Tracking GhostNet: Investigating a Cyber ... - Nart Villeneuve
Tracking GhostNet: Investigating a Cyber ... - Nart Villeneuve
Tracking GhostNet: Investigating a Cyber ... - Nart Villeneuve
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
JR02-2009 <strong>Tracking</strong> <strong>GhostNet</strong> - PART TWO<br />
40<br />
Analysis of list of infected computers<br />
A detailed analysis of the list of infected computers revealed an overwhelming number of unique<br />
infections in many countries. The same malware that infected computers at the Dalai Lama’s office<br />
and other Tibetan organizations had a much more extensive set of targets. The list of entities and<br />
locations of those targeted was quite varied.<br />
In total, we found 1,295 infected computers located in 103 countries. We found that we were able to<br />
confidently—on a scale of low, medium, high—identify 397 of the 1,295 infected computers (26.7%),<br />
and labelled each one as a high-value target. We did so because they were either significant to the<br />
relationship between China and Tibet, Taiwan or India, or were identified as computers at foreign<br />
embassies, diplomatic missions, government ministries, or international organizations.<br />
Of the remaining infected computers, 536 appear to be computers on private broadband Internet<br />
providers. The remaining IP addresses do not reverse resolve and available information on these<br />
hosts does not allow us to make judgements regarding the identity or purpose of these computers.<br />
Methodology<br />
We compiled a unified and comprehensive list of infected computers from all the control servers,<br />
as there was considerable duplication across them. There were several duplicate entries in the list<br />
of infected computers—in some cases, the same infected computer was logged multiple times as it<br />
was connecting from a different IP address. In other instances, multiple infected computers were<br />
assigned different internal IP addresses and had different computer names but shared the same<br />
external IP address. This signifies that there were multiple infected computers sharing Internet<br />
access. Where possible, we filtered the results by unique computer name, and if no computer name<br />
was present, we filtered by unique external IP address. 48 (See Fig. 12 - p. 41)<br />
On the surface, the names of the infected computers in the sample are provocative. There are references<br />
to ministries of foreign affairs, foreign embassies, and other government entities. Some contains names of<br />
officials or their positions/titles. However, we recognize that a computer name can be anything its owner<br />
wishes, and may be completely unrelated to the location, function, or owner of that particular computer.<br />
Therefore, in order to be more confident as to the true identity or purpose of the infected computer,<br />
we relied on reverse DNS look-ups and each IP address’ record from the Regional Internet Registries.<br />
Using these two pieces of information we were able to confirm the validity of the identity of several<br />
infected computers with a high (H) degree of confidence.<br />
In some cases the computer name associated with the infected computer is actually a domain<br />
name or an acronym for a recognizable institution or organization. In these cases we classified our<br />
identification of the target with either a medium (M) or low (L) level of confidence. Medium<br />
confidence refers to instances where we have otherwise identified a related high confidence target,<br />
48 In one case we removed 117 unique IP addresses from Mexico that appeared to belong to the same computer connecting in to the<br />
control server from a DSL provider.