Dec 31 2007
Archive for December, 2007
Dec 30 2007
Just Like Sudoku
Ever played Sudoku? There was a time when I couldn’t get away from the game. Maybe it is my obsessive-compulsive personality, but finding out who hacked what is getting to be a lot like that.
Fair warning, this Chinese hacker hunt isn’t very satisfactory, no picture of the guy at the end of the trail. Still, I did it, so you will have to suffer the disappointment with me.
Went back to an old favorite of mine, zoneh.cn and started looking at the hacked websites. I don’t bother with internal Chinese hacks but the ones outside of China just annoy me.
Coming in at number 6 in the standings of Top 20 Users is Webshell with 689:
One of the websites outside of China, listed under Webshell’s credits is http://www.photozone.co.kr: (Korean)
Here is the mirror of Webshell’s hack:
Translation: Whoosh, an amateur passed by. I am just a very young amateur.
Dec 28 2007
Top Chinese Hacker of the Day
Proficient Windows Registry + BIOS
I know this has been slow going but…well, the holidays you know. In the spotlight today:
- Real Name: Zhang Xinghu (张兴虎)
- Online Name: Flyingfox
- Organization: www.54hack.org, www.yl.net.cn
- Age: Unknown
- Known Hacks:
- Summary: Founder of China Youth Hackers Alliance. In 2004 was a technical security advisor for a police station. Author of Proficient Windows Registry + BIOS
Added to list of Top Chinese Hackers.
Dec 27 2007
Chinese Hackers Crash 2000 Blogs
(Scroll to the bottom of the link) Reporters Without Borders is claiming that it was probably mainland Chinese hackers who used a DDoS attack on Boxun’s website to shut down dissident postings. Not really familiar with Boxun, but they have also posted the attacking IPs and the number of hits received.
Dec 27 2007
Sunwear Picture Claimed a Joke
Received a comment from reader Kitty stating that Chinese hacker Sunwear claims the article I wrote showing him in a People’s Armed Police uniform was a joke on a friend and not real. Kitty also claims this has stirred up trouble.
Actually, in an update posted on 26 Nov 2007, I make pretty much that same observation. I would also submit to Kitty that it isn’t the picture that has caused trouble but Sunwear’s act of breaking into Japanese websites he does not own. Just my two pennies’ worth.
Dec 27 2007
Chinese Hacker Interviews Hack in the Box Founder
Started surfing Baidu and ran across this 2006 interview with Dhillon Andrew Kannabhiran (a.k.a. L33tdawg), CEO and founder of Hack in the Box. The discussion was conducted by superlone, a member of Eviloctal (Chinese hacker group), and was sort of funny, weird, chilling, uncomfortable… It is a bit longish, but I think well worth the read.
Here is my favorite part:
superlone: as for chinese security industry, how much do you know about it? about chinese hackers and the level of chinese hackers?
L33tdawg: well on the industry aspect i don’t really know much. as for chinese hackers we are affiliated with XFOCUS which imho has some of the best researchers. remember that it was the XFOCUS guys who were the first to turn LSD’s RPC DCOM research into a working exploit targeting all Chinese versions of Windows.
superlone: what other chinese security groups or communities do you know besides XFOCUS?
L33tdawg: apart from XFOCUS, i know you are from www.eviloctal.com. well i’m sure there are many, but seeing that i do not read or speak Chinese, it is a bit difficult to make contact.
Ahh, fun with Chinese hackers. Continue reading…or not.
Dec 26 2007
Chinese Hackers Must Get Tired During the Holidays
Got to give Ed Dickson at Blogger News Network credit for working Storm Worm, zombies and scantily clad women in Santa attire into the same headline. Of course the offending URL for this potential horror movie has a .cn trailer attached to it. Now, in case you somehow missed out on getting your computer infected on Xmas, I’m sure our Chinese hacker friends will give you another shot at it come New Year’s.
Dec 23 2007
The Demise of Hao Tian’s Blog
Elia Florio has written a very informative piece on a Chinese hacker named Hao Tian distributing a program that exploits vulnerabilities in MS Office (Word).
The attacker has only to bind an executable such as a Backdoor or an Infostealer Trojan, and the tool will do the rest. It will create a malicious MS Word file that can drop and run the chosen .exe file. No need to analyze buffer overflows, find return addresses, or program complicated shellcode. Zero knowledge, maximum result, and minimal effort.
Closely following the article, Hao Tian decided his registration was full and closed shop.
Go read the full article on this Chinese hacker malware at Symantec.
Dec 21 2007
Damn Pigeons! 灰鸽子
First, let me start you off with a little background on the Gray Pigeon Trojan here. Great stuff, they even upset their own people enough to force them to stop production. A good thing too because that program was turning up in a lot of government systems, like here for example.
However, just like every ’80s horror movie, the thing just refuses to die. So, the announcement posted on 2 Dec 07 at hx99.net (previous link removed, page taken down by hx99.net) saying they were making a comeback didn’t come as too much of a shock.
The old disbandment message dated 21 March 07 is still on the front page of the Gray Pigeon website (why does the one pigeon look like a hummingbird…who knows.):
Just as promised, their fresh postings on 18 and 22 Nov 07 promise a revival of the site. The posting on 22 Nov 07 could use some IT input on the screenshots.
The text is too much for my Chinese but maybe some of you IT guys could provide some insight.
Dec 20 2007
Russian Hackers Move Out, Chinese Hackers Move In
Hat-Tip: As always, Jumper
Interesting article from SC Magazine on Chinese hackers filling the void after the Russian hackers packed up shop. It doesn’t give enough detail to determine the particulars, but it raises a lot of questions. Was this a voluntary surrender by the Russians? Are they working in concert with one another? Would love to hear more about it if anyone knows.
Russian Hackers Move Out…And The Chinese Move In.
Dec 18 2007
China Breeding New Race Of Super Hackers!! I Kid You Not.
Well possibly…
What happens when two of China’s historic Trojan designers marry? Yes, guy and girl hacker. My guess is the next generation of Uber Hackers is soon to be born. It was bound to happen eventually, so let me introduce the happy couple:
GLACIER (Groom)
- Real Name: Huang Xin (黄鑫)
- Online Name: Glacier (冰河)
- Organization: www.xfocus.org
- Age: 29 (In 2007)
- Known Hacks: Developed the Glacier Trojan, China’s most popular
- Summary: Graduated from Xi’an Electronic Sci-Tech University. Married to Chinese female hacker Wollf. In 2006, he was 28 years old and a resident of Guangxi. Godfather of the Chinese Trojan.
WOLLF (Bride)
- Real Name: Wang Juan (王娟)
- Online Name: Wollf
- Organization: Unknown
- Age: 27 (in 2007)
- Known Hacks: Developed the Wollf Trojan
- Summary: Born in Sichuan and has worked in a Hainan network company. The mother of Chinese Trojans.
Both added to the list of Top Chinese Hackers.
Dec 17 2007
2005 Chinese Hacker Attack On The UK
Small section from my book on the UK attack that took place in 2005:
Knowing the types of malicious programs developed and used by certain hacker groups can assist us in pinpointing the source of attacks. Just as traditional criminals develop modus operandi, so do cyber criminals. They will favor one set of techniques and tools over others and just as in traditional law enforcement, these techniques can be used to identify the individuals or groups responsible for the crime. While not foolproof, profiling of groups such as the Red Hacker Alliance may offer additional clues as to their involvement in cases of fraud or theft of sensitive materials.
In June of 2005, the National Infrastructure Security Co-ordination Centre (NISCC) released a report detailing Trojan e-mail attacks targeting United Kingdom “government and companies.” The briefing noted that the attacks were coming from the “Far-East” and that the Trojans used in the attack included Gray Pigeon and Nethief. Chinese hackers have taken credit for the creation of both of these Trojan programs. Mark Sunner, the Chief Technical Officer for MessageLabs, said:
MessageLabs can confirm that the source of the IP addresses originates in China. But there’s a much bigger and broader problem here. The ‘China’ word is not meaningless but it doesn’t mean they are the perpetrators.
Other experts were also skeptical that the IP addresses alone proved the attacks were coming from China. However, on 23 October 2005, Hackbase.com posted a story about the attacks on the British government and the speculation that the attacks were coming from the Far East. The article was apparently taken from the foreign press and translated into Chinese. The comments in response to the article from members of Hackbase, while not conclusive, are very suggestive:
41444: Awesome, I am very moved!! My thanks to the elder hackers, I hope you all can attack the US
Real Cow X: I want to express my sincere sympathy to the English government! ! ! ! Many thanks to the elder hackers
Well done!!: The English government has become the target of a Trojan e-mail attack!!!
By applying the hacker profile to this case, the evidence points very strongly to Chinese fingerprints present at the crime scene. The attack perpetrated against the UK government had: IP addresses that originated from China; used a backdoor to gain entrance to the computers, one of the preferred methods of the Red Hacker Alliance; and used both Gray Pigeon and Nethief, two of their favorite tools. In addition, members within the organization, when reading about the attack, expressed their admiration for the “elder hackers” who they seem to credit for the attack’s success.
Dec 17 2007
Chinese Hackers Just Making US Look Bad
Well, 2008 is supposed to be the year of the Chinese hacker…wasn’t 2004 also their year? Anyway, to keep up this winning streak, they have also made it to the top of the list of countries hosting malware.
Even though this is a bit old, from Oct of this year, I thought it was interesting.
So where does all this malware come from? In order to answer that question, it’s necessary to take a look at the solutions used by cyber criminals to host malware.
Malware hosted on the Internet can be present through a range of ways. It can be found on compromised home machines, which are infected with bots running tiny HTTP servers that become distribution points. Or it can be present on the hacked websites of ISPs. A very popular choice is companies that give away small amounts of free web space for users to build their own homepage. Such samples include www.pochta.ru, www.googlepages.com, www.100freemb.com, www.dump.ru or www.home.ro.
There have also been cases where stolen credit cards were used to purchase a domain name and a hosting package from a legitimate ISP; these were then used to distribute malware.
Dec 16 2007
Beginning of Chinese-Vietnamese Hacker War?
This is probably just a coincidence, but yesterday the site got three hits from Vietnam. The reason I noticed was that this was the first time we have received visitors from there:
Then in today’s news, Vietnamese hackers deface a Chinese government site over the ongoing Spratly and Paracel Islands dispute. Retaliatory strikes are pretty much a given in this type of situation. It puts into play two of the Red Hackers’ favorite themes, Chinese national sovereignty and attacks on China’s internet security. I’ll keep you posted if I learn any more.
Dec 14 2007
Chinese Hacker Civil War
中国黑客内战
It is very likely that within the next 2-5 years, a major civil war will erupt between factions within the Chinese Red Hacker Alliance. I’m making this forecast (analysts love to use this term rather than “predict” because it is easier to fluff off when you are proven dead wrong) based on the following reasons:
- The organization has all but lost its nationalistic character and has shifted, or is rapidly shifting, toward one based on profit motive. This has caused the movement to lose much of its cohesion and sense of unity. If there isn’t an event to rekindle their patriotic spirit, the group will splinter.
- Increased competition between different factions to earn money, attract recruits and sell products is at an all time high. Chinese hackers are reaching a saturation point in their marketing of Trojans, viruses and training courses. This will only add to the tensions already present. Chinese hackers have moved from a circular shaped structure to a pyramid; the scramble to reach the top will do nothing to alleviate these tensions.
- Internal hacking attacks and threats between different cells have been documented in my book and by the Chinese themselves. The year 2004 saw the first skirmishes in this war and the environment does not seem to have improved. Combine these elements with the youthful age of the alliance and it will cause some members to act in the extreme.
What brought on this sudden prediction? It has been something I have thought on and off again since the beginning of this research. The ideology that holds them together is too difficult to maintain during periods of inactivity. What do you do with young nationalists who have no war to fight, no motherland to defend? They either get bored and move on…or start to eat their own.
A posting on Janker’s website titled “Chinese hackers, what is going on?” makes the observation that, “recently there has been turmoil inside the Chinese hacker security circle.” He cites numerous examples of Chinese hackers attacking each other and is exasperated at the state of the alliance. These examples go from December of 2004 to June of 2005. One commenter, going by the name of Kerberos, actually used the term “civil war” to describe the situation. Another website even called it the “Hacker Warring States,” a reference to the Chinese Warring States period.
So why did I wait to have my own thoughts reflected in the Chinese Hacker community before making this prediction (sorry, forecast)? I personally think it is wrong to apply “Blue” thinking to explain a “Red” paradigm. What appears logical to us does not always fit neatly into different cultures. Western societies use linear logic while Eastern cultures often apply circular. The dialectic thought process is not always clear or easy to decipher. Fine, I just don’t get ‘em.