Apr 06 2010
Archive for the 'Hacker Hunting' Category
Jul 19 2009
In April of 2008, we reported Revenge of the Flame‘s plan to carry out a DDoS attack on the CNN website. A series of events during that time period enraged the Chinese online community: European nations harshly criticized China’s response to the Tibetan uprising; pro-Tibetan independence protesters in Paris tried to snatch the Olympic torch from the hands of a wheelchair-bound Chinese female athlete; and Jack Cafferty, a CNN commentator, referred to Chinese products as “junk” and called the Chinese government “goons and thugs.” In response to these insults, Anti-CNN called for overseas Chinese in Europe to wave the Chinese flag and raise their voice to the sky.
In response to these same events, a hacker, using the online name cn_magistrate, formed a group called Revenge of the Flame and announced his plan to carry out a DDoS attack on the CNN website. We followed the events as calls went out for Chinese netizens to join the action. We were there when cn_magistrate called off the attack and disbaned the organization. Then he vanished…
Cold Case: Yeah, we keep looking. Finally located him through a combination of e-mail address, website and online name. Below are the results of a Whois search we conducted on the associated website during the time of the attack (Notice the website name and e-mail address):
Domain Name: hacksa.cn
Domain Status: ok
Registrant Organization: 判官
Registrant Name: 判官
Administrative Email: Kenan2677@126.com
Sponsoring Registrar: 北京万网志成科技有限公司
Name Server:ns1.okidc.com Name Server:ns2.okidc.com
Registration Date: 2007-08-11 11:59
Expiration Date: 2008-08-11 11:59
Hacksa.cn website letter
This reply from cn_magistrate in the comments section of his blog shows the e-mail address Kenan2677@126.com, used to register hacksa.cn.
He claims to be a Taiwanese citizen…
I’ve written to cn_magistrate and asked if he will talk to us about the incident. Off topic, did anyone hear the news about Taiwan and the US coming closer to an extradition agreement? That would be cool.
Jul 14 2009
Chinese hackers are annoying, it’s a fact. You ask a simple question trying to establish if they were the person responsible for hacking the Turkish Embassy website and you get the run around. Our hacker in question responds with the standard, “I’ve got no idea what you’re talking about.” ANNOYING
Then in our comments section, a Chinese hacker leaves a message saying that it was all just a crazy coincidence and this is the wrong guy. Next, someone using a different name leaves the comment “Mafia Baron MSN:firstname.lastname@example.org” without any further explanation. ANNOYING
Apr 24 2009
Best hobby in the world.
a trim 46-year-old.” I pushed for other words like swashbuckling, ruggedly handsome and athletic until Mara started mentioning other adjectives such as weird, strange and goofy.
Hackers: the China Syndrome by Mara Hvistendahl
Apr 04 2009
Remember the fable about the Scorpion and the Frog? Well, we got stung…
Lost33 did not make contact with Jumper last night. In fact, it seems he spent the night changing his QQ number and deleting all info from his blog. The website is now completely empty, except for a change to his personal data. Lost33 changed his current residence from Sichuan to Beijing:
We retained a full copy of the previous night’s conversation with Lost33 but have decided to only release two sections. The first section is being reprinted to prove the connection between Lost33 and the losttemp33 hotmail account:
The second section is being released…well, to be honest, just because I think it is funny. I can practically see Jumper’s expression as he types, “Yes, really.”
Are we surprised, shocked, or angry over Lost33 punking us…
-Hey, it’s just his nature.
Apr 03 2009
UPDATE: Added further comment by Nart Villeneuve at the bottom (Great guy!)
Yep, that would be us…
According to researchers at IWM, Lost33′s information was only included in the GhostNet report because his malware was found on two computers associated with the Dalai Lama’s network. However, it was different from the remote control access tool gh0stRAT that made up the backbone of GhostNet.
From the report by Robert Lemos at Security Focus:
However, the e-mail address was found only on two of the computers analyzed for the investigation, said Nart Villeneuve, a researcher at the CitizenLab and one of the authors of the GhostNet report. Both computers had been infected with a second piece of malware, separate from the gh0st remote access tool (gh0stRAT) that formed the backbone of the surveillance network, he said.
“That is a valid piece of malware but it is not the one related to the malware that connected to the admin interface for the gh0stRAT,” Villeneuve said.
So it looks like we are now investigating a massive network intrusion of two computers. One, two. We will call our project CasperNet.
Spoke with Jumper earlier today and he still feels it is worthwhile to pursue. So, he will continue his conversation with Lost33 tonight.
UPDATE: Wanted to add this comment left by Nart Villeneuve because I thought it was super nice of him. I botched up his report but he was still kind enough to stop by and offer these words of encouragement:
“I wouldn’t say lesser at all — just different. The CasperNet (www.lookbytheway.net/www.macfeeresponse.org) which sounds way better than what I’ve been calling it (CGI after their use of CGI scripts) was the one that was found to be retrieving a sensitive document related to the Dalai Lama’s negotiating position. In addition to being found at the OHHDL it was also found at the Tibetan NGO Drewla.”
Apr 02 2009
UPDATE: James Tay from Citizen Lab left us a comment. That’s right, part of the support team for the Ghostnet Report. God, we really should have cleaned up the place. Thanks for taking the time to stop by James! (originally I stated he was a contributing author, James has clarified).
UPDATE2: Lost33 is now in contact with us and we are trying to get his side of the story. He has requested we mask his QQ number now that he is in contact and we have complied. (Never do late night updates. A commenter pointed out that the original wording for this update sounded like we were holding his QQ hostage unless he spoke with us. That certainly wasn’t my meaning but that is definitely what it sounded like. Just wanted to explain the reason for the sudden masking of his contact number.)
First, hats off to the researchers at IWM. They did great work on the GhostNet project and we owe them a debt of gratitude for sharing it with us.
One aspect skipped over in the GhostNet report were the e-mails associated with the websites, email@example.com and firstname.lastname@example.org. For the last two days, Jumper and I have been tracking them down to see where they would take us.
Comparing the Whois returns for two of the websites involved, macfeeresponse.com and scratchindian.com, yields startlingly similar results:
Double-click to fully englarge
We conclude that this is the same person using different e-mail addresses or associates working together. The domains are registered on the same server and are too close in content to be considered a random coincidence.
The Opanpan e-mail went nowhere, so we concentrated on losttemp33. A simple Google search for the e-mail address, led us to the website for Programmers United Development Net:
Clicking on the link leads to three programs losttemp33 provided for download.
Next we were able to locate a post from 2005 on Windows hacking:
Notice that the author of this post uses the signature Lost33 in the upper left-hand corner. Using the signature Lost33 and the Chinese characters for hacker (黑客), we were able to find an individual who was associated with Xfocus, Isbase and even seems to have studied under Glacier. More importantly, we found a blog under the same name.
This blog stopped getting updates in 2006 but provided us with a couple of more clues to keep searching. The first red box shows the date of birth as 24 July 1982 and place of current residence as Chengdu City, Sichuan. It is important to recall that all of the Whois results for GhostNet associated websites showed Chengdu, Sichuan as the city and province for the organization. The second red box at the bottom is Lost33′s personal motto, “The bored soldier swaying on an empty battlefield.”
We kept searching but it seemed like we had hit a brick wall, Lost33 vanished from the internet in 2006. That was when we decided that a person might change their user id but never their motto. Can’t abandon your motto.
Plugged in the “The bored soldier,” and bingo…The Bored Soldier’s blog space:
Lost33 now blogs under the name Damnfootman:
Why are we sure this is the same person as Lost33? Well, they not only share the same motto but birth date and place of residence as well:
Blog bits of interest
- Lost33 attended the University of Electronic Science and Technology in China.
- Lost33 is also keeping up with friends at Xfocus and NSfocus on garden variety hacker tools.
We have left a couple of posts on Lost33′s blog and are waiting to see if he will respond:
The note asks Lost33 if he would be willing to discuss the GhostNet matter with us.
There were two QQ numbers associated with the opanpan and lost33 email addresses. We attempted to contact both of them but were rejected.
While we are aware that there are other lost33 websites out there, such as myspace/lost33, these do not meet the profile of our hacker. It would be a very unusual set of circumstances that would lead to such a bizarre set of coincidences coming together as we have here:
- The Ghostnet websites list Chengdu, Sichuan under organization and the pseudonym losttemp33 as the contact e-mail address.
- The e-mail address email@example.com has been posted on at least two websites dealing with computer programming. The post on hacking Windows shows that the person also uses the alias lost33 as an alternative to the full e-mail address.
- An individual using the lost33 signature has posted on several Chinese hacker forums including Xfocus and Isbase (the Green Army). He may even have been a student under Glacier.
- The first lost33 website shows a birth date of 24 July 1982 and current address as Chengdu, Sichuan. The website motto is, “The bored solider sways on the empty battlefield.”
- The second “bored soldier” website is clearly owned by the same person as the first lost33 website. The owners were born on the same date; both live in Chengdu, Sichuan and use the same motto. The new website has links with known hacker websites (Xfocus, NSfocus and Eviloctal), links to hacker programs and demonstrates and education in technology (University of Electronic Science and Technology of China).
Obviously the weakest link in the analysis is the jump between losttemp33 and lost33 but we feel the weight of the evidence shows a connection. We do not conclusively claim this person is involved but we think further inquiry is needed.
<edit> – A few readers have asked for the QQ number that was redacted. Since lost33 doesn’t seem to be using that QQ number anymore – here is the original screenshot:
Apr 02 2009
I posted this yesterday on a Chinese blog and Jumper has been trying to reach him via QQ:
The note asks the owner of the website if he would be willing to discuss the GhostNet matter with us.
He logged on for several hours after the question had been posted but has not responded as of this time.
This story will run later today, with or without communication from the individual.
Feb 15 2009
What does the Charging Bull have in common with the Chinese Vampire? According to Dr. Shi Xiaohong, who performed extensive analysis on the two viruses, they were written by the same author.
Sina Tech News has been reporting on the rapid spread of a relatively new virus called “Charging Bull.” Probably got the name from appearing around the same time as the Chinese New Year, Year of the Ox. Let’s face it, “Charging Ox” does not sound cool.
Jan 27 2009
On 18 January, we gave you a look at how to spot hot trends in China and the possibility that Chinese hackers were using similar tools to find targets for malware. Getting the most bang for your buck. Today, I’ve decided to see if my knowledge is worth anything.
Prediction: “Chinese body art” sites and body art pictures (人体艺术照片) will be high on the list for hackers. Why?
According to Google Insight, there has been a 2400% increase in the number of searches for this term over the last seven days.
It is also showing up in the #19 spot as hot searches on Top Baidu. What is Chinese body art? Shhh, it’s pron. Artsy pron. Let’s see, China announces crackdown on pron…now this “art” makes the top searches on Google and Baidu. Hmmm?
Going back to Google Insight, you can get your tags for search engine optimization over the past 30 days:
Really want to get fancy and you could add cities: