The Dark Visitor

One of the clearest instructional videos I have seen on how to use the Gray Pigeon trojan horse.  I haven’t tried to translate the video but thought it might be of interest to some of our more technically inclinded audience.  The first part describes how to use the program and the second part shows how the information is collected from an infected computer.

Video Removed (killing the rest of the posts)

The first calls are starting to make the rounds on Chinese hacker sites to attack the Sharon Stone website. The actress recently started a firestorm in China after she gave an interview suggesting that the earthquake in Sichuan was the result of bad karma. I guessed it would be just a matter of time before Chinese hackers targeted her online and have been monitoring the boards.

One site has posted a bit of initial reconnaissance of the website:

There was also a post asking to have the unofficial website of Sharon Stone hacked:

Tried going to the website for a contact address but found the, “This site may harm your computer” posting. Maybe Jumper will have the time to check it out later.

Started to wonder why all those hearts were appearing on Chinese blogs and the answer may just be, the Red Heart China MSN:

About 2.3 million Chinese MSN users have added a pattern of “red heart” and the English word “China” in front of their online signatures to show their unity and patriotism.

MSN China spokesman Feng Guangshun released the figure on Thursday. Many more people have opened their MSN accounts to find a message which asked them to add the “red heart” and “China” in front of their signatures.

A bit more on Red Heart from the Wall Street Journal:

When Xingrong Chen logged into MSN Messenger yesterday, she found a message from a friend inviting her to join China’s latest Internet craze:

“Please add (L) China after your name on MSN, to show the unity of Chinese people around the world. Please send this message to your friends on MSN.”

She followed the instruction and within a second, a red heart icon and the word “China” appeared beside her user name.

“I have no idea who first raised this idea, and it doesn’t matter.” the 24-year old Shanghai resident said, “My MSN contact list is red all over now!”

Youku video of people explaining Red Heart China:

Well, apparently not everyone is as excited about this new wave of patriotism sweeping China. According to many news sources in China (24 April 08), the man who originated the Red Heart China signature has had his website 5sai.com hacked.

1. CEO Chen Huaiyuan said that the day before yesterday, the 5sai.com website came under attack from four foreign IP addresses and as of last night, the attacks still had not stopped
2. Statistical data from the 5sai.com server showed that the IP addresses were located in Europe
3. During the high frequency periods of the attack they were receiving two to three attacks every second and during the low peaks it was three to four attacks every minute

UPDATE FIZZLE: Just got word from Jose that nothing happened with the CNN website today. Chinese hackers are starting to make me look bad and I will not stand for that!!

If this keeps up, it may be easier to list the days that Chinese hackers are not calling for an attack on CNN.

Had some serious reservations about posting this article for a couple of reasons but decided it is probably worthwhile. The cons are that there is ZERO confirmation from other sites about the impending attack and the alert posting did not list a sponsoring organization. On the pro side, it included a website that was setup on the 20th (after initial attack) that is linked in the post and looks like it is there to support the action.

So, large CAVEAT: UNCONFIRMED

Added bonus, stupid clock again:

The Announcement

At 8:00 pm (Beijing local) on 25 April, Chinese hackers will attack CNN

[Announcement] 2008-04-21 On 25 April, 8:00 pm (Beijing local), Chinese hackers will attack CNN.

Everyone, please pay attention to the issuses regarding the effort to invade the CNN website. We are requesting the support of all Chinese. If you are an expert hacker, we request you ardently strive to invade www.cnn.com. If you are a novice, we request you use DDOS flood attack or put up a couple of pieces of hacker software. If you are not a hacker, we request that you land on the www.cnn.com website at 8:00 pm on 25 April.

Try with all your might to establish a link with the website in order to waste its resources. If their website is continually at capacity for three hours, the server may just crash. Don’t forget, there are over 1.4 billion Chinese! There are over 100 million Chinese online, they won’t be able to withstand us.

Please, assist us with the invasion of www.cnn.com, this represents the honor of China over the issue of Tibetan independence. The www.cnn.com website has put out a large amount of unsubstantiated reports that are a serious challenge and US hackers have already invaded many of our websites. It is time for revenge; let us begin a new round of Sino-US hacker wars. Let them know the strength of the Chinese people.

If it is convenient, please circulate this message to all of your groups. We need support…. Currently, many of us are going to this webpage to carry out the attack, http://www.goupsoft.com.cn/Bs_Cnn.html. The first time you open it, it might not display. Just refresh the page and it should be okay.

Kinda Lazy (but genius!)

Over at the attack website of goupsoft.com, you land on an automated webpage that uses your computer and IP address to continuously “attack” the CNN website unless you close the browser. My guess is that it is constantly making fresh requests from CNN to tie up bandwidth. The graphic below even shows the number of attacks you have made on the site.

Yeah, I kinda attacked CNN 24 times…Whoops! Well, CNN never returned my e-mail either! Damn, I’m sort of a Chinese hacker now? Anyway, the only really interesting thing in that blurb of Chinese above is that they call CNN a “whore.” Really, twice.

This Attack Method Spreading

While this might be the oldest trick in the book, it is new to me so I’m putting it out there. The website http://www.chenmin.org/doscnn.html is using pretty much the exact same attack method as mentioned previously.

Once again, you land on the webpage above and it begins refreshing the CNN website in an iFrame every five seconds using up their bandwidth (Jumper explained this to me). So, I sort of attacked CNN another five,six, seven…forty times looking at the program. Here is Jumper’s full explanation from the question I e-mailed to him last night about the site:

Yes. It loads an iframe: And then it reloads itself every five seconds:

<script>

var e=document.getElementById(’cnn’);

setInterval(”e.src=’http://www.cnn.com‘”,5000);

//1000 表示1000毫秒,你可以修改并转发

</script> Probably not as effective as the Mao-inator program.

I direct your attention to the last line (emphasis mine) in Jumper’s e-mail. Number one, he dubs the program he analyzed yesterday as the Mao-inator™, which I personally find hilarious. Number two, there seems to be a slight amount of professional jealousy involved since he is dismissing my program as “less effective” than the one he worked with. Yeah, but did yours call CNN a “whore” didn’t think so! Less effective, I think not sir!

All kidding aside, this is an excellent method for incorporating large numbers of unskilled people into your DDoS attack. It comes with the added advantage of using their computers, IP addresses and bandwidth and you don’t have to train them. The only skill that is required is the ability to open a webpage in a browser and let it run. Plus, recruits who might not be so willing to stick around to the end of the fight, if tied to a computer all day, are free to do whatever they want while at the same time defending the motherland. My vote GENIUS!

Make up your own odds if this will actually take place. I have informed Jose Nazario at Arbor Networks who has been monitoring this situation closely and has had great insights.

UPDATE 1: Located the blog for Li Haiwei, the owner of the attack website goupsoft.com.cn, and my boy has some serious issues with CNN and Tibet. Lots of disturbing imagery for the whole family:

The graphic reads, “CNN- I like it. I am CNN.” Then some stuff way too small to read. The Nobel Peace Prize award you can read yourself and at the bottom Tibet.

UPDATE 2: Netcraft has a live performance monitor for the CNN webiste here.

First, a very big thank you to reader Copper, who first pointed out that there was a BIG button right over the article on Chinese hacker Xiao Chen that said…VIDEO! And, if you watch said video…it gives Xiao Chen’s webiste.

Here is the 1st screenshot from the CNN video, notice the links section at the botttom that I have circled in red.  The first link is to Hacker World (hack4.com) 黑客天下 and the second is to Hackbase.com.  It is typical for Chinese hackers to list their own website first in the links section.

UPDATE: Sorry, I was unclear in the paragraph above, Xiao Chen only owns 
hack4.com. Hackbase.com was listed just to show similarity in the websites.

Now look at this screen shot from hack4.com. There are a couple of differences but clearly the same website:

Next image from the  CNN video gives the Chinese 黑客天下, Hacker World or hack4.com:

Now take a look at this graphic from CNN in the left corner of the page:

and this one from hack4.com…

Finally, this one from CNN and you really had to be watching for it:

In the CNN interview, Xiao Chen claimed to have 10,000 registered members.
From the hack4.com website, they list the number of registered members as 9,746…pretty darn close:

The kid is just barely seven years old and already goes by the name “Cowboy.” Christ.  Here are the stats on this rising child genious from Guangxi, China:

1.  At the age of three, he was able to install both Windows 98 and Windows XP
2.  At the age of four, he was learning DOS commands, installing drivers and downloading computer games
3.  At the age of five, he was learning to install computer hardware
4.  At the age of six, he started college-level classes in Visual Basic 6.0
5.  At the age of seven, he crashed the entire New York City power grid

Okay, that last one I made up but you know it is only a matter of time. Got to watch my kid perform in a play about farm animals that took the class one week to learn…we are in so much trouble!

This film came out on 19 June 2006, so it is a little old but has one, two or
three interesting things:

Title: Hacker Apocalypse

Running time: 67 minutes

Written by: Li Feng  (Who also wrote Hero)

Backed by: The famous Beijing amatuer film organization BAERXIU Movie Club

Plot:  Tieke, the proprietor of a computer company, is also the brains behind a secret hacker organization.  He accepts a large sum of money from an unnamed organization  to make preparations for a large-scale invasion campaign on the Japanese network using a virus he created called “The broken-hearted rose.”

The movie was not well received by some hackers and DVD fans…they hacked the movie’s website twice.

There was a TV show in 2002 on CCTV6 called the Rose hacker.

There is also a real Chinese Rose virus/trojan (rose.exe).  Jingtian talks a little about on the Kaspersky forum here.

Of course the most famous Chinese hacker Rose, the Withered.

Why all this? Not sure, but started to see a lot of refs in Chinese to 
rose hacker/virus this or that and now you have too.

Reported a few days ago on Chinese hacker squeegee men and it seems like they are not very welcome in China.  An unidentified technology security company in Shanghai was busted for their unique brand of marketing.  A salesman would come calling and explain the horrors some online game companies experience through DDOS attack:

Oh, and did he forget to mention his company just happens to sell firewalls?  Probably a good idea to purchase this magic firewall because if you don’t, well a couple of days later…you experience those horrors he tried to protect you against.  Police decided to investigate and Manager Luo and Saleman Li were arrested.  Turns out, they were in it for the money.  Go figure.One section I couldn’t figure out involved a scene
talking about the Shanghai company and this website:

This is Chinahacker.com, a member of the Red Hacker Alliance, that I go to every now and then.  Exactly why they are used in the video to show where you can download DDOS attack software is still not clear, but no worries, I checked on the site and it is still up and running. Recent posts as of today, which is their yesterday…damn, International Dateline!

Full video of the story:

It is rare to find mention of the role women play in Chinese hacker society, so I was surprised to find a page dedicated to the “Six Golden Flowers.” The text written on the pictures gives a small history of their years in hacking but little else.

Digging a little further showed that in 2007, security media sources inside China named one of the members of the “Six Golden Flowers” as the most active and influential Chinese hacker in the country.

Another member of the group has received a great deal of press and even a video tribute…
Continue Reading »

I am mainly going to order this video for the technical information it contains.
No, really.  Okay, some might consider this a frivolous post but think about it, how much reign of destruction can you stand to read.  Besides, can you name any other Chinese hacker movie that received 83% on the Tomatometer…didn’t think so.

Here is the review:

Synopsis:

The brothers Chow Nunn and Chow Lui’s giant computer company is facing a tense crisis – a powerful computer virus is rapidly wiping out their computer network. At the last minute a cyber-friend arrives to join the battle. The mysterious “Angel.com” battles the virus and saves the company. Invited by Chow Lui for a visit in person, Angel.com arrives in the form of the beautiful Lynn (Shu Qi). But it turns out Lynn is a professional assassin with amazing high-tech and kung fu skills.

You read that right, “a professional assassin with amazing high-tech and KUNG FU skills.”  Read the rest here…

Know yourself and know your enemy and in 100 battles you will never be in peril.

-Sun Zi

Well, that includes understanding the culture of your adversary.  This week’s installment of Chinese hacker
culture is their brand of nationalist hip-hop. The girl, who looks bored out of her mind the whole video, is playing a couple of cuts that sound pretty good even if you don’t speak Chinese. Hell, I could only understand about 1 in 5 words, but that is about the same for US hip-hop, so I don’t feel too bad.

Most of the lines are talking about how great Chinese hackers are and that they should all band together to defend China from the outside world. One section talks about Hackbase and China Eagle. Somehow, and I don’t know why, they managed to work in Trojans to the song. Couldn’t really understand it though.

The link here, video seems to screw with Firefox broswer…

This was more than likely a message to the rest of the Red Hacker Alliance that we do not hack inside China or there will be consequences.  According to the video, it wasn’t just money that Heikeba was after but fame played a large part as well.  The downfall seems to have come when they decided to break into banks inside of China and steal from Chinese citizens.  That my friends is a no-no!

Also, it is not nice to attach Trojans to music and picture downloads.

This is the part I’m not completely clear on and if someone who has better ears than I do can provide clarification it would be really appreciated.  The police discovered that the site was spread out across 15 cities inside of China. Here is the difficult part, they found records on the site dealing with New York, London and Paris and something about logging into the sites at the same time which seemed impossible or only slightly possible.  There is some discussion of time-zones and logging into them at the same time.

Difficult to tell if they are saying Heikeba was responsible for hacking into
websites in these cities.  Hopefully, we can get a little help here.

There once was a website named heikeba.com (黑客吧), but alas no more.  The site was run by three Hangzhou University students named Lin Yupeng (林宇鹏), Lin Cailong(林才龙) and Yao Pingqiang (姚平强).  These young entrepreneurs dealt in massive numbers of Trojans.  Reports have stated that they had an extensive collection of malware and at the time of the website’s demise, there were over 500 for sale.  Heikeba.com had over 25,000 registered users and 100 VIP members.  Toward the end, the site was averaging around US $2,700 a month and in less than nine months since its start in January of 2007, had made close to US $14,000.

So, what happened to heikeba.com?  It seems that on 13 September 2007, the group was actually arrested and taken away by police for selling illegal programs.  According to Liu Yuechuan (刘悦川), the police officer who conducted the investigation, he used VIP membership to get into the site and was shocked that it contained so many Trojans.  He was also amazed at the number of viruses hidden on the site.  The website was considered one of the largest distributors of malware in the country.

What makes this so unusual is that it hardly ever happens and certainly not
with this much publicity.   There is hardly a Chinese hacker website that doesn’t sale or distribute some sort of malicious program and you don’t need VIP membership to discover it.  What these guys really did or who they angered is still a mystery.  Maybe it was just time to set an example.

Here is the CCTV special on the investigation and the arrest. It has a lot more details and I will do my best to give you an updated gist of the program.

Never heard of this, don’t know what to make of it, not sure I even care.  Anti-Fans, a phenomenon that began in Korea where large numbers of “Anti-Fans” seek to just trash and even poison celebrities.  Number one targets are singers and dancers.  So, the good news…it has spread to China!

This is the Taiwanese band F-4 and they got hacked by Chinese anti-fans for referring to Taiwan as a country while fiming a commercial for tourism.  (Have to admit, a lot of boy-bands here in the US could use a good hacking…just kidding…sort of.)

Chinese actress Zhao Wei targeted by Chinese anti-fans for…too much hotness? No, she wore the Japanese flag.

 Artist Wang Xinling, just a little too cutesy for some fans. They are anti-fans due to her winky-hand-movey antics on stage.

And for the most disturbing of all, they claim to be the Bin Laden for celebrities.

A posting at Sam, Saman, Samantha’s blog sums up my feelings quite well.  But, just because they seem to have gone way past the deep end of the pool, doesn’t mean they can’t make a semi-rocking video!  Enjoy (fair warning, the thing loads slow, slow, I mean really slow):