Apr 22 2008

More on anticnn.exe

Published by at 8:31 am under Chinese Malware, Nationalism, US attacks

CNN-hating Chinese nationalists can download a tool that sends high volumes of requests to www.cnn.com in an attempt to knock it offline. The tool is bundled in a .rar file containing a readme and the pre-compiled Windows binary. A quick virus check showed that some scanners identified it as a backdoor, but that didn't seem to be the case. When I ran the tool, a simple flag icon appeared in the lower right of my test VM.

When I click on the flag, the full interface appears with three options: start/stop, minimize, and exit.

Here is a sample of the request/response I got after running it for a few seconds:

GET /aux/con/com1/../../[LAG]../.%%%%%%%%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp HTTP/1.1
Accept: */*
Host: www.cnn.com
Connection: Keep-Alive

HTTP/1.1 400 Bad Request
Date: Tue, 22 Apr 2008 12:12:34 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 287
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache Server at
www.cnn.com Port 80</address>
</body></html>
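For anyone watching a web server's logs for this tool, the request above has traits a browser never produces: a fixed "fakecnn/redflag-stay-here" path, Windows reserved device names (aux, con, com1) as directory components, and a run of bare % characters. The following is an added detection example, not code from the post or from the tool; the log lines, IPs and timestamps are constructed, and the log format is assumed to be Apache combined format.

```python
import re
from collections import Counter

# Constructed Apache combined-format lines approximating what the request in the
# capture above would leave behind (400 response, 287 bytes). IPs are from
# documentation ranges and the timestamps are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2008:12:12:34 +0000] "GET /aux/con/com1/../../[LAG]../.%%%%%%%%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp HTTP/1.1" 400 287 "-" "-"
203.0.113.7 - - [22/Apr/2008:12:12:34 +0000] "GET /aux/con/com1/../../[LAG]../.%%%%%%%%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp HTTP/1.1" 400 287 "-" "-"
198.51.100.9 - - [22/Apr/2008:12:12:35 +0000] "GET /2008/WORLD/asiapcf/04/22/china.html HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Apr/2008:12:12:35 +0000] "GET /aux/con/com1/../../[LAG]../.%%%%%%%%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp HTTP/1.1" 400 287 "-" "-"
"""

# Apache combined log: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Signature pieces taken from the captured request.
MARKER_PATH = "fakecnn/redflag-stay-here.php"
RESERVED_NAMES = {"aux", "con", "com1"}


def is_anticnn_request(path: str) -> bool:
    """True if a request path carries the traits of the anticnn.exe request."""
    segments = path.lower().split("/")
    has_reserved = any(seg in RESERVED_NAMES for seg in segments)
    has_percent_run = "%%%%" in path  # invalid percent-encoding, never sent by a browser
    return MARKER_PATH in path or (has_reserved and has_percent_run)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_sources(log_text: str) -> dict:
    """Return {ip: count} for every source IP that sent a matching request."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_anticnn_request(rec["path"]):
            hits[rec["ip"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, n in sorted(flag_sources(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} anticnn-style requests")
```

Feed it a real access log and the per-source counts are the natural input for a rate threshold or a block list.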

I read somewhere that it is self-updating but I never saw any requests other than DNS resolution (to my own configured DNS servers, not hard-coded) and requests to www.cnn.com.  I’ll run it in “paused” mode for a while to see what happens.

UPDATE (0100GMT 23 April 08):  No suspicious traffic came from this binary (apart from what was expected, of course).

UPDATE (1628GMT 24 April 08): Heike and I have dubbed anticnn.exe the “Mao-inator”.

3 Responses to “More on anticnn.exe”

  1. [...] on Tuesday, The Dark Visitor, a site that tracks Chinese hackers, reported that on a downloadable tool now available for those [...]

  2. [...] Chinese Hackers have launched a DoS attack on CNN.com. They’ve got so far as to launch a downloadable tool for all those interested in assisting in the next [...]

  3. Heike on 22 Apr 2008 at 7:51 pm

    Jumper,

    Your latest find is amazing! Tried to contact you but have had no luck so far. I know you are busy with that crazy testing stuff you are doing but I think this needs to be put out…quick.