Archive for April, 2008

Apr 26 2008

The originator of “Red Heart China” gets his website hacked!! Europeans responsible?

Published under Chinese hacker video

Started to wonder why all those hearts were appearing on Chinese blogs and the answer may just be, the Red Heart China MSN:

About 2.3 million Chinese MSN users have added a pattern of “red heart” and the English word “China” in front of their online signatures to show their unity and patriotism.

MSN China spokesman Feng Guangshun released the figure on Thursday. Many more people have opened their MSN accounts to find a message which asked them to add the “red heart” and “China” in front of their signatures.

A bit more on Red Heart from the Wall Street Journal:

When Xingrong Chen logged into MSN Messenger yesterday, she found a message from a friend inviting her to join China’s latest Internet craze:

“Please add (L) China after your name on MSN, to show the unity of Chinese people around the world. Please send this message to your friends on MSN.”

She followed the instruction and within a second, a red heart icon and the word “China” appeared beside her user name.

“I have no idea who first raised this idea, and it doesn’t matter.” the 24-year old Shanghai resident said, “My MSN contact list is red all over now!”

Youku video of people explaining Red Heart China:

Well, apparently not everyone is as excited about this new wave of patriotism sweeping China. According to many news sources in China (24 April 08), the man who originated the Red Heart China signature has had his website 5sai.com hacked.

  1. CEO Chen Huaiyuan said that the day before yesterday, the 5sai.com website came under attack from four foreign IP addresses and as of last night, the attacks still had not stopped
  2. Statistical data from the 5sai.com server showed that the IP addresses were located in Europe
  3. During the high frequency periods of the attack they were receiving two to three attacks every second and during the low peaks it was three to four attacks every minute


Apr 24 2008

New “Kinda-Lazy” Chinese hacker attack on CNN scheduled for tomorrow. UPDATE x2

UPDATE FIZZLE: Just got word from Jose that nothing happened with the CNN website today. Chinese hackers are starting to make me look bad and I will not stand for that!! :)

If this keeps up, it may be easier to list the days that Chinese hackers are not calling for an attack on CNN.

Had some serious reservations about posting this article for a couple of reasons but decided it is probably worthwhile. The cons are that there is ZERO confirmation from other sites about the impending attack and the alert posting did not list a sponsoring organization. On the pro side, it included a website that was set up on the 20th (after the initial attack), which is linked in the post and looks like it is there to support the action.

So, large CAVEAT: UNCONFIRMED

Added bonus, stupid clock again:

The Announcement

At 8:00 pm (Beijing local) on 25 April, Chinese hackers will attack CNN

[Announcement] 2008-04-21 On 25 April, 8:00 pm (Beijing local), Chinese hackers will attack CNN.

Everyone, please pay attention to the issues regarding the effort to invade the CNN website. We are requesting the support of all Chinese. If you are an expert hacker, we request you ardently strive to invade www.cnn.com. If you are a novice, we request you use DDOS flood attack or put up a couple of pieces of hacker software. If you are not a hacker, we request that you land on the www.cnn.com website at 8:00 pm on 25 April.

Try with all your might to establish a link with the website in order to waste its resources. If their website is continually at capacity for three hours, the server may just crash. Don’t forget, there are over 1.4 billion Chinese! There are over 100 million Chinese online, they won’t be able to withstand us.

Please, assist us with the invasion of www.cnn.com, this represents the honor of China over the issue of Tibetan independence. The www.cnn.com website has put out a large amount of unsubstantiated reports that are a serious challenge and US hackers have already invaded many of our websites. It is time for revenge; let us begin a new round of Sino-US hacker wars. Let them know the strength of the Chinese people.

If it is convenient, please circulate this message to all of your groups. We need support…. Currently, many of us are going to this webpage to carry out the attack, http://www.goupsoft.com.cn/Bs_Cnn.html. The first time you open it, it might not display. Just refresh the page and it should be okay.

Kinda Lazy (but genius!)

Over at the attack website of goupsoft.com, you land on an automated webpage that uses your computer and IP address to continuously “attack” the CNN website unless you close the browser. My guess is that it is constantly making fresh requests from CNN to tie up bandwidth. The graphic below even shows the number of attacks you have made on the site.

Yeah, I kinda attacked CNN 24 times…Whoops! Well, CNN never returned my e-mail either! Damn, I’m sort of a Chinese hacker now? Anyway, the only really interesting thing in that blurb of Chinese above is that they call CNN a “whore.” Really, twice.

This Attack Method Spreading

While this might be the oldest trick in the book, it is new to me so I’m putting it out there. The website http://www.chenmin.org/doscnn.html is using pretty much the exact same attack method as mentioned previously.

Once again, you land on the webpage above and it begins refreshing the CNN website in an iFrame every five seconds, using up their bandwidth (Jumper explained this to me). So, I sort of attacked CNN another five, six, seven…forty times looking at the program. Here is Jumper’s full explanation from the question I e-mailed to him last night about the site:

Yes. It loads an iframe: And then it reloads itself every five seconds:

<script>
var e=document.getElementById('cnn');
setInterval("e.src='http://www.cnn.com'",5000);
//1000 means 1000 milliseconds; you can change it and forward it on
</script>

Probably not as effective as the Mao-inator program.

I direct your attention to the last line (emphasis mine) in Jumper’s e-mail. Number one, he dubs the program he analyzed yesterday the Mao-inator™, which I personally find hilarious. Number two, there seems to be a slight amount of professional jealousy involved, since he is dismissing my program as “less effective” than the one he worked with. Yeah, but did yours call CNN a “whore”? Didn’t think so! Less effective, I think not sir!

All kidding aside, this is an excellent method for incorporating large numbers of unskilled people into your DDoS attack. It comes with the added advantage of using their computers, IP addresses and bandwidth and you don’t have to train them. The only skill that is required is the ability to open a webpage in a browser and let it run. Plus, recruits who might not be so willing to stick around to the end of the fight, if tied to a computer all day, are free to do whatever they want while at the same time defending the motherland. My vote GENIUS!

Make up your own odds if this will actually take place. I have informed Jose Nazario at Arbor Networks who has been monitoring this situation closely and has had great insights.

UPDATE 1: Located the blog for Li Haiwei, the owner of the attack website goupsoft.com.cn, and my boy has some serious issues with CNN and Tibet. Lots of disturbing imagery for the whole family:

The graphic reads, “CNN- I like it. I am CNN.” Then some stuff way too small to read. The Nobel Peace Prize award you can read yourself and at the bottom Tibet.

UPDATE 2: Netcraft has a live performance monitor for the CNN website here.


Apr 22 2008

Return of Poizon B0x?

Does anyone remember Poizon B0x from the “Sino-US Hacking War” years ago?

Some Chinese Hacker group thinks Poizon B0x is coming back on a “China Killer” rampage in what they describe as a second round of the Sino-US hacking war.  Here is a gist of a board post from April 20, 2008:

Red Alert:  Beware of the United States hacker organization Poizon B0x coming in again.

No news organizations are reporting this but [rumors] are spreading around the Internet that a new round of the Sino-US hacking war [is coming... and] a May 1/Golden week special youth day counter-offensive [is planned], we hope for a lot of support in the counterattack!

The May 1st date mentioned above is highly significant as it coincides with the anniversary of the EP-3 incident in 2001 and the start of Chinese hacker counter-attacks:

American cracker group PoizonBOx has defaced at least a hundred Chinese websites since April 4 (2001). Chinese hackers are now vowing to retaliate with a planned week-long all-out crack attack on American websites and networks which will start on May 1(2001).

At this point, it is difficult to tell if this is speculation or if it is based on some defacements attributed to Poizon Box.  I can’t seem to find much else to corroborate this post so I’m a bit skeptical about all of this.  I’ll monitor the board and report any news as it comes in.  Any offline comments or questions can go to jumper *at* thedarkvisitor *dot* com.


Apr 22 2008

More on anticnn.exe

CNN-hating Chinese nationalists can download a tool to send high volumes of requests to www.cnn.com in an attempt to knock it offline. The tool is bundled in a .rar file that contains a readme and the pre-compiled Windows binary. A quick virus check showed that some scanners identified it as a backdoor, but that didn’t seem to be the case. When I ran the tool, a simple flag icon appeared in the lower right of my test VM.

When I click on the flag, the full interface appears with three options: start/stop, minimize and exit.

Here is a sample of the request/response I got after running it for a few seconds:

GET /aux/con/com1/../../[LAG]../.%%%%%%%%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp HTTP/1.1
Accept: */*
Host: www.cnn.com
Connection: Keep-Alive

HTTP/1.1 400 Bad Request
Date: Tue, 22 Apr 2008 12:12:34 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 287
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache Server at www.cnn.com Port 80</address>
</body></html>

I read somewhere that it is self-updating but I never saw any requests other than DNS resolution (to my own configured DNS servers, not hard-coded) and requests to www.cnn.com.  I’ll run it in “paused” mode for a while to see what happens.

UPDATE (0100GMT 23 April 08):  No suspicious traffic came from this binary (apart from what was expected, of course).

UPDATE (1628GMT 24 April 08): Heike and I have dubbed anticnn.exe the “Mao-inator”.
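Both traffic patterns described on this page, the fixed-interval iframe reload from the Apr 24 post and the malformed request line anticnn.exe sends (captured above), can be picked out of a web server's access log. What follows is an added example, not code from the blog, from Jumper or from the tools discussed; the log lines are constructed Apache combined-format samples, and the attack-page host list, the trait threshold and the cadence tolerance are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

# Apache combined log format; the sample lines below are constructed for this example.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# Traits of the request line the post captured from anticnn.exe: a reserved Windows
# device name as a path segment, dot-dot traversal, a run of '%', stacked fake
# extensions. Two or more together count as the tool's signature (threshold assumed).
TRAITS = [re.compile(p, re.IGNORECASE) for p in (
    r'/(aux|con|prn|nul|com\d|lpt\d)/', r'(^|/)\.\.(/|$)', r'%{3,}',
    r'(\.(php|aspx|asp|cfm|jsp)){3,}$')]

# Hosts the posts name as serving the iframe/refresh pages (assumed defender-kept list).
ATTACK_PAGE_HOSTS = {"www.goupsoft.com.cn", "www.chenmin.org"}

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            entries.append(e)
    return entries

def is_tool_request(path):
    return sum(bool(t.search(path)) for t in TRAITS) >= 2

def find_tool_clients(entries):
    """IPs that sent the malformed anticnn.exe-style request line."""
    return sorted({e["ip"] for e in entries if is_tool_request(e["path"])})

def find_periodic_clients(entries, period=5.0, tolerance=1.0, min_hits=3):
    """IPs re-requesting one path at a fixed cadence, i.e. the iframe reload pattern.
    Also reports whether the Referer pointed at a known attack page."""
    times, refs = defaultdict(list), defaultdict(set)
    for e in entries:
        key = (e["ip"], e["path"])
        times[key].append(e["time"])
        refs[key].add(urlsplit(e["ref"]).hostname or "-")
    hits = {}
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if abs(median(deltas) - period) <= tolerance:
            hits[key[0]] = {"path": key[1], "hits": len(ts), "median_delta": median(deltas),
                            "from_attack_page": bool(refs[key] & ATTACK_PAGE_HOSTS)}
    return hits

# Constructed sample: a browser sitting on the refresh page, one anticnn.exe client,
# and an ordinary reader. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Apr/2008:12:00:00 +0000] "GET / HTTP/1.1" 200 51234 "http://www.chenmin.org/doscnn.html" "Mozilla/4.0"
192.0.2.10 - - [25/Apr/2008:12:00:05 +0000] "GET / HTTP/1.1" 200 51234 "http://www.chenmin.org/doscnn.html" "Mozilla/4.0"
192.0.2.10 - - [25/Apr/2008:12:00:10 +0000] "GET / HTTP/1.1" 200 51234 "http://www.chenmin.org/doscnn.html" "Mozilla/4.0"
203.0.113.5 - - [25/Apr/2008:12:00:01 +0000] "GET /aux/con/com1/../../../.%%%%%%%%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp HTTP/1.1" 400 287 "-" "-"
198.51.100.7 - - [25/Apr/2008:12:00:02 +0000] "GET / HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Apr/2008:12:00:31 +0000] "GET / HTTP/1.1" 200 51234 "http://www.cnn.com/world/" "Mozilla/5.0"
198.51.100.7 - - [25/Apr/2008:12:01:37 +0000] "GET / HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
"""
```

Feed `parse_log(SAMPLE_LOG)` to the two `find_` functions: the tool client is flagged by its request line alone, while the refresh-page visitor is flagged by cadence, with the attack-page Referer as corroboration rather than the trigger.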


Apr 21 2008

Hackcnn responsible for taking down SportsNetwork

Published under Uncategorized

This seems to be the website responsible for attacking the SportsNetwork website:

The portal page gives an automatic download to use against the CNN website and is point and click. Only 1k and uses only 1% of CPU, so that’s good. Here is part of the bbs talking about the target but it is a restricted access area so I can’t get in:


Apr 21 2008

Anatomy of a Chinese hacker attack

Published under Hacker Organization, US attacks

Even though a major attack did not occur on CNN, there were some lessons learned that we can take away from this event. So what did we learn? Here are some of the things I noted:

  1. We can reconstruct a bit of the social side of the attack
  2. There is some evidence about their method of organization for operational tactics
  3. Stockpile of ready-made software for novice attackers
  4. Possible reasons the attack was canceled

Social

The first thing we need to do is identify the reason behind the attack. What were the catalysts that led the Chinese hacker community to go after CNN? This would be my list:

  1. CNN’s report on Chinese hackers is seen as unfair, with accusations that parts of the CNN interview were fabricated
  2. CNN makes remarks about the Tibet situation that angers the nation
  3. Anti-CNN’s call for protests provides timing for coordinated effort
  4. Beijing’s call for an apology from CNN may have been seen as tacit support for the attack. Or, at least that there would be no retribution if one did take place. This might be the most important factor of all.
  5. Reliving the glory days of the Sino-US cyber conflicts
  6. Making a name for themselves and building their own Chinese hacker cell. Many of China’s most famous hackers got their start during the early years of conflict with different nations.

Organization

With the decision made to launch an attack, they seem to have decided to use the website that cn_magistrate opened in 2007:

Domain Name: hacksa.cn
ROID: 20070811s10001s50288265-cn
Domain Status: ok
Registrant Organization: 判官
Registrant Name: 判官
Administrative Email: Kenan2677@126.com
Sponsoring Registrar: 北京万网志成科技有限公司
Name Server: ns1.okidc.com
Name Server: ns2.okidc.com
Registration Date: 2007-08-11 11:59
Expiration Date: 2008-08-11 11:59

The website would be used for a central gathering point, dissemination of information and organization. During this phase, they probably planned their basic attack formation and strategy. Using the QQ charts found on www.hacksa.com, I was able to make this very rough organizational chart:

(Yes, very rough and ugly chart. God I miss my I2 for making charts)

The QQ numbers listed six headquarters units (probably the more experienced hackers), 42 regular groups (actually 44, since he started with zero and may have accidentally listed group 32 twice), and one propaganda unit. For easy math, I took the number of headquarters units and evenly divided the regular units among them as best I could. You will note I put the two group 32s together and placed the left-over regular units into the final formation. The propaganda unit was made a separate organization; some of the additional units may have belonged with them. Of course, cn_magistrate may have used a completely different configuration, but this is the one that made the most sense to me. The chart brings up several questions:

  1. The character 满 to the right of the groups means filled. Why did cn_magistrate skip the additional group 32 and group 33 when bringing the units up to full strength? Groups 37-42 seem logical if you are filling them in as recruits become available. Were the extra group 32 and group 33 special somehow?
  2. Only one of the headquarter units shows it to be full. Were they possibly having trouble getting skilled hackers to join the attack?
  3. How many people did it take to fill up the groups? We can guess that it was more than one, since a QQ number was assigned to each of the groups.
  4. What was the function of the propaganda unit? A possible answer is that it was to spread news if the attack turned out to be successful. Useless to have a political attack if no one is aware it happened.

The next thing we are able to tell was the means they used to get recruits to participate in the attack. This was accomplished through posting requests on popular websites and probably through restricted registration areas. Here is a listing of just some of the websites the group posted to:

http://bbs.neteasy.cn/showthread.php?p=984976
http://www.coogo.net/bbs/showtopic-444648.aspx
http://www.ytjt.com.cn/bbs/redirect.php?tid=36644&goto=lastpost
http://www.ipark.cn/bbs/Post.asp?PostID=836336
http://blog.xuite.net/lemon_head/simple/16728332
http://tieba.baidu.com/f?kz=357748876
http://bbs.hackbase.com/viewthread.php?tid=3210548
http://tianya.com

The group used these sites to request compromised computers and, while I can’t locate the posting now, also funds. Was the money donated to be used to rent botnets?

Stockpile

The website http://playgood.ys168.com was used to stock scripted software that could be downloaded by recruits who had little technical ability.

End Game

Finally, the assault was called off and then the organization was disbanded. Big question, why?

  1. As stated, too many people were aware of the operation
  2. Unable to fill the units enough to be effective
  3. Just plain worried about the consequences
  4. Beijing sent out an order to shut it down

Please feel free to comment on other things we should have learned from this or where I totally botched this analysis.


Apr 21 2008

Chinese hackers displaying CNN hack trophy?

Published under Nationalism, Tibet, US attacks

Danwei reporting that Chinese hackers are celebrating a successful hack on a portion of the CNN website with screen shots of their trophy:

The top picture is a screen grab that shows the current state of the website. The second image shows the hacked web page and the slogans left by the hackers, both in English and Chinese:


Apr 20 2008

Revenge of the Flame disbands, denies all responsibility for attack on CNN…and kills website

The leader of Revenge of the Flame has taken down his website and posted a disbandment notice.

!!!We salute our lovable motherland!!!

(graphic posted in the center of this statement does not load)

Revenge of the Flame disbanded

There are actually many ways to be patriotic, we do not want to be impulsive, we should study well, struggle and take great effort to gain knowledge. Only in this way can we develop our motherland and our motherland’s strength. This is all we really wish to see happen.

The Revenge of the Flame has already halted all DDOS attacks, we do not advocate the attack, we advocate diligent study of technology. From this point on, any attack whatsoever, has nothing to do with Revenge of the Flame. If any member of our group, Revenge of the Flame, participates in this type of activity, it is an individual action and has nothing to do with cn_Magistrate or Hackerwolf. Request that everyone make careful deliberations.

(Note: I was under the impression that magistrate hackerwolf was one word, one name but obviously it is two individuals. Here are their blogs; cn_Magistrate and Hackerwolf.)

Currently, everyone on the internet is using the instrument of attack as a means to express their passion and this has already obstructed the motherland’s normal network communications. This is something we do not wish to see happen. Regardless if it is “Revenge of the Flame” or not, we hope that everyone can rationally reflect on this question.

From this moment, the Revenge of the Flame is disbanded!! If there are any notifications after this, they will be posted here. We respectfully ask that you pay attention to this page.

Any attack whatsoever, regardless if it is by an individual or an organization, has serious consequences!!!!!!!!!!!!!!!!!!!!!!

The Revenge of the Flame exists no more forever!! We are now a “patriotic study organization” and we will take the flame into our heart! The Revenge of the Flame in our hearts can never be extinguished! We must struggle! We must work! We must turn our strengths into a shining sword spirit (this sentence may have a somewhat different meaning, not sure).

Without a doubt we must study even more, our forum has already been established. This is really our true exchange space.

http://bbs.hacksa.cn

cn_Magistrate
Hackerwolf

20 April 2008

To our lovable motherland, I say I love you!!


Apr 19 2008

More from Revenge of the Flame on CNN attack

Located cn_Magistrate’s blog, the leader of Revenge of the Flame, here is a post from his blog on 18 April 2008:

As always, my thanks for everyone’s strong sense of nationalistic responsibility; once again, the Magistrate is grateful to everyone.

Today is 18 April, we are angry and we shall roar, the announcement follows:

  1. Prior to 8:00 pm on 18 April 2008, we invite everyone on IS (ID number 12570496).  We will have an important matter to pass along.  (This part a little rough on xlation) Please note our compatriots will find a way online, obey directions that have been put in place.
  2. Tool download address, considering that there are many normal web users who do not have a high-degree of technical knowledge, we are providing idiot-type (really means for those who don’t know) tools for download. The download address: http://playgood.ys168.com/.  Everyone please pay attention to the group announcements.
  3. Everyone please remain disciplined, listen to the directions of each of the group managers.  Pay attention to your own words, deeds and essence.  We are all Chinese!

18 April 2008
cn_Magistrate
Hackerwolf


Apr 18 2008

Chinese hacker group identified as “Revenge of the Flame” calls off attack on CNN…too many people know

Graphic Attached to Release by Revenge of the Flame

The Chinese hacker group that has been organizing to attack CNN has been identified as the “Revenge of the Flame.” They recently released a statement calling off the DDoS attack on CNN; however, it may have come too late to stop some of its members from going after the site. CNN has just filed a report stating that they had experienced an attack in an attempt to disrupt their website. For this reason, we will keep the clock up and see what happens tomorrow…it might not be over.

Statement from Revenge of the Flame:

In just three short days, our organization, the Revenge of the Flame, has grown large. First, I want to thank everyone for their strong sense of nationalistic responsibility. However, maybe we were too impetuous. We love our country! We will resist all anti-Chinese influences! However, we must choose the right way to come to the defense of our country, families and ourselves!!! After some core internal discussions, we have decided to temporarily cancel the 19th attack plan! The Revenge of the Flame organization still exists! Later we can be a computer discussion organization, we will study together for the day our country needs us! Our government and military will all mobilize! At that time, we will let those so-called foreign net-forces see! No matter where, China will never lose to them! We also have our net-forces! Perhaps at that time, our Revenge of the Flame will be the main strength! We all love our country! But, we must use sensible methods to defend our honor!

ATTENTION: Our original plan for 19 April has been canceled because too many people are aware of it and the situation is chaotic. At an unspecified date in the near future, we will launch the attack. We ask that everyone remain ready. I will repeat it again. At an unspecified date in the near future, we will launch the attack. We are only at present cancelling the attack. We could send out a notice on the day of the attack and have it completed in one day. The attack hasn’t been cancelled; it will be carried out on an unspecified day in the near future. I think everyone understands what we mean.

We hope that even more people with the Chinese national blood will join our actions. Only in unity is there strength. We are not individuals, we are a collective, and we are Chinese.

17 April 2008
Magistrate
Hackwolf
Source: http://www.hacksa.cn
