In response to these same events, a hacker, using the online name cn_magistrate, formed a group called Revenge of the Flame and announced his plan to carry out a DDoS attack on the  CNN website.  We followed the events as calls went out for Chinese netizens to join the action.  We were there when cn_magistrate called off the attack and disbaned the organization.  Then he vanished…

cn_magistrate

Cold Case:  Yeah, we keep looking.  Finally located him through a combination of e-mail address, website and online name.   Below are the results of a Whois search we conducted on the associated website during the time of the attack (Notice the website name and e-mail address):

Domain Name: hacksa.cn
ROID: 20070811s10001s50288265-cn
Domain Status: ok
Registrant Organization: 判官
Registrant Name: 判官
Administrative Email: Kenan2677@126.com
Sponsoring Registrar: 北京万网志成科技有限公司
Name Server:ns1.okidc.com Name Server:ns2.okidc.com
Registration Date: 2007-08-11 11:59
Expiration Date: 2008-08-11 11:59

Hacksa.cn website letter

The image seen above was taken from cn_magistrate’s current blog showing the old URL  hacksa.cn,  which was associated with the CNN attack.

This reply from cn_magistrate in the comments section of his blog shows the e-mail address  Kenan2677@126.com, used to register hacksa.cn.

SURPRISE…

He claims to be a Taiwanese citizen…

I’ve written to cn_magistrate and asked if he will talk to us about the incident.  Off topic, did anyone hear the news about Taiwan and the US coming closer to an extradition agreement?  That would be cool.

Chinese hackers are annoying, it’s a fact.  You ask a simple question trying to establish if they were the person responsible for  hacking the Turkish Embassy website and you get the run around.  Our hacker in question responds with the standard, “I’ve got no idea what you’re talking about.” ANNOYING

Then in our comments section, a Chinese hacker leaves a message saying that it was all just a crazy coincidence and this is the wrong guy.  Next, someone using a different name leaves the comment “Mafia Baron MSN:lfort@lvte.cn” without any further explanation.  ANNOYING

Time to revisit the hacker’s website and see what I missed.  One of the first things I looked for was the name Mafia Baron in the blogroll section to make sure I hadn’t made a mistake…and it wasn’t there.  Bless Google cache for keeping a copy from the 12th, clearly showing the link to Mafia Baron (on left) even though it was removed today (on right). ANNOYING

When you rolled over the link for Mafia Baron,  it pointed back to the same website, http://hi.baidu.com/forhack.  It just might be that the owner of the  site accidentally  linked to his own website and not that of the Baron.   ANNOYING

Why do I think the site owner accidentally linked to his own site?  Baidu blogs have a special feature that shows the last couple of visitors to your site if they are also using Baidu blogs and one of the guests had lfort08 underneath his icon.  It was too similar to the address left in our comments section to be unrelated:

Clicking on the icon takes you to the Mafia Baron’s website and in his photo album is a screen shot of the embassy defacement, time stamped only 46 minutes after the reported time of the attack:  ANNOYING

You know, if all of the stuff on the Baron’s website just disappears, it will really be…

It was absolutely my privilege to  spend a few days talking with Mara Hvistendahl on the subject of Chinese hackers.  She is such a fantastic lady and I couldn’t have enjoyed our time more.

While linking to our interview may seem a bit of shameless self-promotion, I mainly wanted it on record that Mara called me, “a trim 46-year-old.”  I pushed for other words like swashbuckling, ruggedly handsome and athletic until Mara started mentioning other adjectives such as weird, strange and goofy.

…TRIM!

Hackers: the China Syndrome by Mara Hvistendahl

Lost33 did not make contact with Jumper last night.  In fact, it seems he spent the night changing his QQ number and deleting all info from his blog. The website is now completely empty, except for a change to his personal data.  Lost33 changed his current residence from Sichuan to Beijing:

We retained a full copy of the previous night’s conversation with Lost33 but have decided to only release two sections.  The first section is being reprinted to prove the connection between Lost33 and the losttemp33 hotmail account:

The second section is being released…well, to be honest, just because I think it is funny. I can practically see Jumper’s expression as he types, “Yes, really.”

Are we surprised, shocked, or angry over Lost33 punking us…

-Hey, it’s just his nature.

Yep, that would be us…

According to researchers at IWM, Lost33’s information was only included in the GhostNet report because his malware was found on two computers associated with the Dalai Lama’s network.  However, it was different from the remote control access tool gh0stRAT that made up the backbone of GhostNet.

From the report by Robert Lemos at Security Focus:

However, the e-mail address was found only on two of the computers analyzed for the investigation, said Nart Villeneuve, a researcher at the CitizenLab and one of the authors of the GhostNet report. Both computers had been infected with a second piece of malware, separate from the gh0st remote access tool (gh0stRAT) that formed the backbone of the surveillance network, he said.

“That is a valid piece of malware but it is not the one related to the malware that connected to the admin interface for the gh0stRAT,” Villeneuve said.

So it looks like we are now investigating a massive network intrusion of two computers.  One, two.  We will call our project CasperNet.

Spoke with Jumper earlier today and he still feels it is worthwhile to pursue.  So, he will continue his conversation with Lost33 tonight.

UPDATE: Wanted to add this comment left by Nart Villeneuve because I thought it was super nice of him.  I botched up his report but he was still kind enough to stop by and offer these words of encouragement:

“I wouldn’t say lesser at all — just different. The CasperNet (www.lookbytheway.net/www.macfeeresponse.org) which sounds way better than what I’ve been calling it (CGI after their use of CGI scripts) was the one that was found to be retrieving a sensitive document related to the Dalai Lama’s negotiating position. In addition to being found at the OHHDL it was also found at the Tibetan NGO Drewla.”

UPDATE2: Lost33 is now in contact with us and we are trying to get his side of the story.  He has requested we mask his QQ number now that he is in contact and we have complied.  (Never do late night updates.  A commenter pointed out that the original wording for this update sounded like we were holding his QQ hostage unless he spoke with us.  That certainly wasn’t my meaning but that is definitely what it sounded like.  Just wanted to explain the reason for the sudden masking of his contact number.)

First, hats off to the researchers at IWM.  They did great work on the GhostNet project and we owe them a debt of gratitude for sharing it with us.

The Hunt

One aspect skipped over in the GhostNet report were the e-mails associated with the websites, losttemp33@hotmail.com and opanpan@gmail.com.  For the last two days, Jumper and I have been tracking them down to see where they would take us.

Comparing the Whois returns for two of the websites involved, macfeeresponse.com and scratchindian.com, yields startlingly similar results:

Double-click to fully englarge

We conclude that this is the same person using different e-mail addresses or associates working together.  The domains are registered on the same server and are too close in content to be considered a random coincidence.

The Opanpan e-mail went nowhere, so we concentrated on losttemp33.  A simple Google search for the e-mail address, led us to the website for Programmers United Development Net:

Clicking on the link leads to three programs losttemp33 provided for download.

Next we were able to locate a post from 2005 on Windows hacking:

Notice that the author of this post uses the signature Lost33 in the upper left-hand corner.  Using the signature Lost33 and the Chinese characters for hacker (黑客), we were able to find an individual who was associated with Xfocus, Isbase and even seems to have studied under Glacier.  More importantly, we found a blog under the same name.

This blog stopped getting updates in 2006 but provided us with a couple of more clues to keep searching.  The first red box shows the date of birth as 24 July 1982 and place of current residence as Chengdu City, Sichuan.  It is important to recall that all of the Whois results for GhostNet associated websites showed Chengdu, Sichuan as the city and province for the organization. The second red box at the bottom is Lost33’s personal motto, “The bored soldier swaying on an empty battlefield.”

We kept searching but it seemed like we had hit a brick wall, Lost33 vanished from the internet in 2006.  That was when we decided that a person might change their user id but never their motto.  Can’t abandon your motto.

Plugged in the “The bored soldier,” and bingo…The Bored Soldier’s blog space:

Lost33 now blogs under the name Damnfootman:

Why are we sure this is the same person as Lost33?  Well, they not only share the same motto but birth date and place of residence as well:

Blog bits of interest

• Lost33 attended the University of Electronic Science and Technology in China.

• He has a link on the website to the Chinese hacker forum for Eviloctal and our dear friend Sunwear.

• Lost33 is also keeping up with friends at Xfocus and NSfocus on garden variety hacker tools.

We have left a couple of posts on Lost33’s blog and are waiting to see if he will respond:

The note asks Lost33 if he would be willing to discuss the GhostNet matter with us.

There were two QQ numbers associated with the opanpan and lost33 email addresses.  We attempted to contact both of them but were rejected.

Summary

While we are aware that there are other lost33 websites out there, such as myspace/lost33, these do not meet the profile of our hacker. It would be a very unusual set of circumstances that would lead to such a bizarre set of coincidences coming together as we have here:

• The Ghostnet websites list Chengdu, Sichuan under organization and the pseudonym losttemp33 as the contact e-mail address.

• The e-mail address losttemp33@hotmail.com has been posted on at least two websites dealing with computer programming. The post on hacking Windows shows that the person also uses the alias lost33 as an alternative to the full e-mail address.

• An individual using the lost33 signature has posted on several Chinese hacker forums including Xfocus and Isbase (the Green Army). He may even have been a student under Glacier.

• The first lost33 website shows a birth date of 24 July 1982 and current address as Chengdu, Sichuan. The website motto is, “The bored solider sways on the empty battlefield.”

• The second “bored soldier” website is clearly owned by the same person as the first lost33 website. The owners were born on the same date; both live in Chengdu, Sichuan and use the same motto. The new website has links with known hacker websites (Xfocus, NSfocus and Eviloctal), links to hacker programs and demonstrates and education in technology (University of Electronic Science and Technology of China).

Obviously the weakest link in the analysis is the jump between losttemp33 and lost33 but we feel the weight of the evidence shows a connection. We do not conclusively claim this person is involved but we think further inquiry is needed.

<edit> – A few readers have asked for the QQ number that was redacted.  Since lost33 doesn’t seem to be using that QQ number anymore – here is the original screenshot:

The note asks the owner of the website if he would be willing to discuss the GhostNet matter with us.

He logged on for several hours after the question had been posted but has not responded as of this time.

This story will run later today, with or without communication from the individual.

What does the Charging Bull have in common with the Chinese Vampire? According to Dr. Shi Xiaohong, who performed extensive analysis on the two viruses, they were written by the same author.

Sina Tech News has been reporting on the rapid spread of a relatively new virus called “Charging Bull.” Probably got the name from appearing around the same time as the Chinese New Year, Year of the Ox.  Let’s face it, “Charging Ox” does not sound cool.

In June of 08, we told you about Chinese Vampire and later the next month about the big controvery surrounding the original author.

Prediction: “Chinese body art” sites and body art pictures (人体艺术照片) will be high on the list for hackers.  Why?

According to Google Insight, there has been a 2400% increase in the number of searches for this term over the last seven days.

It is also showing up in the #19 spot as hot searches on Top Baidu.  What is Chinese body art?  Shhh, it’s pron.  Artsy pron.  Let’s see, China announces crackdown on pron…now this “art” makes the top searches on Google and Baidu.  Hmmm?

Going back to Google Insight, you can get your tags for search engine optimization over the past 30 days:

1. 艺术照片

2. 人体艺术

3. 人体

4. 人体艺术图片

5.  人体写真

Really want to get fancy and you could add cities:

Trojan Horse

So the Analyt’s Diary blog at viruslist.com has an article on some new mass SQL injection attack that jacks up .asp pages with redirects to browser exploits. The exploits drop one of two trojans that steal passwords and whatnot. Here is h.js:

document.write(“”);
document.write(“”);

Wordpress won’t display the script. Basically, it loads an iframe that points to two separate URLS (these URLs contain browser exploits so don’t follow them):

hxxp://vvexe.com/haha/index.html and
hxxp://www.kenya.com/faq.htm

I can’t seem to get to either of these sites at the moment. I’ll try again later.

Update:  I spent some time looking at this malware.  The two pages listed earlier in this post contain iframes to browser plug-in exploits for real player and other typical vulnerabilities.  The exploits attempt to load and run down.exe (e160f590d894a98474697ac0db987746 not packed/delphi code) which in turn downloads hxxp://www.vvexe.com/haha/down.txt to get the additional files 1.exe (a7fc8c966fdeb550fe19aba3169569be not packed/VC++), do.exe (5af5edaa2cebf1fed56ad36799b2c850 ) and cool.exe (18867d6de1a3a9241c14c22c19b51351 not packed/delphi).

1.exe is a WoW trojan and waits for passwords sent to:

grunt.wowchina.com and [kr|us|tw|eu].[version|logon].worldofwarcraft.com.  It also looks for and attempts to disable many types of security software.  It attempts to send the stolen credentials to an asp on www.yilu777.com.

do.exe is a little more interesting.  It appears to be a generic remote access trojan that sends a beacon to qq number 58836533.  A quick search for that qq number revealed that this person’s paipai account has been frozen:

So I do some more digging and find the QQ profile with a name and nick:

Searching for the nickname got me to a few blogs and profiles that had some young girl who is really into anime. Maybe her QQ account got pwn3d or maybe, just maybe she is a member of “China Girl Security”. I tried to get an add on that QQ account so I could talk to the hacker but didn’t have any luck.

Note to Chinese hackers: Please pay the tax on your WoW gold profits.