Trojans attacking the UK come from China

Malicious programs the UK government has said are attacking key business and government bodies are being sent from servers in China, according to an email security firm.

But experts at MessageLabs said it would be inaccurate to conclude Chinese hackers are responsible for the Trojan horse attacks as the servers could be controlled remotely from anywhere.

Mark Sunner, CTO for MessageLabs, said: "MessageLabs can confirm that the source of the IP addresses originates in China. But there's a much bigger and broader problem here. The 'China' word is not meaningless but it doesn't mean they are the perpetrators."

Earlier this month the UK government's National Infrastructure Security Co-ordination Centre (NISCC) claimed that waves of "industrial-strength" Trojan attacks were hitting 300 organisations in the critical national infrastructure (CNI). The CNI is made up of key financial, transport, military, health, energy and government organisations.

Although the NISCC would not disclose the exact origin of the Trojan attacks, it said they were coming from the Far East.

Yesterday MessageLabs said it had intercepted 17 new Trojans that appeared to be the sort NISCC had warned of. But they were targeted at one company, not at the whole CNI. Sunner said these attacks always aim at a small number of organisations, and the terms "information warfare" and "industrial strength" were misleading in this context.

"We are not making these claims," he said. "We need to be careful that we are not influencing people that way. In the case of these targeted attacks, it's one-offs. The reality is that we've seen a number of source IP addresses in China. But when you try and trace a botnet, quite frequently you often find that it originates from another botnet."

But Bob Ayers, former director of the Computer Emergency Response Team for the US Department of Defense and MD of consulting firm Ayers & Associates, was sceptical that the attacks were coming from China.

He said: "I'm not entirely of the opinion that 'these attacks are coming from China' is accurate. It's not what I would call a government initiative - I don't see how they can know who's doing it. There's no way you can differentiate."

He added: "You can spoof a site address and make it look as if it's coming from China. The question is what is NISCC doing about it? Is it just sending out alerts? I have a feeling that it is and is providing a citizen's advice bureau."

silicon.com also contacted antivirus companies Computer Associates, F-Secure, Kaspersky and Sophos but none would say where the Trojan attacks stemmed from. Sophos denied silicon.com access to the Trojans they had blocked.