Cyber-espionage botnet tied to country of Georgia website remains a mystery
- 23 March, 2012 02:27
A security firm in Slovakia is asserting that a website operated by the government of the country of Georgia has been used as part of a botnet to conduct cyber-espionage against that country's residents.
But does that mean Georgia is conducting the cyber-espionage, or that a website run by the Georgian government has been compromised by enemies of the country? Because the botnet's command-and-control operations lack some elements of stealth that might be expected, the Slovak security firm that spotted it -- ESET -- reports it may simply be "a group of cyber criminals trying to find sensitive information in order to sell it to other organizations."
Win32/Georbot has a command-and-control structure that has relied on a Georgian government website for some time to relay part of its control traffic, says ESET researcher Righard Zwienenberg. When ESET detected evidence of Georbot as malware in January, it contacted the Georgian CERT. As it turns out, the Data Exchange Agency of the Ministry of Justice of Georgia and its national CERT were fully aware of the situation as early as 2011 and have been monitoring Georbot, now in cooperation with ESET.
Georbot is primarily a cyber-espionage botnet that has infected only about 200 computers that appear to be mainly in the country of Georgia, though about 30% of them are in the U.S., Germany and Russia. It's not clear who these individuals are, Zwienenberg says, but Georbot is "looking on their hard drives for documents," and can also capture audio and video when the computer's webcam and microphone are in use.
Georbot is also remotely controlled to steal documents and certificates, and look for certain words in documents, among them "ministry," "service," "secret," "top," "agent," "army," "USA," "Russia," "Georgia," "major," "Colonel," "FBI," "CIA," "phone number," "east," "program," "KGB," "FSB" and other political and personal information.
Based on ESET's analysis, Georbot does have features to hide itself. But it's not especially sophisticated, since it has left some information unencrypted, casting doubt on whether a capable government spy operation from any country would be operating it. ESET gained access to the botnet's control panel, which let it analyze what the malware was doing.
"The most likely hypothesis is that Win32/Georbot was created by a group of criminals trying to find sensitive information in order to sell it to other organizations," ESET's report on this concludes. "They might be operating from Georgia or any country nearby and have been 'lucky' enough to gain control of a government website and are now using it as part of their operation."
The development of the Georbot malware seems to be ongoing, with fresh variants discovered as recently as March 19, says ESET.
Zwienenberg acknowledges he doesn't know why the government of Georgia has allowed it to operate so long, and says there's only so much the Georgian CERT or anyone else that ESET has contacted in Georgia will say about it. "It's possible someone from the Georgian government was running it," he says, adding that is pure speculation on his part. But Georbot has so far shown to be very targeted against a fairly small number of individuals associated with the country of Georgia.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.