Chinese Bank Required Two Western Companies to Use Tax Software With a Hidden Backdoor

A Chinese bank required at least two western companies to install malware-laced tax software, according to a new report from the cyber-security firm Trustwave.

"The two companies are a UK-based technology/software vendor and a major financial institution, both of which had recently opened offices in China," reports ZDNet: "Discussions with our client revealed that [the malware] was part of their bank's required tax software," Trustwave said Thursday... Trustwave, who was providing cyber-security services for the UK software vendor, said it identified the malware after observing suspicious network requests originating from its customer's network... Trustwave said the software worked as advertised, allowing its customer to pay local taxes, but that it also installed a hidden backdoor. The security firm says this backdoor, which Trustwave codenamed GoldenSpy and said it ran with SYSTEM-level access, allowed a remote attacker to connect to the infected system and run Windows commands, or upload and install other software...

GoldenSpy installs two identical versions of itself, both as persistent autostart services. If either stops running, it will respawn its counterpart... The Intelligent Tax software's uninstall feature will not uninstall GoldenSpy. It leaves GoldenSpy running as an open backdoor into the environment, even after the tax software is fully removed. GoldenSpy is not downloaded and installed until a full two hours after the tax software installation process is completed. When it finally downloads and installs, it does so silently, with no notification on the system.

Re: And no one thinks Intuit

[Way Smarter Than You]

No. Can you provide a reference for your whataboutism false accusation?

Re:

[LynnwoodRooster]

I use QB Pro offline quite a bit. No need to even connect to the Internet to make it work. If they have a back-door, then it must not be that important since their software works offline.

Re:

[Slonak Nana]

so even you use the software offline most of the time makes it legit to allow installation of a software capable of relaying your data ? Lucky you aren't in my cyber security team.

Re:

[LynnwoodRooster]

The question is, what makes you think QB relays your data? It has no need to do that, ever - as the files are stored locally. There's no indication that QB relays data, and the fact it can be used 100% offline kind of reinforces that, as using a tool that hacks and reports your data probably wants to make sure you are online, right?

Re:

[kaatochacha]

I think his point is that software that skims your data is more likely to require you to be online, to give easier access to data skimming.

Re:

[MooseTick]

"Is there any indication that it doesn't?"

With that philosophy, any and all software could be exfiltrating your data. I'd say the fact that QB has millions of users on a variety of networks with various level of security tools and zero reports of any odd activity is a good indication.

Re:

[michelcolman]

The fact that the software works without needing an internet connection, does not by itself mean that it has no back door. The back door could simply remain dormant if there's no internet connection. How many computers do you know nowadays that are not constantly connected to the internet? If it works on the vast majority of installs, that's good enough. Of course that doesn't mean QB really has a back door, just that "it works fine offline" is not a valid argument.

Re:

[SirAstral]

"Make Unfettered Capitalism Greedy Again."

Do you how people reading that sentence know they are talking to a complete fucking moron?

Capitalism = You can own a means of productivity.
Socialism = Government owns the means of productivity.

In layman's terms... in Socialism you do not get to own anything you produce as property. If you grow an ear of corn... the government owns that corn, not you! If you grow a tomato... the government owns that tomato, not you.

Capitalism on the other hand... well you grew that

Re:For the sake of greed

[quonset]

In layman's terms... in Socialism you do not get to own anything you produce as property. If you grow an ear of corn... the government owns that corn, not you! If you grow a tomato... the government owns that tomato, not you.

Sounds a heck of a lot like what is happening in this country. It's not your money, it's the corporations money. That's why they keep coming back to the trough and getting handouts and subsidies from the government which has taken money from the people. Don't believe me? Here we have private schools getting money from the government [khou.com] because apparently they are so poorly run, they can only exist if the taxpayers are forced to hand over their money to keep these places alive.

Oh look. Corporations are being kept alive because the government is using taxpayer money to buy corporate debt [thestreet.com]. In fact, when the program was announced, corporations issued even more debt. Apparently all those banks, you know, the heart of capitalism, are so poorly run they can only exist if the taxpayers foot the bill.

Let us not forget the massive loan programs the government put out to keep companies alive during the covid-19 outbreak. Because, you know, capitalism is so great, these companies don't have any money put aside for a rainy day. Instead, the government will just burden the taxpayers with more debt.

Everything that is bad under Capitalism is worse under socialism!

Except for health care and quality of life. Or corporations needing the taxpayer to keep them alive. Or trickle down which seems to work in socialist countries but not in capitalist countries.

Re:

[Required Snark]

Trump's huge tax break to stimulate the economy was used for stock buy backs by many large corporations. Stock buy back programs increase stock prices, but they have nothing to do with long term useful investment. It's just shuffling money around to give the illusion of growth.

Buy backs make stockholders happy but they make executive suite insiders insanely rich. The top execs get stocks at reduced rates so their wealth increase is a multiple of what normal shareholders receive. Additionally execs have tax

Re:

[thegarbz]

Instead, the government will just burden the taxpayers with more debt.

While this sounds bad, taxpayer debt as a single figure isn't nearly as burdensome as a screwed economy and increasing the debt-GDP ratio by reducing the latter. Keeping production going and taking on debt is the sensible move economically.

Karma is only karma when it hurts the people who did the damage, and doesn't take down everyone else with it.

Re:

[MooseTick]

There is no pure socialism or capitalism. It's always an amalgam of multiple policies. The US is socialistic when it comes to the military, roads, schools, etc. Everyone pays taxes to support those things whether they want to or not. People also don't really own their property. You can't build what you want anywhere without following local codes and zoning ordinances. Also, even when you "own" real property, the government will take it away from you if you don't constantly pay property taxes.

Re:For the sake of greed

[Opportunist]

For most people it doesn't really matter whether they don't own a product because it's owned by the government or because it's owned by some corporation. In either case you're just their worker and fully dependent on them.

Same with most other freedoms. Whether you cannot travel because the government doesn't let you or because you cannot afford it doesn't really change a lot in the end.

Corporate

[raymorris]

> For most people it doesn't really matter whether they don't own a product because it's owned by the government or because it's owned by some corporation.

Corporate (adjective)
of or shared by a whole group and not just of a single member
-- Cambridge dictionary

A corporate structure is one in which many people share ownership of the means of production.

  Wait, that sounds like socialism. What's the difference? In the American system you can CHOOSE whether to share ownership in Tesla or in Phillip Morris or Starbucks or Monsanto. In socialism, the politicians decide where your money will be invested. If the leader wants to finance Monsanto and not Tesla, the leader makes that choice. In the American corporate system YOU decide where to invest your money, and how much. It's just socialism by choice as opposed to be mandate.

You mentioned "most people". Most American households choose to own some stock, to own the means of production. They do so because it's a really friggin good idea.

Re:

[youngone]

Man that's stupid.
And idiots modded it Informative?

You people live in a fantasy world.

Re:

[raymorris]

I live in a world where I own most of the 500 largest and best US companies. It's called the S&P 500.

I live in the same world most adults in the US live in. Most US adults choose to share ownership in these companies.

It sounds like so far either nobody taught you about it, or you've chosen not to participate. I hope you start participating because owning the means of production is really good for you, for your future. Really really good. A great first step is to simply check off the "401k" box at w

Re:

[youngone]

Yeah, I get that, it's your childish, Fox News level knowledge of "socialism" that makes me laugh.

Re:

[youngone]

The point I was making is that he states that in "socialist" countries, the government prevents people from investing in the sharemarket.
That is a flat-out lie.
It also sounds a lot like the sort of stupid some Republican would spout to get himself elected.

Re:

[Opportunist]

And now the plan for someone whose income is too low for a 401k.

You know, the kind of people who you actually get to SEE working.

Re:

[raymorris]

I'm not sure what you mean by "too low for a 401k", I had a 401k when my paycheck was tiny. When I flipped hamburgers for a living one of my co-workers had saved up $25,000 by the time she was 22. Her job was primarily filling drinks and milkshakes.

For people who "you see working" who want to increase their income I'd start with a couple of examples. Electricians average $55,000. LPNs make about the same amount and the schooling is less than a year. It can be done mostly online. So good jobs are certai

Re:

[sysrammer]

Damn straight. People want that extra money so that they can invest in something that has a *real* payoff. Powerball.

Re:

[thegarbz]

I live in a world where I own most of the 500 largest and best US companies.

You remind me of that 3rd rock from the sun episode where Dick walks into some company and crashes their board meeting because he's a shareholder and thus an "owner".

You're display the same depth of knowledge of the issue. We laughed at dick due to his childish understandings of our corporate ownership works. But we're not laughing at you because it's truly sad that you actually believe what you wrote.

Re:

[pnutjam]

Just gonna leave this here: http://gutenberg.net.au/ebooks... [gutenberg.net.au]

Re:

[sysrammer]

What's stupid about it?

Re:For the sake of greed

[SirSlud]

A simplified view that might be appropriate for a 4 year old but not really relevant to any of the systems in practice where they've been intermixed in every ecenomy that's ever existed. No mlnimally eduacted adult should harbor the reductive worldview that socialist policies are always worse than capitalism for everything, everywhere, any time.

Re:

[Anonymous Coward]

Old joke:

In Capitalism, Man exploits Man.
In Communism, it's the other way around.

BTW, I notice you said 'socialism', not 'communism'. I guess socialism would fall somewhere in between.

Re:

[youngone]

You should try reading a book once in a while.
Also don't watch quite so much Fox News.

Re:

[thegarbz]

Yes, fortunately there isn't a single example of a purely capitalist or purely socialist system in the entire world.

Re:

[Pinky's Brain]

Companies mostly go to China to make money, but saying the people who steered the world economy in this direction were just greedy is naive. People like Soros and especially Kissinger have mostly ideological reasons for their actions, not greed. The rest of the Davos crowd though it's self serving also truly believe the only reason for trade deregulation not producing good outcomes is because they weren't deregulated enough yet.

Also, what's the alternative at this point? A cold war with China with complete

Stop dealing with China

[DewDude]

The fucking communists don't give a shit about anything than world domination. Stop dealing with those asshole and enact some real sactions; isolate them; and leave them the fuck alone.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Stop dealing with China

[chill]

It isn't Ameican Communists, it was/is the Capitalists. They happily sold the bulk of our supply chain to China for a few pennies more in profit.

Stop dealing with the Chinese? Good luck ever building anything that requires electronics ever again.

Re:

[hoofie]

It isn't Ameican Communists, it was/is the Capitalists. They happily sold the bulk of our supply chain to China for a few pennies more in profit.

Stop dealing with the Chinese? Good luck ever building anything that requires electronics ever again.

Where were all of those electronics built BEFORE China ? The US, Europe, Japan, Taiwan, Australia. The only reason production went there was cost. There is no technical reason why it can't happen again.

Re:

[thegarbz]

Where were all of those electronics built BEFORE China ?

In rich people's homes because they are the only ones would could afford them. You have to remember it isn't some corporate stooge who sold out to China. It was America who never placed any faith or set aside any budget for the Made in USA tag.

Re:

[WindBourne]

of course, blacks have not been treated as equal in any communist nation. Even now, China is harmful to africans blaming them for covid. And blacks in Russia, eastern Europe, Germany, Belgium, etc?

Re:

[antdude]

Started? They started LONG ago!

Re:Stop dealing with China

[Opportunist]

The fucking communists don't give a shit about anything than world domination.

Damn right, they're poaching on our turf!

Re:Stop dealing with China

[cygnusvis]

China is NOT COMMUNIST. If you look at what it means to be communist, and what it means to be fascist, China is the poster boy for fascism right now. You can call a fox a hen but its still a fox. The fact that you have private property and billionaires in China excludes them from any definition of communism (even very loose definitions). Why is it in america, having billionaires is capitalist, but in china, having billionaires is communist? Because China is fascist (look up the definition, china fits the bill perfectly) not communist.

Re:

[Anonymous Coward]

Unitary Marxist-Leninist[1] one-party socialist republic[2] [wikipedia.org]
How about this?
China's constitution states that The People's Republic of China "is a socialist state under the people's democratic dictatorship led by the working class and based on the alliance of workers and peasants," and that the state organs "apply the principle of democratic centralism."[167] The PRC is one of the world's only socialist states explicitly aiming to build communism. [wikipedia.org]
Sounds communist to any normal person.
In addition, just a

Re:

[snowshovelboy]

Sounds communist to any normal person.

Well, that's only because Mussolini's "The Doctrine of Facism" isn't required reading for normal people.

Re:

[Required Snark]

Wow, a great example of How to Lie with Misleading Quotations. Those links with underlining look sooooo official and authoritative. Why didn't you convert them to ALL CAPS while you were at it?

Meanwhile other sections of Wikipedia tell a different story: China is a Socialist market economy [wikipedia.org].

The socialist market economy (SME) is the economic system and model of economic development employed in the People's Republic of China. The system is based on the predominance of public ownership and state-owned enterpri

Re:

[phantomfive]

In common usage, "fascist" means "stuff I don't like if I'm in the D team," and "communist" means "stuff I don't like if I'm in the R team." Not really worth arguing about.

Re:

[GezusK]

While the US is trying to put backdoors in all encryption...much more dangerous than this.

Re:

[youngone]

The Chinese are not communists. Not even close.

Re:

[dicobalt]

It's nice to see someone saying this.

Re: Stop dealing with China

[jabuzz]

In this case sanction the banks by imposing restrictions on access to western banking systems. That will basically destroy the banks in question, and be a lesson not to do the same or else.

Re:

[AmiMoJo]

You can't stop China that way. If the US tries to isolate them it will do two things.

1. Hurt the US even more than it hurts China. We have already seen this happening with the trade war.

2. Force everyone else to choose between China and the US, and many of them will choose China.

In the next few years Chinese GDP will overtake the US to become the largest economy in the world. It's inevitable, nothing you can do short of starting WW3 can stop it. So you need to think about what you CAN do. Maybe start by tal

Re:

[MooseTick]

"The fucking communists don't give a shit about anything than world domination."

That is a very SMALL handful of people. Most Chinese are like everyone else. They want a good life for themselves and their family. They want to leave work early, take vacations, get laid, have a nice car, be healthy, etc.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[LaughingRadish]

Seems like "This billion dollars is yours if you can prove X == -X".

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Opportunist]

C'mon, it wasn't that big a sacrifice. Sure, those 3 days really sucked, but then, second in command for all eternity? Doesn't sound like such a bad deal.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Opportunist]

You know, every time this comes up, it reminds me of a bunch of nerds discussing the relevant question whether some D&D class can perform certain feats...

Re:

[zephvark]

I think that Jesus dying for our sins was a giant fucking waste of effort.

It's lovely how quickly people go zipping off-topic, don't you think?

According to most current Christian-flavored denominations, Jesus actually was God, so he couldn't have really died. Paradoxically, many of them also believe that Jesus made a great sacrifice in giving up his life. No, he was apparently just taking in a quick dirt nap.

To get back on topic, which two "Western companies" were they and, how liable are they in their home countries for deliberately spreading malware? At least one of them appear

Re:

[cygnusvis]

The Feds are angry because it competes with them

A law that gives access with judges order (limited to data IN THE COUNTRY) is different than a back door that allows access to international data at will and can be discovered and used by 3rd party. China has plenty of laws allowing them access to anything because they are fascists (look up the definition, china fits the bill), why did they need a back door? For hidden access, probably espionage.

Re:

[rtb61]

It's like so what, what else would you expect, the west has blown trust with China years ago. A company required me to install specific software on a computer to interact with it. That computer would have a connection to that company and definitely not to the internal network and would only be used for that connection and nothing else. They can data mine what they already have, who cares. Why you would connect a forced install to your internal network is really dumb.

Re:

[misnohmer]

It is naive to think that once you build in a back door for "lawful use" it will never be discovered by anyone and used unlawfully. That is the problem of back doors, by definition. If it exists, it will be exploited, maybe not today, maybe not tomorrow, but it till be exploited.

Re:

[LynnwoodRooster]

Wait, so a hidden backdoor to which NO ONE other than the tax software company agreed to use, is the same as getting a warrant from a judge and then using that to investigate a specific individual or company? Really?

Seriously?

[cygnusvis]

A major Chinese bank, which all are state controlled, installs state made root kits? IM SHOCKED!! Western companies need to remember that THEY HAVE NO RIGHTS IN CHINA. Chinese companies also have no rights.

Re:

[hoofie]

Not even close

Re:

[snowshovelboy]

True, in China it was legal before they did it. They only made it legal in the US after the fact.

Re:

[AmiMoJo]

Reminds me of British banks trying to force customers to install "security" software a few years ago. Of course it was spyware and riddled with security flaws itself, and they were less than transparent about what it did.

What am I not surprised

[sentiblue]

Doesn't matter how outrageous things like this got exposed I'm just not going to be surprised. The CCP, chinese companies, chinese military, even US companies founded by chinese ... they all steal shit and they have no fucking shame. They don't just steal research/data/info... they also steal logos, brand names, whatever the fuck looks/feels/seems a little bit worthy stealing.

Didn't see this part coming

[MiniMike]

Trustwave said the software worked as advertised, allowing its customer to pay local taxes

This is the only part of the story that surprised me.

well, DUH, China is officially COMMUNIST

[tiqui]

By definition, there's no such thing as a "Chinese Bank"; that's a fiction designed to encourage foolish people to think there's something normal or civilized about a Marxist county with totalitarian one-party rule.

It's not some xenophobic racist anti-Chinese (as in "anti-Chinese-race") thing to point out a basic fact: namely that in a Communist society there is no such thing as a church, or a bank, or a business, etc - all entities which appear independent are actually united with the government and the single political party; there's no actual dividing line between the party, the military, the spy agencies, the schools, the "businesses", etc. No such dividing lines are permissible because they could introduce the possibility of alternate political views, alternate power structures, and thus "counter-revolutionary" ideas. The Soviets, by virtue of not being mono-ethnic, never had the cover of being able to scream "RACIST!" at any critics, whereas China and its defenders use the very racial purity of China to attack any critics of its evil government as anti-Chinese bigots (implying that anti-Chinese is "anti Chinese ethnicity", rather than "anti-Chinese communist government" ). Sadly there are many western businesses (Like Amazon, The Washington Post, NBC Universal, etc) with large financial ties to China who will be willing to play along in defending China's geopolitical interests by helping with these false attacks.

Having said that, however, let me say that I actually do not believe China is a Communist country at all; it's something far worse and more monstrous:

China is the fascist super-state Hitler imagined he could build

[1] China is a mono-racial society, and many of its people believe their race to be superior.

[2] China is clearly not actually "Communist" as much as they claim to be so - they have huge numbers of very poor and many very rich. As long as they are party members with the right connections, people there are allowed to get rich and not have their stuff re-distributed. China is actually Fascist in structure and behavior. This is far more dangerous Mussolini (a socialist) invented fascism as a more-efficient and more-improved form of Marxism, one that concentrates politics and power in the hands of one party and its government, but retains some strengths of a market economy by allowing businesses to operate under tight government control and then using government control of those businesses to assist in government control of the population. Hitler saw this and burrowed it from Mussolini and indeed Germany between the wars seemed to have a miraculous economic success - just as China has recently seemed to.

[3] China is expansionist. Like all Marxist regimes, it believes it can only truly succeed in bringing about utopia on earth by spreading the political system globally until there are no alternatives left to mankind and there's no "outside" of the system, to which any non-compliant people might hope to escape.

[4] China is at that stage where it routinely makes obviously false statements (about really big geopolitical stuff, not small stuff all diplomats do) and repeats them through state-owned media outlets over and over again, until their own people and any foreign stooges believe them, and outside diplomats simply shrug their shoulders in surrender and say stuff like "well, that's just China... you have to understand..."

[5] China is reaching out around the world and gradually taking real estate with the claim essentially "well, that was once ours, and we're just re-asserting our historic rights"...... it's just a tad familiar..... reminds one of the "sudatenland"...

[6] China, unlike NAZI Germany, has lots of nukes.

Interestingly, I have never heard a single Western liberal complain about China's "lack of diversity"; I don't think I'll hold my breath for that.

Government controls the businesses

[raymorris]

In China, government owns and controls the banks, government owns and controls the schools, government controls the religion. The party controls the government (and everything else)

That doesn't mean the bank and the car company don't exist. They really do have real factories making real cars. Millions of electric cars, actually. It's just owned controlled by politicians through a "good old boy network".

Versus the United States, where you can decide Monday morning that you want to own Chase Bank, do a cou

Re:

[Cederic]

By definition, there's no such thing as a "Chinese Bank"

Don't be so fucking stupid.

A bank is a bank whether it's a co-operative, owned by a Government, floated on a stock exchange or privately run by someone that thinks financial liquidity is a good thing.

Chinese banks are banks. They hold deposits, offer loans, facilitate financial transactions and act like banks, offering banking services. They're banks.

Shit, you'll be telling me next that the USA has no army, because its armed forces are all part of the Government.

Busted

[Canberra1]

The thing about malware/backdoors/rootkits/APT is that they eventually get discovered. Shame embarrassment and finger SHOULD follow, and maybe even ISDS complaints and damages payable. Don't get angry, get even. OK, this now gets a virus signature, and a utility to be surgically removed, and the ports blocked at multiple levels. Mr Trump should be able to get the ball rolling on ISDS damages, under the provisions of unfair trade agreement violations. I can tell you in 1985, program path protections could

Functional network segregation...

[aaarrrgggh]

Not sure why the software would live anywhere but a jail on a network, with supervised external access only when specifically needed.

Re:

[coofercat]

Is that what you do with your banking apps?

I suspect most companies with China-mainland offices keep the whole office in a little network of its own with little to no access back to the mothership. After that though, are they really going to run every app they have in a separate VM/DMZ? I doubt it.

Either way, those companies that have relatively open networks in/out of China would probably do well to lock them down pretty sharpish.

Our company experienced the same time

[nrlz]

Our company experienced the same thing. The Chinese government required us to install their software to file taxes online. However our account urged us to set up an independent computer to run their software because if there were any technical problems we would have to send the whole computer in to be fixed. We were lucky to have listened to them as the independent computer didn't have any corporate secrets on it.

Sony

[bloodhawk]

brings back memories of Sony installing rootkits. China are not the first to do this and won't be the last.

Re:

[Joopsy]

I would disagree. The sony rootkit, while shocking, didn't actually try to exfiltrate data or download/install any secondary programs (that could do absolutely anything)

Tangental but kind of related to the subject...

[Travelsonic]

I can't help but feel like this just poses yet another blow against other user-software having system level access without justification (*cough*anticheat in games*cough*) - even with the differences between banking apps and that, the risks with any system level programs with vulnerabilities are IMO the same - only here I'd argue it's worse due to the financial stuff the software is used for.