The Dark Visitor

UPDATE: It looks like the organizers might be trying to put a stop to the attack due to the number of people who are aware of it. Translating some of it now.
UPDATE to UPDATE While the group may be trying to call off the attack, it might be too late. CNN is now reporting that they have been targeted in an attempt to disrupt their web site.
FINAL UPDATE FOR THIS POST: See the newest release by the group planning attack on CNN here

First, I have added a clock with the Beijing local time because it crossed my mind that some people might be thinking the scheduled attack on CNN is going to take place on US date, time. Nope, Beijing local. So that means it is suppose to take place tomorrow. I will leave the clock up if you want to check back.

Second, many more Chinese sites, not just hacker, starting to call for the DDOS attack on CNN. Also they are starting to solidify their plans. Here are the details from one posting on the Guilin University of Electronic Technology bulletin board:

1. Attack will start on 19 April 2008, at 8:00 pm
2. DDOS attack on www.cnn.com
3. The DDOS attack is going to last over three hours
4. They need a large number of compromised computers to carry out the attack and are requesting everyone’s support in putting to together the number needed

The plan has many more details but unfortunately the language is too technical for me to translate.

Here are additional sites calling for the attack on CNN.

http://bbs.neteasy.cn/showthread.php?p=984976

http://www.coogo.net/bbs/showtopic-444648.aspx

http://www.ytjt.com.cn/bbs/redirect.php?tid=36644&goto=lastpost

http://www.ipark.cn/bbs/Post.asp?PostID=836336

http://blog.xuite.net/lemon_head/simple/16728332

http://tieba.baidu.com/f?kz=357748876

Probably many more out there.

UPDATE: Carl Jongsma, from Computer World, was kind enough to provide us a little press on this breaking situation.

UPDATE: Tried once again to contact CNN and warn them of the scheduled attack. If anyone has a better contact than just their news tip e-mail, please inform them.

UPDATE (APRIL 18 1556GMT; Jumper): Arbor Networks is using their tools to monitor the situation.  Take a look at Jose Nazario’s post here.

UPDATE: Since we have some smart people looking at the blog, I wanted to post below part of the Chinese hackers’ attack plan. This seems to be part of the DDoS call for large numbers of attacking computers. Will supply what I can about the Chinese, though it is possibly wrong. If someone knows what this is referring to please post in the comments and we will move it to the blog:

总群：29332975 (This refers to the total number)
复仇的火焰分群1：10093595 (Revenge of the flame group 1)
复仇的火焰分群2：60087657 (Revenge of the flame group 2)
复仇的火焰分群3：17697381 (Revenge of the flame group 3)
复仇的火焰分群4：52911651 (Revenge of the flame group 4)
复仇的火焰分群5：13283694 (Revenge of the flame group 5)
复仇的火焰分群6：52274747 (Revenge of the flame group 6)
复仇的火焰分群7：13735729 (Revenge of the flame group 7)
复仇的火焰分群8：28556275 (Revenge of the flame group 8 )
复仇的火焰分群9：8333214 (Revenge of the flame group 9)
复仇的火焰分群10：24207831 (Revenge of the flame group 10)
复仇的火焰分群11：18574877 (Revenge of the flame group 11)

UPDATE to UPDATE Jumper figured out that these were probably the QQ numbers for the group leaders of the attack. When I went back and looked at some of the sites calling for the DDoS attack, one did list it as QQ群 or QQ groups.

Anti-CNN has issued a call for the Chinese flag to wave over Europe on 19 April 2008. The call was issued to show opposition to Europe’s stance on the Tibet issue. Anti-CNN has called for all overseas Chinese in Germany, France, England and Holland to appear in a simultaneous protest. Overseas Chinese were asked to have their voices penetrate the European sky. It appears the protests may have been scheduled for April 26th, as the announcement asked for people who had already made plans, to switch them to 19 April. The protests on the 19th are scheduled as follows:

1. 1500-1800hrs, 19 April 2008, at the Bundestag, Platz der Republik, Berlin
2. 1300-1500hrs, 19 April 2008, two routes (from Talie – Hotel de Ville – Bastille) or (Republique – Bastille – Hotel de Ville –Bastille, Paris
3. 1100-1500hrs, 19 April 2008, Downing Street outside of Whitehall, England
4. (No time given) 19 April 2008, Amsterdam, Holland

The protests appear to be well organized, with the coordination of donations, banners, flags, T-shirts…etc. While it is of course impossible to tell how widespread the demonstrations will be, an online keyword search, using Chinese, did produce several hundred hits.

To coincide with the European protests, several Chinese hacker groups are calling for a DDOS attack on the CNN website to begin at 8:00pm on 19 April 2008. While only three websites have openly posted about this attack, my guess is that many more calls are going on behind closed doors.

The first screen shot below calls for an attack similar to the Sino-US hacker war.

Could not get the web page for Tianya to open but it clearly calls for a DDOS attack on the CNN website to begin at 8:00 pm (Beijing time) on 19 April 2008.

Over at Hackbase, Dreamsmaker is also putting out the word for an attack on the CNN website.

The final tidbit of this story comes from a thread discussing the possibility of having demonstrations inside the country to support China’s position on Tibet. It was mentioned that during the anti-Japanese protests of 2005, all the people who passed out leaflets supporting the protests were punished. While some thought it was impossible to hold the demonstrations inside…a commenter calling himself…little stupid told this story:

I was in Beijing during that time, leaflets were everywhere. Although the next day they were all torn down, the schools still had them all over the place. Even the Beijing police supplied free eggs to throw at the Japanese Consulate.

UPDATE: From CNN

“Thank you for contacting CNN. This email is to notify you that your news tip has been received and will be reviewed in a timely manner. You will be contacted if the news tip is valid and we need further information and verification.

We appreciate your news tip and thank you for choosing CNN as your breaking news source.

Sincerely,

CNN Viewer Communications Management
‘CNN, The Most Trusted Name In News’

Wonder if they will check before it all goes black?

On 8 April, the anti-cnn.com website was hacked for unknown reasons. Anti-cnn is a Chinese university student-led website established on 21 March 08, with the stated goal of countering false Western media reports on Tibet:

This website is established to expose the lies and distortions in the western media. The site is maintained by volunteers, who are not associated with any government officials.
We are not against the western media, but against the lies and fabricated stories in the media.
We are not against the western people, but against the prejudice from the western society.

According to Hackbase.com, on 9 April, the founder of the organization was using the power of Sohu.com to seek assistance from technical experts following the hacker attack. The website has received 500,000+ hits and has over 40 moderators handling in excess of 6,000 posts and 5,000 replies daily.

You know, not five minutes ago I was saying I didn’t want to get involved in the politics of this thing…just five minutes ago.

Chinese hackers have been targeting groups such as the free Tibet
movement and Fa1un GOng for years now. Since I have been away for the last couple of days, our good friend Greg was kind enough to send links to some very good information covering the attacks.

From Thomas Claburn at Information Week:

The attacks on mailing lists and online forums contain information related to recent events in Tibet and may appear to come from a trusted person or organization.

A shadow war against organizations supporting Tibetan protesters has erupted in cyberspace, mirroring efforts by Chinese authorities to quell unrest in the Tibet.
More here…

A great article from our friend Maarten Van Horenbeeck:

There is lots of media coverage on the protests in Tibet. Something that lies under the surface, and rarely gets a blip in the press, are the various targeted cyber attacks that have been taking place against these various communities recently.

These attacks are not limited to various Tibetan NGOs and support groups. They have been reported dating back to 2002, and even somewhat before that, and have affected several other communities, including Falun Gong and the Uyghurs.

More here…

Brian Krebs at the Washington Post (an excellent investigative reporter):

 Human rights and pro-democracy groups sympathetic to anti-China demonstrators in Tibet are being targeted by sophisticated cyber attacks designed to disrupt their work and steal information on their members and activities.

Alison Reynolds, director of the Tibet Support Network, said organizations affiliated with her group are receiving on average 20 e-mail virus attacks daily. Increasingly, she said, the contents of the messages suggest that someone on one or more of the member groups’ mailing lists has an e-mail account or computer that has already been compromised.

More here…

I’ll be looking into this myself over the next couple of days to see if there is anything worth adding.

I saw this blog (Politically Motivated Computer Crime and Hacktivism) about Tibet supporters recieving email malware in my feed reader today and thought it might be interesting to TDV readers.  The original article is here.

“We are getting virus attacks that are just shameless… claiming to be desperate people inside Tibet. The emails are well-written and emotional, pleading for us to open the images,” she told AFP.

“At the moment we are having to use outside emails because our email accounts are not working, we have to direct everything through our outside emails,” he told AFP.

Hopefully more to follow (looking for malware samples)…