Sophos Warns: Don’t AutoBlame China

The BBC has posted a story on malware issues of the Indian Navy.

a virus had collected data from computers not linked to the internet and had sent it to IP addresses in China.

Not on the network, yet sending data on the network? Perhaps they mean not directly connected to the Internet? Need more detail. I’m totally ready to start assuming the worst. Did the malware also install network interface cards and make cables? Did it install a router? ZOMG. NICware!


Update: It turns out to only be a case of shared infected removable storage. Some systems were taken off-line to protect them from infection; and then storage was shared with on-line systems. The storage device collected data after it was plugged in. When it detected network access it also attempted to send data.


Sophos, however, says not to get excited yet. There isn’t much detail.

Although those IP addresses were reportedly traced to China, an analyst from security firm Sophos warned against reading too much into the detail.

“Even if a hack is traced back to a Chinese IP address, it doesn’t necessarily mean that Chinese hackers are behind the hack,” Graham Cluley, senior technology consultant, told the BBC.

“It’s very hard to prove who is behind an attack because hackers can hijack computers on the other side of the world and get them to do their dirty work for them. In fact, they often do this to cover their tracks.

Thanks, Sophos, for throwing a wet blanket on my occasional pastime of poking fun at anti-virus companies. McAfee has offered some really good examples of jumping to wild conclusions, as I wrote a year ago.

Earlier, in February of 2011, I pointed out in several presentations that the urge of Americans to instinctively blame the Chinese was getting ridiculous.

To be fair, this is not only an American habit. The Finnish company F-Secure desperately wants to fault America every time malware in the Middle East is a topic of conversation, as I pointed out recently. If you want a good laugh, you can watch Mikko Hypponen’s analysis of international political issues.

Alas, I should give a giant thank you to Sophos and Graham Cluley. I would love to see them spar with the other vendors on this issue.

Sophos’ argument, not spelled out in the BBC report, is supported by some common-sense facts. There are a vast number of out-of-date, unpatched, pirated, unlicensed, poorly managed computers in China. So systems there are not only far more numerous lately but also ripe for exploitation by automated attacks, which often install remote-control and bot capabilities. A Chinese IP address at the end of a trace is therefore just as consistent with a compromised relay as with an attacker who actually sits in China.

There is also the considerable complication of extracting details from the attack path. Unfortunately, after tracing an attack to a random PC (let’s say a point-of-sale terminal in a tiny noodle shop in Chengdu), the next steps for a (civilian) investigator can be controversial and even difficult.

That is why it used to be common to throw up a “the Chinese did it” (if you are American) or a “the Americans did it” (if you are Finnish).

If you want historical parallels, this is a lot like how medicine and forensic science were practiced in America in the early 1900s. Doctors rushed to conclusions, perhaps with intent to prescribe a wonder-product from a giant company. Do you have a cough? Bayer once was happy to sell you a “harmless” cure with diacetylmorphine, also known as Heroin. It was even pushed on mothers to give to restless babies, often killing them. A tragic assessment of cause and solution.

In short, the commercial sector did not really understand causality as much as they led the public to believe. And people did not have details or skill enough to find causality themselves. The author of the Poisoner’s Handbook gives us some perspective on the birth of forensic science as a public practice.

Pulitzer Prize-winning journalist Deborah Blum talks about her new work, The Poisoner’s Handbook, a look at how easy it used to be to kill someone with poison and the researchers who made poisoning much harder to get away with.

[…]

“I was looking for coverage and you could not open up a paper in that period without seeing accidental poison death, spectacular poison suicides and really some very bizarre murders; and you’re right, a real acceptance of which I have to remember that this was in an era where a lot of these chemicals were just being introduced, they were the backbone of the industrial age. People regarded them as this scientific magic for which you had to somehow pay a price. And there was a bizarre acceptance of that. I’m not saying we’ve entirely outgrown that. People still die of carbon monoxide poisoning. We still have industrial chemicals that we haven’t figured out.”

And we have malware that we haven’t figured out, with an IP in China, but at least we know who created the Heroin problem, right?

Blum’s book, by the way, is a brilliant look into the damage to society when trained professional investigators rush to conclusions or fail to be thorough in their analysis.
