The Dark Visitor

On May 29th, we posted a profile of Cn Girl Security Team, an organization of female hackers. A reporter from the Daily News and Analysis, Venkatesan Vembu, picked up the story and called for an interview.

Not sure how widely the story was circulated in the western press but it sure was popular in China.

On her blog, Xiao Tian admits that all the sudden publicity came as a shock when people started calling asking about the article. She claims to have stepped away from the “security” site for quite some time and that much of what was written was hype. Just a girl who enjoys blogging and computers. For someone who takes so many pictures of herself, it is hard to believe that this has become such a burden on her.

The Cn Girl Security Team website has been showing a 403 error for the past week and some have suggested it was done by hackers. They say this further demonstrates the low-level technical skills possessed by the group. Xiao Tian denies the rumor and contends there was a problem with the hosting service.

Either way, one more hacker website bites the dust. Hundreds remain but we got you covered.

Bruce Schneier is a well-known security and cryptography researcher.  He has a popular blog where he posted his recent article detailing “The Truth About Chinese Hackers”, which was written for Discovery Channel.

This article is not particularly insightful and sort of lumps all of the Chinese hackers into a single group of young, male patriotic kids doing it for the babes and limos.

These hacker groups seem not to be working for the Chinese government. They don’t seem to be coordinated by the Chinese military.

The hackers are in this for two reasons: fame and glory, and an attempt to make a living.

This is very short sighted.  We should be honest here, neither Bruce Schneier nor Heike and I know with absolute certainty what Chinese hackers are doing, who is coordinating them and who might be paying them.  Maybe the article shouldn’t be titled “The Truth About Chinese Hacker” because Bruce doesn’t know what the truth is (Heike would have said that he couldn’t handle the truth either, but that’s not my style).

I think a lot of people assume that activity attributed to the PRC is simply based on the IP address.  After studying spear phishing attacks, custom malware attacks and the types of data that have been exfiltrated from various NGO targets it seems likely that some entity is coordinating the collection and exploitation of this information.  In my humble opinion, there may be more to this than WoW passwords.

UPDATE: Dominic reminds me that some people might not be as Chinese hacker obsessed as myself and suggests I give some links as to why Withered Rose is important.  Whoops on my part! For some background on rose, read here and here.

As mentioned yesterday and updated today, Withered Rose (Tan Dailin) is back to his old haunts; both mghacker.com and ncph.net websites are up and running again. Just a couple of observations:

1) Rose has done some scrubbing of his personal blog mghacker.com. Had to go to the wayback machine to make sure but you can tell a number of posts have been deleted for some reason by comparing the wayback machine to what is listed on the current blog’s archive. Rose has wiped out everything prior to March of 2007 and selectively edited the months still showing.

2) Not sure why but at least four of the new post on ncph.net are old posts from the mghacker.com blog:

a.

Mghacker 再现社会工程学 (29 Mar 2007)
Ncph 再现社会工程学 (31 May 2008)

b.

Mghacker 3389密码的嗅探 (29 Mar 2007)

Ncph 3389密码的嗅探 (11 May 2008)

c.

Mghacker Rainbow Table 分析 (10 Apr 2007)

Ncph Rainbow Table 分析 (11 May 2008)

d.

Mghacker 获取cuteftp中的ssh密码 (16 May 2007)

Ncph 获取cuteftp中的ssh密码 (11 May 2008)

3) Whois data shows that NCPH.net administrative contact as:

Administrative Contact:
ncph studio
ncph studio ()
si chuan li gong xue yuan
zigong, Sichuan, cn 643000
P: +86.13154663992 F: +86.13154663992

Sichuan Ligong Xueyuan is the Sichuan University of Science and Engineering. Rose founded NCPH while a student at the university. A Chinese hacker going by the name of Rodag, who was also a member of NCPH lists the university as a contact on his blog.

The contact number 86.13154663992, was noted by Jumper in an IRC log:

# jumperon 08 Dec 2007 at 11:04 pm edit this

In the second picture of Rose, he is using a tool called Metasploit on his computer. http://www.metasploit.com.

IDefense has a lot of stuff on NCPH and Rose. There are a couple of archived webcast videos about them on idefense’ website. I did a bunch of searching and found this funny tidbit:

21:41 gila poyo
21:41 you computer is hack by chinese’s hack infall, shit!
21:41 from http://www.chinahonker.com my name is tan dailin
21:41 contact us with QQ 5372453 or
21:41 tel:86+0+13154663992
21:41 my blog :www.mghacker.com or http://www.ncph.net
21:41 ~~~~~~~~~~~~~~~~~~~~~~~~~shit! you are a pig !
21:41 i found this in some machine
21:41 haha
21:41 YOUR COMPUTER IS HACK

It is from an archived IRC log. There isn’t any more context to go off of so I’m not sure who is who in this. Gila poyo is malay but I don’t know what it means.

My guess is the at the two of them are old college buddies.

4) What does this random sampling of information mean? Not much. Just wanted people to be aware that Mr. Rose is back in business and on the internet.

UPDATE 13 JULY 08: Still doing some research but at this point it is kind of a moot question… CHINESE HACKER WITHERED ROSE HAS RETURNED! Why I don’t do things the simple way is one of those questions that may never be answered. Did you checked his blog site?  Yep, Withered Rose reopened it on 2 July 08.  The only explanation given for the long absence was that he was busy but his new job allows him time to blog.  More later.

Jumper and I are in the process of looking through the posts at NCPH.net (it became active again on 14 April 08), a site previously run by Withered Rose, to determine if it is indeed the same organization.  The site went down after it received a bit of notoriety from a Time’s article titled Enemies at The Firewall.

There are at least two articles that detail hacks of Taiwanese websites but it is uncertain if it is still run by Rose.

Hopefully, more to follow.

Richard Bejtlich blogged about the AF Cyber Panel last month and provides a plug for the TDV book which he reviewed a while ago.  The Cyber Panel had some informal discussion about the cyber-militia:

In the US, our DoD relies upon professional, uniformed military members, government civilians, and an immense contracting force to defend the nation and project its military power. In China, their PLA mixes uniformed military with ordinary civilians, some of whom act at the behest of the military and government, with others acting on their own for “patriotic means.” 

The discussion turns into a comparison of the US/PRC capabilities and specifically how the US can recruit and retain qualified cyber warriors.  The problem seems to be that the PRC can call up an army of qualified patriotic hackers while the US is having problems recruiting and retaining talent.

Chinese hackers are much more organized than I could ever hope to be and as a consequence, do a lot of the heavy lifting for you in finding them. So, you want to figure out what groups are operating in certain regions of China, where do you begin? Let me suggest cn-hack.cn as a great place to start your research. They have conveniently broken down the groups by province and city:

Next, click on the area you are interested in (I chose Henan) and presto, hacker website from the region:

Not a comprehensive listing to be sure but thought it was interesting. Do you think they have their own sports teams?  Go, Beijing Hackers! Boo, Hebei!

New Chinese hacker program making the rounds called Chinese Vampire v2.2.1 (starving anti-virus) billed as a trojan downloader tool, ARP attack, QQ tail…etc. The screenshot below shows the downloader interface:

From what I have read about the tool, it is very effective. So effective in fact, that another Chinese hacker calling himself Sadness, from the Black Wolf hacker group, stole it. Yes, he did. Look at the trackback URLs associated with this screenshot compared to the one above (circled in red). Notice that our thief has changed it to the Black Wolf website instead of the www.9u9u9.cn address.

The true author of Vampire v2.2.1 runs the website pictured below and calls himself SKSgod…sigh. He was really unhappy with the theft of his property and posted a pretty nasty response to Sadness. Yeah, hacker on hacker violence doesn’t concern me in the least.

Now the truly exciting part of this post, there is also a female hacker involved in the marketing of this fine product named Jiajia (佳佳). Hmmm, you say…that name sounds familiar? Well it should! It is the same name as one of the members of the Six Golden Flowers.

Jiajia of the Six Golden Flowers

Is the same Jiajia? I don’t think it is but not sure. On her blog, this Jiajia claims that due to the controversy over the stolen program, there are only two legitimate sites to download Vampire v2.2.1. One is her site and the other at SKSgod’s. Yes, there was a picture associated with Jiajia’s website:

Now this girl certainly doesn’t look like Jiajia number one and she appears to be a bit younger. Also, the characters next to the picture said “Sleepless Night.” Hell, this could be the picture off an album cover (and yes I did try to see if I could find a record called Sleepless Night) for all I know. She may just be the Brittany Spears of China. Thought I would include it anyway…sue me.

Why do criminals always return to the scene of the crime?

When we last caught up with our old friend Coolswallow/Ericool/Peng Yinan, he was giving a presentation titled, “Hacker in a Nutshell,” at the Chen Ruiqiu building, located on the Jiaotong University campus.

Mr. Peng was not very happy with our coverage of his activities…see here. My response here.

Once again, he has been invited back to Jiaotong University to pass along his experience to job-seeking students studying information security engineering…of course it took place at the Chen Ruiqiu building.

Peng Yinan offering help to future information security specialists

As an alumni of the university, he was there to assist these young students in gaining employment in the information security industry:

Students in need…how will this help?

Not sure but…could this be considered a FAIL?

Yeah, I just wanted to give failblog.org a plug…love this website!

In the male dominated world of Chinese hackers, females find it difficult to be accepted as equals. Their technical skills are often viewed as inferior to their male counterparts.

As far as I am aware, the first group of female Chinese hackers to break this mold were the Six Golden Flowers. The Golden Flowers have since broken up and gone their separate ways, but a new and larger group has taken their place, the Cn (China) Girl Security Team.

The website for the China Girl Security Team was registered on 12 Mar 2007 and currently has 2,217 members. The leader of the group Xiao Tian, is only 19 years old:

One of Xiao Tian’s chief lieutenants, who goes by the online name of Clever Without Equal (that’s close anyway), is dialed into just about every major Chinese hacker site on her blog:

Also linked through Clever’s blog is Evbs:

She seems to be getting the hang of this hacking thing:

Ordinarily, I’d try to obfuscate text on this subject but since we’re already GFW’d, who cares…

A couple of sites are reporting that the well-known Tibet independence writer Woeser has had all or many of her online accounts hijacked and her website defaced with an anti-splittist message. The Honkers Union of China has taken responsibility.  The honkers have used her Skype account to attempt to contact her associates.  No word if the contact list has been abused to send malware.  Interesting snippet from the article:

The hackers removed the content of the website and replaced it with a gif animation of the Chinese flag with the headline “LONG LIVE THE PEOPLE’S REPUBLIC OF CHINA! “DOWN WITH TIBET INDEPENDENCE!” Below the animation is a photo of Woeser with the words “Please remember this Tibetan separatist Woeser’s ugly face. Whoever sees this ugly face, please beat her hard like one beats a dog.” Further text was added and has apparently been changed several times in the hours since the site was hacked. The website is currently hosted on a server in the United States.

The website is still defaced at the time of this writing.

Meet Demon Group, an organization that specializes in providing much needed hacking services…their fellow citizens would like to see them dead or jailed…in no particular order or combination.

The screen capture above had to be taken from a Google cache because Demon Group’s website (www.ddosx.cn) seems to have vanished from the interwebs. I have some theories on why it disappeared, which I will share later.

First noticed the group when I found one of their advertisements on Baidu Postings (Large Chinese BBS):

The group claims to provide various types of DDoS attack services on internet cafes, websites, private servers, servers…etc. They sell attack software packages and rent out specialized tools to gather up infected computers (Guaranteed to gather up no fewer than 600-900 in a single day). The contact number provided is QQ:81991.

Demon Group Spams

Demon group, you spam your services…you spam them a lot! You spam them too much! Now you have ticked off a guy named Good Good, he would like to see you go to jail, he has reported you to the INTERNET POLICE!

Continue Reading »

UPDATE FIZZLE: Just got word from Jose that nothing happened with the CNN website today. Chinese hackers are starting to make me look bad and I will not stand for that!!

If this keeps up, it may be easier to list the days that Chinese hackers are not calling for an attack on CNN.

Had some serious reservations about posting this article for a couple of reasons but decided it is probably worthwhile. The cons are that there is ZERO confirmation from other sites about the impending attack and the alert posting did not list a sponsoring organization. On the pro side, it included a website that was setup on the 20th (after initial attack) that is linked in the post and looks like it is there to support the action.

So, large CAVEAT: UNCONFIRMED

Added bonus, stupid clock again:

The Announcement

At 8:00 pm (Beijing local) on 25 April, Chinese hackers will attack CNN

[Announcement] 2008-04-21 On 25 April, 8:00 pm (Beijing local), Chinese hackers will attack CNN.

Everyone, please pay attention to the issuses regarding the effort to invade the CNN website. We are requesting the support of all Chinese. If you are an expert hacker, we request you ardently strive to invade www.cnn.com. If you are a novice, we request you use DDOS flood attack or put up a couple of pieces of hacker software. If you are not a hacker, we request that you land on the www.cnn.com website at 8:00 pm on 25 April.

Try with all your might to establish a link with the website in order to waste its resources. If their website is continually at capacity for three hours, the server may just crash. Don’t forget, there are over 1.4 billion Chinese! There are over 100 million Chinese online, they won’t be able to withstand us.

Please, assist us with the invasion of www.cnn.com, this represents the honor of China over the issue of Tibetan independence. The www.cnn.com website has put out a large amount of unsubstantiated reports that are a serious challenge and US hackers have already invaded many of our websites. It is time for revenge; let us begin a new round of Sino-US hacker wars. Let them know the strength of the Chinese people.

If it is convenient, please circulate this message to all of your groups. We need support…. Currently, many of us are going to this webpage to carry out the attack, http://www.goupsoft.com.cn/Bs_Cnn.html. The first time you open it, it might not display. Just refresh the page and it should be okay.

Kinda Lazy (but genius!)

Over at the attack website of goupsoft.com, you land on an automated webpage that uses your computer and IP address to continuously “attack” the CNN website unless you close the browser. My guess is that it is constantly making fresh requests from CNN to tie up bandwidth. The graphic below even shows the number of attacks you have made on the site.

Yeah, I kinda attacked CNN 24 times…Whoops! Well, CNN never returned my e-mail either! Damn, I’m sort of a Chinese hacker now? Anyway, the only really interesting thing in that blurb of Chinese above is that they call CNN a “whore.” Really, twice.

This Attack Method Spreading

While this might be the oldest trick in the book, it is new to me so I’m putting it out there. The website http://www.chenmin.org/doscnn.html is using pretty much the exact same attack method as mentioned previously.

Once again, you land on the webpage above and it begins refreshing the CNN website in an iFrame every five seconds using up their bandwidth (Jumper explained this to me). So, I sort of attacked CNN another five,six, seven…forty times looking at the program. Here is Jumper’s full explanation from the question I e-mailed to him last night about the site:

Yes. It loads an iframe: And then it reloads itself every five seconds:

<script>

var e=document.getElementById(’cnn’);

setInterval(”e.src=’http://www.cnn.com‘”,5000);

//1000 表示1000毫秒,你可以修改并转发

</script> Probably not as effective as the Mao-inator program.

I direct your attention to the last line (emphasis mine) in Jumper’s e-mail. Number one, he dubs the program he analyzed yesterday as the Mao-inator™, which I personally find hilarious. Number two, there seems to be a slight amount of professional jealousy involved since he is dismissing my program as “less effective” than the one he worked with. Yeah, but did yours call CNN a “whore” didn’t think so! Less effective, I think not sir!

All kidding aside, this is an excellent method for incorporating large numbers of unskilled people into your DDoS attack. It comes with the added advantage of using their computers, IP addresses and bandwidth and you don’t have to train them. The only skill that is required is the ability to open a webpage in a browser and let it run. Plus, recruits who might not be so willing to stick around to the end of the fight, if tied to a computer all day, are free to do whatever they want while at the same time defending the motherland. My vote GENIUS!

Make up your own odds if this will actually take place. I have informed Jose Nazario at Arbor Networks who has been monitoring this situation closely and has had great insights.

UPDATE 1: Located the blog for Li Haiwei, the owner of the attack website goupsoft.com.cn, and my boy has some serious issues with CNN and Tibet. Lots of disturbing imagery for the whole family:

The graphic reads, “CNN- I like it. I am CNN.” Then some stuff way too small to read. The Nobel Peace Prize award you can read yourself and at the bottom Tibet.

UPDATE 2: Netcraft has a live performance monitor for the CNN webiste here.

Even though a major attack did not occur on CNN, there were some lessons learned that we can take away from this event. So what did we learn? Here are some of things I noted:

1. We can reconstruct a bit of the social side of the attack
2. There is some evidence about their method of organization for operational tactics
3. Stockpile of ready made software for novice attackers
4. Possible reasons the attack was canceled

Social

The first thing we need to do is identify the reason behind the attack. What were the catalysts that led the Chinese hacker community to go after CNN? This would be my list:

1. CNN report on Chinese hackers is seen as unfair and accusations that parts of the CNN interview were fabricated
2. CNN makes remarks about the Tibet situation that angers the nation
3. Anti-CNN’s call for protests provides timing for coordinated effort
4. Beijing’s call for an apology from CNN may have been seen as tacit support for the attack. Or, at least that there would be no retribution if one did take place. This might be the most important factor of all.
5. Reliving the glory days of the Sino-US cyber conflicts
6. Making a name for themselves and building their own Chinese hacker cell. Many of China’s most famous hackers got their start during the early years of conflict with different nations.

Organization

With the decision made to launch an attack, they seem to have decided to use the website that cn_magistrate opened in 2007:

Domain Name: hacksa.cn
ROID: 20070811s10001s50288265-cn
Domain Status: ok
Registrant Organization: 判官
Registrant Name: 判官
Administrative Email: Kenan2677@126.com
Sponsoring Registrar: 北京万网志成科技有限公司
Name Server:ns1.okidc.com Name Server:ns2.okidc.com
Registration Date: 2007-08-11 11:59
Expiration Date: 2008-08-11 11:59

The website would be used for a central gathering point, dissemination of information and organization. During this phase, they probably planned their basic attack formation and strategy. Using the QQ charts found on www.hacksa.com, I was able to make this very rough organizational chart:

(Yes, very rough and ugly chart. God I miss my I2 for making charts)

The QQ numbers listed six headquarters units (probably the more experienced hackers), 42 regular groups (actually 44, since he started with zero and may have accidentally listed group 32 twice), and one propaganda unit. For easy math, I took the number of headquarter units and evenly divided the regular units among them as best I could. You will note I put the two group 32’s together and placed the left over regular units into the final formation. The propaganda unit was made as a separate organization, some of the additional units may have belonged with them. Of course, cn_magistrate may have used a completely different configuration but this is the one that made the most sense to me. The chart brings up several questions:

1. The character 满 to the right of the groups means filled. Why did cn_magistrate skip the additional group 32 and group 33 when bringing the units up to full strength? Groups 37-42 seem logical if you are filling them in as recruits become available. Were the extra group 32 and group 33 special somehow?
2. Only one of the headquarter units shows it to be full. Were they possibly having trouble getting skilled hackers to join the attack?
3. How many people did it take to fill up the groups? We can guess that it was more than one, since a QQ number was assigned each of the groups.
4. What was the function of the propaganda unit? A possible answer is that it was to spread news if the attack turned out to be successful. Useless to have a political attack if no one is aware it happened.

The next thing we are able to tell was the means they used to ge