Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/13/2012
02:48 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Is 'Virus Expert' Tied To PlugX RAT Malware?

Security firm AlienVault believes "whg0001" helped create malware used to attack targets in Japan, South Korea, Taiwan, and Tibet.

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
A virus expert who may be responsible for the development of PlugX, a Remote Access Tool, or RAT, used for several years to attack computers and steal data from targets in Asia, did not adequately clean and anonymize his code, one security researcher says.

Jaime Blasco, labs manager at AlienVault, has been tracking the activities of a group using PlugX and believes he has identified at least one of the people behind the malicious software.

Blasco in a phone interview said he was able to extract the debug file path from some PlugX malware binaries and then match those file paths to other PlugX samples, samples that included a username in the file path: "whg." The samples also suggested the author was using two separate systems for his work, a Windows XP system and a Vista/7 system.

Blasco scanned other binary files for similar debug file paths and identified an application called SockMon at the Chinese website cnasm.com. The website lists contact information for "whg0001," along with an email address and a QQ number, an identifier used on China's popular QQ messaging service.

[ Learn more about RATs. Read DarkComet Developer Retires Notorious Remote Access Tool. ]

InformationWeek sent an email to "whg0001" asking if he had a hand in the creation of PlugX, as Blasco alleges. We have not heard back.

As Blasco relates in a blog post about his findings, the email address associated with "whg0001" was used as an administrative contact to register a website in China in 2000. The company, Chinansl Technology Co. LTD is listed at Chengdu National Information Security Production Industrialization Base, 2nd Floor, No.8 Chuangye Road, Chengdu, China.

The company appears to have ties to the security industry in China, Blasco observes.

Blasco has found this same file path in components of Chinasl software called "Parent Carefree Filter" and that information about "whg0001" on the Internet identifies him as a "virus expert" who is "proficient in assembly."

A CSDN profile associated with the same whg0001" email address includes a picture.

Searching for more versions of the PlugX RAT reveals a connectivity test URL that points to another picture of the same individual.

Blasco concludes that based on this research, "we can say that this guy is behind the active development of the PlugX RAT."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
9/15/2012 | 10:03:55 PM
re: Is 'Virus Expert' Tied To PlugX RAT Malware?
From the sound of it, this appears to have been a spying product - possibly created for the Chinese government, especially considering the targeted countries.

Get used to it folks, cyber weapons are all around us these days.

Remember, it's only malware if it does bad things to you. It's software if it does things for you.

Andrew Hornback
InformationWeek Contributor
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...