Tag Archive 'CNN'

Aug 18 2008

CNN’s angry Chinese hacker Xiao Chen returns

In March of this year, CNN ran a story about Xiao Chen and his organization of hackers, reporting that the group had broken into the Pentagon and received payments from the Chinese government.

Xiao Chen, in a subsequent interview with the Shanghai Post, refuted all of CNN’s allegations and tearfully explained how all of this controversy had caused him to close his website hack4.com…he had struggled to create it…he had poured his heart and soul into it…and now was left with only a handful of magic beans to show for his trouble.

I may be mixing my stories but he did elevate whining to an art form.

No need to worry: Xiao Chen pulled himself up, dusted himself off and managed to get back in the hacking game. Welcome to the new hack4.com, decorated in Olympic-themed swirls guaranteed never to go out of style:


Apr 22 2008

More on anticnn.exe

CNN-hating Chinese nationalists can download a tool that sends high volumes of requests to www.cnn.com in an attempt to knock it offline. The tool is bundled in a .rar file that contains a readme and the pre-compiled Windows binary. A quick virus check showed that some scanners identified it as a backdoor, but that didn’t seem to be the case. When I ran the tool, a simple flag icon appeared in the lower right of my test VM.

When I clicked on the flag, the full interface appeared with three options: start/stop, minimize and exit.

Here is a sample of the request/response I got after running it for a few seconds:

GET /aux/con/com1/../../[LAG]../.%%%%%%%%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp HTTP/1.1
Accept: */*
Host: www.cnn.com
Connection: Keep-Alive

HTTP/1.1 400 Bad Request
Date: Tue, 22 Apr 2008 12:12:34 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 287
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache Server at
www.cnn.com Port 80</address>
</body></html>

I read somewhere that it is self-updating, but I never saw any requests other than DNS resolution (to my own configured DNS servers, not hard-coded ones) and requests to www.cnn.com. I’ll run it in “paused” mode for a while to see what happens.

UPDATE (0100GMT 23 April 08):  No suspicious traffic came from this binary (apart from what was expected, of course).

UPDATE (1628GMT 24 April 08): Heike and I have dubbed anticnn.exe the “Mao-inator”.
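The request/response pair above is the tool’s entire footprint on the target: a deliberately malformed path (reserved MS-DOS device names as directory segments, dot-dot traversal, a run of bare % characters that is not valid percent-encoding, and a “fakecnn” marker) that Apache rejects with 400 Bad Request before it reaches any application code. That also makes the traffic trivial to fingerprint in web server logs. What follows is an added example, not code from the original post and not part of anticnn.exe: a small Python script that parses constructed Apache combined-format log lines (the entries and client addresses are made up for the demonstration; only the request path is the one captured above), flags requests carrying the tool’s indicators, and lists sources that sent at least a threshold number of them. The indicator list is derived from the single request captured here and is an assumption about what other builds of the tool send.

```python
import re
from collections import Counter

# The request path captured from anticnn.exe on this page.
CAPTURED_PATH = (
    "/aux/con/com1/../../[LAG]../.%%%%%%%%./../../../../fakecnn/"
    "redflag-stay-here.php.aspx.asp.cfm.jsp"
)

# Constructed Apache combined-format log lines for the demonstration.
# Client addresses are private / documentation ranges, not real clients;
# the 400s carry the captured path, the 200s are ordinary traffic.
SAMPLE_LOG = "\n".join([
    f'10.0.0.5 - - [22/Apr/2008:12:12:34 +0000] "GET {CAPTURED_PATH} HTTP/1.1" 400 287 "-" "-"',
    f'10.0.0.5 - - [22/Apr/2008:12:12:34 +0000] "GET {CAPTURED_PATH} HTTP/1.1" 400 287 "-" "-"',
    '192.0.2.10 - - [22/Apr/2008:12:12:35 +0000] "GET /2008/WORLD/asiapcf/04/22/china.cnn/index.html HTTP/1.1" 200 45120 "-" "Mozilla/4.0"',
    f'10.0.0.5 - - [22/Apr/2008:12:12:35 +0000] "GET {CAPTURED_PATH} HTTP/1.1" 400 287 "-" "-"',
    '198.51.100.7 - - [22/Apr/2008:12:12:36 +0000] "GET /index.html HTTP/1.1" 200 12000 "-" "Mozilla/5.0"',
])

# Apache combined log format; referer and user-agent are not needed here.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A % not followed by two hex digits. RFC 3986 forbids this, and Apache
# answers 400 before any handler runs, which is why the capture above
# shows a 400 even though the tool "succeeds" in sending traffic.
BAD_ESCAPE_RE = re.compile(r'%(?![0-9A-Fa-f]{2})')

# Reserved MS-DOS device names that the captured path uses as segments.
DOS_DEVICES = (
    {"aux", "con", "prn", "nul"}
    | {f"com{i}" for i in range(1, 10)}
    | {f"lpt{i}" for i in range(1, 10)}
)


def anticnn_indicators(path):
    """Return the set of indicator names matched by a request path.

    Indicators come from the one request captured on this page; other
    builds of the tool may differ (assumption)."""
    hits = set()
    segments = [s.lower() for s in path.split("/")]
    if any(s in DOS_DEVICES for s in segments):
        hits.add("dos-device-segment")
    if ".." in segments:
        hits.add("dot-dot-traversal")
    if BAD_ESCAPE_RE.search(path):
        hits.add("invalid-percent-escape")
    if "fakecnn" in path.lower():
        hits.add("fakecnn-marker")
    return hits


def is_anticnn_request(path, min_indicators=2):
    """Require two independent indicators so a single odd path is not enough."""
    return len(anticnn_indicators(path)) >= min_indicators


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def flood_sources(records, threshold=3):
    """Count tool-style requests per source and return those at or above threshold."""
    counts = Counter(r["src"] for r in records if is_anticnn_request(r["path"]))
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_LOG)
    for src, n in flood_sources(recs).items():
        print(f"{src}: {n} anticnn-style requests")
```

The check keys on the request path rather than on the 400 status, because ordinary broken clients produce 400s too and the tool’s path is distinctive. Note that a rejected request is still a request: the front end pays for the accept, the parse and the response, so a flood of 400s is still a flood, and the fingerprint is useful for attribution and for rate-limiting at the edge rather than as proof that the tool did no harm.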


Apr 21 2008

Anatomy of a Chinese hacker attack

Published by Heike under Hacker Organization, US attacks

Even though a major attack on CNN did not occur, there are some lessons we can take away from this event. So what did we learn? Here are some of the things I noted:

  1. We can reconstruct a bit of the social side of the attack
  2. There is some evidence about their method of organization for operational tactics
  3. Stockpile of ready-made software for novice attackers
  4. Possible reasons the attack was canceled

Social

The first thing we need to do is identify the reason behind the attack. What were the catalysts that led the Chinese hacker community to go after CNN? This would be my list:

  1. CNN’s report on Chinese hackers was seen as unfair, with accusations that parts of the CNN interview were fabricated
  2. CNN makes remarks about the Tibet situation that angers the nation
  3. Anti-CNN’s call for protests provides timing for coordinated effort
  4. Beijing’s call for an apology from CNN may have been seen as tacit support for the attack. Or, at least that there would be no retribution if one did take place. This might be the most important factor of all.
  5. Reliving the glory days of the Sino-US cyber conflicts
  6. Making a name for themselves and building their own Chinese hacker cell. Many of China’s most famous hackers got their start during the early years of conflict with different nations.

Organization

With the decision made to launch an attack, they seem to have decided to use the website that cn_magistrate opened in 2007:

Domain Name: hacksa.cn
ROID: 20070811s10001s50288265-cn
Domain Status: ok
Registrant Organization: 判官
Registrant Name: 判官
Administrative Email: Kenan2677@126.com
Sponsoring Registrar: 北京万网志成科技有限公司
Name Server: ns1.okidc.com
Name Server: ns2.okidc.com
Registration Date: 2007-08-11 11:59
Expiration Date: 2008-08-11 11:59

The website would be used as a central gathering point for the dissemination of information and for organization. During this phase, they probably planned their basic attack formation and strategy. Using the QQ charts found on www.hacksa.com, I was able to make this very rough organizational chart:

(Yes, a very rough and ugly chart. God, I miss my I2 for making charts.)

The QQ numbers listed six headquarters units (probably the more experienced hackers), 42 regular groups (actually 44, since he started with zero and may have accidentally listed group 32 twice), and one propaganda unit. For easy math, I took the number of headquarters units and divided the regular units among them as evenly as I could. You will note I put the two group 32s together and placed the leftover regular units in the final formation. The propaganda unit was made a separate organization; some of the additional units may have belonged with it. Of course, cn_magistrate may have used a completely different configuration, but this is the one that made the most sense to me. The chart brings up several questions:

  1. The character 满 to the right of the groups means “full”. Why did cn_magistrate skip the additional group 32 and group 33 when bringing the units up to full strength? Groups 37-42 seem logical if you are filling them as recruits become available. Were the extra group 32 and group 33 special somehow?
  2. Only one of the headquarters units is shown as full. Were they possibly having trouble getting skilled hackers to join the attack?
  3. How many people did it take to fill up the groups? We can guess that it was more than one, since a QQ number was assigned to each of the groups.
  4. What was the function of the propaganda unit? A possible answer is that it was to spread the news if the attack turned out to be successful. It is useless to have a political attack if no one is aware it happened.

The next thing we are able to tell was the means they used to get recruits to participate in the attack. This was accomplished through posting requests on popular websites and probably through restricted registration areas. Here is a listing of just some of the websites the group posted to:

http://bbs.neteasy.cn/showthread.php?p=984976
http://www.coogo.net/bbs/showtopic-444648.aspx
http://www.ytjt.com.cn/bbs/redirect.php?tid=36644&goto=lastpost
http://www.ipark.cn/bbs/Post.asp?PostID=836336
http://blog.xuite.net/lemon_head/simple/16728332
http://tieba.baidu.com/f?kz=357748876
http://bbs.hackbase.com/viewthread.php?tid=3210548
http://tianya.com

The group used these sites to request compromised computers and, while I can’t locate the posting now, also funds. Was the money donated to be used to rent botnets?

Stockpile

The website http://playgood.ys168.com was used to stock scripted software that recruits with little technical ability could download.

End Game

Finally, the assault was called off and the organization was disbanded. Big question: why?

  1. As stated, too many people were aware of the operation
  2. Unable to fill the units enough to be effective
  3. Just plain worried about the consequences
  4. Beijing sent out an order to shut it down

Please feel free to comment on other things we should have learned from this or where I totally botched this analysis.


Apr 21 2008

Chinese hackers displaying CNN hack trophy?

Published by Heike under Nationalism, Tibet, US attacks

Danwei is reporting that Chinese hackers are celebrating a successful hack on a portion of the CNN website, with screenshots of their trophy:

The top picture is a screen grab that shows the current state of the website. The second image shows the hacked web page and the slogans left by the hackers, in both English and Chinese:


Apr 17 2008

BREAKING: Upcoming Chinese hacker attack on CNN building steam

Published by Heike under Nationalism, Tibet, US attacks

UPDATE: It looks like the organizers might be trying to put a stop to the attack due to the number of people who are aware of it. Translating some of it now.
UPDATE to UPDATE: While the group may be trying to call off the attack, it might be too late. CNN is now reporting that they have been targeted in an attempt to disrupt their web site.
FINAL UPDATE FOR THIS POST: See the newest release by the group planning attack on CNN here

First, I have added a clock with the Beijing local time because it crossed my mind that some people might be thinking the scheduled attack on CNN is going to take place on US date and time. Nope, Beijing local. So that means it is supposed to take place tomorrow. I will leave the clock up if you want to check back.

Second, many more Chinese sites, not just hacker sites, are starting to call for the DDOS attack on CNN. They are also starting to solidify their plans. Here are the details from one posting on the Guilin University of Electronic Technology bulletin board:

  1. Attack will start on 19 April 2008, at 8:00 pm
  2. DDOS attack on www.cnn.com
  3. The DDOS attack is going to last over three hours
  4. They need a large number of compromised computers to carry out the attack and are requesting everyone’s support in putting together the number needed

The plan has many more details but unfortunately the language is too technical for me to translate.

Here are additional sites calling for the attack on CNN.

http://bbs.neteasy.cn/showthread.php?p=984976
http://www.coogo.net/bbs/showtopic-444648.aspx
http://www.ytjt.com.cn/bbs/redirect.php?tid=36644&goto=lastpost
http://www.ipark.cn/bbs/Post.asp?PostID=836336
http://blog.xuite.net/lemon_head/simple/16728332
http://tieba.baidu.com/f?kz=357748876

Probably many more out there.

UPDATE: Carl Jongsma, from Computer World, was kind enough to provide us a little press on this breaking situation.

UPDATE: Tried once again to contact CNN and warn them of the scheduled attack. If anyone has a better contact than just their news tip e-mail, please inform them.

UPDATE (APRIL 18 1556GMT; Jumper): Arbor Networks is using their tools to monitor the situation.  Take a look at Jose Nazario’s post here.

UPDATE: Since we have some smart people looking at the blog, I wanted to post below part of the Chinese hackers’ attack plan. This seems to be part of the DDoS call for large numbers of attacking computers. I will supply what I can about the Chinese, though it is possibly wrong. If someone knows what this is referring to, please post in the comments and we will move it to the blog:

总群:29332975 (main group)
复仇的火焰分群1:10093595 (Flames of Revenge sub-group 1)
复仇的火焰分群2:60087657 (Flames of Revenge sub-group 2)
复仇的火焰分群3:17697381 (Flames of Revenge sub-group 3)
复仇的火焰分群4:52911651 (Flames of Revenge sub-group 4)
复仇的火焰分群5:13283694 (Flames of Revenge sub-group 5)
复仇的火焰分群6:52274747 (Flames of Revenge sub-group 6)
复仇的火焰分群7:13735729 (Flames of Revenge sub-group 7)
复仇的火焰分群8:28556275 (Flames of Revenge sub-group 8)
复仇的火焰分群9:8333214 (Flames of Revenge sub-group 9)
复仇的火焰分群10:24207831 (Flames of Revenge sub-group 10)
复仇的火焰分群11:18574877 (Flames of Revenge sub-group 11)

UPDATE to UPDATE: Jumper figured out that these were probably the QQ numbers for the group leaders of the attack. When I went back and looked at some of the sites calling for the DDoS attack, one did list them as QQ群 (QQ groups).


Apr 16 2008

BREAKING: Anti-CNN’s call for European protests spreading online / BREAKING: CNN possible target of Chinese hacker attack on 19 April / What?: Beijing police supplied eggs to protesters during anti-Japanese demonstrations

Anti-CNN has issued a call for the Chinese flag to wave over Europe on 19 April 2008. The call was issued to show opposition to Europe’s stance on the Tibet issue. Anti-CNN has called for all overseas Chinese in Germany, France, England and Holland to appear in a simultaneous protest. Overseas Chinese were asked to have their voices penetrate the European sky. It appears the protests may have been scheduled for April 26th, as the announcement asked for people who had already made plans, to switch them to 19 April. The protests on the 19th are scheduled as follows:

  1. 1500-1800hrs, 19 April 2008, at the Bundestag, Platz der Republik, Berlin
  2. 1300-1500hrs, 19 April 2008, two routes (Talie – Hotel de Ville – Bastille, or Republique – Bastille – Hotel de Ville – Bastille), Paris
  3. 1100-1500hrs, 19 April 2008, Downing Street outside of Whitehall, England
  4. (No time given) 19 April 2008, Amsterdam, Holland

The protests appear to be well organized, with the coordination of donations, banners, flags, T-shirts…etc. While it is of course impossible to tell how widespread the demonstrations will be, an online keyword search, using Chinese, did produce several hundred hits.

To coincide with the European protests, several Chinese hacker groups are calling for a DDOS attack on the CNN website to begin at 8:00pm on 19 April 2008. While only three websites have openly posted about this attack, my guess is that many more calls are going on behind closed doors.

The first screen shot below calls for an attack similar to the Sino-US hacker war.

I could not get the Tianya web page to open, but it clearly calls for a DDOS attack on the CNN website to begin at 8:00 pm (Beijing time) on 19 April 2008.

Over at Hackbase, Dreamsmaker is also putting out the word for an attack on the CNN website.

The final tidbit of this story comes from a thread discussing the possibility of having demonstrations inside the country to support China’s position on Tibet. It was mentioned that during the anti-Japanese protests of 2005, all the people who passed out leaflets supporting the protests were punished. While some thought it was impossible to hold the demonstrations inside…a commenter calling himself…little stupid told this story:

I was in Beijing during that time, leaflets were everywhere. Although the next day they were all torn down, the schools still had them all over the place. Even the Beijing police supplied free eggs to throw at the Japanese Consulate.

UPDATE: From CNN

“Thank you for contacting CNN. This email is to notify you that your news tip has been received and will be reviewed in a timely manner. You will be contacted if the news tip is valid and we need further information and verification.

We appreciate your news tip and thank you for choosing CNN as your breaking news source.

Sincerely,

CNN Viewer Communications Management
‘CNN, The Most Trusted Name In News’

Wonder if they will check before it all goes black? :)
