Archive for the 'Hacker Organization' Category

Feb 23 2009

Wendell Minnick and Defense News

Published by under Hacker Organization

First, even though Mr. Minnick was kind enough to mention me in this report, he did all of the heavy lifting and investigation.  My VERY limited contribution to his work was simply commenting on things he uncovered.  The equivalent of one person watching someone else work and telling them your opinion of their labor.

Defense News
02/23/09
Chinese IT Firm Accused of Links to Cyberwarfare
By WENDELL MINNICK

TAIPEI — In the past 10 years, Beijing-based Venus Info Tech has become the dominant provider of information technology (IT) network security to the Chinese intelligence and military community.

It also has been accused of providing hacker services that help the Chinese government penetrate foreign government computer networks. Sources also accuse Venus of helping Beijing build the “great firewall of China,” by developing software to monitor and control the domestic Internet.

Finally, Venus has operating agreements with Microsoft and other non-Chinese firms, which Western observers say may help Beijing find vulnerabilities in other governments’ networks.

The firm “is heavily party affiliated and the company personnel go through party indoctrination because they handle state secrets,” said Scott Henderson, author of the book, “The Dark Visitor — Inside the World of Chinese Hackers.”
“I would be very worried about U.S. companies working with this type of organization; [it] gives them too much access.” Venus officials declined requests for an interview.

Continue reading on the Venus story by Wendell Minnick…

UPDATED: My apologies to Mr. Minnick, I didn’t notice he had this story up on his personal blog so I have deleted the full story and left the teaser.  The rest of the story is continued on his blog.  Please click over there.


Feb 15 2009

Charging Bull and Chinese Vampire


What does the Charging Bull have in common with the Chinese Vampire? According to Dr. Shi Xiaohong, who performed extensive analysis on the two viruses, they were written by the same author.

Sina Tech News has been reporting on the rapid spread of a relatively new virus called “Charging Bull.” Probably got the name from appearing around the same time as the Chinese New Year, Year of the Ox.  Let’s face it, “Charging Ox” does not sound cool.

In June of 08, we told you about Chinese Vampire and later the next month about the big controversy surrounding the original author.


Jan 31 2009

1 million registered Chinese hackers


It is hard to believe that a man is telling the truth when you know that you would lie if you were in his place.

-H. L. Mencken

The Chinese hacker website Hackbase has been running a promotion during the holidays trying to bring their number of registered members up to one million.  On 30 January, they announced the achievement of that goal.

The lucky one millionth customer registered under the name Vpn88 and got prizes worth nearly 3,000 yuan.

  1. A Hackbase Diamond Membership for one year, valued at 988 yuan
  2. A set of seven Hackbase special training classes valued at 1,800 yuan
  3. A 4G thumbdrive valued at 80 yuan
  4. An honorary Hackbase forum medal
  5. 1,000 in Hackbase forum money (?)

I’m a skeptic by nature but there may be some truth to this claim. Hackbase has been around for six years and gets a lot of traffic.

[Image: Hackbase statistics]

You might even call them a “player

[Image: Hackbase statistics]


Dec 19 2008

How much money does a Chinese hacker gang make?


Introduction: Rambling thoughts

There is an old military expression that says, “Amateurs study strategy; professionals study logistics.” Logistics is the ability to drive the train, to make sure that the troops have the capability to accomplish the strategy.  What are the logistics behind a Chinese hacker attack?

1) Computers

2) Personnel

3) Transportation (Access to the internet)

4) Knowledge

5) Malware (Trojans, Viruses, etc.)

6) Programs (Scanners, Dictionary attack tools, etc.)

7) Money

8) More?

There is also a formula for determining threat analysis:

1) Intent:  Without the intent to do harm, the threat assessment is considered minimal.  Friends and allies are considered extremely low-level threats even if they have the capability to cause great destruction.  Capability without intent lowers the risk factor considerably.

Clearly, Chinese hackers have demonstrated intent in the form of nationalism and monetary gain. CHECK

2) Capability:  Does an adversary have the means to carry out the threat?  While the enemy may wish to do you great harm, without capability it means little.

With a number of governments scrambling to secure and/or repair their information systems, there is little doubt Chinese hackers have the capability. CHECK

3) Motivation:  The determination to carry out and sustain the attack.

Motivation started in the form of nationalism but quickly turned to cash.  Either way, the motivation to continue and sustain attacks is still present and shows no sign of decreasing.  CHECK

So, what binds these rambling thoughts?  Money, money, money!  Without the financing to support their logistics, operations come to a standstill.  Pull out logistics and you lose capability, leaving only intent.

Final random thought: A reporter once asked Willie Sutton, a bank robber, why he robbed banks.

“Because that’s where the money is”

-Willie Sutton, Bank Robber

And Now, back to your regularly scheduled program:

From Chinanews.com, the Wuxi court has found a gang of six Chinese hackers guilty of running phony websites designed to steal the passwords of online gamers.  In less than half a year, the crew had earned over one million yuan (USD 146,000).

In July of 2007, the defendant, Mr. Ma, learned of a method to hijack domain name servers in order to steal account names and passwords from online gamers.  He then asked his co-conspirator, Mr. Peng, to write the hijacking program.

In August and September of last year, Mr. Ma brought four other members into the gang and together they developed a scheme to get rich.  In order to carry out the crime, the group invested 22,000 yuan (USD 3,200) in a computer, server and room rental.

Peng’s program was used to capture the domain name servers in ten provinces and cities such as Jiangsu Province, Liaoning Province, Shanghai, Chongqing, etc.  After a user registered for the website, they would automatically be redirected to the gang’s forged website.

The gang members were sentenced to 1-4 years for the crime.


Dec 17 2008

Chinese hackers utilize amateur hacking groups for low-level espionage operations

iDefense 2009 Cyber Threats and Trends via Earthtimes:

Additionally, cyber warfare has become a reality in today’s political climate, and several regions are seeing a rise in politically and financially motivated activities. According to VeriSign iDefense, Russian hackers are the most effective group when it comes to cyber fraud, while Chinese hackers utilize amateur hacking groups for low-level espionage operations.


Dec 11 2008

Chinese hackers targeting French Embassy websites around the world

Chinese hackers are targeting French Embassy websites all around the world to protest President Nicolas Sarkozy’s visit with the Dalai Lama.

According to hack4.com, featured in a CNN documentary on Chinese hackers, the following French Embassy websites were successfully defaced:

French Embassy in the United States: http://www.ambafrance-us.org/
French Embassy in the United Kingdom: http://www.ambafrance-uk.org/
French Embassy in China: http://www.ambafrance-cn.org/ (latest news: it has returned to normal) (Repaired)
French Embassy in Canada: http://www.ambafrance-ca.org/

Visiting all of the above websites shows that either they were not defaced or have been repaired since the attack. Hack4.com points out that the following websites have not been hit, suggesting they are future targets:

French Embassy in Japan: http://www.ambafrance-jp.org/
French Embassy in Iceland: http://www.ambafrance-is.org/

Hack4.com gives this screenshot of the reported hacked website(s) (Deleted):

UPDATE: Better screenshots of the defaced French Embassy websites from 7747.net:

[Image: screenshot of the defaced French Embassy websites]

(Sorry guys, just updated to WordPress 2.7 and having a few problems.  Can’t seem to get the screenshot to enlarge when you click on it.  The three defaced websites are the US, UK and Canada.)

UPDATE: Once again, Eastwood has set me straight. Linked the image through the Chinese hacker website and now you should be able to pull up the graphic.


Dec 02 2008

Chinese hackers now hiring for locations in the US, Hong Kong, South Korea and the UK

Not every industry is suffering during these tough economic times. One of my favorite Chinese hacker websites is expanding operations and doing a little hiring. In fact, business is so good, they are expanding into the US, Hong Kong, South Korea and the UK.

The salary range is from 30,000-100,000 yuan (USD 4,300 to 14,500 approx) and they are inviting computer and network security personnel from all over the country and the world to join their organization. However, the applicants must work at the Beijing headquarters for a trial-period of three months.

If you make it past the trial period you get to enjoy the same perks as the rest of the staff such as dining together, birthday cakes, free travel, paid holiday, training and end-of-year red envelope (these contain money).

For those who show exceptional skill at their post, arrangements can be made to go to Hong Kong, South Korea, the US and the UK.

They are trying to fill four positions:

1) Training department manager

2) Training department computer lecturer

3) Training department network lecturer

4) Training department security lecturer

The advertisement lists all the qualifications for the positions to include education and ages. I will supply these details for anyone who is interested. The applicants will have an online test and need to report for a two-day interview.

They also list three different online applications for graduates, non-graduates and interns.

Mine is already filled and let’s hope I snag one of these sweet positions. Hell, they won’t even have to pay reloc


Oct 25 2008

Excuse me Mr. Bill Gates, Chinese hackers not putting up with your crap!

The program seen above is a patch for the Microsoft “black screen of death” and was written by a female Chinese hacker group at the Guangdong Foreign Language, Foreign Trade University (Guangdong Foreign Studies University).

The patch keeps Chinese users, who are running pirated copies of Microsoft Windows, from having to refresh their computer screens every hour when the black screen pops up.

The Chinese hacker program was released on 15 October, five days before Microsoft’s pre-announced plan went into effect (Jumper, is this possible?).  The black screen seems to have been a mere annoyance, designed by Microsoft to encourage people to purchase legal copies of Windows.  It does not affect the computer’s ability to function.

From the comments I have read on a few boards, this does not seem to be one of the programs written to spread malware.

The website for the group that released the patch is here.  The message attached to the download reads as follows:

“Excuse me Bill Gates, this time, I must once again oppose all of you [Microsoft]. I can’t let you introduce chaos into the Chinese system again for no good reason! For many years now, people have stolen Windows and just this year you decide to do something about it? That is stupid!!

We are not the military but we have the same mission, to protect the sovereignty of the Chinese network.”

A few interesting comments on the boards you might like to read.  Don’t have the time to translate, so I give you the Google xlations.  No, they aren’t 100% accurate but they will give you the feel of the conversation.

Something to take note of, not all of the Chinese users are onboard with the “hate Microsoft theme.” There are a number of dissenting voices, saying that stealing intellectual property is wrong.  Good for them!

Update (jumper 1543GMT OCT 26):  The site hosting the anti-anti-piracy patch is overloaded:

Bandwidth Exceeded!


Oct 22 2008

Podcast Number Two

The big part of the audio is Heike

Dear TDV Readers,

Heike and I would like to invite you to listen to our second TDV podcast where we discuss Chinese hackers, censorship, targeted attacks and naked Chinese hacker vampires with foot fetishes.

It is 48 minutes long.  It would have been longer if I had left in the part where Heike had to fix his little girl’s injury with a brownie.  Get it from the iTunes store or direct from our feedburner RSS.

With Kind Regards,
Jumper and Heike

Podcast RSS

iTunes download


Oct 06 2008

J. Leaves Security Team Zero-Day Exploit

New group to keep an eye on: J. Leaves “Security Team”

Zero-Day exploit group: http://00day.cn

As with most of my posts, I was looking for something else and bumped into this group.  It seems they found a crack in a section of the JSP version of eWebEditor (1.4 and older) on August 30th and have just released the code.  No, I will not link to the code.

The eWebEditor is an HTML editor put out by a Chinese company located in Fuzhou, Fujian.

Yes, I did send the company an e-mail:

We, at the Dark Visitor, strive to be good citizens of the international community.
