Jan 12 2010
PRC hackers attack Iranian websites
Several Chinese security bloggers and the Rising AV company are reporting that Chinese hackers are going after Iranian websites, apparently in response to the Baidu DNS compromise.
Jan 12 2010
The Iranian Cyber Army has compromised the DNS records for baidu.com by logging into their DNS management portal at register.com. You might remember the Iranian Cyber Army from their recent Twitter DNS compromise. There are many blogs and news outlets reporting on this.
I know some readers might wonder if this will spark some sort of cyber war between Iran and the PRC.
From BBC:
http://news.bbc.co.uk/2/hi/technology/8453718.stm
http://www.techcrunch.com/2009/12/17/twitter-reportedly-hacked-by-iranian-cyber-army/
Dec 22 2009
My 中文 isn’t nearly as good as Heike’s (as demonstrated here) but I do believe that this pic posted to sunwear’s baidu blog says that the PRC Internet is the most free. You might remember sunwear – he is the one that arp-jacked metasploit.com.
UPDATE: Found this image (via @torproject) at http://www.rayfile.com/zh-cn/files/77930287-efc7-11de-bf31-0014221b798a/1236f674/:
Dec 22 2009
The well-known ph4nt0m security group has made their latest edition available here: zh-cn | google xlate.
ToC:
Introduction (by root)
Flashsky interviews (by flashsky)
Struts2 framework of the security flaws (by kxlzx)
To focus on IP spoofing (by papaya)
Fuzz client-side storage objects, looking for client ddos (by woyigui)
Point defects in the use of application software experience (Webkit articles) (by wushi)
Bypassing Linux kernel module version check (by wzt)
ACS – Active Content Signatures (by Eduardo Vela Nava)
Kabbah heuristics to bypass the virtual machine approach (by dangdang)
Dec 20 2009
So it turns out that the changes CNNIC has made to restrict registration of .cn TLD domains to business license holders have had at least a temporary impact on spam tactics. It doesn’t seem to have made any difference in the volume, but spammers are now moving away from purchasing new inexpensive .cn domains for spamming. Here is the link to the Sophos Labs blog that contains this revealing graph:
Dec 13 2009
The .cn Top Level Domain has been frequently associated with malware, pornography and spamvertising. In an apparent effort to clean up the TLD, China NIC has started requiring a business license in order to register a .cn domain.
The China Internet Network Information Center (CNNIC) published a notice Sunday saying that applicants must submit written applications to the registration agents. The written materials must include an application form with an official seal, an enterprise business license and the registrant’s ID card.
In addition, the NIC will actually attempt to notify and verify individually owned .cn sites. If a site owner doesn’t respond after five days, the domain will be revoked.
CNNIC plans to verify the information of the owners of personal site in the nation. Those found unqualified to have a site will be required to update the information in five working days, otherwise they will be shut down.
This is an interesting development. Clearly, something needed to be done about the .cn TLD garbage sites clogging up the tubes. I’m not sure what this means for individual site operators though. I’m sure it is still possible for individuals within the PRC to get a non-cn TLD and host their websites outside of the mainland.
Source: “All .cn websites require business license” – http://business.globaltimes.cn/china-economy/2009-12/491515.html – Linked from Danwei.
Nov 24 2009
HT to Sunbelt for this article about the piloyd worm jacking up web pages in the PRC. Not enough details yet to determine the vector. According to Sunbelt’s article, it is 8/41 on virustotal.com. I’ll update this post if I’m able to collect a sample for analysis.
Here are some details from threatexpert.com.
Sep 09 2009
The article from Alibaba reports that the website was down on Tuesday but as of a few moments ago when I checked, it was back up and running:
The post-90 generation teens that run 2009.90admin. com, wrote on their website, “We are not Internet attackers, we are just a group of computer fans; we are not mentally handicapped kids, we are the real patriotic youth. We’ll target anti-China websites across the nation and send it as a birthday gift to our country.”
The site was the subject of hot debate on the Chinese version of twitter but could not be viewed Tuesday. Efforts to reach the site’s operators were unsuccessful.
The 500-word statement appeared over a red and black background decorated with a flying national flag.
Sep 08 2009
Taiwanese organizers in Kaohsiung, Taiwan’s second largest city, plan to show the controversial film, “Ten Conditions of Love” next month, sparking outrage in the Chinese hacker community once again. Given the fact that it is Taiwan, it is doubly outrageous.
The film’s showing in Melbourne last month sent Chinese hackers on a mini-rampage, see here, here, here and here.
Now all eyes turn to the Taiwanese film festival:
Anonymous hackers have attacked a Taiwan film festival over plans to screen a documentary on the US-based leader of China’s predominantly Muslim Uighur minority, festival organizers said Tuesday.
A message, posted on a blog run by one of the organizers of the Kaohsiung Film Festival, blamed Rebiya Kadeer for recent bloody unrest in northwest China’s Xinjiang region, which is home to the Turkic-speaking Uighurs.
“I don’t know if you heard about the violence (in Xinjiang) and if you know how many people were left homeless. It is all because of that woman,” said the message, referring to Kadeer.
Sep 07 2009
This was posted by Scott Henderson (Trying to comply with the law of the land)
Green Dam, the censorship software that the Chinese government wanted on all PCs sold in China, turned out to be a flop. Beijing’s still keen on exerting greater control over the Internet, though, and Jonathan Ansfield has a good story in the New York Times about the censors’ latest tactic. According to Ansfield’s story, new “secret government orders” have been forcing popular Chinese websites to require new users to register with their real names before posting any comments online.