Feb 29 2008
Rob Rachwald from Fortify Software on Facebook vulnerability:
“Fortify Software, the application vulnerability specialist, says that buffer overflows are at the heart of a series of hacks against the Facebook and MySpace social networking sites.
The bad news is that this exploit is being used in a hacker toolkit currently being offered for download on several Chinese language hacker sites, meaning that novices have been able to stage these attacks, and not just professional hackers,” he added.
Just want to add a couple of thoughts here:
- When he says, “Several Chinese language hacker sites…” he really should add, “that thousands of Chinese hackers can download from.” Using just the word several makes it sound like only five or six guys/gals could find it.
- These guys aren’t novices; they get paid. Some are inexperienced, yes, but novices, no.
- Who uses the word scupper?
Verb 1. scupper - wait in hiding to attack
Feb 27 2008
it belonged to them so why not.
It was reported on 26 Feb 08 that the Yili Electric Power Plant (located in Xinjiang) had recently carried out a live hacker attack exercise against its own network in order to raise the capability of network personnel to defend against outside attacks. The Yili Power Plant personnel playing the parts of the hackers had no set time or target for the simulated attack; they could attack whenever or wherever they liked within the network.
One of the more interesting aspects of the article was that this was done to increase the ability of network personnel to respond to emergency incidents in support of engineering project “SG186.” Here is a little about Project SG186:
Playing a critical role in the SG186 information infrastructure project under the Chinese Government’s strategic economic blueprint — the 11th Five-Year Plan, the SGCC data center faced an urgent need to optimize its information management to keep pace with business growth and the fast changing requirements of the China power industry. The top priority was to integrate all scattered, diversified and isolated data sources onto a unified storage and management platform, offering a centralized data service environment and analytics platform for all IT applications.
More on Chinese Project SG186…
UPDATE: Added that this was a simulated attack, performed by personnel within the Yili Power Plant in case there was any confusion.
UPDATE TO UPDATE: Actually only added four words, which I have put in bold, because the previous update made it sound like there was zero way you could have determined that before the additions.
Feb 26 2008
This film came out on 19 June 2006, so it is a little old but has one, two or three interesting things:
Title: Hacker Apocalypse
Running time: 67 minutes
Written by: Li Feng (Who also wrote Hero)
Backed by: The famous Beijing amateur film organization BAERXIU Movie Club
Plot: Tieke, the proprietor of a computer company, is also the brains behind a secret hacker organization. He accepts a large sum of money from an unnamed organization to make preparations for a large-scale invasion campaign on the Japanese network using a virus he created called “The broken-hearted rose.”
The movie was not well received by some hackers and DVD fans…they hacked the movie’s website twice.
There was a TV show in 2002 on CCTV6 called the Rose hacker.
There is also a real Chinese Rose virus/trojan (rose.exe). Jingtian talks a little about it on the Kaspersky forum here.
Of course, there is also the most famous Chinese hacker Rose, the Withered.
Why all this? Not sure, but I started to see a lot of refs in Chinese to rose hacker/virus this or that, and now you have too.
Feb 24 2008
I so wish I could steal that title from Maarten…
The really nice thing about having a blog is that you get to interact with people who are much smarter than you; Jumper, Eastwood, 回声, Richard…you get the point. Well, a new member of the “much smarter than me club” is Maarten Van Horenbeeck. Maarten was nice enough to contact me and share some of his research on targeted attacks and information operations. Maarten’s summary from his presentation at 24C3 on targeted attack patterns:
In essence, I looked into targeted attacks against the Falun Gong community, as they are still taking place today. I list some of the unique features (such as “domain parking”) some of these attacks have, and briefly touch on ways to better defend corporate networks. Naturally, there was too little time in one hour to cover it all. Finally, I show a small map that illustrates the complexity of a single attack series over a total of 8 months.
Being retired Army, I am a sucker for a good presentation and Maarten delivers in spades.

Want to share two more of the slides from his presentation, because these point out that Maarten isn’t just a tech guy; he has researched Chinese strategy and truly understands it. He also points out the targeting methodology of the attacks in the pre-attack stage. This is something I have referred to as net reconnaissance, similar to probing operations.


Here is Maarten’s blog site, the rest of his presentation “Crouching Powerpoint, Hidden Trojan” and from the 24C3 conference (torrent vids included). Also wanted to include this link on Chinese strategic thinking, Learning from the Stones.
Many thanks to Maarten for letting me share this!
Feb 22 2008
From an article in the China Philanthropy Times, which falls under the PRC Bureau of Civil Administration, discussing justice and fundamental ethics. The article touches on immorality and the difference between the “legally illiterate” and those who intentionally break the law. One of the examples they use is Chinese hackers:
Recently, a Xinhua News article reported that due to young people’s worship of hacker technology and the pursuit of “illegal money (making money from hacking),” the country now has a large number of hacker websites that conduct training in hacker technology and supply free hacker tool downloads, which has constantly lowered the hacker threshold (made it easier to become a hacker). Now there are many hackers who are bringing up other hackers. They master some insignificant skills in order to bully normal web users, as well as small and medium size websites.
Fang Binxing, a scholar at the Chinese Academy of Engineering, believes that the main reason Chinese hackers are increasing in number is due to the spread of hacker tools.
The technology expert’s argument of course makes a certain amount of sense but only on a technical level. The basic reason is that many of these people who study, develop and use hacker technology don’t feel it is wrong. Their hearts have already been blinded (immoral), it is as if they are like robotic assassins. It is only the technology that motivates them, they are only driven by benefit/profit (fun is also a form of benefit) that provides them their power.
Now, to be fair and to take this example of hackers in the total context of the article, it is saying that here is a case where the youth have failed to see the difference between right and wrong. They know the difference between the two in their hearts, but the pursuit of fame, riches and power has led them to behave in an immoral manner. However, it does point out certain things we need to take note of:
- The government is aware of the Chinese hacker community but does not control it
- This is a warning from the government to the Chinese hackers that things are getting out of hand
- These are not the actions of patriots; it is now bordering on criminal activity
The full article in Chinese is here…
Feb 20 2008
Reported a few days ago on Chinese hacker squeegee men, and it seems like they are not very welcome in China. An unidentified technology security company in Shanghai was busted for its unique brand of marketing. A salesman would come calling and explain the horrors some online game companies experience through DDOS attacks:

Oh, and did he forget to mention his company just happens to sell firewalls? Probably a good idea to purchase this magic firewall, because if you don’t, well, a couple of days later…you experience those horrors he tried to protect you against. Police decided to investigate and Manager Luo and Salesman Li were arrested. Turns out they were in it for the money. Go figure. One section I couldn’t figure out involved a scene talking about the Shanghai company and this website:

This is Chinahacker.com, a member of the Red Hacker Alliance, which I go to every now and then. Exactly why it is used in the video to show where you can download DDOS attack software is still not clear, but no worries, I checked on the site and it is still up and running. Recent posts as of today, which is their yesterday…damn, International Dateline!
Full video of the story:
Feb 19 2008
I spent the weekend in DC at the annual Shmoocon hacker conference. It was a lot of fun and a great learning opportunity. Simple Nomad made a historical reference to a Chinese trojan that a lot of people probably aren’t aware of or don’t remember.
Feb 18 2008
That was my original title for this article, but it has changed; now I consider her the Keyser Soze (The Usual Suspects) of Chinese hackers. I have gone through so many websites trying to figure out her past and just who she is that it has become a blur. She is light, she is dark, she is mean, she is sweet, she is 26, she isn’t nearly that old…etc. It is as hard to get a handle on her as it is to figure out the correct spelling of Keyser Soze, if that is indeed how it is spelled. Anyway, I decided to just let you know what is not in contention and cut out all the other noise:
She was a member of the Six Golden Flowers until they broke up. The line underneath the picture at the top says:
“Don’t bring up the Six Golden Flowers with me again, I am developing on my own.”

Dark Angel’s Picture from The Six Golden Flowers
She goes by the names Dark Angel (黑暗天使) and Heihaitang (黑海棠). As always with Chinese hackers, the meat on the bone comes with the current website they run. And what she is doing now is using her reputation to sell hacker classes…just like every other Chinese hacker of any weight.
She offers 181 individual classes for about US $17 each (no deadline) and a year-long structured course of 14 classes at US $170 (internal programs are free of charge).