Archive for the 'Hacker Hunting' Category

Apr 06 2010

IWM and Shadow Server Project Report: Shadows in the Clouds

The researchers at InfoWar Monitor and Shadow Server have released a great research paper that adds to the Ghostnet report from last year. TDV gets a plug in the report for our chat with lost33.

8 responses so far

Jul 19 2009

Leader of Chinese hacker group that planned DDoS attack on CNN identified

In April of 2008, we reported Revenge of the Flame‘s plan to carry out a DDoS attack on the CNN website.  A series of events during that time period enraged the Chinese online community: European nations harshly criticized China’s response to the Tibetan uprising; pro-Tibetan independence protesters in Paris tried to snatch the Olympic torch from the hands of a wheelchair-bound Chinese female athlete; and Jack Cafferty, a CNN commentator, referred to Chinese products as “junk” and called the Chinese government “goons and thugs.”   In response to these insults, Anti-CNN called for overseas Chinese in Europe to wave the Chinese flag and raise their voice to the sky.

In response to these same events, a hacker, using the online name cn_magistrate, formed a group called Revenge of the Flame and announced his plan to carry out a DDoS attack on the  CNN website.  We followed the events as calls went out for Chinese netizens to join the action.  We were there when cn_magistrate called off the attack and disbaned the organization.  Then he vanished…

cnmagistrate

cn_magistrate

Cold Case:  Yeah, we keep looking.  Finally located him through a combination of e-mail address, website and online name.   Below are the results of a Whois search we conducted on the associated website during the time of the attack (Notice the website name and e-mail address):

Domain Name: hacksa.cn
ROID: 20070811s10001s50288265-cn
Domain Status: ok
Registrant Organization: 判官
Registrant Name: 判官
Administrative Email: Kenan2677@126.com
Sponsoring Registrar: 北京万网志成科技有限公司
Name Server:ns1.okidc.com Name Server:ns2.okidc.com
Registration Date: 2007-08-11 11:59
Expiration Date: 2008-08-11 11:59

cnmagistrate2

Hacksa.cn website letter

The image seen above was taken from cn_magistrate’s current blog showing the old URL  hacksa.cn,  which was associated with the CNN attack.

cnmagistrate4

This reply from cn_magistrate in the comments section of his blog shows the e-mail address  Kenan2677@126.com, used to register hacksa.cn.

SURPRISE…

cnmagistrate3

He claims to be a Taiwanese citizen…

I’ve written to cn_magistrate and asked if he will talk to us about the incident.  Off topic, did anyone hear the news about Taiwan and the US coming closer to an extradition agreement?  That would be cool.

3 responses so far

Jul 14 2009

Hacker hunting: Finding the Mafia Baron

baron

Chinese hackers are annoying, it’s a fact.  You ask a simple question trying to establish if they were the person responsible for  hacking the Turkish Embassy website and you get the run around.  Our hacker in question responds with the standard, “I’ve got no idea what you’re talking about.” ANNOYING

Then in our comments section, a Chinese hacker leaves a message saying that it was all just a crazy coincidence and this is the wrong guy.  Next, someone using a different name leaves the comment “Mafia Baron MSN:lfort@lvte.cn” without any further explanation.  ANNOYING

Continue Reading »

4 responses so far

Apr 24 2009

Hackers: the China Syndrome by Mara Hvistendahl

Best hobby in the world.

It was absolutely my privilege to  spend a few days talking with Mara Hvistendahl on the subject of Chinese hackers.  She is such a fantastic lady and I couldn’t have enjoyed our time more.

While linking to our interview may seem a bit of shameless self-promotion, I mainly wanted it on record that Mara called me, “a trim 46-year-old.”  I pushed for other words like swashbuckling, ruggedly handsome and athletic until Mara started mentioning other adjectives such as weird, strange and goofy.

…TRIM!

Hackers: the China Syndrome by Mara Hvistendahl


4 responses so far

Apr 04 2009

CasperNet gets punked

Remember the fable about the Scorpion and the Frog?  Well, we got stung…

Lost33 did not make contact with Jumper last night.  In fact, it seems he spent the night changing his QQ number and deleting all info from his blog. The website is now completely empty, except for a change to his personal data.  Lost33 changed his current residence from Sichuan to Beijing:

CapserNetPunk1

We retained a full copy of the previous night’s conversation with Lost33 but have decided to only release two sections.  The first section is being reprinted to prove the connection between Lost33 and the losttemp33 hotmail account:

jumper_tdv 2009-04-02 23:57:28
Do you have the email address losttemp33@hotmail.com?
周小屁 2009-04-02 23:57:30
Sorry for my english too
周小屁 2009-04-02 23:58:11
yes ,but i never use it.

The second section is being released…well, to be honest, just because I think it is funny. I can practically see Jumper’s expression as he types, “Yes, really.”

jumper_tdv 2009-04-03 00:05:29
The problem is that your lost33 email is used to register DNS names for hackers
周小屁 2009-04-03 00:05:43
really?

jumper_tdv 2009-04-03 00:05:51
Yes, really

Are we surprised, shocked, or angry over Lost33 punking us…

-Hey, it’s just his nature.

6 responses so far

Apr 03 2009

Children of a lesser malware

UPDATE: Added further comment by Nart Villeneuve at the bottom (Great guy!)

Yep, that would be us…

According to researchers at IWM, Lost33′s information was only included in the GhostNet report because his malware was found on two computers associated with the Dalai Lama’s network.  However, it was different from the remote control access tool gh0stRAT that made up the backbone of GhostNet.

From the report by Robert Lemos at Security Focus:

However, the e-mail address was found only on two of the computers analyzed for the investigation, said Nart Villeneuve, a researcher at the CitizenLab and one of the authors of the GhostNet report. Both computers had been infected with a second piece of malware, separate from the gh0st remote access tool (gh0stRAT) that formed the backbone of the surveillance network, he said.

“That is a valid piece of malware but it is not the one related to the malware that connected to the admin interface for the gh0stRAT,” Villeneuve said.

So it looks like we are now investigating a massive network intrusion of two computers.  One, two.  We will call our project CasperNet.

Spoke with Jumper earlier today and he still feels it is worthwhile to pursue.  So, he will continue his conversation with Lost33 tonight.

UPDATE: Wanted to add this comment left by Nart Villeneuve because I thought it was super nice of him.  I botched up his report but he was still kind enough to stop by and offer these words of encouragement:

“I wouldn’t say lesser at all — just different. The CasperNet (www.lookbytheway.net/www.macfeeresponse.org) which sounds way better than what I’ve been calling it (CGI after their use of CGI scripts) was the one that was found to be retrieving a sensitive document related to the Dalai Lama’s negotiating position. In addition to being found at the OHHDL it was also found at the Tibetan NGO Drewla.”

3 responses so far

Apr 02 2009

Hunting the GhostNet Hacker

UPDATE: James Tay from Citizen Lab left us a comment.  That’s right, part of the support team for the Ghostnet Report.  God, we really should have cleaned up the place.  Thanks for taking the time to stop by James! (originally I stated he was a contributing author, James has clarified).

UPDATE2: Lost33 is now in contact with us and we are trying to get his side of the story.  He has requested we mask his QQ number now that he is in contact and we have complied.  (Never do late night updates.  A commenter pointed out that the original wording for this update sounded like we were holding his QQ hostage unless he spoke with us.  That certainly wasn’t my meaning but that is definitely what it sounded like.  Just wanted to explain the reason for the sudden masking of his contact number.)

First, hats off to the researchers at IWM.  They did great work on the GhostNet project and we owe them a debt of gratitude for sharing it with us.

The Hunt

One aspect skipped over in the GhostNet report were the e-mails associated with the websites, losttemp33@hotmail.com and opanpan@gmail.com.  For the last two days, Jumper and I have been tracking them down to see where they would take us.

Comparing the Whois returns for two of the websites involved, macfeeresponse.com and scratchindian.com, yields startlingly similar results:

ghostnetwhoiscompare

Double-click to fully englarge

We conclude that this is the same person using different e-mail addresses or associates working together.  The domains are registered on the same server and are too close in content to be considered a random coincidence.

The Opanpan e-mail went nowhere, so we concentrated on losttemp33.  A simple Google search for the e-mail address, led us to the website for Programmers United Development Net:

ghostnetPUDN

Clicking on the link leads to three programs losttemp33 provided for download.

Next we were able to locate a post from 2005 on Windows hacking:

ghostnetfirstemail

Notice that the author of this post uses the signature Lost33 in the upper left-hand corner.  Using the signature Lost33 and the Chinese characters for hacker (黑客), we were able to find an individual who was associated with Xfocus, Isbase and even seems to have studied under Glacier.  More importantly, we found a blog under the same name.

ghostnetmopprofile

This blog stopped getting updates in 2006 but provided us with a couple of more clues to keep searching.  The first red box shows the date of birth as 24 July 1982 and place of current residence as Chengdu City, Sichuan.  It is important to recall that all of the Whois results for GhostNet associated websites showed Chengdu, Sichuan as the city and province for the organization. The second red box at the bottom is Lost33′s personal motto, “The bored soldier swaying on an empty battlefield.”

We kept searching but it seemed like we had hit a brick wall, Lost33 vanished from the internet in 2006.  That was when we decided that a person might change their user id but never their motto.  Can’t abandon your motto.

Plugged in the “The bored soldier,” and bingo…The Bored Soldier’s blog space:

ghostnetbannerheader

Lost33 now blogs under the name Damnfootman:

ghostnetdamnfootman

Why are we sure this is the same person as Lost33?  Well, they not only share the same motto but birth date and place of residence as well:

ghostnetprofile

Blog bits of interest

  • He has a link on the website to the Chinese hacker forum for Eviloctal and our dear friend Sunwear.

We have left a couple of posts on Lost33′s blog and are waiting to see if he will respond:

ghostnetpost

The note asks Lost33 if he would be willing to discuss the GhostNet matter with us.

There were two QQ numbers associated with the opanpan and lost33 email addresses.  We attempted to contact both of them but were rejected.

Summary

While we are aware that there are other lost33 websites out there, such as myspace/lost33, these do not meet the profile of our hacker. It would be a very unusual set of circumstances that would lead to such a bizarre set of coincidences coming together as we have here:

  • The Ghostnet websites list Chengdu, Sichuan under organization and the pseudonym losttemp33 as the contact e-mail address.
  • The e-mail address losttemp33@hotmail.com has been posted on at least two websites dealing with computer programming. The post on hacking Windows shows that the person also uses the alias lost33 as an alternative to the full e-mail address.
  • An individual using the lost33 signature has posted on several Chinese hacker forums including Xfocus and Isbase (the Green Army). He may even have been a student under Glacier.
  • The first lost33 website shows a birth date of 24 July 1982 and current address as Chengdu, Sichuan. The website motto is, “The bored solider sways on the empty battlefield.”
  • The second “bored soldier” website is clearly owned by the same person as the first lost33 website. The owners were born on the same date; both live in Chengdu, Sichuan and use the same motto. The new website has links with known hacker websites (Xfocus, NSfocus and Eviloctal), links to hacker programs and demonstrates and education in technology (University of Electronic Science and Technology of China).

Obviously the weakest link in the analysis is the jump between losttemp33 and lost33 but we feel the weight of the evidence shows a connection. We do not conclusively claim this person is involved but we think further inquiry is needed.

<edit> – A few readers have asked for the QQ number that was redacted.  Since lost33 doesn’t seem to be using that QQ number anymore – here is the original screenshot:

lost33's QQ

20 responses so far

Apr 02 2009

A simple post

Published by under Hacker Hunting

I posted this yesterday on a Chinese blog and Jumper has been trying to reach him via QQ:

ghostnetmask

The note asks the owner of the website if he would be willing to discuss the GhostNet matter with us.

He logged on for several hours after the question had been posted but has not responded as of this time.

This story will run later today, with or without communication from the individual.

Comments Off

Feb 15 2009

Charging Bull and Chinese Vampire

bullvampire

What does the Charging Bull have in common with the Chinese Vampire? According to Dr. Shi Xiaohong, who performed extensive analysis on the two viruses, they were written by the same author.

Sina Tech News has been reporting on the rapid spread of a relatively new virus called “Charging Bull.” Probably got the name from appearing around the same time as the Chinese New Year, Year of the Ox.  Let’s face it, “Charging Ox” does not sound cool.

In June of 08, we told you about Chinese Vampire and later the next month about the big controvery surrounding the original author.

One response so far

Jan 27 2009

Chinese body art 人体艺术

On 18 January, we gave you a look at how to spot hot trends in China and the possibility that Chinese hackers were using similar tools to find targets for malware.  Getting the most bang for your buck.  Today, I’ve decided to see if my knowledge is worth anything.

Prediction: “Chinese body art” sites and body art pictures (人体艺术照片) will be high on the list for hackers.  Why?

insight

According to Google Insight, there has been a 2400% increase in the number of searches for this term over the last seven days.

baidurenben

It is also showing up in the #19 spot as hot searches on Top Baidu.  What is Chinese body art?  Shhh, it’s pron.  Artsy pron.  Let’s see, China announces crackdown on pron…now this “art” makes the top searches on Google and Baidu.  Hmmm?

Going back to Google Insight, you can get your tags for search engine optimization over the past 30 days:

1. 艺术照片

2. 人体艺术

3. 人体

4. 人体艺术图片

5.  人体写真

Really want to get fancy and you could add cities:

insight2

6 responses so far

Next »