The Dark Visitor

Received an e-mail today from www.blogged.com that has rated us as follows:

We evaluated your blog based on the following criteria: Frequency of Updates, Relevance of Content, Site Design, and Writing Style.

After carefully reviewing each of these criteria, your site was given its 8.0 score.

An 8.0…I mean WTF? I strongly suspect that Jumper has pulled the blog down from my own unbiased rating of around 8.15 prior to his arrival.

An 8.0 is great? Not in my book buddy, that is like low hanging “B” work. We at TDV vow to increase the quality of our postings, we will spare nothing to move up the ladder at blogged.com…unless of course it involves too much effort.

I swear people have to sit around and think of phrases like this…from the WSJ:

In addition to cybersecurity threats in other countries, “so many people are going to the Olympics and are going to get electronically undressed,” said Joel Brenner, the government’s top counterintelligence officer. He tells of one computer-security expert who powered up a new Treo hand-held computer when his plane landed in China. By the time he got to his hotel, a handful of software programs had been wirelessly inserted.

More nudity here…

Bruce Schneier is a well-known security and cryptography researcher.  He has a popular blog where he posted his recent article detailing “The Truth About Chinese Hackers”, which was written for Discovery Channel.

This article is not particularly insightful and sort of lumps all of the Chinese hackers into a single group of young, male patriotic kids doing it for the babes and limos.

These hacker groups seem not to be working for the Chinese government. They don’t seem to be coordinated by the Chinese military.

The hackers are in this for two reasons: fame and glory, and an attempt to make a living.

This is very short sighted.  We should be honest here, neither Bruce Schneier nor Heike and I know with absolute certainty what Chinese hackers are doing, who is coordinating them and who might be paying them.  Maybe the article shouldn’t be titled “The Truth About Chinese Hacker” because Bruce doesn’t know what the truth is (Heike would have said that he couldn’t handle the truth either, but that’s not my style).

I think a lot of people assume that activity attributed to the PRC is simply based on the IP address.  After studying spear phishing attacks, custom malware attacks and the types of data that have been exfiltrated from various NGO targets it seems likely that some entity is coordinating the collection and exploitation of this information.  In my humble opinion, there may be more to this than WoW passwords.

Chinese hacker candy is dandy…

Hat tip: To you know who

UPDATE: Dominic reminds me that some people might not be as Chinese hacker obsessed as myself and suggests I give some links as to why Withered Rose is important.  Whoops on my part! For some background on rose, read here and here.

As mentioned yesterday and updated today, Withered Rose (Tan Dailin) is back to his old haunts; both mghacker.com and ncph.net websites are up and running again. Just a couple of observations:

1) Rose has done some scrubbing of his personal blog mghacker.com. Had to go to the wayback machine to make sure but you can tell a number of posts have been deleted for some reason by comparing the wayback machine to what is listed on the current blog’s archive. Rose has wiped out everything prior to March of 2007 and selectively edited the months still showing.

2) Not sure why but at least four of the new post on ncph.net are old posts from the mghacker.com blog:

a.

Mghacker 再现社会工程学 (29 Mar 2007)
Ncph 再现社会工程学 (31 May 2008)

b.

Mghacker 3389密码的嗅探 (29 Mar 2007)

Ncph 3389密码的嗅探 (11 May 2008)

c.

Mghacker Rainbow Table 分析 (10 Apr 2007)

Ncph Rainbow Table 分析 (11 May 2008)

d.

Mghacker 获取cuteftp中的ssh密码 (16 May 2007)

Ncph 获取cuteftp中的ssh密码 (11 May 2008)

3) Whois data shows that NCPH.net administrative contact as:

Administrative Contact:
ncph studio
ncph studio ()
si chuan li gong xue yuan
zigong, Sichuan, cn 643000
P: +86.13154663992 F: +86.13154663992

Sichuan Ligong Xueyuan is the Sichuan University of Science and Engineering. Rose founded NCPH while a student at the university. A Chinese hacker going by the name of Rodag, who was also a member of NCPH lists the university as a contact on his blog.

The contact number 86.13154663992, was noted by Jumper in an IRC log:

# jumperon 08 Dec 2007 at 11:04 pm edit this

In the second picture of Rose, he is using a tool called Metasploit on his computer. http://www.metasploit.com.

IDefense has a lot of stuff on NCPH and Rose. There are a couple of archived webcast videos about them on idefense’ website. I did a bunch of searching and found this funny tidbit:

21:41 gila poyo
21:41 you computer is hack by chinese’s hack infall, shit!
21:41 from http://www.chinahonker.com my name is tan dailin
21:41 contact us with QQ 5372453 or
21:41 tel:86+0+13154663992
21:41 my blog :www.mghacker.com or http://www.ncph.net
21:41 ~~~~~~~~~~~~~~~~~~~~~~~~~shit! you are a pig !
21:41 i found this in some machine
21:41 haha
21:41 YOUR COMPUTER IS HACK

It is from an archived IRC log. There isn’t any more context to go off of so I’m not sure who is who in this. Gila poyo is malay but I don’t know what it means.

My guess is the at the two of them are old college buddies.

4) What does this random sampling of information mean? Not much. Just wanted people to be aware that Mr. Rose is back in business and on the internet.

UPDATE 13 JULY 08: Still doing some research but at this point it is kind of a moot question… CHINESE HACKER WITHERED ROSE HAS RETURNED! Why I don’t do things the simple way is one of those questions that may never be answered. Did you check his blog site? Yep, Withered Rose reopened it on 2 July 08. The only explanation given for the long absence was that he was busy but his new job allows him time to blog. More later.

Jumper and I are in the process of looking through the posts at NCPH.net (it became active again on 14 April 08), a site previously run by Withered Rose, to determine if it is indeed the same organization. The site went down after it received a bit of notoriety from a Time’s article titled Enemies at The Firewall.

There are at least two articles that detail hacks of Taiwanese websites but it is uncertain if it is still run by Rose.

Hopefully, more to follow.

Remember Crouching Powerpoint, Hidden Trojan?  Maarten VAn Horenbeeck will be giving a presentation at the SANS Fire conference in DC later this month.

Is Troy Burning? An analysis of targeted cyber attacks.
- Maarten Van Horenbeeck, SANS ISC
- Thursday, July 24, 2008 * 7:00pm

The use of trojans in targeted attacks has been known dating back to at least 2002. However, only since 2005 has their use and methodology become relatively widespread and better understood. Recently some of the more notorious attacks, especially those on governments, have been widely discussed in the media, but little technical information is available.

This presentation is based on private investigations of targeted attacks against various organizations, and provides a detailed view on the methodologies, both from a technical as a social engineering perspective, most popular in these attacks. In addition, it briefly touches on how effective today’s protection mechanisms are and to what degree these attacks can be mitigated and detected.

More details on the conference here.  If anyone is going, please let me or Heike know.

From Chosun.com:

The claims of an unidentified Chinese hacker have alarmed Korea’s Internet portals. Nate.com, a leading Korean portal run by SK Communications, is dismayed by a message left on a Chinese website. Claiming to be a hacker, the writer offered to sell the personal information of 12 million Nate.com members for one million yuan (W100 million, US$1=W1,006). As if to prove the claims, the writer revealed the information of five or six Koreans.

Cont reading…Chinese hacker threatens to release user information

Richard Bejtlich blogged about the AF Cyber Panel last month and provides a plug for the TDV book which he reviewed a while ago.  The Cyber Panel had some informal discussion about the cyber-militia:

In the US, our DoD relies upon professional, uniformed military members, government civilians, and an immense contracting force to defend the nation and project its military power. In China, their PLA mixes uniformed military with ordinary civilians, some of whom act at the behest of the military and government, with others acting on their own for “patriotic means.” 

The discussion turns into a comparison of the US/PRC capabilities and specifically how the US can recruit and retain qualified cyber warriors.  The problem seems to be that the PRC can call up an army of qualified patriotic hackers while the US is having problems recruiting and retaining talent.

On the 21st of June, we told you about SKSgod selling a trojan downloader called “Chinese Hacker Vampire” and the online controversy that ensued when another hacker took credit for it.  The end? No, fresh drama has been introduced into this saga.

Author of Chinese Hacker Vampire Program JAILED!

On 4 July, News.cn reported that an 18-year-old hacker surnamed Zhou had been arrested in connection with selling the trojan downloader program.  Police from Chongqing City launched an investigation into the case after receiving a phone call from an anonymous source who reported that there was a website selling the Chinese Hacker Vampire downloader.  According to the report, Zhou’s website even threatened to shutdown the anti-virus software industry.

On July 1st,  Chongqing police captured Zhou while still asleep in his apartment and he later made a full confession to the crime.  The end? No.

Silly police, you can’t arrest a vampire

Decided to visit SKSgod’s website and see when he last posted and surprise…it was 5 July.  Wait, wasn’t he jailed on July 1st?  Nope.  SKSgod is just having a real run of bad luck with people stealing his program and identity.

On 5 July, he posts an apology to all the people who lost money purchasing the Chinese Vampire downloader and promised to use his energy to create a better program.  One person in the comments section suggested that his time and energy could be put to better use. So, that was funny.

On 4 July, when the story was breaking about the arrest, he posted three separate articles dealing with the rumor.  All three postings had the same theme, complaining about how all this news was hurting his reputation.

Is he at all concerned about the poor schmuck shown getting arrested? Nope, this is all about him and his online creds.  The end? Who knows.