ToC:

Introduction ———- by root
Flashsky interviews ———- by flashsky
Struts2 framework of the security flaws ———- by kxlzx
To focus on IP spoofing ———- by papaya
Fuzz client-side storage objects, looking for client ddos ———- by woyigui
Point defects in the use of application software experience (Webkit articles) ———- by wushi
Bypassing Linux kernel module version check ———- by wzt
ACS – Active Content Signatures ———- by Eduardo Vela Nava
Kabbah heuristics to bypass the virtual machine approach ———- by dangdang

The article from Alibaba reports that the website was down on Tuesday but as of a few moments ago when I checked, it was back up and running:

The post-90 generation teens that run 2009.90admin. com, wrote on their website, “We are not Internet attackers, we are just a group of computer fans; we are not mentally handicapped kids, we are the real patriotic youth. We’ll target anti-China websites across the nation and send it as a birthday gift to our country.”

The site was the subject of hot debate on the Chinese version of twitter but could not be viewed Tuesday. Efforts to reach the site’s operators were unsuccessful.

The 500-word statement appeared over a red and black background decorated with a flying national flag.

Last year we reported on Xcon 2008, a Chinese hacker conference that is held annually in Beijing.   Well, for Xcon 2009, it looks like Microsoft, a sponsor of the program,  is attempting to reach out to the “security researchers” attending the meeting:

Microsoft shared the stage with Chinese security researchers at a Beijing hacker conference on Wednesday, aiming to build ties in a country that produces a growing number of threats to Microsoft products.

John Lambert, a team head at the Microsoft Security Engineering Center, spoke to an audience of a few hundred people about security features in Microsoft products and tools used by the company to find vulnerabilities in its software.

This is probably a smart move on Microsoft’s part; greater access and a little money for advance notice of zero-day attacks.  Or, a really horrible idea that will haunt them forever.  Either way.

The picture seen above is an advertisement for a Chinese hacker training course.  Now I know many of you are struggling to process this information;  something seems wrong with the picture.  The reason your brain is having trouble with the image,  is that it is located in a place called, the “outdoors”.  Like me, many of you spend way too much time online and this poster is horribly out of place.

The following report from China Daily talks about the growing public concern over hacking and online hacking courses.  It also interviews Wang Xianbing, a consultant for hackbase.com:

“Lots of hacker schools only teach students how to hack into unprotected computers and steal personal information,” said Wang Xianbing, a security consultant for hackerbase.com. “They then make a profit by selling users’ information.”

For investing hundreds of yuan in hacker school, students could obtain the skills to make a fortune, Wang said.

“Hacker school is a bit like driving school – they teach you how to drive but it’s up to you if you are going to drive safely or kill someone,” said Wang.

What the article doesn’t tell you is that Wang Xianbing is also known as Janker and the Lonely Swordsman; one of China’s first generation of hackers and the leader of online conflicts with the US and Japan.

In response to these same events, a hacker, using the online name cn_magistrate, formed a group called Revenge of the Flame and announced his plan to carry out a DDoS attack on the  CNN website.  We followed the events as calls went out for Chinese netizens to join the action.  We were there when cn_magistrate called off the attack and disbaned the organization.  Then he vanished…

cn_magistrate

Cold Case:  Yeah, we keep looking.  Finally located him through a combination of e-mail address, website and online name.   Below are the results of a Whois search we conducted on the associated website during the time of the attack (Notice the website name and e-mail address):

Domain Name: hacksa.cn
ROID: 20070811s10001s50288265-cn
Domain Status: ok
Registrant Organization: 判官
Registrant Name: 判官
Administrative Email: Kenan2677@126.com
Sponsoring Registrar: 北京万网志成科技有限公司
Name Server:ns1.okidc.com Name Server:ns2.okidc.com
Registration Date: 2007-08-11 11:59
Expiration Date: 2008-08-11 11:59

Hacksa.cn website letter

The image seen above was taken from cn_magistrate’s current blog showing the old URL  hacksa.cn,  which was associated with the CNN attack.

This reply from cn_magistrate in the comments section of his blog shows the e-mail address  Kenan2677@126.com, used to register hacksa.cn.

SURPRISE…

He claims to be a Taiwanese citizen…

I’ve written to cn_magistrate and asked if he will talk to us about the incident.  Off topic, did anyone hear the news about Taiwan and the US coming closer to an extradition agreement?  That would be cool.

The head of China Hacker Union, “Strange Dog,” was taken away by police, while company personnel were interrogated and photographed.  All of the company’s hard drives were removed and brought back for investigation.   It is said that staff personnel at China Hacker Union have confirmed the story.

The article also points out that the arrest might be related to their other hacking activity. As of this posting, the 77169.com website is still down.

This article, from the People’s Daily, details Wang Zi’s efforts to bring back the patriotic spirit of the Red Hacker Alliance.

“The Tao that can be described in words is not the true Tao. The Name that can be named is not the true Name,” – the first two sentences of Tao Te Ching are the slogan of hong ke that appear on the new union’s new homepage.

After the Olympics, Wang Zi’s group retired from the web for a short time, and then on the first day of this year, the group made a bold new announcement.

The blurb on their newly-launched website reads, “Hong ke culture is back. We will hold and transmit hong ke spirit focusing on justice, pioneering and love for the motherland.”

Lin Lin, the leader of Evil Octal (another Chinese hacker organization), refutes Wang Zi’s claim to the title of new leader:

“Lion is the spiritual leader of the hong ke union,” Lin Lin, a leader of hacker group Eviloctal Security Team, told the Global Times. “And without him, no hong ke organization can be regarded as a reorganization of the original.

The article goes to great lengths to distance the organization from being government sanctioned:

Wang Zi says his union is a purely non-governmental organization. They could not register the union’s name with the Ministry of Industry and Information Technology until they deleted “Zhongguo” (China) from it.

It was absolutely my privilege to  spend a few days talking with Mara Hvistendahl on the subject of Chinese hackers.  She is such a fantastic lady and I couldn’t have enjoyed our time more.

While linking to our interview may seem a bit of shameless self-promotion, I mainly wanted it on record that Mara called me, “a trim 46-year-old.”  I pushed for other words like swashbuckling, ruggedly handsome and athletic until Mara started mentioning other adjectives such as weird, strange and goofy.

…TRIM!

Hackers: the China Syndrome by Mara Hvistendahl

UPDATE2: Lost33 is now in contact with us and we are trying to get his side of the story.  He has requested we mask his QQ number now that he is in contact and we have complied.  (Never do late night updates.  A commenter pointed out that the original wording for this update sounded like we were holding his QQ hostage unless he spoke with us.  That certainly wasn’t my meaning but that is definitely what it sounded like.  Just wanted to explain the reason for the sudden masking of his contact number.)

First, hats off to the researchers at IWM.  They did great work on the GhostNet project and we owe them a debt of gratitude for sharing it with us.

The Hunt

One aspect skipped over in the GhostNet report were the e-mails associated with the websites, losttemp33@hotmail.com and opanpan@gmail.com.  For the last two days, Jumper and I have been tracking them down to see where they would take us.

Comparing the Whois returns for two of the websites involved, macfeeresponse.com and scratchindian.com, yields startlingly similar results:

Double-click to fully englarge

We conclude that this is the same person using different e-mail addresses or associates working together.  The domains are registered on the same server and are too close in content to be considered a random coincidence.

The Opanpan e-mail went nowhere, so we concentrated on losttemp33.  A simple Google search for the e-mail address, led us to the website for Programmers United Development Net:

Clicking on the link leads to three programs losttemp33 provided for download.

Next we were able to locate a post from 2005 on Windows hacking:

Notice that the author of this post uses the signature Lost33 in the upper left-hand corner.  Using the signature Lost33 and the Chinese characters for hacker (黑客), we were able to find an individual who was associated with Xfocus, Isbase and even seems to have studied under Glacier.  More importantly, we found a blog under the same name.

This blog stopped getting updates in 2006 but provided us with a couple of more clues to keep searching.  The first red box shows the date of birth as 24 July 1982 and place of current residence as Chengdu City, Sichuan.  It is important to recall that all of the Whois results for GhostNet associated websites showed Chengdu, Sichuan as the city and province for the organization. The second red box at the bottom is Lost33’s personal motto, “The bored soldier swaying on an empty battlefield.”

We kept searching but it seemed like we had hit a brick wall, Lost33 vanished from the internet in 2006.  That was when we decided that a person might change their user id but never their motto.  Can’t abandon your motto.

Plugged in the “The bored soldier,” and bingo…The Bored Soldier’s blog space:

Lost33 now blogs under the name Damnfootman:

Why are we sure this is the same person as Lost33?  Well, they not only share the same motto but birth date and place of residence as well:

Blog bits of interest

• Lost33 attended the University of Electronic Science and Technology in China.

• He has a link on the website to the Chinese hacker forum for Eviloctal and our dear friend Sunwear.

• Lost33 is also keeping up with friends at Xfocus and NSfocus on garden variety hacker tools.

We have left a couple of posts on Lost33’s blog and are waiting to see if he will respond:

The note asks Lost33 if he would be willing to discuss the GhostNet matter with us.

There were two QQ numbers associated with the opanpan and lost33 email addresses.  We attempted to contact both of them but were rejected.

Summary

While we are aware that there are other lost33 websites out there, such as myspace/lost33, these do not meet the profile of our hacker. It would be a very unusual set of circumstances that would lead to such a bizarre set of coincidences coming together as we have here:

• The Ghostnet websites list Chengdu, Sichuan under organization and the pseudonym losttemp33 as the contact e-mail address.

• The e-mail address losttemp33@hotmail.com has been posted on at least two websites dealing with computer programming. The post on hacking Windows shows that the person also uses the alias lost33 as an alternative to the full e-mail address.

• An individual using the lost33 signature has posted on several Chinese hacker forums including Xfocus and Isbase (the Green Army). He may even have been a student under Glacier.

• The first lost33 website shows a birth date of 24 July 1982 and current address as Chengdu, Sichuan. The website motto is, “The bored solider sways on the empty battlefield.”

• The second “bored soldier” website is clearly owned by the same person as the first lost33 website. The owners were born on the same date; both live in Chengdu, Sichuan and use the same motto. The new website has links with known hacker websites (Xfocus, NSfocus and Eviloctal), links to hacker programs and demonstrates and education in technology (University of Electronic Science and Technology of China).

Obviously the weakest link in the analysis is the jump between losttemp33 and lost33 but we feel the weight of the evidence shows a connection. We do not conclusively claim this person is involved but we think further inquiry is needed.

<edit> – A few readers have asked for the QQ number that was redacted.  Since lost33 doesn’t seem to be using that QQ number anymore – here is the original screenshot:

Kingsoft’s 2008 Year-End report reveals that within hacker circles, the majority of money is earned by establishing viral dissemination chains.  While a virus author may earn a salary of one million yuan a year (approx USD 150,000), it was possible for a viral dissemination group to earn ten million yuan (approx USD 1.5 million) yearly.

The Crab Group had gained access to a unidentified trusted server in Guangdong, uploading viruses and trojans on popular websites.  The group had been using the “Cat Ringworm” virus, a.k.a Charging Bull, as their primary dissemination tool and infected around 30 million computers.

For background on the Chinese hacker virus industry chain read here, here, and here.