Chapter 1 / Empty Cup Mind


Some anti-virus vendors have been evasive in terms of stating how they would respond if a government agency asked them to whitelist its binaries. This brings up a disturbing point: Assume that the anti-virus vendors agreed to ignore a rootkit like Magic Lantern. What would happen if an attacker found a way to use Magic Lantern as part of his own rootkit?

Industrial Espionage

As I discussed in this book's preface, high-ranking intelligence officials like the KGB's Vladimir Kryuchkov are well aware of the economic benefits that industrial espionage affords. Why invest millions of dollars and years of work to develop technology when it's far easier to let someone else do the work and then steal it? For example, in July 2009, a Russian immigrant who worked for Goldman Sachs as a programmer was charged with stealing the intellectual property related to a high-frequency trading platform developed by the company. He was arrested shortly after taking a job with a Chicago firm that agreed to pay him almost three times more than the $400,000 salary he had at Goldman.[34]

In January 2010, both Google[35] and Adobe®[36] announced that they had been targets of sophisticated cyberattacks. Although Adobe was rather tight-lipped in terms of specifics, Google claimed that the attacks resulted in the theft of intellectual property. Shortly afterward, the Wall Street Journal published an article stating that "people involved in the investigation" believe that the attack included up to 34 different companies.[37]

According to an in-depth analysis of the malware used in the attacks,[38] the intrusion at Google was facilitated by a JavaScript exploit that targeted Internet Explorer (which is just a little ironic, given that Google develops its own browser in-house). This exploit uses a heap spray attack to inject embedded shellcode into Internet Explorer, which in turn downloads a dropper. This dropper extracts an embedded Dynamic-Link Library (DLL) into the %SystemRoot%\System32 directory and then loads the DLL into a svchost.exe

34. Matthew Goldstein, "A Goldman Trading Scandal?" Reuters, July 5, 2009.
35. http://googleblog.blogspot.com/2010/01/new-approach-to-china.html.
36. http://blogs.adobe.com/conversations/2010/01/adobe_investigates_corporate_n.html.
37. Jessica Vascellaro, Jason Dean, and Siobhan Gorman, "Google Warns of China Exit Over Hacking," Wall Street Journal, January 13, 2010.
38. http://www.hbgary.com/wp-content/themes/blackhat/images/hbgthreatreport_aurora.pdf.
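The dropper behaviour described above (a DLL written into %SystemRoot%\System32 and then loaded into svchost.exe) is exactly the kind of thing a defender can look for in module-load telemetry. The following is an added example, not code from the book or from the HBGary report: a small triage rule that runs over constructed image-load records and flags a System32 module loaded by svchost.exe when it is unsigned or absent from a known-good baseline. The record fields, the baseline contents and the file names are assumptions made for the example, not any vendor's schema or any real indicator.

```python
"""Triage rule for the dropper pattern on this page: a module in
%SystemRoot%\\System32 loaded by svchost.exe that is either unsigned or
not in a baseline of expected modules. Input records are constructed."""
import ntpath
from dataclasses import dataclass
from typing import List, Tuple

# Assumed system root for the constructed records (ntpath keeps Windows
# path semantics even when this script runs on a non-Windows analyst box).
SYSTEM32 = ntpath.normcase(r"C:\Windows\System32")

# Hypothetical baseline of modules svchost.exe is expected to load from
# System32; a real baseline comes from a clean reference host.
KNOWN_GOOD_MODULES = frozenset({"rpcss.dll", "ntdll.dll", "kernel32.dll"})


@dataclass(frozen=True)
class ImageLoad:
    process: str  # full path of the process that loaded the module
    module: str   # full path of the loaded module
    signer: str   # Authenticode signer name, "" when unsigned


def _is_svchost(path: str) -> bool:
    return ntpath.basename(ntpath.normcase(path)) == "svchost.exe"


def _in_system32(path: str) -> bool:
    # normpath collapses ".." tricks; normcase lowercases and fixes slashes.
    return ntpath.dirname(ntpath.normcase(ntpath.normpath(path))) == SYSTEM32


def triage(events: List[ImageLoad]) -> List[Tuple[ImageLoad, str]]:
    """Return (event, reason) pairs for loads matching the dropper pattern."""
    hits: List[Tuple[ImageLoad, str]] = []
    for ev in events:
        # Scope is deliberately the page's pattern: svchost.exe loading a
        # module from System32. Loads from user-writable directories are a
        # separate rule and are not flagged here.
        if not (_is_svchost(ev.process) and _in_system32(ev.module)):
            continue
        name = ntpath.basename(ntpath.normcase(ev.module))
        if not ev.signer:
            hits.append((ev, "unsigned module in System32 loaded by svchost.exe"))
        elif name not in KNOWN_GOOD_MODULES:
            hits.append((ev, f"module outside baseline, signed by {ev.signer!r}"))
    return hits


# Constructed sample records (not real telemetry; file names are made up).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\rpcss.dll", "Microsoft Windows"),
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\dropped_payload.dll", ""),
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\vendor_helper.dll", "Example Vendor Ltd"),
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\System32\dropped_payload.dll", ""),
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Users\alice\AppData\Local\Temp\x.dll", ""),
]

if __name__ == "__main__":
    for ev, reason in triage(SAMPLE_EVENTS):
        print(f"{ev.module}: {reason}")
```

Two of the five constructed records are flagged: the unsigned DLL loaded by svchost.exe, and the signed-but-unbaselined one. The same unsigned DLL loaded by notepad.exe is left to other rules, as is the load from a user temp directory; keeping each rule narrow makes its false positives easier to reason about than one catch-all heuristic.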
