The Dark Visitor

Defaced DPP website

A Chinese hacker (elder brother Ma) has defaced the website of the Taiwanese Democratic Progressive Party with the 5-star flag of mainland China to protest the release of Chen Shuibian by a Taiwanese court.  Chen is on trial for embezzlement.

Breaking!! Double-edged sword turns out to be…well, double-edged.  A Chinese hacker broke into the Tsinghua University website and left a stinging rebuke of the education system under the university president’s name.  Turned out to be hugely popular, go figure.

GOOD: Standing army ready to fight all your political battles abroad

BAD: Same standing army ready to take you to task domestically

The Web site of the elite Tsinghua University, considered as competitive as Beijing University and even superior in the sciences, was victimized by hackers recently. An article purporting to express the views of the university’s president, Gu Binglin, criticized China’s university education system in harsh and even dirty terms. The majority of Chinese netizens expressed support and understanding toward this unidentified hacker, however.

Throw the hacker in jail? With a 92% approval rating, the university’s president should have kept his mouth shut and hired the kid as a speechwriter.

In March of this year, CNN ran a story about Xiao Chen and his organization of hackers, reporting that the group had broken into the Pentagon and received payments from the Chinese government.

Xiao Chen, in a subsequent interview with the Shanghai Post, refuted all of CNN’s allegations and tearfully explained how all of this controversy had caused him to close his website hack4.com…he had struggled to create it…he had poured his heart and soul into it…and now was left with only had a handful of magic beans to show for his trouble.

I may be mixing my stories but he did elevate whining to an art form.

No need to worry, Xiao Chen pulled himself up, dusted himself off and managed to get back in the hacking game. Welcome to the new hack4.com , decorated in Olympic themed swirls guaranteed to never go out of style:

This is the official Chinese government website for Longgang Emergency Management:

This is also the official Longgang Emergency Management website, when you add xiaozi.html:

You would think, with the recent earthquake in Sichuan and the ongoing Olympics, that government websites dealing with emergency management would be inspected rather thoroughly. Not so much. Google spiders crawling the internet, show that the website has been hacked since at least 31 July 08.

Is it unusual for a Chinese hacker to attack their own government’s website? The first-generation of Chinese hackers had very strict rules about not hacking inside China but the current crop doesn’t seem to adhere to the same code. Doing a pull on Zone-h.com.cn, gives 1,952 known Chinese government websites that have been hacked. A fairly large number of those attacks appear to be carried out by Chinese hackers.

So, from the URL extension on the hacked page of the Longgang Emergency Management website, who or what is a xiaozi? It is a who, or to be more precise, a him.

Meet Network Boy (Wanglu Xiaozi):

Blog name: Network boy’s BLog Hacker
Site admin nickname: Network boy
Age: 18
Birthday: 13 December 1989
Sex: Male
Blood type: B
Zodiac sign: Virgo
Address: Wulumuqi, Xinjiang
Personal quote:
Hobbies:

Not to get in a battle over Zodiac signs but isn’t someone born on 13 December a Sagittarius? Maybe something to do with the Chinese Lunar Calendar but trying to figure it out hurts my head about as much as International Date Line conversion. I have Chinese friends I give birthday gifts to five times a year just to be on the safe side. Moving on.

Going through Netboy’s website reveals that government websites are not his only target, he also has an affinity for fellow hacker websites as well.

1) First target, zgmuma.com (China’s Trojan Base):

According to Netboy, he was bored and went to his favorite hacker site (hackol.com) to study but the website was down. He did notice a link toward the bottom of the page that connected to zgmuma.com and for reasons unmentioned decided to see if he could break into the site. Zgmuma.com is another Chinese hacker website that boasts the largest collection of online game trojans around. It also provides hacker training.

I have to give Netboy credit, he provides a step-by-step account of his exploits, to include screen shots and the tools used to perform reconnaissance on the intended victim. With this one he was able to find a fatal flaw in the server to crack. While Netboy was breaking into zgmuma, his buddy, who goes by the name of Ice Sugar, contacted him to say that he had gained access to cnhacker.com and posted a hacked page:

Ice Sugar passed over the info on cnhacker.com to Netboy, who said he also posted a hacked page on the site.

2) Second target, an81.cn (The Dark Hacker Group):

Netboy was able to gain access to this website because they were using Dvbbs8.1. He was thankful that it was not 8.2, because then he would not have been able to gain access to the backstage shell. Using Thunder (unclear) he was able to discover the site admin’s password, 6423987, after making several manual guesses. He also used an ASP trojan during the process but I couldn’t begin to tell you what he was talking about; didn’t understand much of the technical jargon.

3) Third target, www.163???.com (Hacker)

Netboy really liked the design of this website and consider it difficult to break but still managed. Once again, he takes you through his very methodical system of cracking the website and I wish I was able to translate it but can’t. Some of you people who are more on the tech side might be able to gather what he did even better than me by the screen shots.

For whatever reason, he decided to hide the target’s URL but it only took about a minute to find the site, www.163xjs.com.  Wasn’t able to access the site due to a “directory listing denied” message. However, Google’s cache was not so particular about who peeked:

Even though the imagery is absent, it is clearly the same website.

4) Fourth target, hacker98.cn

Lot of stuff on this hack too but I’m getting bored and you get the point. He hacks other Chinese hacker websites.

Conclusion: At the end of each of these attacks, Netboy posts an invitation for other skilled people to join his group. So, this all may be just to gain recruits by proving he is better than the other groups out there.

Chinese hacker candy is dandy…

Hat tip: To you know who

On the afternoon of May 31st, the Nanning Public Security Bureau Cyber Police received a report from the Guangxi Earthquake Bureau that a hacker had invaded and altered their website.

The FAKE message left by the hacker read:

“The violent earthquake that struck Wenchuan, Sichuan…we grieve for our fellow citizens who perished in the great Wenchuan, Sichuan, earthquake. In the near future, a major earthquake registering 9+ will hit the Guangxi area. Request that city residents make preparations as soon as possible.”

(Emphasis added)

Guangxi Earthquake Website

Cooperation between the cyber police from six provinces, spanning a three-day period, finally located the hacker responsible for the fraudulent message in Jiangsu.

Cyber Police Investigation

On 4 June, police arrested a further unidentified suspect named Chen who made a full confession.

Congratulations to Chinese hacker Chen, I had to add a new category to cover this event. Posted under Evil and/or Stupid…qualified as Evil and Stupid.

One of the clearest instructional videos I have seen on how to use the Gray Pigeon trojan horse.  I haven’t tried to translate the video but thought it might be of interest to some of our more technically inclinded audience.  The first part describes how to use the program and the second part shows how the information is collected from an infected computer.

Video Removed (killing the rest of the posts)

“Electronic Heroin” an analysis of Chinese juvenile cybercrime (Part I)

Second, analysis on the causes of juvenile cybercrime

What are the reasons for juvenile cybercrime?  Adolescents resides in puberty, where large changes take place in both physiology and psychology.  Individual youth are led down the wrong road and step onto the path of criminality due to individual physiology, psychology and different types of conflicts and contradictions  Additionally, in real life there are unhealthy influences and during the socialization process, deviations and distortions easily occur in individual youth.

1. As young people mature, there is a conflict between a sense of isolation and an intense feeling of needing to belong.  On the internet, they find this compensation in the openness, equality and freedom that make a perfect match for their needs.  This makes juveniles the main crowd on the internet.  The virtual nature, openness and freedom of the internet permits unrestricted conversations that cause youth to disseminate obscene materials; their morales and sense of responsibility decay; and their awareness of legality is diluted to the point they don’t feel it is a crime.  It becomes so serious that they will even break the law.
2. The current internet legal system is not robust, allowing cybercriminals to act without legal restrictions.  Although the country has laid out a series of laws and regulations regarding internet security and punishments for computer crimes, such as the “People’s Republic of China Computer Information Systems Security and Safeguards Regulation,” the current laws are unable to adapt to the current situation of  computer development.  This is especially true for new internet problems that arise that the law is unable to restrict.  This brings about a legal gap.
3. The unhealthy content on the internet has caused juvenile criminals to bury (hide) hidden dangers.  The internet is full of pornography, reactionary (material) and violent information; as well as traps.  Understaffed chatroom supervision allows juvenile cybercriminals to bury (hide) inducements.  Some managers of underground internet cafes are the ringleaders who entice youth into criminal activity.  Some internet cafe managers are only concerned with profit, regardless of the harm the unhealthy information does to the youth, or the youth browsing all manner of pornography, reactionary (material), or violent websites.  Some go far as to supply them with these materials.  At the same time, bloody and violent internet games are the hotbed for juvenile cybercrime.  Research indicated that long-term playing of bloody and violent online games which can cause the user to develop an aggressive personality that leads to criminal activity.
4. Factors in society, school and the family are also causes of juvenile cybercrime.  Some morally corrupt individuals online recklessly spread pornographic and violent images, as well as popular online games that cause segments of the youth to become infatuated with them.  They are unable to pay the  online game fees so they take risks.  The school’s education on ethics and online morality is insufficient.  The negative evaluation of weak students, the dislike and discrimination against students with bad behavior causes some students to give up on themselves.  They become infatuated with the internet and look there to find self confidence and happiness.  Furthermore, the education at home is inappropriate, with parents not strictly supervising there children online.  Some parent’s unhealthy personal habits also influence their children.

For some this may be a familiar face, for the rest, let me introduce Sunwear. We met Mr. Sunwear back in November, when he was doing bad things to Japanese websites and leaving some rather crude defacements. Sunwear and a friend of his named Kitty became so upset at the attention he was receiving on the blog that they left comments imploring us to remove the article. No such luck for him.

So, did Sunwear swear off his life of crime, turn over a new leaf and devote his life to charity? No such luck for me:

Just for fun…

Just for fun? Words alone cannot express how disappointed I am…

Sign above the internet cafe reads “Hacker Tribe.”

No, this is not my new shtick. You will not be burdened with a building a day that has the Chinese characters for  hacker attached to it…unless, it becomes a really popular feature on the blog. OK, so it won’t.

Two things to point out here, one the ad for the internet cafe and the other a comment on the place:

1. The internet cafe does not have a website…repeat, the INTERNET cafe does not have a website
2. Commenter: Who knows Hacker Tribe’s IP address?  Who chose this name? Aren’t they worried about getting attacked?