The picture seen above is an advertisement for a Chinese hacker training course.  Now I know many of you are struggling to process this information;  something seems wrong with the picture.  The reason your brain is having trouble with the image,  is that it is located in a place called, the “outdoors”.  Like me, many of you spend way too much time online and this poster is horribly out of place.

The following report from China Daily talks about the growing public concern over hacking and online hacking courses.  It also interviews Wang Xianbing, a consultant for hackbase.com:

“Lots of hacker schools only teach students how to hack into unprotected computers and steal personal information,” said Wang Xianbing, a security consultant for hackerbase.com. “They then make a profit by selling users’ information.”

For investing hundreds of yuan in hacker school, students could obtain the skills to make a fortune, Wang said.

“Hacker school is a bit like driving school – they teach you how to drive but it’s up to you if you are going to drive safely or kill someone,” said Wang.

What the article doesn’t tell you is that Wang Xianbing is also known as Janker and the Lonely Swordsman; one of China’s first generation of hackers and the leader of online conflicts with the US and Japan.

This article, from the People’s Daily, details Wang Zi’s efforts to bring back the patriotic spirit of the Red Hacker Alliance.

“The Tao that can be described in words is not the true Tao. The Name that can be named is not the true Name,” – the first two sentences of Tao Te Ching are the slogan of hong ke that appear on the new union’s new homepage.

After the Olympics, Wang Zi’s group retired from the web for a short time, and then on the first day of this year, the group made a bold new announcement.

The blurb on their newly-launched website reads, “Hong ke culture is back. We will hold and transmit hong ke spirit focusing on justice, pioneering and love for the motherland.”

Lin Lin, the leader of Evil Octal (another Chinese hacker organization), refutes Wang Zi’s claim to the title of new leader:

“Lion is the spiritual leader of the hong ke union,” Lin Lin, a leader of hacker group Eviloctal Security Team, told the Global Times. “And without him, no hong ke organization can be regarded as a reorganization of the original.

The article goes to great lengths to distance the organization from being government sanctioned:

Wang Zi says his union is a purely non-governmental organization. They could not register the union’s name with the Ministry of Industry and Information Technology until they deleted “Zhongguo” (China) from it.

It was absolutely my privilege to  spend a few days talking with Mara Hvistendahl on the subject of Chinese hackers.  She is such a fantastic lady and I couldn’t have enjoyed our time more.

While linking to our interview may seem a bit of shameless self-promotion, I mainly wanted it on record that Mara called me, “a trim 46-year-old.”  I pushed for other words like swashbuckling, ruggedly handsome and athletic until Mara started mentioning other adjectives such as weird, strange and goofy.

…TRIM!

Hackers: the China Syndrome by Mara Hvistendahl

The first reference I can find of this defacement indicates it took place in September of 2006, to protest Prime Minister Koizumi’s visit to the Yasukuni Shrine. Several people posting think it was done by a female hacker due to the signature line that translates to something like, “the girl pissing on the Yasukuni toilet.”

The article uses the screen shot to demonstrate how ferocious female Chinese hacker can be and does not attribute it to Xiao Tian. Plus, we know our gal would never use such vulgar language. She saves all that built up nationalist energy for the dance floor:

FROM Xiao Tian’s blog: She is on the left in black and says to ignore the other girl in the short skirt. As a matter of fact, Xiao Tian wants you to know she hates that girl. Apparently, the DJ pushed the girl up on the stage so the two could dance together. Xiao Tian doesn’t have kind words for the DJ either. Also, she claims to have been a bit nervous on stage, so these are not her best dance moves.

That is why you come here, for the culture. Now, back to your nerdly doings.

Not sure how widely the story was circulated in the western press but it sure was popular in China.

On her blog, Xiao Tian admits that all the sudden publicity came as a shock when people started calling asking about the article. She claims to have stepped away from the “security” site for quite some time and that much of what was written was hype. Just a girl who enjoys blogging and computers. For someone who takes so many pictures of herself, it is hard to believe that this has become such a burden on her.

The Cn Girl Security Team website has been showing a 403 error for the past week and some have suggested it was done by hackers. They say this further demonstrates the low-level technical skills possessed by the group. Xiao Tian denies the rumor and contends there was a problem with the hosting service.

Either way, one more hacker website bites the dust. Hundreds remain but we got you covered.

UPDATE 13 JULY 08: Still doing some research but at this point it is kind of a moot question… CHINESE HACKER WITHERED ROSE HAS RETURNED! Why I don’t do things the simple way is one of those questions that may never be answered. Did you check his blog site? Yep, Withered Rose reopened it on 2 July 08. The only explanation given for the long absence was that he was busy but his new job allows him time to blog. More later.

Jumper and I are in the process of looking through the posts at NCPH.net (it became active again on 14 April 08), a site previously run by Withered Rose, to determine if it is indeed the same organization. The site went down after it received a bit of notoriety from a Time’s article titled Enemies at The Firewall.

There are at least two articles that detail hacks of Taiwanese websites but it is uncertain if it is still run by Rose.

Hopefully, more to follow.

New Chinese hacker program making the rounds called Chinese Vampire v2.2.1 (starving anti-virus) billed as a trojan downloader tool, ARP attack, QQ tail…etc. The screenshot below shows the downloader interface:

From what I have read about the tool, it is very effective. So effective in fact, that another Chinese hacker calling himself Sadness, from the Black Wolf hacker group, stole it. Yes, he did. Look at the trackback URLs associated with this screenshot compared to the one above (circled in red). Notice that our thief has changed it to the Black Wolf website instead of the www.9u9u9.cn address.

The true author of Vampire v2.2.1 runs the website pictured below and calls himself SKSgod…sigh. He was really unhappy with the theft of his property and posted a pretty nasty response to Sadness. Yeah, hacker on hacker violence doesn’t concern me in the least.

Now the truly exciting part of this post, there is also a female hacker involved in the marketing of this fine product named Jiajia (佳佳). Hmmm, you say…that name sounds familiar? Well it should! It is the same name as one of the members of the Six Golden Flowers.

Jiajia of the Six Golden Flowers

Is the same Jiajia? I don’t think it is but not sure. On her blog, this Jiajia claims that due to the controversy over the stolen program, there are only two legitimate sites to download Vampire v2.2.1. One is her site and the other at SKSgod’s. Yes, there was a picture associated with Jiajia’s website:

Now this girl certainly doesn’t look like Jiajia number one and she appears to be a bit younger. Also, the characters next to the picture said “Sleepless Night.” Hell, this could be the picture off an album cover (and yes I did try to see if I could find a record called Sleepless Night) for all I know. She may just be the Brittany Spears of China. Thought I would include it anyway…sue me.

When we last caught up with our old friend Coolswallow/Ericool/Peng Yinan, he was giving a presentation titled, “Hacker in a Nutshell,” at the Chen Ruiqiu building, located on the Jiaotong University campus.

Mr. Peng was not very happy with our coverage of his activities…see here. My response here.

Once again, he has been invited back to Jiaotong University to pass along his experience to job-seeking students studying information security engineering…of course it took place at the Chen Ruiqiu building.

Peng Yinan offering help to future information security specialists

As an alumni of the university, he was there to assist these young students in gaining employment in the information security industry:

Students in need…how will this help?

Not sure but…could this be considered a FAIL?

Yeah, I just wanted to give failblog.org a plug…love this website!

In the male dominated world of Chinese hackers, females find it difficult to be accepted as equals. Their technical skills are often viewed as inferior to their male counterparts.

As far as I am aware, the first group of female Chinese hackers to break this mold were the Six Golden Flowers. The Golden Flowers have since broken up and gone their separate ways, but a new and larger group has taken their place, the Cn (China) Girl Security Team.

The website for the China Girl Security Team was registered on 12 Mar 2007 and currently has 2,217 members. The leader of the group Xiao Tian, is only 19 years old:

One of Xiao Tian’s chief lieutenants, who goes by the online name of Clever Without Equal (that’s close anyway), is dialed into just about every major Chinese hacker site on her blog:

Also linked through Clever’s blog is Evbs:

She seems to be getting the hang of this hacking thing:

If this keeps up, it may be easier to list the days that Chinese hackers are not calling for an attack on CNN.

Had some serious reservations about posting this article for a couple of reasons but decided it is probably worthwhile. The cons are that there is ZERO confirmation from other sites about the impending attack and the alert posting did not list a sponsoring organization. On the pro side, it included a website that was setup on the 20th (after initial attack) that is linked in the post and looks like it is there to support the action.

So, large CAVEAT: UNCONFIRMED

Added bonus, stupid clock again:

The Announcement

At 8:00 pm (Beijing local) on 25 April, Chinese hackers will attack CNN

[Announcement] 2008-04-21 On 25 April, 8:00 pm (Beijing local), Chinese hackers will attack CNN.

Everyone, please pay attention to the issuses regarding the effort to invade the CNN website. We are requesting the support of all Chinese. If you are an expert hacker, we request you ardently strive to invade www.cnn.com. If you are a novice, we request you use DDOS flood attack or put up a couple of pieces of hacker software. If you are not a hacker, we request that you land on the www.cnn.com website at 8:00 pm on 25 April.

Try with all your might to establish a link with the website in order to waste its resources. If their website is continually at capacity for three hours, the server may just crash. Don’t forget, there are over 1.4 billion Chinese! There are over 100 million Chinese online, they won’t be able to withstand us.

Please, assist us with the invasion of www.cnn.com, this represents the honor of China over the issue of Tibetan independence. The www.cnn.com website has put out a large amount of unsubstantiated reports that are a serious challenge and US hackers have already invaded many of our websites. It is time for revenge; let us begin a new round of Sino-US hacker wars. Let them know the strength of the Chinese people.

If it is convenient, please circulate this message to all of your groups. We need support…. Currently, many of us are going to this webpage to carry out the attack, http://www.goupsoft.com.cn/Bs_Cnn.html. The first time you open it, it might not display. Just refresh the page and it should be okay.

Kinda Lazy (but genius!)

Over at the attack website of goupsoft.com, you land on an automated webpage that uses your computer and IP address to continuously “attack” the CNN website unless you close the browser. My guess is that it is constantly making fresh requests from CNN to tie up bandwidth. The graphic below even shows the number of attacks you have made on the site.

Yeah, I kinda attacked CNN 24 times…Whoops! Well, CNN never returned my e-mail either! Damn, I’m sort of a Chinese hacker now? Anyway, the only really interesting thing in that blurb of Chinese above is that they call CNN a “whore.” Really, twice.

This Attack Method Spreading

While this might be the oldest trick in the book, it is new to me so I’m putting it out there. The website http://www.chenmin.org/doscnn.html is using pretty much the exact same attack method as mentioned previously.

Once again, you land on the webpage above and it begins refreshing the CNN website in an iFrame every five seconds using up their bandwidth (Jumper explained this to me). So, I sort of attacked CNN another five,six, seven…forty times looking at the program. Here is Jumper’s full explanation from the question I e-mailed to him last night about the site:

Yes. It loads an iframe: And then it reloads itself every five seconds:

<script>

var e=document.getElementById(‘cnn’);

setInterval(“e.src=’http://www.cnn.com‘”,5000);

//1000 表示1000毫秒,你可以修改并转发

</script> Probably not as effective as the Mao-inator program.

I direct your attention to the last line (emphasis mine) in Jumper’s e-mail. Number one, he dubs the program he analyzed yesterday as the Mao-inator™, which I personally find hilarious. Number two, there seems to be a slight amount of professional jealousy involved since he is dismissing my program as “less effective” than the one he worked with. Yeah, but did yours call CNN a “whore” didn’t think so! Less effective, I think not sir!

All kidding aside, this is an excellent method for incorporating large numbers of unskilled people into your DDoS attack. It comes with the added advantage of using their computers, IP addresses and bandwidth and you don’t have to train them. The only skill that is required is the ability to open a webpage in a browser and let it run. Plus, recruits who might not be so willing to stick around to the end of the fight, if tied to a computer all day, are free to do whatever they want while at the same time defending the motherland. My vote GENIUS!

Make up your own odds if this will actually take place. I have informed Jose Nazario at Arbor Networks who has been monitoring this situation closely and has had great insights.

UPDATE 1: Located the blog for Li Haiwei, the owner of the attack website goupsoft.com.cn, and my boy has some serious issues with CNN and Tibet. Lots of disturbing imagery for the whole family:

The graphic reads, “CNN- I like it. I am CNN.” Then some stuff way too small to read. The Nobel Peace Prize award you can read yourself and at the bottom Tibet.

UPDATE 2: Netcraft has a live performance monitor for the CNN webiste here.