Archive for the 'Hackers Talking' Category

Jul 02 2009

New leader of the Red Hacker Alliance?

During the Olympic Games, a secret organization was formed by a Chinese hacker named Wang Zi to protect Olympic websites against foreign hackers and, while they won’t say so, reprisals were probably taken against offenders.

This article, from the People’s Daily, details Wang Zi’s efforts to bring back the patriotic spirit of the Red Hacker Alliance.

“The Tao that can be described in words is not the true Tao. The Name that can be named is not the true Name,” – the first two sentences of Tao Te Ching are the slogan of hong ke that appear on the new union’s new homepage.

After the Olympics, Wang Zi’s group retired from the web for a short time, and then on the first day of this year, the group made a bold new announcement.

The blurb on their newly-launched website reads, “Hong ke culture is back. We will hold and transmit hong ke spirit focusing on justice, pioneering and love for the motherland.”

Lin Lin, the leader of Evil Octal (another Chinese hacker organization), refutes Wang Zi’s claim to the title of new leader:

“Lion is the spiritual leader of the hong ke union,” Lin Lin, a leader of hacker group Eviloctal Security Team, told the Global Times. “And without him, no hong ke organization can be regarded as a reorganization of the original.”

The article goes to great lengths to distance the organization from being government sanctioned:

Wang Zi says his union is a purely non-governmental organization. They could not register the union’s name with the Ministry of Industry and Information Technology until they deleted “Zhongguo” (China) from it.


May 08 2009

It’s a man baby!

UPDATED: Webshell, in the comments, may be saying that Yingcracker (also fixed, I had typed in yinghacker) is a female. Anyway, finally located his/her website. If it is a guy, he is very much in touch with his feminine side.

In the last few days, the story of Yingcracker, “the most beautiful female hacker in China,” has been making the rounds in Chinese news outlets and blogs. Her exploits and earnings, in this male-dominated society, have been posted by numerous online sources. The number of male friends added to her blog since the story first appeared has been impressive.

Problem: Yingcracker is a man baby! He thinks it’s kinda funny to pretend to be a MM (girl) online.  Xiao Tian e-mails me this:



Apr 24 2009

Hackers: the China Syndrome by Mara Hvistendahl

Best hobby in the world.

It was absolutely my privilege to spend a few days talking with Mara Hvistendahl on the subject of Chinese hackers. She is such a fantastic lady and I couldn’t have enjoyed our time more.

While linking to our interview may seem a bit of shameless self-promotion, I mainly wanted it on record that Mara called me, “a trim 46-year-old.” I pushed for other words like swashbuckling, ruggedly handsome and athletic until Mara started mentioning other adjectives such as weird, strange and goofy.

…TRIM!

Hackers: the China Syndrome by Mara Hvistendahl


Apr 04 2009

CasperNet gets punked

Remember the fable about the Scorpion and the Frog? Well, we got stung…

Lost33 did not make contact with Jumper last night. In fact, it seems he spent the night changing his QQ number and deleting all info from his blog. The website is now completely empty, except for a change to his personal data. Lost33 changed his current residence from Sichuan to Beijing:


We retained a full copy of the previous night’s conversation with Lost33 but have decided to only release two sections. The first section is being reprinted to prove the connection between Lost33 and the losttemp33 hotmail account:

jumper_tdv 2009-04-02 23:57:28
Do you have the email address losttemp33@hotmail.com?
周小屁 2009-04-02 23:57:30
Sorry for my english too
周小屁 2009-04-02 23:58:11
yes ,but i never use it.

The second section is being released…well, to be honest, just because I think it is funny. I can practically see Jumper’s expression as he types, “Yes, really.”

jumper_tdv 2009-04-03 00:05:29
The problem is that your lost33 email is used to register DNS names for hackers
周小屁 2009-04-03 00:05:43
really?

jumper_tdv 2009-04-03 00:05:51
Yes, really

Are we surprised, shocked, or angry over Lost33 punking us…

-Hey, it’s just his nature.


Apr 03 2009

Children of a lesser malware

UPDATE: Added further comment by Nart Villeneuve at the bottom (Great guy!)

Yep, that would be us…

According to researchers at IWM, Lost33’s information was only included in the GhostNet report because his malware was found on two computers associated with the Dalai Lama’s network. However, it was different from the remote access tool gh0stRAT that made up the backbone of GhostNet.

From the report by Robert Lemos at Security Focus:

However, the e-mail address was found only on two of the computers analyzed for the investigation, said Nart Villeneuve, a researcher at the CitizenLab and one of the authors of the GhostNet report. Both computers had been infected with a second piece of malware, separate from the gh0st remote access tool (gh0stRAT) that formed the backbone of the surveillance network, he said.

“That is a valid piece of malware but it is not the one related to the malware that connected to the admin interface for the gh0stRAT,” Villeneuve said.

So it looks like we are now investigating a massive network intrusion of two computers. One, two. We will call our project CasperNet.

Spoke with Jumper earlier today and he still feels it is worthwhile to pursue. So, he will continue his conversation with Lost33 tonight.

UPDATE: Wanted to add this comment left by Nart Villeneuve because I thought it was super nice of him. I botched up his report but he was still kind enough to stop by and offer these words of encouragement:

“I wouldn’t say lesser at all — just different. The CasperNet (www.lookbytheway.net/www.macfeeresponse.org) which sounds way better than what I’ve been calling it (CGI after their use of CGI scripts) was the one that was found to be retrieving a sensitive document related to the Dalai Lama’s negotiating position. In addition to being found at the OHHDL it was also found at the Tibetan NGO Drewla.”


Jan 15 2009

Interview with Chinese hackers

Published by Heike under Hackers Talking, Nationalism

SecureWorks brings us a question and answer session conducted with Chinese hackers at a conference sponsored by Yesky in Beijing. The title of the conference was “Chinese Hackers Talk Hacking.”

In interviews given at the conference and online, we get some insight into the Chinese hacking subculture and how it is growing at such a rapid pace. Translated below are some interesting responses that seemed to reflect the attitude of the populace:

Q: Under what circumstances will you perform a hack?

A: If it is a matter that affects us internationally, then we will gather members to perform the attack. Most of the time, we attack through the web site.


Jan 05 2009

BREAKING: Could viral Pakistani e-mail spark Sino-Indian cyber conflict?

The following post has gone viral in the Chinese hacker community, as well as other social network sites in China. It is a call for the Red Hacker Alliance to assist the Pakistan online community in fighting off Indian hackers who have broken into large social network sites such as Orkut.

A Pakistani wrote the original e-mail requesting assistance from his Chinese friend, claiming that his group, which has 42,000 members, was under constant assault from Indian hackers. His Chinese friend then reposted their correspondence with a list of reasons why Chinese hackers should come to their aid. The posting struck a chord with the Chinese and it has gone viral.

This looks very similar to the warning signs we saw during the run-up to the CNN attack. However, we have not found specific targets or groups organizing/planning attacks.

(The following post is very long but should give you an idea why the letter has appealed to the Chinese sense of nationalism and calls for assistance.)

Our Pakistani brothers hope that the Chinese Red Hacker Alliance will reach out their hand in mutual assistance

I am a normal Chinese citizen and due to a lucky coincidence, have become acquainted with several Pakistani friends. After knowing them for a short period of time, I have come to the profound understanding that even though the Chinese and Pakistani people have different religions, there is an ingrained friendship.


Oct 25 2008

Excuse me Mr. Bill Gates, Chinese hackers not putting up with your crap!

The program seen above is a patch for the Microsoft “black screen of death” and was written by a female Chinese hacker group at the Guangdong Foreign Language, Foreign Trade University (Guangdong Foreign Studies University).

The patch keeps Chinese users, who are running pirated copies of Microsoft Windows, from having to refresh their computer screens every hour when the black screen pops up.

The Chinese hacker program was released on 15 October, five days before Microsoft’s pre-announced plan went into effect (Jumper, is this possible?). The black screen seems to have been a mere annoyance, designed by Microsoft to encourage people to purchase legal copies of Windows. It does not affect the computer’s ability to function.

From the comments I have read on a few boards, this does not seem to be one of the programs written to spread malware.

The website for the group that released the patch is here. The message attached to the download reads as follows:

“Excuse me Bill Gates, this time, I must once again oppose all of you [Microsoft]. I can’t let you introduce chaos into the Chinese system again for no good reason! For many years now, people have stolen Windows and just this year you decide to do something about it? That is stupid!!

We are not the military but we have the same mission, to protect the sovereignty of the Chinese network.”

A few interesting comments on the boards you might like to read. Don’t have the time to translate, so I give you the Google xlations. No, they aren’t 100% accurate but they will give you the feel of the conversation.

Something to take note of, not all of the Chinese users are onboard with the “hate Microsoft theme.” There are a number of dissenting voices, saying that stealing intellectual property is wrong. Good for them!

Update (jumper 1543GMT OCT 26): The site hosting the anti-anti-piracy patch is overloaded:

Bandwidth Exceeded!


Aug 18 2008

CNN’s angry Chinese hacker Xiao Chen returns

In March of this year, CNN ran a story about Xiao Chen and his organization of hackers, reporting that the group had broken into the Pentagon and received payments from the Chinese government.

Xiao Chen, in a subsequent interview with the Shanghai Post, refuted all of CNN’s allegations and tearfully explained how all of this controversy had caused him to close his website hack4.com…he had struggled to create it…he had poured his heart and soul into it…and now was left with only a handful of magic beans to show for his trouble.

I may be mixing my stories but he did elevate whining to an art form.

No need to worry, Xiao Chen pulled himself up, dusted himself off and managed to get back in the hacking game. Welcome to the new hack4.com, decorated in Olympic-themed swirls guaranteed to never go out of style:


Aug 10 2008

Chinese hackers eating Chinese hackers…with a side of government

Published by Heike under Hacker Hunting, Hackers Talking

This is the official Chinese government website for Longgang Emergency Management:

This is also the official Longgang Emergency Management website, when you add xiaozi.html:

You would think, with the recent earthquake in Sichuan and the ongoing Olympics, that government websites dealing with emergency management would be inspected rather thoroughly. Not so much. Google spiders crawling the internet show that the website has been hacked since at least 31 July 08.

Is it unusual for a Chinese hacker to attack their own government’s website? The first generation of Chinese hackers had very strict rules about not hacking inside China, but the current crop doesn’t seem to adhere to the same code. Doing a pull on Zone-h.com.cn gives 1,952 known Chinese government websites that have been hacked. A fairly large number of those attacks appear to have been carried out by Chinese hackers.

So, from the URL extension on the hacked page of the Longgang Emergency Management website, who or what is a xiaozi? It is a who, or to be more precise, a him.

Meet Network Boy (Wanglu Xiaozi):

Blog name: Network boy’s BLog Hacker
Site admin nickname: Network boy
Age: 18
Birthday: 13 December 1989
Sex: Male
Blood type: B
Zodiac sign: Virgo
Address: Wulumuqi, Xinjiang
Personal quote:
Hobbies:

Not to get in a battle over Zodiac signs but isn’t someone born on 13 December a Sagittarius? Maybe something to do with the Chinese Lunar Calendar but trying to figure it out hurts my head about as much as International Date Line conversion. I have Chinese friends I give birthday gifts to five times a year just to be on the safe side. Moving on.

Going through Netboy’s website reveals that government websites are not his only target; he also has an affinity for fellow hackers’ websites.

1) First target, zgmuma.com (China’s Trojan Base):

According to Netboy, he was bored and went to his favorite hacker site (hackol.com) to study but the website was down. He did notice a link toward the bottom of the page that connected to zgmuma.com and for reasons unmentioned decided to see if he could break into the site. Zgmuma.com is another Chinese hacker website that boasts the largest collection of online game trojans around. It also provides hacker training.

I have to give Netboy credit: he provides a step-by-step account of his exploits, including screenshots and the tools used to perform reconnaissance on the intended victim. With this one he was able to find a fatal flaw in the server and crack it. While Netboy was breaking into zgmuma, his buddy, who goes by the name of Ice Sugar, contacted him to say that he had gained access to cnhacker.com and posted a hacked page:

Ice Sugar passed over the info on cnhacker.com to Netboy, who said he also posted a hacked page on the site.

2) Second target, an81.cn (The Dark Hacker Group):

Netboy was able to gain access to this website because they were using Dvbbs8.1. He was thankful that it was not 8.2, because then he would not have been able to gain access to the backstage shell. Using Thunder (unclear) he was able to discover the site admin’s password, 6423987, after making several manual guesses. He also used an ASP trojan during the process but I couldn’t begin to tell you what he was talking about; didn’t understand much of the technical jargon.

3) Third target, www.163???.com (Hacker)

Netboy really liked the design of this website and considered it difficult to break, but still managed. Once again, he takes you through his very methodical system of cracking the website, and I wish I were able to translate it but can’t. Some of you people who are more on the tech side might be able to gather what he did even better than me from the screenshots.

For whatever reason, he decided to hide the target’s URL but it only took about a minute to find the site, www.163xjs.com. Wasn’t able to access the site due to a “directory listing denied” message. However, Google’s cache was not so particular about who peeked:

Even though the imagery is absent, it is clearly the same website.

4) Fourth target, hacker98.cn

Lots of stuff on this hack too but I’m getting bored and you get the point. He hacks other Chinese hacker websites.

Conclusion: At the end of each of these attacks, Netboy posts an invitation for other skilled people to join his group. So, this all may be just to gain recruits by proving he is better than the other groups out there.
