A security start-up, TrapX Security, made a splash this week with the story of a new piece of malware, Zombie Zero, which wormed its way into logistics and shipping firms on shipping scanners sold by a Chinese firm.
The malware was discovered during a trial demonstration of TrapX’s technology at a shipping and logistics firm. It was implanted on embedded versions of Windows XP that ran on the scanning hardware and in a software image that could be downloaded from the manufacturing firm’s website.
“This malware was shipped to large logistics companies embedded in the operating system,” Carl Wright, an Executive Vice President at TrapX told The Security Ledger.
TrapX declined to name the firm on whose behalf it worked or the manufacturer whose scanners were compromised. It said 16 of 64 scanners sold to the victim firm were found to contain malware. Published reports also say that scanners carrying another variant of the same malware were sold to eight other firms, including a “large robotics firm,” though TrapX declined to name those firms as well.
The Zombie Zero malware was described as sophisticated and typical of a ‘state sponsored’ attack. Once activated, the malware connected to the firm’s wireless network and attacked machines belonging to the firm, with a focus on systems related to finance and ERP (enterprise resource planning) systems, TrapX said in its report. A “stage 2” malware also contained in the compromised scanner software established a link between compromised networks and a botnet command and control (C&C) network based in China.
The botnet communications terminated at the Lanxiang Vocational School, which was previously linked to on-line attacks on Google and implicated in the well-known Operation AURORA attack two years ago. TrapX notes that the site is just a block away from where the compromised scanners were being manufactured.
While active, the Zombie Zero malware copied all the inventory entering and leaving specific countries. After compromising the target firm’s finance system, the criminals behind Zombie Zero had access to the firm’s corporate financial data, customer data, detailed shipping and manifest information. They were also able to monitor and control (that is: modify) the firm’s global shipping and logistics operations, TrapX said.
TrapX, formerly known as CyberSense, makes threat detection software that uses automated “honeypots” that lure malware by emulating vulnerable environments, then observing its behavior in a secure, virtual container.
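The behaviour TrapX describes above, scanners that should only ever talk to an inventory system instead reaching into finance and ERP segments and out to a command-and-control host, is the kind of policy violation a simple network-segmentation check can surface without honeypots. The following Python is an added example and is not code from the article or from TrapX; the subnets, the inventory server address, the internal address range and the flow-log line format are all constructed assumptions for illustration.

```python
"""
Flag network flows from inventory-scanner devices that violate a
"scanners talk only to the inventory server" policy. Everything here
(addresses, segments, log format, sample lines) is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed network layout: scanners live on their own subnet and the only
# legitimate destination is the inventory/warehouse server over TLS.
SCANNER_SUBNET = ip_network("10.50.0.0/24")          # assumption
INVENTORY_SERVER = ip_address("10.10.5.20")           # assumption
ALLOWED_PORTS = {443}                                 # assumption
INTERNAL_RANGE = ip_network("10.0.0.0/8")             # assumption

# Internal segments a scanner has no business reaching (assumed layout).
SENSITIVE_SEGMENTS = {
    "finance": ip_network("10.20.0.0/24"),
    "erp": ip_network("10.30.0.0/24"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed flow-log line: 'src=A dst=B dport=N'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]))


def classify(flow: Flow):
    """Return None for permitted traffic, otherwise a short verdict string."""
    src = ip_address(flow.src)
    if src not in SCANNER_SUBNET:
        return None  # not a scanner; out of scope for this policy
    dst = ip_address(flow.dst)
    if dst == INVENTORY_SERVER and flow.dport in ALLOWED_PORTS:
        return None  # the one sanctioned conversation
    for name, net in SENSITIVE_SEGMENTS.items():
        if dst in net:
            return f"lateral:{name}"  # scanner probing finance/ERP hosts
    if dst not in INTERNAL_RANGE:
        return "external"  # scanner beaconing to an outside host
    return "unexpected-internal"  # wrong port or wrong internal host


def find_alerts(lines):
    """Run every line through the policy; return (src, dst, dport, verdict)."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict is not None:
            alerts.append((flow.src, flow.dst, flow.dport, verdict))
    return alerts


def count_by_source(alerts):
    """Tally violations per scanner so the noisiest device is triaged first."""
    counts = {}
    for src, _dst, _dport, _verdict in alerts:
        counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed sample log: two well-behaved flows, four policy violations.
SAMPLE_LOG = [
    "src=10.50.0.7 dst=10.10.5.20 dport=443",    # scanner -> inventory, fine
    "src=10.50.0.7 dst=10.20.0.15 dport=445",    # scanner -> finance host
    "src=10.50.0.9 dst=203.0.113.45 dport=8080", # scanner -> outside host
    "src=10.50.0.9 dst=10.30.0.8 dport=1433",    # scanner -> ERP database
    "src=10.10.5.20 dst=10.50.0.7 dport=443",    # server -> scanner, not in scope
    "src=10.50.0.12 dst=10.10.5.20 dport=22",    # right host, wrong port
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
    print(count_by_source(find_alerts(SAMPLE_LOG)))
```

The check is deliberately a whitelist: anything a scanner does beyond its single sanctioned conversation is reported, so a device that arrives pre-infected shows up the first time it reaches for a finance server or an outside address, regardless of what the malware looks like.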
This is just the latest example of hardware shipped from China that is found to contain malware. In June, researchers at the firm GData discovered Android phones shipping direct from a factory in China that contained spyware. In October, Russian customs authorities seized teapots shipped from China that contained wireless “spy chips” capable of spreading malicious software. And in 2010, Dell acknowledged that replacement motherboards for its PowerEdge servers contained the Spybot worm within the flash storage on the factory-shipped hardware.