Apr 22 2008
CNN-hating Chinese nationalists can download a tool to send high volumes of requests to www.cnn.com in an attempt to knock it offline. The tool is bundled in a .rar file that contains a readme and the pre-compiled Windows binary. A quick virus check showed that some scanners identified it as a backdoor, but that didn’t seem to be the case. When I ran the tool, a simple flag icon appeared in the lower right of my test VM.
When I click on the flag, the full interface appears with three options: start/stop, minimize and exit.
Here is a sample of the request/response I got after running it for a few seconds:
GET /aux/con/com1/../../[LAG]../.%%%%%%%%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp HTTP/1.1
HTTP/1.1 400 Bad Request
Date: Tue, 22 Apr 2008 12:12:34 GMT
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<title>400 Bad Request</title>
<p>Your browser sent a request that this server could not understand.<br />
<address>Apache Server at www.cnn.com Port 80</address>
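As an added example (not part of the original post), here is a small Python scanner that flags this tool's request pattern in web server logs. The log lines are constructed in Apache combined format with documentation-range IPs; the only thing taken from the capture above is the request path.

```python
import re
from collections import Counter

# Constructed combined-format access log lines (not real CNN logs).
# Lines 1 and 3 carry the request path captured from anticnn.exe; line 2 is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2008:12:12:34 +0000] "GET /aux/con/com1/../../[LAG]../.%%%%%%%%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp HTTP/1.1" 400 226 "-" "-"
198.51.100.5 - - [22/Apr/2008:12:12:35 +0000] "GET /2008/WORLD/asiapcf/04/22/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Apr/2008:12:12:35 +0000] "GET /aux/con/com1/../../[LAG]../.%%%%%%%%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp HTTP/1.1" 400 226 "-" "-"
"""

# ip, method, path and status from a combined-format line; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators drawn from the captured request line. Each one alone is weak;
# together they are distinctive: Windows reserved device names, a long run of
# '%', repeated ../ traversal, and the tool's own "fakecnn" marker directory.
DEVICE_NAMES = re.compile(r'/(aux|con|com\d|lpt\d|nul|prn)(/|$)', re.IGNORECASE)
PERCENT_RUN = re.compile(r'%{4,}')


def score_request(path):
    """Return the list of anticnn-style indicators present in a request path."""
    hits = []
    if DEVICE_NAMES.search(path):
        hits.append("dos-device-name")
    if PERCENT_RUN.search(path):
        hits.append("percent-run")
    if path.count("../") >= 3:
        hits.append("traversal")
    if "fakecnn" in path.lower():
        hits.append("fakecnn-marker")
    return hits


def scan_log(text, min_hits=3):
    """Return {source_ip: count} of lines that match at least min_hits indicators."""
    offenders = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and len(score_request(m.group("path"))) >= min_hits:
            offenders[m.group("ip")] += 1
    return dict(offenders)


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))  # {'203.0.113.7': 2}
```

Requiring several indicators at once keeps a single stray `../` or `%` from triggering on ordinary traffic, while the per-IP counts feed directly into rate-based blocking.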
I read somewhere that it is self-updating but I never saw any requests other than DNS resolution (to my own configured DNS servers, not hard-coded) and requests to www.cnn.com. I’ll run it in “paused” mode for a while to see what happens.
UPDATE (0100GMT 23 April 08): No suspicious traffic came from this binary (apart from what was expected, of course).
UPDATE (1628GMT 24 April 08): Heike and I have dubbed anticnn.exe the “Mao-inator”.