Archive for the 'Chinese Malware' Category

Jul 02 2009

KnownSec stores tens of thousands of viruses found on Chinese websites

Published by Heike under Chinese Malware

KnownSec is sharing the database and also reports finding more than 100 trojan downloaders a day.

The database covers more Chinese Web sites and provides more up-to-date information about their security than any other, Zhao said in the interview. China produces the majority of the world’s malware, he said.

A history for each site in the database lists dates of malware infection, the strings of malicious code placed on the sites and which antivirus products defend viewers against their attacks. The database also stores tens of thousands of viruses found being distributed by the sites.


Apr 03 2009

Children of a lesser malware

UPDATE: Added further comment by Nart Villeneuve at the bottom (Great guy!)

Yep, that would be us…

According to researchers at IWM, Lost33’s information was only included in the GhostNet report because his malware was found on two computers associated with the Dalai Lama’s network.  However, it was different from the remote control access tool gh0stRAT that made up the backbone of GhostNet.

From the report by Robert Lemos at Security Focus:

However, the e-mail address was found only on two of the computers analyzed for the investigation, said Nart Villeneuve, a researcher at the CitizenLab and one of the authors of the GhostNet report. Both computers had been infected with a second piece of malware, separate from the gh0st remote access tool (gh0stRAT) that formed the backbone of the surveillance network, he said.

“That is a valid piece of malware but it is not the one related to the malware that connected to the admin interface for the gh0stRAT,” Villeneuve said.

So it looks like we are now investigating a massive network intrusion of two computers.  One, two.  We will call our project CasperNet.

Spoke with Jumper earlier today and he still feels it is worthwhile to pursue.  So, he will continue his conversation with Lost33 tonight.

UPDATE: Wanted to add this comment left by Nart Villeneuve because I thought it was super nice of him.  I botched up his report but he was still kind enough to stop by and offer these words of encouragement:

“I wouldn’t say lesser at all — just different. The CasperNet (www.lookbytheway.net/www.macfeeresponse.org) which sounds way better than what I’ve been calling it (CGI after their use of CGI scripts) was the one that was found to be retrieving a sensitive document related to the Dalai Lama’s negotiating position. In addition to being found at the OHHDL it was also found at the Tibetan NGO Drewla.”


Apr 01 2009

GhostNet: Beijing or NGO Chinese hackers?

Ashok Sharma, from the AP, asked me this question yesterday and here was my response from his article Dalai Lama condemns hacking of computers:

Scott Henderson, author of The Dark Visitor, a self-published book about Chinese hackers, said he thought it was feasible that the attacks described in the report could have been carried out by an individual over the course of a year or so.

Henderson said it wouldn’t be unusual for a Chinese hacker to want to infiltrate the Dalai Lama’s computers because most of the mainland hackers he has researched “place as much importance on sovereignty (over Tibet and other contentious areas) as Beijing does.”

To be fair to the researchers at IWM, they never said it was the government either.  At least that is my interpretation of their conclusions.

So, do we have any evidence that this could have been done by a group other than the Chinese government?

Stay tuned…


Mar 28 2009

Israeli company uses Chinese hacker tool against Hezbollah

Published by Heike under Chinese Malware

Just damn, damn, damn.

When a reporter makes several attempts to contact you, get back with the guy.  The author of this article, Oded Yaron, tried numerous times to get in touch with me and we missed each other.  My fault, not his.  He still gave our website a plug without mentioning that one of the people that blogs here is a real jackass.  Thanks!

My apologies to Mr. Yaron and from his report, Virtual battleground attacks Hezbollah’s soft underbelly:

Last week, while trying out breaking-in tools developed by Chinese hackers, an Israeli Network security company, Applicure, brought down the Hezbollah Web site (hizbollah.tv), using no more than 10 bots, which are computers controlled by hackers.


Feb 24 2009

The “Crab Group” virus dissemination family

According to Kingsoft Anti-Virus, the “Crab Group” is one of China’s top-5 virus dissemination families and responsible for the recent infection of around 30 million computers.

Kingsoft’s 2008 Year-End report reveals that within hacker circles, the majority of money is earned by establishing viral dissemination chains.  While a virus author may earn a salary of one million yuan a year (approx USD 150,000), it was possible for a viral dissemination group to earn ten million yuan (approx USD 1.5 million) yearly.

The Crab Group had gained access to an unidentified trusted server in Guangdong and used it to push viruses and trojans to popular websites.  The group had been using the “Cat Ringworm” virus, a.k.a. Charging Bull, as their primary dissemination tool and infected around 30 million computers.

For background on the Chinese hacker virus industry chain read here, here, and here.


Feb 15 2009

Charging Bull and Chinese Vampire


What does the Charging Bull have in common with the Chinese Vampire? According to Dr. Shi Xiaohong, who performed extensive analysis on the two viruses, they were written by the same author.

Sina Tech News has been reporting on the rapid spread of a relatively new virus called “Charging Bull.”  It probably got the name from appearing around Chinese New Year, which ushered in the Year of the Ox.  Let’s face it, “Charging Ox” does not sound cool.

In June 2008, we told you about Chinese Vampire and, the following month, about the big controversy surrounding the original author.


Feb 14 2009

The E-Rose Virus by any other name…

Jiangmin Anti-Virus is warning that the E-Rose Virus is making the rounds this Valentine’s Day.  In 2006, China had the largest number of computers infected from the spread of this malware.


Feb 12 2009

Chinese hackers and Korean bank customers

Sometimes it doesn’t really matter how many layers of security your bank has if your personal computer is infected.  A customer of the Korean bank Hana who fell victim to Chinese hackers may, or may not, have learned this lesson:

According to investigators at Seoul’s Gangnam Police Station, the hackers breached the online account of the victim, identified only as Seok, on Jan. 5, and moved money from the account three times, 7 million won at a time, despite Seok having been tipped off by Kookmin Bank earlier that day that her online bank account had been accessed by a user from a suspicious Internet protocol (IP) address based in China that had been used in another hacking attempt in August last year.


Feb 09 2009

China .gov websites pwn3d – Part 2

Published by jumper under Chinese Malware

The most loyal TDV readers may remember a post from a while back showing some Google searches that turned up more than one hundred Chinese .gov sites with malicious links or defacements.  It appears that there are a few more to add to the list as of late.  One of the Chinese malware blogs that I follow posted a string of blog posts indicating that .gov sites were getting compromised and having malware embedded in them.


www.sxfc.gov.cn, www.lfzs.gov.cn and a few non-.gov sites had very similar malware links embedded in them.  At the time of this writing, many of the links embedded in the sites are broken but some of the malware is still there for the wget’ing.

After a few redirects, we get to a1.css, which is not a stylesheet at all but an FSG-packed PE file.  It is well detected by antivirus (38/39 on virustotal.com).  Nothing too interesting.

The Chinese malware that I have come across is either not packed at all or uses well-known packers like UPX and FSG.  What have you TDV readers come across?  Any custom packers?
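The a1.css case above is the usual pattern: a file served under an innocent extension that is really a Windows executable, usually wrapped in a stock packer.  The following script is an added example (my own code, not anything from the post or from the blogs it cites) of the first triage step I run on such a download: confirm the bytes are a PE image regardless of the extension, walk the section table, and guess the packer from section names (UPX leaves UPX0/UPX1) or from the entropy of the section holding the entry point.  The 7.0 bits-per-byte threshold and the three sample PE images are constructed for the example; the builder produces structurally valid but non-runnable PE32 files so the script works offline.

```python
# Added example: triage a downloaded "stylesheet" to see whether it is really a
# PE executable and whether it looks packed. Constructed test data, not a1.css.
import math
import random
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte (max 8.0); packed or encrypted sections sit near 7+."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe(blob: bytes):
    """Return entry-point RVA and section table of a PE32 file, or None if not PE."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    opt_off = e_lfanew + 24
    entry = struct.unpack_from("<I", blob, opt_off + 16)[0]  # AddressOfEntryPoint
    sec_off = opt_off + size_opt
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, sec_off + 40 * i)
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return {"entry_point": entry, "sections": sections}

def triage(filename: str, blob: bytes) -> dict:
    """Flag extension/content mismatch and guess the packer (heuristic)."""
    info = parse_pe(blob)
    if info is None:
        return {"is_pe": False, "ext_mismatch": False, "packer": None}
    ep = info["entry_point"]
    names = [s["name"] for s in info["sections"]]
    entry_sec = next((s for s in info["sections"]
                      if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["raw_size"])), None)
    ep_entropy = entry_sec["entropy"] if entry_sec else 0.0
    if any(n.startswith(b"UPX") for n in names):
        packer = "UPX"                     # UPX names its sections UPX0/UPX1
    elif ep_entropy > 7.0:                 # assumed threshold for "looks packed"
        packer = "unknown packer (high-entropy entry section)"
    else:
        packer = "probably unpacked"
    return {"is_pe": True,
            "ext_mismatch": not filename.lower().endswith((".exe", ".dll", ".scr")),
            "packer": packer, "entry_entropy": round(ep_entropy, 2),
            "sections": [n.rstrip(b"\0").decode("latin-1") for n in names]}

def build_pe(section_names, payloads, entry_rva=0x1000) -> bytes:
    """Build a minimal, non-runnable PE32 image for testing (constructed data)."""
    nsec, size_opt = len(section_names), 224
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, size_opt, 0x102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    raw_ptr = (0x40 + 4 + 20 + size_opt + 40 * nsec + 0x1FF) & ~0x1FF  # 512-byte alignment
    first_raw = raw_ptr
    headers, body, vaddr = b"", b"", 0x1000
    for name, payload in zip(section_names, payloads):
        raw_size = (len(payload) + 0x1FF) & ~0x1FF
        headers += struct.pack("<8sIIIIIIHHI", name, len(payload), vaddr, raw_size, raw_ptr,
                               0, 0, 0, 0, 0x60000020)
        body += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += max(0x1000, (len(payload) + 0xFFF) & ~0xFFF)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers).ljust(first_raw, b"\0") + body

# Constructed samples: deterministic pseudo-random bytes stand in for packed code.
_rng = random.Random(20090209)
HIGH_ENTROPY = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_PLAIN = build_pe([b".text", b".data"], [b"\x90" * 200 + b"\xC3", b"hello"], 0x1000)
SAMPLE_UPX = build_pe([b"UPX0", b"UPX1"], [b"", HIGH_ENTROPY], 0x2000)
SAMPLE_UNKNOWN = build_pe([b"", b".rsrc"], [HIGH_ENTROPY, b"data"], 0x1000)

if __name__ == "__main__":
    for label, blob in [("plain", SAMPLE_PLAIN), ("upx", SAMPLE_UPX), ("unknown", SAMPLE_UNKNOWN)]:
        print(label, triage("a1.css", blob))
    print("css", triage("style.css", b"body { color: red; }"))
```

The section-name check is exact for stock UPX; the entropy check only says "something compressed or encrypted sits at the entry point", which covers FSG and most custom packers but will also fire on legitimately protected binaries, so treat it as a reason to look closer, not as a verdict.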


Feb 06 2009

China’s 2008 Top 10 viruses and organized crime


Yesterday, Jiangmin released their 2008 Computer Virus Epidemic report showing the top 10 viruses for 2008.  The report further noted that online organized crime elements were forming underground industrial chains to manufacture and disseminate viruses.

In 2008, there were 1.09 million viruses intercepted, representing an increase of over 200% from 2007.  The report also stated that over 28 million computers had been infected by viruses and this reflected a drop of 18.39% from 2007 due to enhanced security awareness.

Trojans accounted for 78% of all viruses intercepted, backdoor programs 10%, malicious advertisements 4%, worms 6%, and all others 2%.  Presenting the biggest problem, trojans and backdoor viruses increased 10% when compared to 2007 statistics.

China’s Top 10 Viruses for 2008

  1. Trojan/PSW.OnLineGames
  2. Trojan/PSW.GamesPass
  3. Trojan/Agent
  4. Checker/Autorun
  5. Backdoor/Huigezi
  6. Trojan/PSW.QQPass
  7. Exploit.CVE-2007-0071
  8. Trojan/StartPage
  9. Trojan/DogArp
  10. Win32/Infectrpcss