Malware and the Battle for Tibet

by Jordan Yerman | March 22, 2008 at 11:19 am

[Photo: In Reality, Spyware is always a threat]

Those who would thwart the efforts of the free-Tibet movement have added a new weapon to their arsenal: malware. Indeed, human-rights groups have begun receiving malicious code smuggled in innocent-seeming email attachments.

"Groups working for freedom of Tibet all over the world have been targeted," says anti-virus supplier F-Secure in a blog post. "These emails have been sent to mailing lists, private forums and directly to persons working inside pro-Tibet groups. Some individuals have received targeted attacks like this several times a month."

Names of attached files include UNPO Statement of Solidarity.pdf, Daul-Tibet intergroup meeting.doc and tibet_protests_map_no_icons__mar_20.ppt. Once opened, the files display documents that appear to contain legitimate content in support of the protests. Behind the scenes, though, the malware is installed.

The exploit silently drops and runs a file called C:\Program Files\Update\winkey.exe. This is a keylogger that collects and sends everything typed on the affected machine to a server running at xsz.8800.org. And 8800.org is a Chinese DNS-bouncer system that, while not rogue by itself, has been used over and over again in various targeted attacks.
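The two indicators above (the dropped file path and the reporting host) are what a defender would actually hunt for. The following is an added example, not code from the article or from F-Secure: a small offline detection pass over constructed DNS-query and file-creation log lines. The log format, the field names and the sample lines are assumptions for illustration; the indicator values come from the article. It goes slightly beyond the article by treating any lookup under the 8800.org dynamic-DNS zone as worth review, since the article notes the service is reused across targeted attacks, while matching labels properly so that an unrelated name such as x8800.org is not flagged.

```python
import re
from dataclasses import dataclass

# Indicators named in the article.
DROPPED_FILE = r"C:\Program Files\Update\winkey.exe"
C2_HOST = "xsz.8800.org"
# Whole dynamic-DNS zone: lookups here get a lower "review" severity, not "high".
DYNDNS_ZONE = "8800.org"


@dataclass
class Hit:
    line_no: int
    severity: str   # "high" for an exact indicator match, "review" for a zone match
    reason: str


def normalize_host(host: str) -> str:
    """Lower-case and strip the trailing dot that DNS logs often carry."""
    return host.strip().rstrip(".").lower()


def host_in_zone(host: str, zone: str) -> bool:
    """True if host equals zone or is a subdomain of it.
    Label-aware: 'x8800.org' must not match '8800.org'."""
    h, z = normalize_host(host), normalize_host(zone)
    return h == z or h.endswith("." + z)


def normalize_path(path: str) -> str:
    """Case-fold and unify separators so 'c:/program files/...' compares equal."""
    return path.strip().strip('"').replace("/", "\\").lower()


# Assumed (constructed) log shapes:
#   <ts> dns query host=<name> client=<ip>
#   <ts> file create path=<path> proc=<process>
DNS_RE = re.compile(r"dns query host=(\S+)")
FILE_RE = re.compile(r'file create path="?(.+?)"? proc=')


def scan(lines):
    """Return a list of Hit objects for every line matching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DNS_RE.search(line)
        if m:
            host = m.group(1)
            if normalize_host(host) == C2_HOST:
                hits.append(Hit(n, "high", f"DNS lookup of known keylogger host {host}"))
            elif host_in_zone(host, DYNDNS_ZONE):
                hits.append(Hit(n, "review", f"DNS lookup under dynamic-DNS zone {DYNDNS_ZONE}: {host}"))
            continue
        m = FILE_RE.search(line)
        if m and normalize_path(m.group(1)) == normalize_path(DROPPED_FILE):
            hits.append(Hit(n, "high", f"creation of dropped keylogger {m.group(1)}"))
    return hits


# Constructed sample log; the process name "pdfreader.exe" is a placeholder.
SAMPLE_LOG = [
    "2008-03-20T10:01:02 dns query host=www.example.org client=10.0.0.5",
    r'2008-03-20T10:01:09 file create path="C:\Program Files\Update\winkey.exe" proc=pdfreader.exe',
    "2008-03-20T10:01:11 dns query host=XSZ.8800.org. client=10.0.0.5",
    "2008-03-20T10:02:30 dns query host=other.8800.org client=10.0.0.7",
    "2008-03-20T10:02:31 dns query host=x8800.org client=10.0.0.7",
    "2008-03-20T10:03:00 file create path=c:/program files/update/winkey.exe proc=pdfreader.exe",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: [{hit.severity}] {hit.reason}")
```

Running the block on the sample log reports lines 2, 3, 4 and 6: the two file-creation events and the exact host lookup as high severity, the other 8800.org subdomain as review, and the lookalike x8800.org not at all. In practice the path check would sit on an endpoint file-creation feed and the host check on resolver or proxy logs, with the "review" tier sized to how much dynamic-DNS traffic the environment normally sees.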

The exploit inside the PDF file was crafted to evade detection by most antivirus products at the time it was sent.

The attacks on mailing lists and online forums contain information related to recent events in Tibet and may appear to come from a trusted person or organization.
