of the kind that consumers and businesses deal with every day. This criminal activity has been successful enough over time to support an entire economy. We're beginning to see the ripple effects of such an economy in attacks like those on Google last year and this more recent spate of espionage. When policymakers and security experts talk about "securing critical infrastructure," they often talk about the direct threats, but you rarely hear anyone mention securing websites and consumer PCs. Yet success in cleaning up the Web and the endpoints might be as important for defending high-profile targets as developing the targets' own defenses.

* Maxim Weinstein is executive director of StopBadware, a non-profit anti-malware organization based in Cambridge, Massachusetts.

  • Two types of attacks here

    Take your typical trojan bank attack.
    1. Compromise a server by looking for unpatched vulnerabilities, try injecting SQL into edit fields and see if it's run.
    2. Once you get access to a server, stick your trojan .exe on there, the URL might fool people to think it's legit.
    3. Use any mailing service on that server to SPAM the world with a Phishing email inviting them to download this trojan .exe as an 'urgent fix' or similar.
    4. Rely on the numbers, send 1 billion phishing emails to get 10 idiots who are fooled by the email and think the URL is legit, thus run the trojan.
    5. Grab whatever data of value you can get from those 10 idiots, bank data, spreadsheets, passwords, anything. Install appropriate malware based on what you find, using the trojan.

    Then there's the cyber anti-malware attack:

    1. Take a thing that happens to everyone all the time right across the net.
    2. Filter out a group that sound related, e.g. 'energy' companies.... as if a Kazakhstan oil pumping company is technically the same as a Czech carbon trading company.
    3. Invent a name for this group of attackers that sounds sinister... 'EvilEnergyCrew'
    4. Try to convince anyone who will listen, to pay way over the odds for basic firewall and virus checking.
    5. Rinse and repeat with a different subset, let's select Government services this time, let's infer that this is a different specialist group, called, erm 'DarkAnarchyComrades', infer they spy for the Russians, repackage your crappy virus checker as a 'cyber defence' product and your crappy network monitor as a 'cyber battlefield awareness monitor' and sell it to suckers in the military.

    You see my point? What McAfee did was to take a [subset] of malware attacks that *they* selected, apply a name to those 'Night Dragon' to group them, then assert that these attacks are special because of their [subset] properties (the ones McAfee originally filtered for!). Yet the malware they listed was the same malware I see right across the net, nothing special there, your typical script kiddie stuff.
  • RE: 'Night Dragon' attacks: Another reason to care about consumer malware

    "Starting in November 2009"

    I wonder why McAfee didn't report it back in 2009 or 2010 at least.

    Why wait until it's 2011?
    • RE: 'Night Dragon' attacks: Another reason to care about consumer malware

      Most likely reported to their direct customers.
  • Ryan, I'm curious...

    How much of the "we're in danger" headlines we've seen this past week (Nasdaq, Energy companies, now this) are just 'fear journalism' directed at combatting the exposure and disapproval that Lieberman's "kill switch" bill got last week, after Egypt shutdown their internet access?

    Since Egypt did that, and the details of Lieberman's bill 'came to light'...we've seen an array of stories, vulnerabilities, dangers, etc. Not only on this website, but on others as well.

    Is there a correlation? Are we being sold another bill of goods like we were with the WMDs to muster support for invading Iraq?

    I'm not accusing you or your site of this, I'm just asking...how much of the recent headlines we've seen are new, legitimate threats, and how much are politics?

    Now, I don't think the average American has any idea that 1) any system can be breached, and 2) legislation has not been able to keep up with the cyber arena, like it should have been...

    but, it seems to me that most Americans are about to be scared into passing a bill that will give government more control than it should have?
    • Exactly

      @chmod 777

      ...and how's that search for Dancho going anyway?
  • I still...

    ...don't care.
  • Trying way too hard

    Given that every motherboard is made in China, external attacks are a waste. Just get some folks hired, if not already, at every MB manufacturer.
    • RE: 'Night Dragon' attacks: Another reason to care about consumer malware

      @TheSaint777 True, a lot of mother boards ARE manufactured overseas. But it's not the ckt board that's at fault.
      ANY MB could be made to carry malware and it's happened a couple times. But take a broad look and do the research: the software is NOT written there, it's not put ON the MB there, nor does it even ever reach the Chinese manufacturers. The MB with everything but SW is what exits China in all but a few cases, which of course should be brands you'd never consider anyway. It's just research ... and not that hard to do to figure out these things. "Manufacturing" is NOT where the code comes from either, BTW.
  • RE: 'Night Dragon' attacks: Another reason to care about consumer malware

    I think most readers here need to learn a lot more about the several manufacturers and writers of code and where/how they are married. There is way too much guessing going on in response to a fear-hyped subject.
    There isn't even a clear understanding of some of the difference between email malware and malware in a newly created product.
    I know I sound negative here but misinformation or lies of omission tend to get my ire up. And the article author certainly left an opening for that.