The Dark Visitor

Best hobby in the world.

It was absolutely my privilege to  spend a few days talking with Mara Hvistendahl on the subject of Chinese hackers.  She is such a fantastic lady and I couldn’t have enjoyed our time more.

While linking to our interview may seem a bit of shameless self-promotion, I mainly wanted it on record that Mara called me, “a trim 46-year-old.”  I pushed for other words like swashbuckling, ruggedly handsome and athletic until Mara started mentioning other adjectives such as weird, strange and goofy.

…TRIM!

Hackers: the China Syndrome by Mara Hvistendahl

Remember the fable about the Scorpion and the Frog?  Well, we got stung…

Lost33 did not make contact with Jumper last night.  In fact, it seems he spent the night changing his QQ number and deleting all info from his blog. The website is now completely empty, except for a change to his personal data.  Lost33 changed his current residence from Sichuan to Beijing:

We retained a full copy of the previous night’s conversation with Lost33 but have decided to only release two sections.  The first section is being reprinted to prove the connection between Lost33 and the losttemp33 hotmail account:

The second section is being released…well, to be honest, just because I think it is funny. I can practically see Jumper’s expression as he types, “Yes, really.”

Are we surprised, shocked, or angry over Lost33 punking us…

-Hey, it’s just his nature.

UPDATE: Added further comment by Nart Villeneuve at the bottom (Great guy!)

Yep, that would be us…

According to researchers at IWM, Lost33’s information was only included in the GhostNet report because his malware was found on two computers associated with the Dalai Lama’s network.  However, it was different from the remote control access tool gh0stRAT that made up the backbone of GhostNet.

From the report by Robert Lemos at Security Focus:

However, the e-mail address was found only on two of the computers analyzed for the investigation, said Nart Villeneuve, a researcher at the CitizenLab and one of the authors of the GhostNet report. Both computers had been infected with a second piece of malware, separate from the gh0st remote access tool (gh0stRAT) that formed the backbone of the surveillance network, he said.

“That is a valid piece of malware but it is not the one related to the malware that connected to the admin interface for the gh0stRAT,” Villeneuve said.

So it looks like we are now investigating a massive network intrusion of two computers.  One, two.  We will call our project CasperNet.

Spoke with Jumper earlier today and he still feels it is worthwhile to pursue.  So, he will continue his conversation with Lost33 tonight.

UPDATE: Wanted to add this comment left by Nart Villeneuve because I thought it was super nice of him.  I botched up his report but he was still kind enough to stop by and offer these words of encouragement:

“I wouldn’t say lesser at all — just different. The CasperNet (www.lookbytheway.net/www.macfeeresponse.org) which sounds way better than what I’ve been calling it (CGI after their use of CGI scripts) was the one that was found to be retrieving a sensitive document related to the Dalai Lama’s negotiating position. In addition to being found at the OHHDL it was also found at the Tibetan NGO Drewla.”

UPDATE: James Tay from Citizen Lab left us a comment.  That’s right, part of the support team for the Ghostnet Report.  God, we really should have cleaned up the place.  Thanks for taking the time to stop by James! (originally I stated he was a contributing author, James has clarified).

UPDATE2: Lost33 is now in contact with us and we are trying to get his side of the story.  He has requested we mask his QQ number now that he is in contact and we have complied.  (Never do late night updates.  A commenter pointed out that the original wording for this update sounded like we were holding his QQ hostage unless he spoke with us.  That certainly wasn’t my meaning but that is definitely what it sounded like.  Just wanted to explain the reason for the sudden masking of his contact number.)

First, hats off to the researchers at IWM.  They did great work on the GhostNet project and we owe them a debt of gratitude for sharing it with us.

The Hunt

One aspect skipped over in the GhostNet report were the e-mails associated with the websites, losttemp33@hotmail.com and opanpan@gmail.com.  For the last two days, Jumper and I have been tracking them down to see where they would take us.

Comparing the Whois returns for two of the websites involved, macfeeresponse.com and scratchindian.com, yields startlingly similar results:

Double-click to fully englarge

We conclude that this is the same person using different e-mail addresses or associates working together.  The domains are registered on the same server and are too close in content to be considered a random coincidence.

The Opanpan e-mail went nowhere, so we concentrated on losttemp33.  A simple Google search for the e-mail address, led us to the website for Programmers United Development Net:

Clicking on the link leads to three programs losttemp33 provided for download.

Next we were able to locate a post from 2005 on Windows hacking:

Notice that the author of this post uses the signature Lost33 in the upper left-hand corner.  Using the signature Lost33 and the Chinese characters for hacker (黑客), we were able to find an individual who was associated with Xfocus, Isbase and even seems to have studied under Glacier.  More importantly, we found a blog under the same name.

This blog stopped getting updates in 2006 but provided us with a couple of more clues to keep searching.  The first red box shows the date of birth as 24 July 1982 and place of current residence as Chengdu City, Sichuan.  It is important to recall that all of the Whois results for GhostNet associated websites showed Chengdu, Sichuan as the city and province for the organization. The second red box at the bottom is Lost33’s personal motto, “The bored soldier swaying on an empty battlefield.”

We kept searching but it seemed like we had hit a brick wall, Lost33 vanished from the internet in 2006.  That was when we decided that a person might change their user id but never their motto.  Can’t abandon your motto.

Plugged in the “The bored soldier,” and bingo…The Bored Soldier’s blog space:

Lost33 now blogs under the name Damnfootman:

Why are we sure this is the same person as Lost33?  Well, they not only share the same motto but birth date and place of residence as well:

Blog bits of interest

• Lost33 attended the University of Electronic Science and Technology in China.

• He has a link on the website to the Chinese hacker forum for Eviloctal and our dear friend Sunwear.

• Lost33 is also keeping up with friends at Xfocus and NSfocus on garden variety hacker tools.

We have left a couple of posts on Lost33’s blog and are waiting to see if he will respond:

The note asks Lost33 if he would be willing to discuss the GhostNet matter with us.

There were two QQ numbers associated with the opanpan and lost33 email addresses.  We attempted to contact both of them but were rejected.

Summary

While we are aware that there are other lost33 websites out there, such as myspace/lost33, these do not meet the profile of our hacker. It would be a very unusual set of circumstances that would lead to such a bizarre set of coincidences coming together as we have here:

• The Ghostnet websites list Chengdu, Sichuan under organization and the pseudonym losttemp33 as the contact e-mail address.

• The e-mail address losttemp33@hotmail.com has been posted on at least two websites dealing with computer programming. The post on hacking Windows shows that the person also uses the alias lost33 as an alternative to the full e-mail address.

• An individual using the lost33 signature has posted on several Chinese hacker forums including Xfocus and Isbase (the Green Army). He may even have been a student under Glacier.

• The first lost33 website shows a birth date of 24 July 1982 and current address as Chengdu, Sichuan. The website motto is, “The bored solider sways on the empty battlefield.”

• The second “bored soldier” website is clearly owned by the same person as the first lost33 website. The owners were born on the same date; both live in Chengdu, Sichuan and use the same motto. The new website has links with known hacker websites (Xfocus, NSfocus and Eviloctal), links to hacker programs and demonstrates and education in technology (University of Electronic Science and Technology of China).

Obviously the weakest link in the analysis is the jump between losttemp33 and lost33 but we feel the weight of the evidence shows a connection. We do not conclusively claim this person is involved but we think further inquiry is needed.

<edit> – A few readers have asked for the QQ number that was redacted.  Since lost33 doesn’t seem to be using that QQ number anymore – here is the original screenshot:

I posted this yesterday on a Chinese blog and Jumper has been trying to reach him via QQ:

The note asks the owner of the website if he would be willing to discuss the GhostNet matter with us.

He logged on for several hours after the question had been posted but has not responded as of this time.

This story will run later today, with or without communication from the individual.

What does the Charging Bull have in common with the Chinese Vampire? According to Dr. Shi Xiaohong, who performed extensive analysis on the two viruses, they were written by the same author.

Sina Tech News has been reporting on the rapid spread of a relatively new virus called “Charging Bull.” Probably got the name from appearing around the same time as the Chinese New Year, Year of the Ox.  Let’s face it, “Charging Ox” does not sound cool.

In June of 08, we told you about Chinese Vampire and later the next month about the big controvery surrounding the original author.

On 18 January, we gave you a look at how to spot hot trends in China and the possibility that Chinese hackers were using similar tools to find targets for malware.  Getting the most bang for your buck.  Today, I’ve decided to see if my knowledge is worth anything.

Prediction: “Chinese body art” sites and body art pictures (人体艺术照片) will be high on the list for hackers.  Why?

According to Google Insight, there has been a 2400% increase in the number of searches for this term over the last seven days.

It is also showing up in the #19 spot as hot searches on Top Baidu.  What is Chinese body art?  Shhh, it’s pron.  Artsy pron.  Let’s see, China announces crackdown on pron…now this “art” makes the top searches on Google and Baidu.  Hmmm?

Going back to Google Insight, you can get your tags for search engine optimization over the past 30 days:

1. 艺术照片

2. 人体艺术

3. 人体

4. 人体艺术图片

5.  人体写真

Really want to get fancy and you could add cities:

Trojan Horse

So the Analyt’s Diary blog at viruslist.com has an article on some new mass SQL injection attack that jacks up .asp pages with redirects to browser exploits. The exploits drop one of two trojans that steal passwords and whatnot. Here is h.js:

document.write(”");
document.write(”");

Wordpress won’t display the script. Basically, it loads an iframe that points to two separate URLS (these URLs contain browser exploits so don’t follow them):

hxxp://vvexe.com/haha/index.html and
hxxp://www.kenya.com/faq.htm

I can’t seem to get to either of these sites at the moment. I’ll try again later.

Update:  I spent some time looking at this malware.  The two pages listed earlier in this post contain iframes to browser plug-in exploits for real player and other typical vulnerabilities.  The exploits attempt to load and run down.exe (e160f590d894a98474697ac0db987746 not packed/delphi code) which in turn downloads hxxp://www.vvexe.com/haha/down.txt to get the additional files 1.exe (a7fc8c966fdeb550fe19aba3169569be not packed/VC++), do.exe (5af5edaa2cebf1fed56ad36799b2c850 ) and cool.exe (18867d6de1a3a9241c14c22c19b51351 not packed/delphi).

1.exe is a WoW trojan and waits for passwords sent to:

grunt.wowchina.com and [kr|us|tw|eu].[version|logon].worldofwarcraft.com.  It also looks for and attempts to disable many types of security software.  It attempts to send the stolen credentials to an asp on www.yilu777.com.

do.exe is a little more interesting.  It appears to be a generic remote access trojan that sends a beacon to qq number 58836533.  A quick search for that qq number revealed that this person’s paipai account has been frozen:

So I do some more digging and find the QQ profile with a name and nick:

Searching for the nickname got me to a few blogs and profiles that had some young girl who is really into anime. Maybe her QQ account got pwn3d or maybe, just maybe she is a member of “China Girl Security”. I tried to get an add on that QQ account so I could talk to the hacker but didn’t have any luck.

Note to Chinese hackers: Please pay the tax on your WoW gold profits.

The program seen above is a patch for the Microsoft “black screen of death” and was written by a female Chinese hacker group at the Guangdong Foreign Language, Foreign Trade University (Guangdong Foreign Studies University).

The patch keeps Chinese users, who are running pirated copies of Microsoft Windows, from having to refresh their computer screens every hour when the black screen pops up.

The Chinese hacker program was released on 15 October, five days before Microsoft’s pre-announced plan went into effect (Jumper, is this possible?).  The black screen seems to have been a mere annoyance, designed by Microsoft to encourage people to purchase legal copies of Windows.  It does not effect the computer’s ability to function.

From the comments I have read on a few boards, this does not seem to be one of the programs written to spread malware.

The website for the group that released the patch is here.  The message attached to the download reads as follows:

“Excuse me Bill Gates, this time, I must once again oppose all of you [Microsoft]. I can’t let you introduce chaos into the Chinese system again for no good reason! For many years now, people have stolen Windows and just this year you decide do something about it? That is stupid!!

We are not the military but we have the same mission, to protect the sovereignty of the Chinese network.”

A few interesting comments on the boards you might like to read.  Don’t have the time to translate, so I give you the Google xlations.  No, they aren’t 100% accurate but they will give you the feel of the conversation.

Something to take note of, not all of the Chinese users are onboard with the “hate Microsoft theme.” There are a number of dissenting voices, saying that stealing intellectual property is wrong.  Good for them!

Update (jumper 1543GMT OCT 26):  The site hosting the anti-anti-piracy patch is overloaded:

Maarten Van Horenbeeck informed us that his recent SANS Fire 2008 presentation on targeted attacks has been released for the public. You can find it at Maarten’s website here.

You may also want to check out another presentation of his titled “Crouching PowerPoint, Hidden Trojan”.