Link to McAfee’s PDF white paper Global Energy Cyberattacks: “Night Dragon” that primarily originated in China.

Hong Lei

More on Tomato Garden and the arrest of Hong Lei, the author of the pirated software.  Online polls show massive support for Hong Lei as a nationalist hero:

The Chinese IT community is abuzz with news of the arrest of Hong Lei, distributor of the popular “Tomato Garden” pirate version of Windows XP, which means the popular unlocked version of the Microsoft software will no longer be available.

According to Sina.com, more than 90 percent of users they surveyed are or were users of Tomato Garden pirate editions. And 79 percent said they were on Tomato Garden’s side. Less than 5 percent said they supported Microsoft.

The Wall Street Journal has some interesting interviews with people inside China concerning the case and the drivers behind the software theft.

AUSTRALIA’S diplomats have been warned about a fake email amid concerns it could be part of a cyber espionage attempt, possibly originating from China.

The Department of Foreign Affairs and Trade confirmed yesterday staff had been briefed about a suspicious email sent to several staff last month. The source of the email is under investigation by the department’s communications experts.

In November of 2008, Chinese hackers used the popularity of the the viral video “Kappa Girl” to infect an untold number of users.  In May of 2009, Chinese hackers started using pictures of the “Maritime Girl” for exactly the same purpose.

In the Mainland China Internet Security Report for the First Half of 2009, researchers examine a couple of case studies looking at the top-10 methods for spreading trojans and coming in at number four was the “Maritime Girl“.

Yin Hong, known now and probably forever as the “Maritime Girl”, was a student at the Shanghai Maritime University and posed in a series of very revealing photos for her boyfriend.  After they broke up,  the boyfriend spitefully posted the photos all over China’s interwebs.  A download frenzy ensues and Chinese hackers attach trojan malware primarily used to steal online gaming accounts.

Welcome once again to Chinese hacker social engineering 101.

I spent most of my time at the con attending presentations.  There were at least two presentations that featured a slide devoted to Xiao Tian and the Dark Visitor got mentioned in two presentations.  I think that we should setup a scholarship fund to sponsor Xiao Tian so she can come to Vegas next year and meet with us.

So I decided to put together a give away for people who attended the meetup and settled on a CD packed full of Chinese hacker papers and videos. I put a nice lightscribe label on all of them and included “The Dark Visitor” in Chinese characters. Well apparently I entered the characters rather hastily and instead of 黑客, I put 黑咯, which means Dark Cough (according to Ming Zhou). So at least I learned a new character and maybe that will be the name of the next big disease that comes out of Asia. Who knows? Maybe the flawed Dark Visitor CD will turn out to be the next ultra rare one-eyed beanie baby or something (I’ll start planting them on ebay tomorrow).

Heike and I have talked about having some TDV wearable stuff. Perhaps a Titan Rain Suit? Maybe a “Certified Great Firewall Engineer” T-Shirt? How about a Javaphile Coffee Shop baseball hat? Sunwear tanktop? Let us know what you think. We’ll think of something clever to do with the proceeds like buy Xiao Tian an HD webcam.

F-Secure’s senior security response manager, Chia Wing Fei, explained that the Trojan would have allowed attackers to simply send a link via text message to a malicious Web site and prompt the mobile recipient to download the worm. Once the malware would be installed, it could send similar text messages to all contacts listed on the phone.

“These messages are sent in your name and from your phone,” Chia said. “It means you will pay for each SMS sent by the worm. A typical cost for a single text message might be 5 cents. If you have 500 contacts in your phone, an infection would cost you ($25).”

Read more on “Sexy Space” trojan.

The database covers more Chinese Web sites and provides more up-to-date information about their security than any other, Zhao said in the interview. China produces the majority of the world’s malware, he said.

A history for each site in the database lists dates of malware infection, the strings of malicious code placed on the sites and which antivirus products defend viewers against their attacks. The database also stores tens of thousands of viruses found being distributed by the sites.

Yep, that would be us…

According to researchers at IWM, Lost33′s information was only included in the GhostNet report because his malware was found on two computers associated with the Dalai Lama’s network.  However, it was different from the remote control access tool gh0stRAT that made up the backbone of GhostNet.

From the report by Robert Lemos at Security Focus:

However, the e-mail address was found only on two of the computers analyzed for the investigation, said Nart Villeneuve, a researcher at the CitizenLab and one of the authors of the GhostNet report. Both computers had been infected with a second piece of malware, separate from the gh0st remote access tool (gh0stRAT) that formed the backbone of the surveillance network, he said.

“That is a valid piece of malware but it is not the one related to the malware that connected to the admin interface for the gh0stRAT,” Villeneuve said.

So it looks like we are now investigating a massive network intrusion of two computers.  One, two.  We will call our project CasperNet.

Spoke with Jumper earlier today and he still feels it is worthwhile to pursue.  So, he will continue his conversation with Lost33 tonight.

UPDATE: Wanted to add this comment left by Nart Villeneuve because I thought it was super nice of him.  I botched up his report but he was still kind enough to stop by and offer these words of encouragement:

“I wouldn’t say lesser at all — just different. The CasperNet (www.lookbytheway.net/www.macfeeresponse.org) which sounds way better than what I’ve been calling it (CGI after their use of CGI scripts) was the one that was found to be retrieving a sensitive document related to the Dalai Lama’s negotiating position. In addition to being found at the OHHDL it was also found at the Tibetan NGO Drewla.”

Scott Henderson, author of The Dark Visitor, a self-published book about Chinese hackers, said he thought it was feasible that the attacks described in the report could have been carried out by an individual over the course of a year or so.

Henderson said it wouldn’t be unusual for a Chinese hacker to want to infiltrate the Dalai Lama’s computers because most of the mainland hackers he has researched “place as much importance on sovereignty (over Tibet and other contentious areas) as Beijing does.”

To be fair to the researhers at IWM, they never said it was the government either.  At least that is my interpretation of their conclusions.

So, do we have any evidence that this could have been done by a group other than the Chinese government?

Stay tuned…

When a reporter makes several attempts to contact you, get back with the guy.  The author of this article, Oded Yaron, tried numerous times to get in touch with me and we missed each other.  My fault, not his.  He still gave our website a plug without mentioning that one of the people that blogs here is a real jackass.  Thanks!

My apologies to Mr. Yaron and from his report, Virtual battleground attacks Hezbollah’s soft underbelly:

Last week, while trying out breaking-in tools developed by Chinese hackers, an Israeli Network security company, Applicure, brought down the Hezbollah Web site (hizbollah.tv), using no more than 10 bots, which are computers controlled by hackers.