Crackpots come in all hues!
Cyber-security experts turned the tables on an alleged hacker by using his own malware to film him through his own laptop webcam.
Specialists from Georgia’s Computer Emergency Response Team (CERT-Georgia) tricked a man they claim has been targeting their networks by hiding the virus inside a file titled ‘Georgian-Nato Agreement’.
After the attacker stole that archive from an infected PC in their lab, they were able to seize control of his computer and capture video of him at work.
The team also claim to have found out his home city, internet service provider and email addresses, as well as information that links him to Russian security agencies and other hackers in Germany.
CERT-Georgia’s experts had been investigating a botnet which had infiltrated the computers of politicians, civil servants, banks and NGOs in Georgia, the U.S., Canada, Ukraine and several other countries.
They found that the attackers had planted malicious links to install the malware on specific news-site webpages that would be of interest to the kinds of people they wanted to target.
‘[The] threat was highly encrypted and used contemporary stealthy techniques, so that none of security tools could identify it,’ the team said in a 27-page report into their investigation.
Once installed, the virus seized control of the targeted computer, rifling its hard drives to search for Word and .pdf documents containing sensitive words like ‘USA‘, ‘NATO‘, ‘Russia’ and ‘CIA’.
_WHAT IS A BOTNET?
A botnet is a collection of internet-connected computers over which a hacker has seized control.
Each compromised machine – known as a ‘bot’ – is created when a computer is infected with malicious software (malware) which allows the hacker to direct its activities remotely.
These infections can be accomplished by luring users into making a drive-by download, exploiting web browser vulnerabilities, or by tricking the user into running a Trojan horse program, which may come from via email.
This malware will typically install modules that allow the computer to be commanded and controlled by the botnet’s operator.
Depending on how it is written, a Trojan may then delete itself, or may remain present to update and maintain the modules.
The malware also scanned the computer’s local network for find other hosts to infect, took screenshots, and took control of embedded webcams and microphones on machines to eavesdrop on targets.
The investigation found the infiltration began as early as March 2011, with the virus undergoing a series of modifications as hackers tried to stay one step ahead of whatever security measures were used against it.
CERT-Georgia’s experts found that whenever they were able to trace the botnet’s command and control servers, to which files were being uploaded, the hackers would switch the destination country and IP address.
To fight the infections, the team blocked these IP addresses as soon as they were detected then cooperated with anti-virus software companies and foreign intelligence agencies to develop countermeasures.
You must be logged in to post a comment.