Archive for August, 2008

Aug 14 2008

Up is down, right is left, dogs and cats living together…Chinese hackers on holiday

Published by Heike under Nationalism

Yeah, the posts have been coming slow lately but some of you may have heard about a little event going on in China called the Olympics. Chinese hackers watching sporting events, worried about foreign hackers attacking them…my world is completely upside down.

The boys and girls from 3800hk.com, the largest Chinese hacker training site, took more than 20 of their “employees” out to enjoy the games. Plus, they love them some Mr. Yao Ming:

More pictures of their adventure here if you are interested…but pretty much the same as these.


2 responses so far

Aug 10 2008

Chinese hackers eating Chinese hackers…with a side of government

Published by Heike under Hacker Hunting, Hackers Talking

This is the official Chinese government website for Longgang Emergency Management:

This is also the official Longgang Emergency Management website, when you add xiaozi.html:

You would think, with the recent earthquake in Sichuan and the ongoing Olympics, that government websites dealing with emergency management would be inspected rather thoroughly. Not so much. Google spiders crawling the internet show that the website has been hacked since at least 31 July 08.

Is it unusual for a Chinese hacker to attack their own government’s website? The first generation of Chinese hackers had very strict rules about not hacking inside China, but the current crop doesn’t seem to adhere to the same code. Doing a pull on Zone-h.com.cn gives 1,952 known Chinese government websites that have been hacked. A fairly large number of those attacks appear to have been carried out by Chinese hackers.

So, from the URL extension on the hacked page of the Longgang Emergency Management website, who or what is a xiaozi? It is a who, or to be more precise, a him.

Meet Network Boy (Wanglu Xiaozi):

Blog name: Network boy’s BLog Hacker
Site admin nickname: Network boy
Age: 18
Birthday: 13 December 1989
Sex: Male
Blood type: B
Zodiac sign: Virgo
Address: Wulumuqi, Xinjiang
Personal quote:
Hobbies:

Not to get in a battle over Zodiac signs but isn’t someone born on 13 December a Sagittarius? Maybe something to do with the Chinese Lunar Calendar but trying to figure it out hurts my head about as much as International Date Line conversion. I have Chinese friends I give birthday gifts to five times a year just to be on the safe side. Moving on.

Going through Netboy’s website reveals that government websites are not his only target; he also has an affinity for fellow hacker websites.

1) First target, zgmuma.com (China’s Trojan Base):

According to Netboy, he was bored and went to his favorite hacker site (hackol.com) to study but the website was down. He did notice a link toward the bottom of the page that connected to zgmuma.com and for reasons unmentioned decided to see if he could break into the site. Zgmuma.com is another Chinese hacker website that boasts the largest collection of online game trojans around. It also provides hacker training.

I have to give Netboy credit: he provides a step-by-step account of his exploits, including screen shots and the tools used to perform reconnaissance on the intended victim. With this one he was able to find a fatal flaw in the server and crack it. While Netboy was breaking into zgmuma, his buddy, who goes by the name of Ice Sugar, contacted him to say that he had gained access to cnhacker.com and posted a hacked page:

Ice Sugar passed over the info on cnhacker.com to Netboy, who said he also posted a hacked page on the site.

2) Second target, an81.cn (The Dark Hacker Group):

Netboy was able to gain access to this website because they were using Dvbbs8.1. He was thankful that it was not 8.2, because then he would not have been able to gain access to the backstage shell. Using Thunder (unclear) he was able to discover the site admin’s password, 6423987, after making several manual guesses. He also used an ASP trojan during the process but I couldn’t begin to tell you what he was talking about; didn’t understand much of the technical jargon.

3) Third target, www.163???.com (Hacker)

Netboy really liked the design of this website and considered it difficult to break, but still managed. Once again, he takes you through his very methodical system of cracking the website, and I wish I were able to translate it but can’t. Some of you people who are more on the tech side might be able to gather what he did even better than me from the screen shots.

For whatever reason, he decided to hide the target’s URL, but it only took about a minute to find the site, www.163xjs.com. I wasn’t able to access the site due to a “directory listing denied” message. However, Google’s cache was not so particular about who peeked:

Even though the imagery is absent, it is clearly the same website.

4) Fourth target, hacker98.cn

Lots of stuff on this hack too, but I’m getting bored and you get the point. He hacks other Chinese hacker websites.

Conclusion: At the end of each of these attacks, Netboy posts an invitation for other skilled people to join his group. So, this all may be just to gain recruits by proving he is better than the other groups out there.


2 responses so far

Aug 06 2008

International hacker ring steals 40 million credit and debit card numbers

Published by Heike under Hacking for money, US attacks

US law enforcement busted a gang of 11 international hackers who stole 40 million credit and debit card numbers. Three things stand out for me in this report:

  1. Three of the defendants are U.S. citizens, one is from Estonia, three are from Ukraine, two are from the People’s Republic of China and one is from Belarus. One individual is only known by an alias online, and his place of origin is unknown.
  2. In addition, an indictment against Hung-Ming Chiu and Zhi Zhi Wang, both of the People’s Republic of China, and a person known only by the online nickname “Delpiero,” was also unsealed in San Diego today. Chiu, Wang and Delpiero are charged with conspiracy to possess unauthorized access devices, trafficking in unauthorized access devices, trafficking in counterfeit access devices, possession of unauthorized access devices, aggravated identity theft, and aiding and abetting. Also in San Diego, Sergey Pavolvich, of Belarus, and Dzmitry Burak and Sergey Storchak, both of Ukraine, were charged in a criminal complaint with conspiracy to traffic in unauthorized access devices. All are believed to be foreign nationals residing outside of the United States.
  3. The San Diego charges allege that Yastremskiy, Suvorov, Chiu, Wang, Delpiero, Pavolvich, Burak and Storchak operated an international stolen credit and debit card distribution ring with operations from Ukraine, Belarus, Estonia, the People’s Republic of China, the Philippines and Thailand. The indictments allege that each of the defendants sold stolen credit and debit card information for personal gain.

First, I’m struck by the diversity of the group. They seem to come from all over the globe and my question is how did these people get together?

Second, and any help from someone familiar with the legal system would be greatly appreciated: the report states that several of the people indicted lived outside of the US. Does this mean they were taken into custody in their respective countries or just named in the indictment? My guess is just indicted, but I would like clarification if anyone knows.

Third, did the PRC cooperate in this investigation? The news has made its way into major Chinese news outlets and the Chinese hacker community but so far without comment. And yes, we are trying to find more information on Chiu and Wang.

Finally, major kudos to the Department of Justice for breaking the case.

UPDATE: We did warn you to watch these types of connections back in March.


5 responses so far

Aug 04 2008

Chinese hacker dancing and defacing = pure awesome!

Just going to change the name of the blog to the Xiao Tian Show and call it a day. Even though Chinese hackers are now constantly worrying about the Olympics getting hacked, Xiao Tian has managed to remain in the spotlight. The latest articles making the rounds about Xiao Tian still summarize the interview with the Daily News and Analysis, just with the addition of a defacement:

The first reference I can find of this defacement indicates it took place in September of 2006, to protest Prime Minister Koizumi’s visit to the Yasukuni Shrine. Several people posting think it was done by a female hacker due to the signature line that translates to something like, “the girl pissing on the Yasukuni toilet.”

The article uses the screen shot to demonstrate how ferocious female Chinese hackers can be and does not attribute it to Xiao Tian. Plus, we know our gal would never use such vulgar language. She saves all that built-up nationalist energy for the dance floor:

FROM Xiao Tian’s blog: She is on the left in black and says to ignore the other girl in the short skirt. As a matter of fact, Xiao Tian wants you to know she hates that girl. Apparently, the DJ pushed the girl up on the stage so the two could dance together. Xiao Tian doesn’t have kind words for the DJ either. Also, she claims to have been a bit nervous on stage, so these are not her best dance moves.

That is why you come here, for the culture. Now, back to your nerdly doings.


One response so far

Aug 03 2008

Release of 22nd Statistical Report on Chinese Internet Development

Published by Heike under Uncategorized

[Chart: measured in hundreds of millions]

“Quantity has a quality all its own”

- J. Stalin

For all you number crunchers out there, CNNIC has released its 22nd Statistical Report on Chinese Internet Development. They have posted an English summary on their website; the full report is in Chinese:

With the Largest Amount of both Netizens and ccTLDs in the World, a Big Internet Power Is Taking Shape

By the end of June 2008, the number of netizens in China had reached 253 million, surpassing that in the United States to take first place in the world. This is according to a newly released Survey Report by China Internet Network Information Center (CNNIC).

This report, the 22nd Statistical Report on the Internet Development in China, also indicates the number of broadband users has reached 214 million, which also tops the world. The CNNIC also announced that, by the time of July 22, the number of CN domain names, which was 12.18 million, had exceeded .de, the country-code Top Level Domain for Germany, thus becoming the largest country code Top-Level Domain names in the world. These three major breakthroughs show a big Internet power is taking shape.



2 responses so far

Aug 03 2008

China forms Anti-Phishing Alliance

Published by Heike under Hacking for money

Calling on any government to fix a problem gives you a dicey chance at best that it will be resolved. Now, call on the people who have skin in the game to assist and your odds of getting results rise exponentially.

From CNNIC, Chinese companies form Anti-Phishing Alliance:

In order to tackle phishing activities using CN domain names and to protect online safety, Anti-phishing Alliance of China (APAC) was founded on July 18, 2008. Its founding members include Chinese banks, securities companies, e-commerce companies, CN registry and registrars, as well as scholars. CNNIC, the registry of .CN, was appointed as the secretariat of APAC.

CNNIC was authorized to accept reports about phishing sites, to organize phishing site identification, and to stop DNS resolution as soon as a phishing site using a CN domain name is identified.



Comments Off

Aug 02 2008

I won the Beijing Olympic lottery!!!

Published by Heike under Hacking for money

Yes, it’s true. The Beijing Olympic Committee used Google to randomly pick my e-mail out of the 20 or 30 that are out there on the internet, and the Renminbi is about to start rolling in. Read more about this little scam on page 12 of Symantec’s report for July of 2008.

Also, there are still people out there using the tragedy of the Sichuan Earthquake to spread the beijing.exe program through video.

This report begins on page 10 of the same Symantec report and includes a bunch of tag-lines.

The user may be lured into playing the video, which in turn opens an executable file. This executable file has been detected as Trojan.Peacomm.D by Symantec AntiVirus software. Trojan.Peacomm.D is a Trojan horse that gathers system information and email addresses from the compromised computer. The Peacomm family of Trojans are also commonly known as the “Storm” Trojan. Similar attempts have been made in the past using high profile news events to spread viruses via email. Users should be aware of such attempts, and avoid opening emails and clicking on suspicious links.


Comments Off
