Archive for the 'Hacker History' Category

Jul 02 2009

New leader of the Red Hacker Alliance?

During the Olympic Games, a secret organization was formed by a Chinese hacker named Wang Zi to protect Olympic websites against foreign hackers and, while they won’t say, reprisals were probably taken against offenders.

This article, from the People’s Daily, details Wang Zi’s efforts to bring back the patriotic spirit of the Red Hacker Alliance.

“The Tao that can be described in words is not the true Tao. The Name that can be named is not the true Name,” – the first two sentences of Tao Te Ching are the slogan of hong ke that appear on the new union’s new homepage.

After the Olympics, Wang Zi’s group retired from the web for a short time, and then on the first day of this year, the group made a bold new announcement.

The blurb on their newly-launched website reads, “Hong ke culture is back. We will hold and transmit hong ke spirit focusing on justice, pioneering and love for the motherland.”

Lin Lin, the leader of Evil Octal (another Chinese hacker organization), refutes Wang Zi’s claim to the title of new leader:

“Lion is the spiritual leader of the hong ke union,” Lin Lin, a leader of hacker group Eviloctal Security Team, told the Global Times. “And without him, no hong ke organization can be regarded as a reorganization of the original.”

The article goes to great lengths to distance the organization from being government sanctioned:

Wang Zi says his union is a purely non-governmental organization. They could not register the union’s name with the Ministry of Industry and Information Technology until they deleted “Zhongguo” (China) from it.


Apr 24 2009

Hackers: the China Syndrome by Mara Hvistendahl

Best hobby in the world.

It was absolutely my privilege to spend a few days talking with Mara Hvistendahl on the subject of Chinese hackers. She is such a fantastic lady and I couldn’t have enjoyed our time more.

While linking to our interview may seem a bit of shameless self-promotion, I mainly wanted it on record that Mara called me, “a trim 46-year-old.”  I pushed for other words like swashbuckling, ruggedly handsome and athletic until Mara started mentioning other adjectives such as weird, strange and goofy.

…TRIM!

Hackers: the China Syndrome by Mara Hvistendahl



Feb 15 2009

Charging Bull and Chinese Vampire

What does the Charging Bull have in common with the Chinese Vampire? According to Dr. Shi Xiaohong, who performed extensive analysis on the two viruses, they were written by the same author.

Sina Tech News has been reporting on the rapid spread of a relatively new virus called “Charging Bull.” It probably got the name from appearing around the same time as the Chinese New Year, Year of the Ox. Let’s face it, “Charging Ox” does not sound cool.

In June of 08, we told you about Chinese Vampire and later the next month about the big controversy surrounding the original author.


Feb 01 2009

Chinese hackers vs. the Super Bowl

Via: Fergdawg

In 2007, the official website of Dolphin Stadium was compromised with malicious code linked to a JavaScript file inserted into the header of the front page. The redirect ended up at a domain registered in China.

Just sayin’…


Jan 11 2009

The perfect time for a massive Chinese cyber attack

Predictive analytics: encompasses a variety of techniques from statistics and data mining that analyze current and historical data to make predictions about future events. (courtesy of the wiki)

Last night I was reading Chinese Cyber Nationalism and this section in Chapter Three on the EP-3 incident (Sino-US Hacker War 2001) got me thinking:

“On 26 April, H.U.C [Honker Union of China] announced on its site that Chinese hackers would wage a seven-day self-defense war against American websites.  The major targets included hundreds of American government and military websites.  The attacking time was set at 9:00 PM on 30 April, when a seven-day Labor Day holiday started in China.”

(emphasis mine)

The same goes for the Chinese hacker attack on CNN covered on our own little blog, which was scheduled for 8:00 pm on 20 April. In 2008, 20 April was a non-work day in China.

That’s right! Off days, holidays and late at night are the perfect time to cyber mobilize a massive number of people for a “Cyber People’s War”.

Obvious yes…but then where is my attack table for 2009?

2009 China Public Holidays

Based on a seven-day workweek, China has one of the most confusing holiday and non-work day systems ever.  Bless the good people at CNReview for providing the calendar above and keeping me from suffering a fatal aneurysm.

So green and blue days are danger and yellow safer. Remember, due to time differences between the US and China, attacks would more than likely begin and end a day before those shown on the Chinese calendar.

We aren’t talking about individual or small group attacks that can occur at any time, just major efforts by a large number of hackers. People have to work! “Sure Xiao Wang, I’d love to join the war against whatever you’re enraged about at the moment but…I’ve gotta be at work then.”

Attacks will also occur early in the morning for the US (approx 5:00 am – 8:00 am) given the EST and PST differences with Beijing. These are normally 12-13 hours for the East Coast and 15-16 hours for the West Coast, depending on how daylight saving time matches up. No DST for China, they don’t play.

Hawaii?  Screw Hawaii! I’m freezing to death here.  They can figure out their own times. :)

Rest of the world, adjust accordingly.


Jan 01 2009

Chinese hackers deface Yasukuni Shrine website…again

On 24 December 08, Chinese hackers once again defaced the Yasukuni Shrine website.  Here is a little background from The Dark Visitor:

(Cyber Conflict of 2001)

August of 2001 would again see attacks on Japanese web sites in response to former Prime Minister Junichiro Koizumi’s visit to the controversial Yasukuni war memorial. Chinese hackers struck first on 13 August, attacking the server for the Japan Meteorological Agency. Following that, a large number of Japanese government web sites were attacked, such as “the Chemicals Evaluation and Research Institute, the Defense Systems Research Committee, the Central Convention Service, Inc., the Fire and Disaster Management Agency, the Defense Facilities Administration Agency, the Communications Research Laboratory, and web sites for members of Parliament.” The Honker Union of China issued the following statement:

Sep 05 2008

Xcon 2008 in Beijing!

My Xcon 2006 pass

Jumper sent me an e-mail about the upcoming Xcon 2008 Conference that will take place in Beijing from 18-19 October:

If you have any questions, comments, please shoot against Casper ;)
Though I am happy to forward it.

On Fri, Sep 5, 2008 at 4:40 PM, Sowhat <smaillist (at) gmail (dot) com [email concealed]> wrote:
> Got couple of emails with comments (language mistakes) and questions,
> Thanks guys!
>
> Actually XCon is held by XFOCUS guys (Casper and others), they wrote
> it up and I was just helping to post the CFP.
>
> If you have any questions regarding the schedule, the conferences,
> the hotel, etc.
>
> Welcome to XCon! Welcome to China!
>
> Best
> Sowhat
>
> On Fri, Sep 5, 2008 at 3:45 PM, Sowhat <smaillist (at) gmail (dot) com [email concealed]> wrote:
>> XCon 2008 Call for Paper
>>
>> Nov. 18th - 19th, 2008, Beijing, PRC (http://xcon.xfocus.net)
>>
>> XCon is wholeheartedly expecting papers from those who are passionate
>> about information security technique and their participation and sharing of
>> the conference.
>>
>> Attenders
>> Anyone who loves information security, including information security
>> experts and fans, network administrators, network security consultants, CIO,
>> hacker technique fans, etc.

More details on the conference here at Security Focus.

For those of you who are unfamiliar with Xcon, I’ll give you a little background. The yearly host of the Xcon conference series is a group going by the name Xfocus. One of their 2007 conference attendees, XYZreg (Zhang Yi), a regular member of their security group, claimed to have broken Kaspersky Anti-Virus Technology. When I went to the conference in 2006, two of the major sponsors were Microsoft and NSfocus. NSfocus was one of the very first hacker sites in China, originally called the Green Army. The organization has a very confusing history.

If anyone is planning on attending the conference, please drop me a line.


Aug 04 2008

Chinese hacker dancing and defacing = pure awesome!

Just going to change the name of the blog to the Xiao Tian Show and call it a day. Even though Chinese hackers are now constantly worrying about the Olympics getting hacked, Xiao Tian has managed to remain in the spotlight. The latest articles making the rounds about Xiao Tian still summarize the interview with the Daily News and Analysis, just with the addition of a defacement:

The first reference I can find of this defacement indicates it took place in September of 2006, to protest Prime Minister Koizumi’s visit to the Yasukuni Shrine. Several people posting think it was done by a female hacker due to the signature line that translates to something like, “the girl pissing on the Yasukuni toilet.”

The article uses the screen shot to demonstrate how ferocious female Chinese hackers can be and does not attribute it to Xiao Tian. Plus, we know our gal would never use such vulgar language. She saves all that built up nationalist energy for the dance floor:

FROM Xiao Tian’s blog: She is on the left in black and says to ignore the other girl in the short skirt. As a matter of fact, Xiao Tian wants you to know she hates that girl. Apparently, the DJ pushed the girl up on the stage so the two could dance together. Xiao Tian doesn’t have kind words for the DJ either. Also, she claims to have been a bit nervous on stage, so these are not her best dance moves.

That is why you come here, for the culture. Now, back to your nerdly doings.


Jul 14 2008

Bruce Schneier: The Truth About Chinese Hackers

Bruce Schneier is a well-known security and cryptography researcher.  He has a popular blog where he posted his recent article detailing “The Truth About Chinese Hackers”, which was written for Discovery Channel.

This article is not particularly insightful and sort of lumps all of the Chinese hackers into a single group of young, male patriotic kids doing it for the babes and limos.

These hacker groups seem not to be working for the Chinese government. They don’t seem to be coordinated by the Chinese military.

The hackers are in this for two reasons: fame and glory, and an attempt to make a living.

This is very short-sighted. We should be honest here, neither Bruce Schneier nor Heike and I know with absolute certainty what Chinese hackers are doing, who is coordinating them and who might be paying them. Maybe the article shouldn’t be titled “The Truth About Chinese Hackers” because Bruce doesn’t know what the truth is (Heike would have said that he couldn’t handle the truth either, but that’s not my style).

I think a lot of people assume that activity attributed to the PRC is simply based on the IP address.  After studying spear phishing attacks, custom malware attacks and the types of data that have been exfiltrated from various NGO targets it seems likely that some entity is coordinating the collection and exploitation of this information.  In my humble opinion, there may be more to this than WoW passwords.


Jul 13 2008

Chinese hacker Withered Rose returns

UPDATE: Dominic reminds me that some people might not be as Chinese hacker obsessed as myself and suggests I give some links as to why Withered Rose is important.  Whoops on my part! For some background on rose, read here and here.

As mentioned yesterday and updated today, Withered Rose (Tan Dailin) is back to his old haunts; both mghacker.com and ncph.net websites are up and running again. Just a couple of observations:

1) Rose has done some scrubbing of his personal blog mghacker.com. Had to go to the wayback machine to make sure but you can tell a number of posts have been deleted for some reason by comparing the wayback machine to what is listed on the current blog’s archive. Rose has wiped out everything prior to March of 2007 and selectively edited the months still showing.

2) Not sure why but at least four of the new posts on ncph.net are old posts from the mghacker.com blog:

a.

Mghacker 再现社会工程学 (“Social Engineering Revisited”) (29 Mar 2007)

Ncph 再现社会工程学 (31 May 2008)

b.

Mghacker 3389密码的嗅探 (“Sniffing 3389 Passwords”) (29 Mar 2007)

Ncph 3389密码的嗅探 (11 May 2008)

c.

Mghacker Rainbow Table 分析 (“Rainbow Table Analysis”) (10 Apr 2007)

Ncph Rainbow Table 分析 (11 May 2008)

d.

Mghacker 获取cuteftp中的ssh密码 (“Obtaining SSH Passwords from CuteFTP”) (16 May 2007)

Ncph 获取cuteftp中的ssh密码 (11 May 2008)

3) Whois data shows the NCPH.net administrative contact as:

Administrative Contact:
ncph studio
ncph studio ()
si chuan li gong xue yuan
zigong, Sichuan, cn 643000
P: +86.13154663992 F: +86.13154663992

Sichuan Ligong Xueyuan is the Sichuan University of Science and Engineering. Rose founded NCPH while a student at the university. A Chinese hacker going by the name of Rodag, who was also a member of NCPH lists the university as a contact on his blog.

The contact number 86.13154663992 was noted by Jumper in an IRC log:

# jumper on 08 Dec 2007 at 11:04 pm

In the second picture of Rose, he is using a tool called Metasploit on his computer. http://www.metasploit.com.

IDefense has a lot of stuff on NCPH and Rose. There are a couple of archived webcast videos about them on idefense’ website. I did a bunch of searching and found this funny tidbit:

21:41 gila poyo
21:41 you computer is hack by chinese’s hack infall, shit!
21:41 from http://www.chinahonker.com my name is tan dailin
21:41 contact us with QQ 5372453 or
21:41 tel:86+0+13154663992
21:41 my blog :www.mghacker.com or http://www.ncph.net
21:41 ~~~~~~~~~~~~~~~~~~~~~~~~~shit! you are a pig !
21:41 i found this in some machine
21:41 haha
21:41 YOUR COMPUTER IS HACK

It is from an archived IRC log. There isn’t any more context to go off of so I’m not sure who is who in this. Gila poyo is Malay but I don’t know what it means.

My guess is that the two of them are old college buddies.

4) What does this random sampling of information mean? Not much. Just wanted people to be aware that Mr. Rose is back in business and on the internet.
