Archive for December, 2007

Dec 18 2007

China Breeding New Race Of Super Hackers!! I Kid You Not.

Well possibly…

What happens when two of China’s historic Trojan designers marry? Yes, guy and girl hacker.  My guess is the next generation of Uber Hackers is soon to be born. It was bound to happen eventually, so let me introduce the happy couple:

GLACIER (Groom)

  1. Real Name: Huang Xin (黄鑫)
  2. Online Name: Glacier (冰河)
  3. Organization: www.xfocus.org
  4. Age: 29 (In 2007)
  5. Known Hacks: Developed the Glacier Trojan, China’s most popular
  6. Summary: Graduated from Xi’an Electronic Sci-Tech University. Married to Chinese female hacker Wollf. In 2006, he was 28 years old and a resident of Guangxi. Godfather of the Chinese Trojan.

WOLLF (Bride)

  1. Real Name: Wang Juan (王娟)
  2. Online Name: Wollf
  3. Organization: Unknown
  4. Age: 27 (in 2007)
  5. Known Hacks: Developed the Wollf Trojan
  6. Summary: Born in Sichuan and has worked at a Hainan network company. The mother of Chinese Trojans.

Both added to Top Chinese Hackers


Dec 17 2007

2005 Chinese Hacker Attack On The UK

Published by Heike under UK Attacks

Small section from my book on the UK attack that took place in 2005:

Knowing the types of malicious programs developed and used by certain hacker groups can assist us in pinpointing the source of attacks. Just as traditional criminals develop modus operandi, so do cyber criminals. They will favor one set of techniques and tools over others and just as in traditional law enforcement, these techniques can be used to identify the individuals or groups responsible for the crime. While not foolproof, profiling of groups such as the Red Hacker Alliance may offer additional clues as to their involvement in cases of fraud or theft of sensitive materials.

In June of 2005, the National Infrastructure Security Co-ordination Centre (NISCC) released a report detailing Trojan e-mail attacks targeting United Kingdom “government and companies.” The briefing noted that the attacks were coming from the “Far-East” and that the Trojans used in the attack included Gray Pigeon and Nethief. Chinese hackers have taken credit for the creation of both of these Trojan programs. Mark Sunner, the Chief Technical Officer for MessageLabs, said:

MessageLabs can confirm that the source of the IP addresses originates in China. But there’s a much bigger and broader problem here. The ‘China’ word is not meaningless but it doesn’t mean they are the perpetrators.

Other experts were also skeptical that the IP addresses alone proved the attacks were coming from China. However, on 23 October 2005, Hackbase.com posted a story about the attacks on the British government and the speculation that the attacks were coming from the Far East. The article was apparently taken from the foreign press and translated into Chinese. The comments in response to the article from members of Hackbase, while not conclusive, are very suggestive:

[Screenshot: Hackbase comments on the UK attack article]

41444: Awesome, I am very moved!! My thanks to the elder hackers, I hope you all can attack the US

Real Cow X: I want to express my sincere sympathy to the English government!!!! Many thanks to the elder hackers

Well done!!: The English government has become the target of a Trojan e-mail attack!!!

By applying the hacker profile to this case, the evidence points very strongly to Chinese fingerprints present at the crime scene. The attack perpetrated against the UK government used IP addresses that originated from China; used a backdoor to gain entrance to the computers, one of the preferred methods of the Red Hacker Alliance; and used both Gray Pigeon and Nethief, two of their favorite tools. In addition, members within the organization, when reading about the attack, expressed their admiration for the “elder hackers” whom they seem to credit for the attack’s success.


Dec 17 2007

Chinese Hackers Just Making US Look Bad

Published by Heike under Chinese Malware

Well, 2008 is supposed to be the year of the Chinese hacker…wasn’t 2004 also their year? Anyway, to keep up this winning streak, they have also made it to the top of the list of countries hosting malware.

[Image: top 20 countries hosting malware]

Even though this is a bit old, from Oct of this year, I thought it was interesting.

So where does all this malware come from? In order to answer that question, it’s necessary to take a look at the solutions used by cyber criminals to host malware.

Malware hosted on the Internet can be present in a range of ways. It can be found on compromised home machines, which are infected with bots running tiny HTTP servers that become distribution points. Or it can be present on the hacked websites of ISPs. A very popular choice is companies that give away small amounts of free web space for users to build their own homepage. Examples include www.pochta.ru, www.googlepages.com, www.100freemb.com, www.dump.ru and www.home.ro.

There have also been cases where stolen credit cards were used to purchase a domain name and a hosting package from a legitimate ISP; these were then used to distribute malware.


Dec 16 2007

Beginning of Chinese-Vietnamese Hacker War?

Published by Heike under Nationalism, Uncategorized

This is probably just a coincidence, but yesterday the site got three hits from Vietnam. The reason I noticed was that this was the first time we have received visitors from there:

[Image: Chinese Vietnamese Hacker War]

Then in today’s news, Vietnamese hackers defaced a Chinese government site over the ongoing Spratly and Paracel Islands dispute. Retaliatory strikes are pretty much a given in this type of situation. It puts into play two of the Red Hackers’ favorite themes: Chinese national sovereignty and attacks on China’s internet security. I’ll keep you posted if I learn any more.


Dec 14 2007

Chinese Hacker Civil War

中国黑客内战

It is very likely that within the next 2-5 years, a major civil war will erupt between factions within the Chinese Red Hacker Alliance. I’m making this forecast (analysts love to use this term rather than “predict” because it is easier to fluff off when you are proven dead wrong) based on the following reasons:

  1. The organization has all but lost its nationalistic character and has shifted, or is rapidly shifting, toward one based on profit motive. This has caused the movement to lose much of its cohesion and sense of unity. If there isn’t an event to rekindle their patriotic spirit, the group will splinter.
  2. Increased competition between different factions to earn money, attract recruits and sell products is at an all time high. Chinese hackers are reaching a saturation point in their marketing of Trojans, viruses and training courses. This will only add to the tensions already present. Chinese hackers have moved from a circular shaped structure to a pyramid; the scramble to reach the top will do nothing to alleviate these tensions.
  3. Internal hacking attacks and threats between different cells have been documented in my book and by the Chinese themselves. The year 2004 saw the first skirmishes in this war and the environment does not seem to have improved. Combine these elements with the youthful age of the alliance and it will cause some members to act in the extreme.

What brought on this sudden prediction? It has been something I have thought on and off again since the beginning of this research. The ideology that holds them together is too difficult to maintain during periods of inactivity. What do you do with young nationalists who have no war to fight, no motherland to defend? They either get bored and move on…or start to eat their own.

A posting on Janker’s website titled “Chinese hackers, what is going on?” makes the observation that, “recently there has been turmoil inside the Chinese hacker security circle.” He cites numerous examples of Chinese hackers attacking each other and is exasperated at the state of the alliance. These examples run from December of 2004 to June of 2005. One commenter, going by the name of Kerberos, actually used the term “civil war” to describe the situation. Another website even called it the “Hacker Warring States,” a reference to the Chinese Warring States period.

So why did I wait to have my own thoughts reflected in the Chinese Hacker community before making this prediction (sorry, forecast)? I personally think it is wrong to apply “Blue” thinking to explain a “Red” paradigm. What appears logical to us does not always fit neatly into different cultures. Western societies use linear logic while Eastern cultures often apply circular. The dialectic thought process is not always clear or easy to decipher. Fine, I just don’t get ‘em.


Dec 14 2007

Chinese Hackers Hitting Olympics

Published by Heike under UK Attacks

[Image: Olympic rings]

UPDATED: One of the projects I have been thinking about putting together is a calendar showing dates and events of possible future Chinese hacker attacks.

Take this example: it should have been fairly easy to identify the Olympic Games as a catalyst for Chinese hacker attacks. China views the 2008 Olympics as its coming-out party. It should not come as a huge surprise that patriotic Chinese hackers would target their competitors’ websites for information collection. Oh, by the way, if you think only our English cousins are going to be attacked over the Olympics, you are sadly mistaken. Care to guess whether this information was disseminated to other countries, warning them of possible Chinese intrusions…

I can guarantee that in March of 2008, the Taiwanese will suffer attacks from mainland hackers. Why? They will hold national elections, and the anti-independence, pro-unification crowd will have to make themselves known. Oil and natural gas corporations: if the attacks aren’t happening right now, they are coming. The Japanese, sorry, you guys are pretty much on your own; there is probably not a date on the calendar that won’t correspond to some grievance. The point being, there are indicators we can use to make a reasonable guess at dates of attack.


Dec 12 2007

The Lonely Swordsman

孤独剑客

(Lonely Swordsman)

Janker Wiki on Hackbase

Thanks to the propensity of every organization to have its own wiki, I have finally been able to nail down the two founders of the “Ultra Right-Wing Chinese Hackers Opposed to Japan Alliance”. Yep, a mouthful. The group was established in the year 2000 and played a significant role in both the Sino-Japanese (2000) and Sino-US (2001) cyber conflicts. Here is a little on the group from my book, provided by Chu Tianbi:

The year 2000 would bring both highs and lows for the Red Hacker Alliance. From late January to mid-February, a group calling themselves the “Ultra Right-Wing Chinese Hackers Opposed to Japan Alliance” claimed to have attacked some 30 Japanese web sites “belonging to the ministries, the prime minister, parliament, and the state planning agency.” This was in retaliation for what the hackers perceived as a denial of the Nanjing Massacre following the loss of a Japanese court case by Azuma Shiro. Azuma Shiro was a Japanese soldier who maintained a diary during WWII that recounted Japanese atrocities in Nanjing. The diary was published and his former superior immediately sued Shiro for libel. Shiro lost the case and subsequent appeals in 1998 and 2000. Their web site, located at Http://www.bsptt.gx.cn/public/badboy/hack/, posted an open letter to the Japanese government that stated:

“Let it be known that the objective of this alliance is to carry out savage attacks on the small number of Japanese mad-dogs on the net. The alliance is comprised completely of fervent patriotic Chinese net-worms.”

The site provided over 300 Japanese government URLs, the e-mail addresses of over 100 Japanese representatives, and dozens of the most effective hacker attack tools. Furthermore, the site explained how to use these tools to attack Japanese web sites. In an online interview with Computer Journal, a hacker calling himself “ROOT,” admitted that the paralysis of the web sites for the prime minister’s office, the Bureau of Statistics, and the Bureau of Science and Technology were his doing. ROOT complained that the attacks on Japanese web sites occurred because of dissatisfaction with the Japanese government’s far right denial of the historical facts of the Nanjing Massacre:

“I did absolutely everything by myself. The payback for little Japan didn’t require anyone else. I think I’ve done what anyone should have done as a Chinese person, and anyone else would have done this. I hope they connect what I’ve done with what happened in Osaka, giving a warning to the Japanese devils.”


Dec 11 2007

2008 Year of the Chinese Hacker

Published by Heike under Uncategorized

Congrats guys…oh yeah, your iPhone is going to get hammered too.

“We expect 2008 to be the year of the iPhone attack, the Chinese Hacker, P2P network spammers and the hijacking of the Storm botnet,” said Jose Nazario, senior security engineer at Arbor Networks. Continue reading more of Year of the Chinese Hacker.


Dec 11 2007

Top Chinese Hackers

Published by Heike under Hacker Organization, Leaders

中国顶级黑客名单

Just added a new section to the website called “Top Chinese Hackers” in the upper right-hand corner. It will be an ongoing project and could take a bit of time to complete since I have a lot of info on different individuals. I’ll add a short post each time it is updated so you don’t have to constantly check.


Dec 10 2007

The Chinese Should Have Been At Troy

木马

The Chinese hacker’s weapon of choice is the Trojan. The love for this method started with Cult of the Dead Cow’s Back Orifice. Then the Chinese started inventing their own Trojans, like Glacier and Grey Pigeon. Now you can’t go to a Chinese hacker website without seeing the newest, latest and greatest Trojan for sale.

Finjan Security has a nice article on the network of sites exploiting their use. For more fun, it also shows a Chinese government website involved in the organization. Cool diagram I don’t understand either…here.
