Archive for the 'Leaders' Category

Jul 21 2008

Leader of Chinese female hacker “security” team not happy


On May 29th, we posted a profile of Cn Girl Security Team, an organization of female hackers. A reporter from the Daily News and Analysis, Venkatesan Vembu, picked up the story and called for an interview.

Not sure how widely the story was circulated in the western press but it sure was popular in China.

On her blog, Xiao Tian admits that all the sudden publicity came as a shock when people started calling asking about the article. She claims to have stepped away from the “security” site for quite some time and that much of what was written was hype. Just a girl who enjoys blogging and computers. For someone who takes so many pictures of herself, it is hard to believe that this has become such a burden on her.

The Cn Girl Security Team website has been showing a 403 error for the past week and some have suggested it was done by hackers. They say this further demonstrates the low-level technical skills possessed by the group. Xiao Tian denies the rumor and contends there was a problem with the hosting service.

Either way, one more hacker website bites the dust. Hundreds remain but we got you covered.


Jul 12 2008

Withered Rose, NCPH.net active again?

UPDATE 13 JULY 08: Still doing some research but at this point it is kind of a moot question… CHINESE HACKER WITHERED ROSE HAS RETURNED! Why I don’t do things the simple way is one of those questions that may never be answered. Did you check his blog site? Yep, Withered Rose reopened it on 2 July 08. The only explanation given for the long absence was that he was busy but his new job allows him time to blog. More later.

Jumper and I are in the process of looking through the posts at NCPH.net (it became active again on 14 April 08), a site previously run by Withered Rose, to determine if it is indeed the same organization. The site went down after it received a bit of notoriety from a Time article titled Enemies at The Firewall.

There are at least two articles that detail hacks of Taiwanese websites but it is uncertain if it is still run by Rose.

Hopefully, more to follow.


Jun 21 2008

Vampires, Chinese hackers, Treachery and Smoking Hacker Babe…Let’s face it, this post has it all!

New Chinese hacker program making the rounds called Chinese Vampire v2.2.1 (starving anti-virus) billed as a trojan downloader tool, ARP attack, QQ tail…etc. The screenshot below shows the downloader interface:

From what I have read about the tool, it is very effective. So effective in fact, that another Chinese hacker calling himself Sadness, from the Black Wolf hacker group, stole it. Yes, he did. Look at the trackback URLs associated with this screenshot compared to the one above (circled in red). Notice that our thief has changed it to the Black Wolf website instead of the www.9u9u9.cn address.

The true author of Vampire v2.2.1 runs the website pictured below and calls himself SKSgod…sigh. He was really unhappy with the theft of his property and posted a pretty nasty response to Sadness. Yeah, hacker on hacker violence doesn’t concern me in the least.

Now the truly exciting part of this post, there is also a female hacker involved in the marketing of this fine product named Jiajia (佳佳). Hmmm, you say…that name sounds familiar? Well it should! It is the same name as one of the members of the Six Golden Flowers.

Jiajia of the Six Golden Flowers

Is it the same Jiajia? I don’t think it is but not sure. On her blog, this Jiajia claims that due to the controversy over the stolen program, there are only two legitimate sites to download Vampire v2.2.1. One is her site and the other is SKSgod’s. Yes, there was a picture associated with Jiajia’s website:

Now this girl certainly doesn’t look like Jiajia number one and she appears to be a bit younger. Also, the characters next to the picture said “Sleepless Night.” Hell, this could be the picture off an album cover (and yes I did try to see if I could find a record called Sleepless Night) for all I know. She may just be the Britney Spears of China. Thought I would include it anyway…sue me.


Jun 13 2008

Chinese hacker hunting…Where is Coolswallow/Ericool/Peng Yinan?

Why do criminals always return to the scene of the crime?

When we last caught up with our old friend Coolswallow/Ericool/Peng Yinan, he was giving a presentation titled, “Hacker in a Nutshell,” at the Chen Ruiqiu building, located on the Jiaotong University campus.

Mr. Peng was not very happy with our coverage of his activities…see here. My response here.

Once again, he has been invited back to Jiaotong University to pass along his experience to job-seeking students studying information security engineering…of course it took place at the Chen Ruiqiu building.

Peng Yinan offering help to future information security specialists

As an alumnus of the university, he was there to assist these young students in gaining employment in the information security industry:

Students in need…how will this help?

Not sure but…could this be considered a FAIL?

Yeah, I just wanted to give failblog.org a plug…love this website!


May 29 2008

Chinese Female Hacker Group

In the male dominated world of Chinese hackers, females find it difficult to be accepted as equals. Their technical skills are often viewed as inferior to their male counterparts.

As far as I am aware, the first group of female Chinese hackers to break this mold were the Six Golden Flowers. The Golden Flowers have since broken up and gone their separate ways, but a new and larger group has taken their place, the Cn (China) Girl Security Team.

The website for the China Girl Security Team was registered on 12 Mar 2007 and currently has 2,217 members. The leader of the group, Xiao Tian, is only 19 years old:

One of Xiao Tian’s chief lieutenants, who goes by the online name of Clever Without Equal (that’s close anyway), is dialed into just about every major Chinese hacker site on her blog:

Also linked through Clever’s blog is Evbs:

She seems to be getting the hang of this hacking thing:


Apr 24 2008

New “Kinda-Lazy” Chinese hacker attack on CNN scheduled for tomorrow. UPDATE x2

UPDATE FIZZLE: Just got word from Jose that nothing happened with the CNN website today. Chinese hackers are starting to make me look bad and I will not stand for that!! :)

If this keeps up, it may be easier to list the days that Chinese hackers are not calling for an attack on CNN.

Had some serious reservations about posting this article for a couple of reasons but decided it is probably worthwhile. The cons are that there is ZERO confirmation from other sites about the impending attack and the alert posting did not list a sponsoring organization. On the pro side, it included a website that was set up on the 20th (after initial attack) that is linked in the post and looks like it is there to support the action.

So, large CAVEAT: UNCONFIRMED

Added bonus, stupid clock again:

The Announcement

At 8:00 pm (Beijing local) on 25 April, Chinese hackers will attack CNN

[Announcement] 2008-04-21 On 25 April, 8:00 pm (Beijing local), Chinese hackers will attack CNN.

Everyone, please pay attention to the issues regarding the effort to invade the CNN website. We are requesting the support of all Chinese. If you are an expert hacker, we request you ardently strive to invade www.cnn.com. If you are a novice, we request you use DDOS flood attack or put up a couple of pieces of hacker software. If you are not a hacker, we request that you land on the www.cnn.com website at 8:00 pm on 25 April.

Try with all your might to establish a link with the website in order to waste its resources. If their website is continually at capacity for three hours, the server may just crash. Don’t forget, there are over 1.4 billion Chinese! There are over 100 million Chinese online, they won’t be able to withstand us.

Please, assist us with the invasion of www.cnn.com, this represents the honor of China over the issue of Tibetan independence. The www.cnn.com website has put out a large amount of unsubstantiated reports that are a serious challenge and US hackers have already invaded many of our websites. It is time for revenge; let us begin a new round of Sino-US hacker wars. Let them know the strength of the Chinese people.

If it is convenient, please circulate this message to all of your groups. We need support…. Currently, many of us are going to this webpage to carry out the attack, http://www.goupsoft.com.cn/Bs_Cnn.html. The first time you open it, it might not display. Just refresh the page and it should be okay.

Kinda Lazy (but genius!)

Over at the attack website of goupsoft.com, you land on an automated webpage that uses your computer and IP address to continuously “attack” the CNN website unless you close the browser. My guess is that it is constantly making fresh requests from CNN to tie up bandwidth. The graphic below even shows the number of attacks you have made on the site.

Yeah, I kinda attacked CNN 24 times…Whoops! Well, CNN never returned my e-mail either! Damn, I’m sort of a Chinese hacker now? Anyway, the only really interesting thing in that blurb of Chinese above is that they call CNN a “whore.” Really, twice.

This Attack Method Spreading

While this might be the oldest trick in the book, it is new to me so I’m putting it out there. The website http://www.chenmin.org/doscnn.html is using pretty much the exact same attack method as mentioned previously.

Once again, you land on the webpage above and it begins refreshing the CNN website in an iFrame every five seconds using up their bandwidth (Jumper explained this to me). So, I sort of attacked CNN another five, six, seven…forty times looking at the program. Here is Jumper’s full explanation from the question I e-mailed to him last night about the site:

Yes. It loads an iframe: And then it reloads itself every five seconds:

<script>
var e=document.getElementById('cnn');
setInterval("e.src='http://www.cnn.com'",5000);
//1000 means 1000 milliseconds; you can modify and forward this
</script>

Probably not as effective as the Mao-inator program.

I direct your attention to the last line (emphasis mine) in Jumper’s e-mail. Number one, he dubs the program he analyzed yesterday as the Mao-inator™, which I personally find hilarious. Number two, there seems to be a slight amount of professional jealousy involved since he is dismissing my program as “less effective” than the one he worked with. Yeah, but did yours call CNN a “whore”? Didn’t think so! Less effective, I think not sir!

All kidding aside, this is an excellent method for incorporating large numbers of unskilled people into your DDoS attack. It comes with the added advantage of using their computers, IP addresses and bandwidth and you don’t have to train them. The only skill that is required is the ability to open a webpage in a browser and let it run. Plus, recruits who might not be so willing to stick around to the end of the fight, if tied to a computer all day, are free to do whatever they want while at the same time defending the motherland. My vote GENIUS!
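A defender-side view of the technique described above, as an added example that is not from the original post: because the recruiting page loads the target in an iframe, each reload typically arrives with that page's URL in the Referer header and at a fixed cadence, so the target's own access log can surface it. The log rows, client IPs, thresholds and the defended hostname `www.example-news.test` are constructed assumptions; the two attack-page referer URLs are the ones named in the post.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

# Constructed access log (Apache "combined" format) for a hypothetical target
# site www.example-news.test; client IPs are documentation-range addresses.
GOUP = "http://www.goupsoft.com.cn/Bs_Cnn.html"  # referer URLs named in the post
CHEN = "http://www.chenmin.org/doscnn.html"
SEARCH = "http://search.example/?q=news"          # constructed
OWN = "http://www.example-news.test/"             # constructed
ROWS = [  # (client ip, mm:ss after 20:00 Beijing time, path, referer)
    ("192.0.2.10", "00:00", "/", GOUP), ("192.0.2.10", "00:05", "/", GOUP),
    ("192.0.2.10", "00:10", "/", GOUP),
    ("198.51.100.7", "00:02", "/", GOUP), ("198.51.100.7", "00:07", "/", GOUP),
    ("198.51.100.7", "00:13", "/", GOUP), ("198.51.100.7", "00:18", "/", GOUP),
    ("198.51.100.23", "00:01", "/", CHEN), ("198.51.100.23", "00:06", "/", CHEN),
    ("198.51.100.23", "00:11", "/", CHEN),
    ("203.0.113.4", "00:03", "/", SEARCH), ("203.0.113.4", "01:40", "/", SEARCH),
    ("203.0.113.4", "07:12", "/", SEARCH),
    ("203.0.113.9", "00:04", "/world", OWN), ("203.0.113.9", "00:09", "/world", "-"),
]
LINE = '{} - - [25/Apr/2008:20:{} +0800] "GET {} HTTP/1.1" 200 5120 "{}" "Mozilla/4.0"'
SAMPLE_LOG = "\n".join(LINE.format(*row) for row in ROWS)

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def parse(log_text):
    """Yield (ip, timestamp, path, referer) for each parsable log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["path"], m["referer"]

def find_reload_referers(log_text, own_hosts, min_clients=2, min_hits=3, jitter=1.0):
    """Return {referer: {"clients": n, "period": seconds}} for external referers
    whose clients each re-request the same path at a near-constant interval."""
    hits = defaultdict(lambda: defaultdict(list))  # referer -> (ip, path) -> [ts]
    for ip, ts, path, referer in parse(log_text):
        host = urlsplit(referer).hostname
        if not host or host in own_hosts:
            continue  # no referer, or ordinary navigation within our own site
        hits[referer][(ip, path)].append(ts)
    findings = {}
    for referer, per_client in hits.items():
        periods = []
        for stamps in per_client.values():
            if len(stamps) < min_hits:
                continue
            stamps.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            mid = median(gaps)
            # Timer-driven reloads: every gap sits within `jitter` of the median.
            if mid > 0 and all(abs(g - mid) <= jitter for g in gaps):
                periods.append(mid)
        if len(periods) >= min_clients:
            findings[referer] = {"clients": len(periods), "period": median(periods)}
    return findings

if __name__ == "__main__":
    for ref, info in find_reload_referers(SAMPLE_LOG, {"www.example-news.test"}).items():
        print(ref, info)
```

A referer flagged this way is a candidate for rate limiting or blocking at the edge; clients that suppress the Referer header will not show up in this view, so it complements volume-based monitoring rather than replacing it.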

Make up your own odds if this will actually take place. I have informed Jose Nazario at Arbor Networks who has been monitoring this situation closely and has had great insights.

UPDATE 1: Located the blog for Li Haiwei, the owner of the attack website goupsoft.com.cn, and my boy has some serious issues with CNN and Tibet. Lots of disturbing imagery for the whole family:

The graphic reads, “CNN- I like it. I am CNN.” Then some stuff way too small to read. The Nobel Peace Prize award you can read yourself and at the bottom Tibet.

UPDATE 2: Netcraft has a live performance monitor for the CNN website here.


Apr 20 2008

Revenge of the Flame disbands, denies all responsibility for attack on CNN…and kills website

The leader of Revenge of the Flame has taken down his website and posted a disbandment notice.

!!!We salute our lovable motherland!!!

(graphic posted in the center of this statement does not load)

Revenge of the Flame disbanded

There are actually many ways to be patriotic, we do not want to be impulsive, we should study well, struggle and take great effort to gain knowledge. Only in this way can we develop our motherland and our motherland’s strength. This is all we really wish to see happen.

The Revenge of the Flame has already halted all DDOS attacks, we do not advocate the attack, we advocate diligent study of technology. From this point on, any attack whatsoever, has nothing to do with Revenge of the Flame. If any member of our group, Revenge of the Flame, participates in this type of activity, it is an individual action and has nothing to do with cn_Magistrate or Hackerwolf. Request that everyone make careful deliberations.

(Note: I was under the impression that magistrate hackerwolf was one word, one name but obviously it is two individuals. Here are their blogs: cn_Magistrate and Hackerwolf.)

Currently, everyone on the internet is using the instrument of attack as a means to express their passion and this has already obstructed the motherland’s normal network communications. This is something we do not wish to see happen. Regardless if it is “Revenge of the Flame” or not, we hope that everyone can rationally reflect on this question.

From this moment, the Revenge of the Flame is disbanded!! If there are any notifications after this, they will be posted here. We respectfully ask that you pay attention to this page.

Any attack whatsoever, regardless if it is by an individual or an organization, has serious consequences!!!!!!!!!!!!!!!!!!!!!!

The Revenge of the Flame exists no more forever!! We are now a “patriotic study organization” and we will take the flame into our heart! The Revenge of the Flame in our hearts can never be extinguished! We must struggle! We must work! We must turn our strengths into a shining sword spirit (this sentence may have a somewhat different meaning, not sure).

Without a doubt we must study even more, our forum has already been established. This is really our true exchange space.

http://bbs.hacksa.cn

cn_Magistrate
Hackerwolf

20 April 2008

To our lovable motherland, I say I love you!!


Apr 19 2008

More from Revenge of the Flame on CNN attack

Located the blog of cn_Magistrate, the leader of Revenge of the Flame. Here is a post from his blog on 18 April 2008:

As always, my thanks for everyone’s strong sense of nationalistic responsibility; once again, the Magistrate is grateful to everyone.

Today is 18 April, we are angry and we shall roar, the announcement follows:

  1. Prior to 8:00 pm on 18 April 2008, we invite everyone on IS (ID number 12570496). We will have an important matter to pass along. (This part a little rough on translation) Please note our compatriots will find a way online, obey directions that have been put in place.
  2. Tool download address, considering that there are many normal web users who do not have a high-degree of technical knowledge, we are providing idiot-type (really means for those who don’t know) tools for download. The download address: http://playgood.ys168.com/.  Everyone please pay attention to the group announcements.
  3. Everyone please remain disciplined, listen to the directions of each of the group managers.  Pay attention to your own words, deeds and essence.  We are all Chinese!

18 April 2008
cn_Magistrate
Hackerwolf


Apr 18 2008

Chinese hacker group identified as “Revenge of the Flame” calls off attack on CNN…too many people know

Graphic Attached to Release by Revenge of the Flame

The Chinese hacker group that has been organizing to attack CNN has been identified as the “Revenge of the Flame.” They recently released a statement calling off the DDoS attack on CNN; however, it may have come too late to stop some of its members from going after the site. CNN has just filed a report stating that they had experienced an attack in an attempt to disrupt their website. For this reason, we will keep the clock up and see what happens tomorrow…it might not be over.

Statement from Revenge of the Flame:

In just three short days, our organization, the Revenge of the Flame, has grown large. First, I want to thank everyone for their strong sense of nationalistic responsibility. However, maybe we were too impetuous. We love our country! We will resist all anti-Chinese influences! However, we must choose the right way to come to the defense of our country, families and ourselves!!! After some core internal discussions, we have decided to temporarily cancel the 19th attack plan! The Revenge of the Flame organization still exists! Later we can be a computer discussion organization, we will study together for the day our country needs us! Our government and military will all mobilize! At that time, we will let those so-called foreign net-forces see! No matter where, China will never lose to them! We also have our net-forces! Perhaps at that time, our Revenge of the Flame will be the main strength! We all love our country! But, we must use sensible methods to defend our honor!

ATTENTION: Our original plan for 19 April has been canceled because too many people are aware of it and the situation is chaotic. At an unspecified date in the near future, we will launch the attack. We ask that everyone remain ready. I will repeat it again. At an unspecified date in the near future, we will launch the attack. We are only at present cancelling the attack. We could send out a notice on the day of the attack and have it completed in one day. The attack hasn’t been cancelled; it will be carried out on an unspecified day in the near future. I think everyone understands what we mean.

We hope that even more people with the Chinese national blood will join our actions. Only in unity is there strength. We are not individuals, we are a collective, and we are Chinese.

17 April 2008
Magistrate
Hackwolf
Source: http://www.hacksa.cn


Mar 04 2008

Chinese hacker baseball cards

Published by Heike under Hacker Organization, Leaders

Running through some websites and found what I can only classify as Chinese hacker baseball cards. Not sure if you can trade them with your friends, or which ones are more valuable but here you go:


Northern Beggar
Wan Tao
Net Name: Old Eagle
Affiliation:  The China Eagle Union
Net-fu: 4 Stars
Gangsta Rep: 3 Stars
Affiliation’s power: 4 Stars
Personal Contribution: 4 Stars


Western Poison
Huang Xin
Net Name: Glacier
Affiliation:  Security Focal Point (http://xfocus.net/)
Net-fu: 5 Stars
Gangsta Rep: 4 Stars
Affiliation’s power: 5 Stars
Personal Contribution: 4 Stars


Central High Spirit
Xiao Ban
Affiliation:  Xiaoban Software (http://www.netxeyes.org)
Net-fu: 5 Stars
Gangsta Rep: 5 Stars
Affiliation’s power: 3 Stars
Personal Contribution: 4 Stars


Eastern Demon
Gong Wei
Net Name: Goodwill
Affiliation:  The Green Army
Net-fu: 3 Stars
Gangsta Rep: 4 Stars
Affiliation’s power: 5 Stars
Personal Contribution: 4 Stars


Southern Emperor
Xie Chaoxia
Net Name: Old Poison
Affiliation:  Security Net Science and Technology (http://cnns.net/)
Net-fu: 4 Stars
Gangsta Rep: 4 Stars
Affiliation’s power: 4 Stars
Personal Contribution: 3 Stars

TRANSLATION NOTES:

For the term 武学修为 I have used net-fu but it is more like martial arts capability. However, they are referring to the hacker’s skill…so net-fu seemed the way to go.

On the term Jianghu (江湖), had to go to Baidu to get an accurate translation:

In modern days, the term jianghu is frequently used to refer to the triads and the secret societies of gangsters. A 2004 movie entitled Jiang Hu starring Andy Lau and Jacky Cheung is about the gangster societies in Hong Kong.


Jan 31 2008

Heikeba Update…Never hack inside China…Ever!

This was more than likely a message to the rest of the Red Hacker Alliance that we do not hack inside China or there will be consequences.  According to the video, it wasn’t just money that Heikeba was after but fame played a large part as well.  The downfall seems to have come when they decided to break into banks inside of China and steal from Chinese citizens.  That my friends is a no-no!


Also, it is not nice to attach Trojans to music and picture downloads.


This is the part I’m not completely clear on and if someone who has better ears than I do can provide clarification it would be really appreciated.  The police discovered that the site was spread out across 15 cities inside of China. Here is the difficult part, they found records on the site dealing with New York, London and Paris and something about logging into the sites at the same time which seemed impossible or only slightly possible.  There is some discussion of time-zones and logging into them at the same time.


Difficult to tell if they are saying Heikeba was responsible for hacking into websites in these cities. Hopefully, we can get a little help here.


Jan 23 2008

3800hk.com China’s Largest Online Hacker School

The Patriot’s Security Website (3800hk.com) was originally established in 2003 as the Black Hawk’s Red Hacker Base (3800cc.com).  Its founder, Li Qiang (李强), a.k.a Rice (大米), has turned the station into a Chinese hacker training industry that markets numerous lines of hacker training CDs, DVDs, online courses and manuals.


The profile above only lists Li as a lecturer and the station master is given as Stef:


However, in this interview with sina.com, Li Qiang is clearly identified as the true founder of the organization:


According to 3800hk.com’s description, the company headquarters has 21 personnel, 9 temporary workers and 17 technicians:


Furthermore, the company has invested around US $83,000 in hardware and equipment. It has 10 servers spread out in locations such as Hangzhou, Yangzhou, Guangzhou, Henan, Beijing and Shanghai.


Dec 18 2007

China Breeding New Race Of Super Hackers!! I Kid You Not.

Well possibly…

What happens when two of China’s historic Trojan designers marry? Yes, guy and girl hacker.  My guess is the next generation of Uber Hackers is soon to be born. It was bound to happen eventually, so let me introduce the happy couple:

GLACIER (Groom)

  1. Real Name: Huang Xin (黄鑫)
  2. Online Name: Glacier (冰河)
  3. Organization: www.xfocus.org
  4. Age: 29 (In 2007)
  5. Known Hacks: Developed the Glacier Trojan, China’s most popular
  6. Summary: Graduated from Xi’an Electronic Sci-Tech University. Married to Chinese female hacker Wollf. In 2006, he was 28 years old and a resident of Guangxi. Godfather of the Chinese Trojan.

WOLLF (Bride)

  1. Real Name: Wang Juan (王娟)
  2. Online Name: Wollf
  3. Organization: Unknown
  4. Age: 27 (in 2007)
  5. Known Hacks: Developed the Wollf Trojan
  6. Summary: Born in Sichuan and has worked in a Hainan Network Company. The mother of Chinese Trojans.

Both added to Top Chinese Hackers
