Archive for the 'Hacking for money' Category

Jul 23 2008

Five favorite targets of Chinese hackers

One thing that has always interested me is the types of targets Chinese hackers seek out for attack. Since it is impossible for us to protect everything, or be everywhere, understanding the most likely targets should be a high priority. Of course this is only part of a comprehensive cyber security program but knowing how your adversary thinks is one area we need to explore.

An article on pchome.net gave the five most desired websites Chinese hackers sought out in order to “hang trojans” (挂马, planting malware on a site so that visitors are infected when they load its pages). Trojans have been the tool of choice for Chinese hackers since their first indigenously produced program, Glacier, was introduced into the cyber conflict with Taiwan in 1999.

According to pchome.net, these were the preferred websites:

1) Government websites: Government sites are chosen due to low-level security and the lack of specially trained security personnel. They do not bring financial gain but have the potential to influence public opinion. This type of attack “challenges authority” and brings about personal satisfaction for the hacker. A successful attack on a government website provides the attacker with recognition and fame.

2) Medium and small-scale company websites: Similar to government websites due to the lack of security. While these types of attacks do not bring about fame for the hacker, they are very good practice for the novice.

3) Community websites: A huge number of visitors; even if the trojan is only around for a short period of time, it can result in a large number of infected visitors. Although the value of the individual users is not as great as on a financial website, the collective of infected users can be used to create a botnet. Furthermore, this allows the hacker to steal virtual game assets and QQ (ICQ) money.

4) Financial websites: This type of website does not have a large number of users, but the average individual has a high net worth. If a hacker is able to install a trojan here, they can gain user account passwords, access bank accounts and control stock securities. Although this type of website has very high security, it is the most desirable.

5) E-commerce sites: These websites share the benefits of both community and financial websites and are the most lucrative. Hackers are able to manipulate price, supply/demand and control the online transactions. Furthermore, they can use trusted user accounts to construct phishing “activities.” E-commerce websites are the most favored for hackers to carry out phishing exploits.

Army lessons learned: The first rule in the Army is never present a problem without a solution. Solution: hire people like Jumper who are experts in preventing these types of attacks.

People often ask me if I am worried about this website getting hacked or shutdown by Chinese hackers…I tell them no, I have an excellent firewall…called Jumper.


One response so far

Jul 10 2008

SK Communications panics over Chinese hacker threat

Published by Heike under Hacking for money

From Chosun.com:

The claims of an unidentified Chinese hacker have alarmed Korea’s Internet portals. Nate.com, a leading Korean portal run by SK Communications, is dismayed by a message left on a Chinese website. Claiming to be a hacker, the writer offered to sell the personal information of 12 million Nate.com members for one million yuan (W100 million, US$1=W1,006). As if to prove the claims, the writer revealed the information of five or six Koreans.

Continue reading: Chinese hacker threatens to release user information


One response so far

Jul 05 2008

Chinese hacker soap opera

On the 21st of June, we told you about SKSgod selling a trojan downloader called “Chinese Hacker Vampire” and the online controversy that ensued when another hacker took credit for it. The end? No, fresh drama has been introduced into this saga.

Author of Chinese Hacker Vampire Program JAILED!

On 4 July, News.cn reported that an 18-year-old hacker surnamed Zhou had been arrested in connection with selling the trojan downloader program. Police from Chongqing City launched an investigation into the case after receiving a phone call from an anonymous source who reported that there was a website selling the Chinese Hacker Vampire downloader. According to the report, Zhou’s website even threatened to shut down the anti-virus software industry.

On July 1st, Chongqing police captured Zhou while he was still asleep in his apartment, and he later made a full confession to the crime. The end? No.

Silly police, you can’t arrest a vampire

Decided to visit SKSgod’s website and see when he last posted and surprise…it was 5 July. Wait, wasn’t he jailed on July 1st? Nope. SKSgod is just having a real run of bad luck with people stealing his program and identity.

On 5 July, he posts an apology to all the people who lost money purchasing the Chinese Vampire downloader and promised to use his energy to create a better program. One person in the comments section suggested that his time and energy could be put to better use. So, that was funny.

On 4 July, when the story was breaking about the arrest, he posted three separate articles dealing with the rumor. All three postings had the same theme, complaining about how all this news was hurting his reputation.

Is he at all concerned about the poor schmuck shown getting arrested? Nope, this is all about him and his online creds.  The end? Who knows.


No responses yet

Jun 24 2008

Chinese hackers target college entrance exams (again)

According to HC360.com, with the end of Chinese college entrance exams (高考) and the start of registration, parents and students need to protect their online information from hackers. The warning explains that while the internet contains a lot of relevant information about registration, it also has risks.

Digital Security Laboratories (sucop.com) is reminding parents of the students taking the exams to increase their vigilance and prevent incidents with hackers before they occur. They list several methods the hackers commonly use to get information from the students:

1) The underground hacker industrial chain uses information on the college entrance examination in order to disseminate trojans and viruses. The article further explains that this element of the underground economy is already in place and fully developed. People engaged in this type of activity are highly adept at using social engineering to exploit large-scale events such as the Olympics, disasters, entrance exams…etc. They use the information collected from online users for their own financial benefit.

2) The underground transaction website: Online registration is now very common, and some websites publicly advertise that they can alter student records, household registration and exam results. This is just a way to cheat parents and students out of their money.

3) Some phishing websites are an even greater danger: The hackers use these phishing websites to post false information and disrupt the college registration process. They also solicit nonexistent enrollment fees from the students. Furthermore, they use the site, combined with the methods mentioned above, to get student information to resell. Hackers have also used loopholes in the college registration sites to blackmail students by tampering with the data they entered on the online form.


2 responses so far

Jun 18 2008

Dear Chinese hacker master, I have a question…

Dear Chinese hacker master,

Sadly, I have all these compromised computers just lying around the place and don’t know what to do with them, could you please help?!?

- Confucius…sed amateur

Dear Confused,

No need to be embarrassed, we have all experienced this dilemma at one time or another. Let me offer a few simple solutions to this common problem:

  1. Steal virtual property from the compromised computer. Take their game account ID, QQ number and Q money.
  2. Steal real property from the compromised computer. Real property can consist of bank accounts or online stock speculator account numbers. There are many types of trojans designed specifically for getting the account numbers of online stock speculators.
  3. Steal people’s private data. Remember, just like the Edison Chen photo scandal, regular people can be extorted too if you threaten to release their explicit photos on the internet. Use their private information that could be harmful to blackmail them. If you steal commercial data such as financial reports and personnel records it can be used for your illegal benefit. Also, you can attempt to control their webcam in order to fill the desires of peeping toms.
  4. Use the victim’s connections to get illegal benefits. Perhaps you think your QQ number is insignificant, you don’t have QQ 秀 (unclear) or QQ money. Not so, your friends QQ numbers, your e-mail contacts and cellphone contacts are all targets for the attacker. The attacker can fake your identity to carry out all manner of illegal activity. Everyone’s personal connections have commercial worth. The most common example of this is the 12950 service that used groups of QQ numbers to send out trash/spam? information to steal money or the MSN virus that automatically sent out information to your friends to defraud them. NOTE: the 12590 service could refer to this: Optional service Game treasure box makes the mobile into a game machine. A mobile QQ can go anywhere, 12586 online entertainment (that has many strange old friends), 12590 interactive message service (that has various voice monsters), CRBT and MMS (that are full of fun, personalized ring tones and pictures that can be downloaded anytime)……your enjoyment with these features is endless!
  5. Plant rogue software on the compromised computer. This will make it automatically click online advertising for profit. This can really affect your online experience, as I suspect everyone hates online pop-up ads. After the attacker controls a lot of compromised computers, they can force out ads and obtain profits from the ad owners. The number one reason for rogue software flooding is that many companies purchase rogue software developers’ advertisements. Other attackers use the rear platform? to covertly click on advertisements in order to gain profits. This causes the ad owner to waste money through invalid clicks.
  6. Use the compromised computer as a springboard (proxy server) to attack other computers. Any type of hacker attack can leave behind traces and in order to better conceal yourself, it is necessary to use many proxy jumps. The compromised computers can act as an agent and a scapegoat. The attacker can disseminate even more trojans and think of your computer as a downloading station. It is a possibility that network speed and performance will be improved with proxy servers.
  7. The compromised computer is the foot soldier used to launch DDoS attacks. DDoS attacks can earn money for internet gangs or cyberwarfare (those who engage in it), as some people will hire these internet goons who initiate conflicts. Internet gang members can carry out an attack directly against their target and then blackmail the victim. Compromised computers are a chess piece for internet gangs, and DDoS attacks have become a poisonous cancer for the internet.

Yep, a little fun in the beginning with this post (I made it up), but the rest is a real list of uses for compromised computers put out by Chinese hackers.

I swear I heard the sound of people flipping their webcams towards the ceiling after reading number 3.

UPDATE: Hat-Tip to Therese who sets me straight on the definition of QQ 秀:

QQ 秀 == QQ “Show”

It’s one of the things that you can spend QQB on. You purchase outfits and accessories to dress up your little avatar. It’s like putting on a show. Therese also provides a Flickr link to “patriotism QQ-Show.”

http://www.flickr.com/photos/keso/2421813915/


5 responses so far

Jun 18 2008

Chinese hackers “Whale Phishing” US Courts and the IRS

Somehow I missed this article at Dark Reading on “whale phishing” by Chinese hackers:

SecureWorks, a leading security services provider, reported today that a Chinese hacker is behind the current and former executive “whaling phishing scams” involving the US Federal Courts and the IRS. The new US Tax Court scam, targeting financial executives, which started two weeks ago is the latest in a wave of whaling attacks involving the IRS and the Federal Courts beginning in June 2007. Jackson also just discovered that the same hacker launched an IRS whaling scam this past weekend and the SecureWorks Counter Threat Unit is investigating it currently.

Dark Reading has some excellent stuff, including the rest of this article.


No responses yet

Jun 05 2008

Chinese hacker instructional video of the Gray Pigeon trojan

One of the clearest instructional videos I have seen on how to use the Gray Pigeon trojan horse. I haven’t tried to translate the video but thought it might be of interest to some of our more technically inclined audience. The first part describes how to use the program and the second part shows how the information is collected from an infected computer.

Video Removed (killing the rest of the posts)


4 responses so far

May 22 2008

Kunshan Red Cross website compromised

Published by Heike under Hacking for money

According to reports, a detachment from the Shenzhen Public Security Bureau Internet Police organization assisted the Jiangsu Police Department in arresting a male suspect who had hacked into the Kunshan Red Cross website to defraud people donating to victims of the Sichuan earthquake.

A 24-year-old suspect, named Yang (from Hubei), was arrested for altering the information on the homepage that listed the phone number and bank account number used to make donations.

In the above shot, I have shown the area the hacker altered. It is unclear if this is somehow related to the previous incident.


One response so far

May 21 2008

Chinese hackers…DDoS attack services

Meet Demon Group, an organization that specializes in providing much needed hacking services…their fellow citizens would like to see them dead or jailed…in no particular order or combination.


The screen capture above had to be taken from a Google cache because Demon Group’s website (www.ddosx.cn) seems to have vanished from the interwebs. I have some theories on why it disappeared, which I will share later.

First noticed the group when I found one of their advertisements on Baidu Postings (Large Chinese BBS):

The group claims to provide various types of DDoS attack services on internet cafes, websites, private servers, servers…etc. They sell attack software packages and rent out specialized tools to gather up infected computers (Guaranteed to gather up no fewer than 600-900 in a single day). The contact number provided is QQ:81991.

Demon Group Spams

Demon group, you spam your services…you spam them a lot! You spam them too much! Now you have ticked off a guy named Good Good, he would like to see you go to jail, he has reported you to the INTERNET POLICE!


No responses yet

May 20 2008

Chinese hackers…masters of social engineering

If I were in the business of spotting popular trends, the first thing I would do is hire a Chinese hacker. While the rest of the world is passively watching events unfold around them, Chinese hackers are doing the math on how many people will participate and what online avenues are associated with them…like symbols.

According to an article on tech.ccidnet.com, hackers are using recent events and the patriotism they have inspired to spread a new trojan called “Red Heart Robber.” The snatching of the Olympic torch, the CNN incident, and the earthquake in Sichuan have caused the Chinese online community to attach red hearts with the Chinese flag (and other variations) to their QQ sig and webpages to show support/sympathy for China. When normal online users download the image of the red heart flag to show their support for China, a nasty little trojan comes attached.

Attacking your own symbol of patriotism…not cool!


5 responses so far

May 17 2008

Chinese Red Cross Website Hacked to Steal Earthquake Relief Donations

Published by Heike under Hacking for money

Hacker illegally invades section of the official Red Cross website and tampers with solicited donation accounts

Verified by the Ministry of Public Security, a section of the official Red Cross website has been illegally hacked. According to the report, criminal elements gained access to the section of the website that held the special accounts for earthquake disaster relief donations.

An individual named Li Bujiu, had opened four fraudulent bank accounts to steal the funding.

The Ningbo Bank released a statement warning all citizens to verify account numbers when making donations. The bank suggested using CCTV, TV, and newspapers as references to verify the accounts.

The falsified accounts were listed as follows:

Opened by Li Yaqiong at the Henan, bank: Agriculture Bank of China, ACCT #: 6228482080560018616;

Opened by Li Bujiu at the Commerce bank, ACCT #: 6222002201101753792;

Opened by Li Bujiu at the Agricultural bank, ACCT #: 6228480150082864813;

Opened by Li Bujiu at the Construction bank, ACCT #: 6227003526450024660;

Opened by Li Bujiu at the Postal Savings Bank, ACCT #: 6221886400011381263;

Opened by Lin Yumin at the Agricultural bank, ACCT#: 9559980150169780312

I think it was Eddie Murphy who once said, “The only reason you would want to do something like this is if you wanted to go straight to hell and not wait in line!”


5 responses so far

May 16 2008

“Electronic Heroin” an analysis of Chinese juvenile cybercrime

Published by Heike under Hacking for money, Uncategorized

This is a long article and will need to be done in at least two parts (three?), along with a lot of gisting. It came out yesterday on Chinacourt.org and provides an in-depth look at the drivers pushing juvenile cybercrime in China:

Analysis: Juvenile Cybercrime Causes and Prevention

In the past few years, following the rapid expansion of the internet in our country (China), the internet has become a daily part of many people’s lives and an integral component. According to statistics, in 2007, the number of online users in our country (China) reached 162 million people with juvenile users accounting for 85.8% of that figure. Furthermore, among the country’s juvenile users, 13.2% have become addicts and another 13% manifest internet addiction tendencies. The highest proportion of internet addiction, 17.1%, occurs among juvenile users from the ages of 13 to 17. While the internet has the prospect of bringing happiness and creating large amounts of wealth, it also introduces enticements and sin. According to statistical data, 90% of juveniles go online to play games, while the rest use it to chat or browse unhealthy websites. Browsing unhealthy websites and playing online games is either the direct or indirect cause of juvenile crime. This article will analyze the manifestation of juvenile cybercrime, exploring all of the causes that entice it, in order to have a beneficial discussion on countermeasures to prevent juvenile cybercrime.

First, the manifestation and characteristics of juvenile cybercrime: Following the application and development of computer network technology, the youth have clearly become the majority of internet users and cybercrime has become a new phenomenon of juvenile criminals. Due to the psychological immaturity of youth, they unhesitatingly throw themselves into the internet, becoming excessively dependent and turning into “electronic heroin junkies.” Not only has the internet taken away their thirst for knowledge and kindheartedness, it has also robbed them of their precious youth. From investigations into cybercrime cases over the last couple of years, Chinese juvenile cybercrime manifests itself in these forms:

  1. The internet is used to carry out traditional types of crime such as theft, ransom, injury, fraud, robbery…etc. The virtual nature of the internet provides an artificial space and convenient channel for juveniles to carry out crimes. They can very easily hide their true identity, address…etc., to carry out criminal activity.


No responses yet

May 12 2008

Chinese hacker virus industry chain

I used this chart from IT Rising’s 2007 report on the computer virus epidemic:

to create this crappier but English version of the chart:


One response so far

May 09 2008

Korean Auction Site Hackers Arrested in PRC

Danwei linked to this article indicating that the hackers responsible for compromising the Korean auction site several months ago have been arrested in the PRC.  The article goes on to describe some interesting details such as:

KBS also talked to Chinese hackers who claim there is something of a black market for Korean personal information in China. They say Koreans hire Chinese hackers to break into sites to get information, which is then handed over and sold in Korea.

There is also some limited information about a tool that was used to compromise the Korean sites.


No responses yet

Apr 15 2008

Mailbox passwords for sale, Chinese hacker business or scam?

A reporter from China Ningbo Net recently received an e-mail from hackers offering a unique set of services, breaking mailbox passwords and remote control of other people’s computers. According to the hackers’ pricelist, they offered the following services:

  1. 300 Yuan to break an overseas mailbox password, with 85% probability of success
  2. 200 Yuan to break a domestic mailbox password, with 90% probability of success
  3. 1000 Yuan to break a company’s mailbox password (no success rate given)

By going to the webpage supplied in the e-mail and using their QQ number, the reporter was able to find out that the hackers could break passwords for 163, 126, QQ, Yahoo, Sohu, Sina, TOM, Hotmail, MSN…etc.

Furthermore, the reporter learned that despite the disclaimer on the website that read, “breaking into other people’s mailbox is an illegal activity and these services are solely for the purpose of recovering a forgotten password,” they pretty much didn’t care if the mailbox belonged to you or not. Yep, if you paid, they would get you that password. Surprise!

The hackers also wanted 50 Yuan upfront money deposited in their bank or Alipay account as a show of good faith from the buyer.

The reporter consulted with IT experts and Public Security officials who confirmed that yes, it was possible to break into a mailbox but that this was more than likely just an online scam to cheat people out of money.


2 responses so far
