Archive for January, 2008

Jan 31 2008

Heikeba Update…Never hack inside China…Ever!

This was more than likely a message to the rest of the Red Hacker Alliance that you do not hack inside China, or there will be consequences.  According to the video, it wasn’t just money that Heikeba was after; fame played a large part as well.  The downfall seems to have come when they decided to break into banks inside of China and steal from Chinese citizens.  That, my friends, is a no-no!

updateheikeba.JPG

Also, it is not nice to attach Trojans to music and picture downloads.

updateheikeba2.JPG

This is the part I’m not completely clear on, and if someone who has better ears than I do can provide clarification, it would be really appreciated.  The police discovered that the site was spread out across 15 cities inside of China. Here is the difficult part: they found records on the site dealing with New York, London and Paris, and something about logging into the sites at the same time, which seemed impossible or only slightly possible.  There is some discussion of time zones and logging into them at the same time.

updateheikeba3.JPG

Difficult to tell if they are saying Heikeba was responsible for hacking into websites in these cities.  Hopefully, we can get a little help here.


Jan 31 2008

Chinese Hacker Trophy Room

Just wanted to put up a quick post on something that I have always found very interesting, the Chinese hacker trophy room.  This is the name I have given it; the Chinese hackers just call it a picture center or pictures.  It is an area of the website they use to post snapshots of hacked websites.  These were once very popular but have fallen out of favor as the nature of the organization has changed from nationalism to criminal activity.  Most Chinese hacker websites now are training others to hack for a fee or marketing Trojans and viruses.

Here is the trophy room from yeshack.com.

yeshack1.JPG

yeshack1.JPG

These screenshots are just of the first two pages; there are seven in total.  Couldn’t get pages 3, 4 and 5 to load.

Just in case you are wondering, I am still viewing the film on Heikeba; it has some very interesting parts to it that the written article did not mention.

Hope to give you an update later today.


Jan 29 2008

More on Cyber Warfare

Published by jumper under Uncategorized

See:  http://aimpoints.hq.af.mil/display.cfm?id=23678 for a look at some of the things the DoD is thinking about.  You may also wish to check out http://www.airforcetimes.com/news/2008/01/gns_cyberairforce_080128/ although it does not specifically reference China.  Comments are welcome.


Jan 28 2008

SANS Institute’s Top Cyber Menaces 08

Of interest to Dark Visitor readers is item number three in the SANS list:

Cyber Espionage Efforts By Well Resourced Organizations Looking To Extract Large Amounts Of Data - Particularly Using Targeted Phishing

One of the biggest security stories of 2007 was disclosure in Congressional hearings and by senior DoD officials of massive penetration of federal agencies and defense contractors and theft of terabytes of data by the Chinese and other nation states. In 2008, despite intense scrutiny, these nation-state attacks will expand; more targets and increased sophistication will mean many successes for attackers. Economic espionage will be increasingly common as nation-states use cyber theft of data to gain economic advantage in multinational deals. The attack of choice involves targeted spear phishing with attachments, using well-researched social engineering methods to make the victim believe that an attachment comes from a trusted source, and using newly discovered Microsoft Office vulnerabilities and hiding techniques to circumvent virus checking.

The open-source information we have so far about this type of well-resourced [Chinese] cyber espionage is anecdotal, and positive attribution hasn’t been possible.  Our only sources are the Rolls-Royce information (very detailed) and Charlie Chen.  The information that we have from DoD sources is very limited on detail, and a lot of readers are inclined to dismiss it because attribution by IP address only is pretty unreliable.  I think there is a lot more going on behind the scenes than IP geolocation.  Consider the information that has been exfiltrated.  Consider the methods that were used to harvest email addresses to use for social engineering.  Consider the tools that were used, and then you have a much better picture.  Let’s face it, script kiddies aren’t interested in the Naval Order of Battle in the Taiwan Strait.  Also, script kiddies aren’t after specific information from the world’s largest research-based pharmaceutical company. Update:  I neglected to reference another attack with some good details:  SANS ISC covered the spear-phishing attack on 30 members of Fa1un G0ng, which is banned in the PRC.


Jan 27 2008

Meet the unluckiest hackers in all of China

 heikeba.JPG

There once was a website named heikeba.com (黑客吧), but alas no more.  The site was run by three Hangzhou University students named Lin Yupeng (林宇鹏), Lin Cailong(林才龙) and Yao Pingqiang (姚平强).  These young entrepreneurs dealt in massive numbers of Trojans.  Reports have stated that they had an extensive collection of malware and at the time of the website’s demise, there were over 500 for sale.  Heikeba.com had over 25,000 registered users and 100 VIP members.  Toward the end, the site was averaging around US $2,700 a month and in less than nine months since its start in January of 2007, had made close to US $14,000.

 heikeba1.JPG

So, what happened to heikeba.com?  It seems that on 13 September 2007, the group was arrested and taken away by police for selling illegal programs.  Liu Yuechuan (刘悦川), the police officer who conducted the investigation, said he used a VIP membership to get into the site and was shocked that it contained so many Trojans.  He was also amazed at the number of viruses hidden on the site.  The website was considered one of the largest distributors of malware in the country.

What makes this so unusual is that it hardly ever happens, and certainly not with this much publicity.   There is hardly a Chinese hacker website that doesn’t sell or distribute some sort of malicious program, and you don’t need VIP membership to discover it.  What these guys really did or who they angered is still a mystery.  Maybe it was just time to set an example.

Here is the CCTV special on the investigation and the arrest. It has a lot more details and I will do my best to give you an updated gist of the program.


Jan 26 2008

Chinese Hackers and the 高考 (National College Entrance Exam)

Published by Heike under Hacking for money

Think the SAT and GRE were a bear? Don’t even complain around a Chinese student taking the National College Entrance Exam; it is a make-or-break-your-life test.

 Tales are legion of parents taking leave for days before the exam and camping in hotels near exam venues, adding to the stress students are already under.

They don’t hesitate to cough up 10,000 yuan ($1,300) for tonics which are supposed to boost brain power and the immune system.

Some families even hire ‘nurses’ to look after test-taking progeny. Xiao Ling, a sophomore at Hainan Normal University and also an experienced home tutor and a good cook, became a ‘nurse’ last month in Haikou of South China’s Hainan Province.

The family paid her 2,000 yuan ($260) a month, roughly four times what they would pay a domestic helper, asking her to help their 17-year-old son review his studies, chat with him to ease his pressure and to make nutritious meals.

Chinese hackers don’t see this as a time for high anxiety, just another way to make bank.

 And in another case, a gang of 11 people traveled around country promising students in 17 provinces places at universities, according to the public security bureau of Haikou, capital of the south island province of Hainan.

Three of the 11 suspects were still at large. The suspects forged the stamps and matriculation certificates of many universities, hired hackers to falsify computer enrollment records and pretended to be recruitment staff, police said.

It isn’t just the colleges that are having trouble with hackers, China’s military academies have also had to tighten controls.

It would also impose more serious punishment on academies and officials who violated the rules. These included, for instance, officials who leaked exam papers and hackers who attacked the enrolment in the computer network.


Jan 23 2008

3800hk.com China’s Largest Online Hacker School

The Patriot’s Security Website (3800hk.com) was originally established in 2003 as the Black Hawk’s Red Hacker Base (3800cc.com).  Its founder, Li Qiang (李强), a.k.a. Rice (大米), has turned the site into a Chinese hacker training industry that markets numerous lines of hacker training CDs, DVDs, online courses and manuals.

3800hk1.JPG

The profile above only lists Li as a lecturer and the station master is given as Stef:

3800hk5.JPG

However, in this interview with sina.com, Li Qiang is clearly identified as the true founder of the organization:

3800hk6.JPG

According to 3800hk.com’s description, the company headquarters has 21 personnel, 9 temporary workers and 17 technicians:

3800hk7.JPG

Furthermore, the company has invested around US $83,000 in hardware and equipment. It has 10 servers spread out in locations such as Hangzhou, Yangzhou, Guangzhou, Henan, Beijing and Shanghai.

3800hk8.JPG


Jan 22 2008

Subprime Market Got You Down? Chinese Hacker’s Virtual Real Estate Going Through The Roof!

Someone has to say it…I personally welcome our new Chinese hacker overlords:

During 2007, millions of home computers, Internet cafes, and corporate networks in China were affected by virus outbreaks. “This is an industry where profits are higher than real estate,” sighed Wang Lei, a Chinese computer virus vendor, during his arrest.

Worm.Nimayam

The raging Worm.Nimayam outbreak covered China in two short months. The programmer, Li Jun, was arrested in February 2007 and sentenced to four years in prison, but that did not slow down the virus industry.

The virus acts like a Trojan horse. It is a small program similar to a phone-tapping device hiding in one’s computer. It picks up personal information, and thus hackers can manipulate the owner’s property (money) or virtual property (such as on-line gaming accounts, e-shopping).

Huigezi (win32.hack.huigezi)

In March 2007, a more powerful virus entered the virtual world: Huigezi. According to incomplete statistics, the direct impact of the Huigezi virus has reached over 20 million yuan (approximately US$2.7 million). One can only imagine how many accounts have been broken into by this virus and how much financial loss has been sustained throughout the country. Even now, Huigezi variants continue to endanger network security.

Read, your new bosses command it!


Jan 22 2008

Chinese Hackers Have Reviewed My Medical Records and Pronounced Me in Good Health!

So what can’t these guys find to turn a buck?  You got me.  Not going to write much on this ’cause I’ve got to check on a few personal records:

Foreign hackers, primarily from Russia and China, are increasingly seeking to steal Americans’ health care records, according to a Department of Homeland Security analyst.

“They’ve been focused on the [Department of Defense] – the military – but now are spreading out into the health care private sector,” Walker said.

Read about it here, I’ve got a cold and need to call Beijing.


Jan 21 2008

BLOCKED

Published by jumper under Censorship

Today I noticed that we haven’t had any visitors from China since January 17th.  I assumed the worst - that the blog is blocked by the infamous great firewall.  I checked out http://www.websitepulse.com/help/testtools.china-test.html and thedarkvisitor.com does indeed appear to be blocked by URL filters.  The DNS name resolves correctly but the web request is never answered.  Censorship in the PRC is decentralized but our site appears to be blocked in all of the cities that this test is available for.  I will be conducting some more testing using TOR later this evening.  I’m not sure I understand why the site would have been blocked since it is not the least bit critical of the CCP or the PRC government and we don’t have any posts about taboo subjects.  There are a couple of posts that make light of Taiwan independence but I wouldn’t guess that would be enough to cause someone to recommend the site be blocked at a national level.  I would be very interested in hearing any readers’ thoughts on this issue of censorship in China.   UPDATE - I used a number of open proxies in China and all returned a 404 when thedarkvisitor.com was requested while other US websites loaded fine.
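The post above reasons from two observations: the name resolves but the request is never answered from inside China, and in-country open proxies return a 404 while a control site loads. The script below, added here as an example and not part of the original post, automates that comparison: it resolves the name, fetches the site directly and through each proxy given, fetches a control site from the same vantage point, and reports what each pattern of results is consistent with. The control host `example.com`, the classification rules, and the sample observations in the usage note are this example's assumptions; none of the verdicts proves intent, they only say which explanation fits the data.

```python
"""Added example: probe a host from several vantage points and classify the failure pattern.
Not from the original post; control host, rules and thresholds are assumptions."""
import socket
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional


@dataclass
class Observation:
    vantage: str                  # "direct" or the proxy URL used
    dns_resolved: bool
    http_status: Optional[int]    # None when no HTTP response ever arrived
    error: Optional[str] = None


def probe(host: str, proxy: Optional[str] = None, timeout: float = 10.0) -> Observation:
    """Resolve `host`, then GET http://host/ either directly or via an HTTP proxy."""
    vantage = proxy or "direct"
    try:
        socket.getaddrinfo(host, 80)
    except socket.gaierror as exc:
        return Observation(vantage, False, None, f"dns: {exc}")
    # An empty ProxyHandler ignores http_proxy in the environment, so "direct" is really direct.
    handler = urllib.request.ProxyHandler({"http": proxy} if proxy else {})
    opener = urllib.request.build_opener(handler)
    try:
        with opener.open(f"http://{host}/", timeout=timeout) as resp:
            return Observation(vantage, True, resp.getcode())
    except urllib.error.HTTPError as exc:            # a response arrived, just a non-2xx one
        return Observation(vantage, True, exc.code)
    except (urllib.error.URLError, OSError) as exc:  # timeout, reset, refused: no response
        return Observation(vantage, True, None, str(exc))


def classify(target: Observation, control: Observation) -> str:
    """Interpret the target's result against a control site fetched from the same vantage.

    The rules are this example's assumptions about what each pattern is consistent with.
    """
    if control.http_status is None:
        return "inconclusive: control site also failed, so the vantage point itself is broken"
    if not target.dns_resolved:
        return "dns failure: name did not resolve (possible DNS tampering, or no such host)"
    if target.http_status is None:
        return "consistent with url/ip filtering: name resolved but the request was never answered"
    if target.http_status >= 400 and control.http_status < 400:
        return (f"consistent with proxy-side filtering: target returned {target.http_status} "
                "while the control site loaded")
    return "reachable"


def check(host: str, control_host: str = "example.com", proxies=()) -> dict:
    """Probe from the direct path and from each proxy; return {vantage: verdict}."""
    verdicts = {}
    for proxy in (None, *proxies):
        verdicts[proxy or "direct"] = classify(probe(host, proxy), probe(control_host, proxy))
    return verdicts


if __name__ == "__main__":
    # usage: python probe.py thedarkvisitor.com http://proxy1:8080 http://proxy2:3128
    target = sys.argv[1] if len(sys.argv) > 1 else "thedarkvisitor.com"
    for vantage, verdict in check(target, proxies=sys.argv[2:]).items():
        print(f"{vantage}: {verdict}")
```

Feeding `classify` the post's own two observations (resolved, no answer, direct; 404 via proxy while the control site returned 200) yields the "url/ip filtering" and "proxy-side filtering" verdicts respectively. A control site that also fails marks the vantage point as broken rather than the target as blocked, which is the mistake a one-sided probe invites.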


Jan 21 2008

Chinese Hackers…I’m Not One to Complain…However,

could we come up with something besides the Chinese flag?

h4ck3rsbr1.JPG

This was a hack of the Matsushita Electric (panasonic.com.cn, which still seems to be down) website located in China by H4ck3rsBr.  The hacker uses all the requisite slogans and denunciations of Japanese imperialism.  Internet security analyst Chen Sanyan thought it was probably a university student on vacation.  He stated that winter and summer breaks were their busiest times of the year.

A commenter on the defacement was kind enough to point to http://hi.baidu.com/h4ck3rsbr/blog/ as the possible source:

h4ck3rsbr2.JPG


Jan 21 2008

Jumper

Published by jumper under Uncategorized

Hello, Heike invited me to start contributing to the blog. I have set up email for myself at jumper (at-sign) thedarkvisitor (dot) com. I have enjoyed reading the blog and I hope my future contribution is meaningful. Thank you!


Jan 20 2008

Mysterious Chinese Hacker Slide Show

UPDATE: Jumper adds the following on this post:

I doubt that the mystery poster is Charlie Chung-Ping Chen. Charlie Chung-Ping Chen researches processors. It is certainly possible that he made the transition during his four year absence from the web but I think it is a stretch. At any rate, he hasn’t responded to Gordon. I assume Gordon contacted him by his university email and his status at the university is listed as “leave of absence”.

I tried to find out more about the PowerPoint and didn’t have much luck. There isn’t any intro slide and the person who posted the presentation hasn’t posted anything else. It is very amusing that the poster’s handle is Deep Throat.

  taiwanhackerslides.JPG

taiwanhackerslides2.JPG

 taiwanhackerslides3.JPG

This thread was first brought to my attention by Jumper who has been collecting postings from an individual in Taiwan named Charlie Chen who is fairly elusive.  The same theme runs through all of Chen’s postings concerning a PRC government run organization of eight Chinese hacker groups dedicated to cyber espionage.

Did a little checking and came across an article by Gordon Housworth who is just as curious about the mystery poster as Jumper.  Gordon did a ton of research and from what I can tell has a good handle on the identity of our mystery man.  He was also able to locate a 26-frame slide show associated with Mr. Chen.


Jan 20 2008

Chinese Hackers DID NOT Compromise 70,000 Sites…It Was More like 94,000!

Published by Heike under Uncategorized

Bsmith provides a detailed update on the uc8010-dot-com, ucmal-dot-com situation.

On or around 4 January, there was an automated attack on thousands of websites. Initial reports were that 70,000 legitimate sites had been compromised, but now the number is estimated at 94,000 sites. These included Fortune 500 corporations, state government agencies, and schools. These sites were infected with malicious code that attempts to engage in click fraud and steal online game credentials from people who visit the destinations.

Read it…Chinese hackers compromise 94,000 sites!
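A site owner reading the report above will want to know whether their own pages carry the injected code. The scanner below is an added example, not taken from Bsmith's report or the original post. It assumes the injection took the common form of an added script or iframe tag whose src points at the attacker's host; its blocklist holds the two domains the post names and nothing else, and the sample page it runs over is constructed for this example. The hidden-iframe heuristic is a second, weaker signal and is labelled as such in the output.

```python
"""Added example: find <script>/<iframe> tags injected into HTML that point at known bad hosts.
Not from the original post; blocklist contents, the hidden-iframe heuristic and the sample page
are this example's assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The two hosts the post names (written there as uc8010-dot-com / ucmal-dot-com). Extend as needed.
BLOCKLIST = frozenset({"uc8010.com", "ucmal.com"})


def host_of(url):
    """Lowercase hostname of a src value; handles scheme-relative //host/path URLs."""
    url = url.strip()
    if url.startswith("//"):
        url = "http:" + url
    host = urlsplit(url).hostname
    return host.lower() if host else None


def is_blocklisted(host, blocklist=BLOCKLIST):
    """True if host is a blocklisted domain or any subdomain of one (not a lookalike suffix)."""
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in blocklist)


def is_hidden(attrs):
    """Heuristic (assumption of this example): zero-sized or display:none / visibility:hidden."""
    style = attrs.get("style", "").replace(" ", "").lower()
    sizes = {attrs.get("width", "").strip().lower().rstrip("px"),
             attrs.get("height", "").strip().lower().rstrip("px")}
    return "0" in sizes or "display:none" in style or "visibility:hidden" in style


class InjectionScanner(HTMLParser):
    """Collects (line, tag, src, reason) for suspicious <script> and <iframe> start tags."""

    def __init__(self, blocklist=BLOCKLIST):
        super().__init__()
        self.blocklist = blocklist
        self.findings = []

    def handle_starttag(self, tag, attrs):   # HTMLParser also routes self-closing tags here
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src")
        if not src:                          # inline script bodies are out of scope here
            return
        line, _col = self.getpos()
        if is_blocklisted(host_of(src), self.blocklist):
            self.findings.append((line, tag, src, "src host on blocklist"))
        elif tag == "iframe" and is_hidden(a):
            self.findings.append((line, tag, src, "hidden iframe (heuristic)"))


def scan(html, blocklist=BLOCKLIST):
    """Return the list of findings for one HTML document."""
    scanner = InjectionScanner(blocklist)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one legitimate script, one injected script, one hidden iframe,
# one ordinary ad iframe that should not be flagged.
SAMPLE_PAGE = """<html><head><title>constructed sample page</title>
<script src="/static/app.js"></script>
<script src="http://www.uc8010.com/0.js"></script>
</head><body>
<p>Page text.</p>
<iframe src="//cdn.example.net/widget" width="0" height="0"></iframe>
<iframe src="http://partner.example.org/ad" width="300" height="250"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for line, tag, src, reason in scan(SAMPLE_PAGE):
        print(f"line {line}: <{tag} src={src!r}> {reason}")
```

Run against the sample page it reports the blocklisted script on line 3 and the zero-sized iframe on line 6, and leaves the sized ad iframe alone. For a real incident, feed it the HTML as stored (templates, database rows, cached output), since the injected tag may live in a footer include rather than in any one page file.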


Jan 18 2008

Anti-Fan Chinese Hackers…Feel “The Crazy!”

Never heard of this, don’t know what to make of it, not sure I even care.  Anti-Fans are a phenomenon that began in Korea, where large numbers of “Anti-Fans” seek to just trash and even poison celebrities.  Number one targets are singers and dancers.  So, the good news…it has spread to China!

boyband.JPG

This is the Taiwanese band F-4, and they got hacked by Chinese anti-fans for referring to Taiwan as a country while filming a commercial for tourism.  (Have to admit, a lot of boy-bands here in the US could use a good hacking…just kidding…sort of.)

japaneseflag.JPG

Chinese actress Zhao Wei targeted by Chinese anti-fans for…too much hotness? No, she wore the Japanese flag.

wangxinling.JPG

 Artist Wang Xinling, just a little too cutesy for some fans. They are anti-fans due to her winky-hand-movey antics on stage.

 hackersofbinladen.JPG

And for the most disturbing of all, they claim to be the Bin Laden for celebrities.

A posting at Sam, Saman, Samantha’s blog sums up my feelings quite well.  But, just because they seem to have gone way past the deep end of the pool, doesn’t mean they can’t make a semi-rocking video!  Enjoy (fair warning, the thing loads slow, slow, I mean really slow):

