Tag Archive 'Hacking for money'

Jun 24 2008

Chinese hackers target college entrance exams (again)

According to HC360.com, with the end of Chinese college entrance exams (高考) and the start of registration, parents and students need to protect their online information from hackers.  The warning explains that while the internet contains a lot of relevant information about registration, it also has risks.

Digital Security Laboratories (sucop.com) is reminding parents of the students taking the exams to increase their vigilance and prevent incidents with hackers before they occur.  They list several methods the hackers commonly use to get information from the students:

1) The underground hacker industrial chain uses information on the college entrance examination to disseminate trojans and viruses.  The article further explains that this element of the underground economy is already in place and fully developed.  People engaged in this type of activity are highly adept at using social engineering around large-scale events such as the Olympics, disasters, entrance exams…etc.  They use the information collected from online users for their own financial benefit.

2) The underground transaction website: Online registration is now very common and some websites publicly advertise that they can alter student records, household registration and achievements.  This is just a way to cheat parents and students out of their money.

3) Some phishing websites are an even greater danger:  The hackers use these phishing websites to post false information and disrupt the college registration process.  They also solicit enrollment fees from the students that do not exist.  Furthermore, they use the site, combined with the methods mentioned above, to get student information to resell.  Hackers have also used loopholes in the college registration sites to blackmail students by tampering with the data they entered on the online form.


Mar 27 2008

Chinese hackers would like to introduce you to Disk Wizard and the Mechanical Dog

[Image: diskwizardvirus.JPG]

This seems to be one of the most popular articles currently floating around on Chinese hacker websites concerning the increasing resilience of new viruses and the virus industrial chain.  This will be the extreme gist because I’m kinda pressed for time today:

  1. Little Wu, an expert gamer, is depressed because all his virtual property is getting stolen
  2. Little Wu isn’t alone; for the past couple of days all the online gamers have been worried about a new virus called the Disk Wizard
  3. Disk Wizard is considered 10 times more serious than last year’s king of viruses, Panda Burning Incense
  4. According to reports, Disk Wizard can prohibit the use of any anti-virus software
  5. Disk Wizard can prevent the user from going into safe mode to remove the virus and from accessing their anti-virus webpage to request help
  6. CNCERT estimates the virus industrial chain earns 238 million YUAN a year and causes losses of 7.6 billion YUAN
  7. Reported that the author of Mechanical Dog made 100,000 YUAN a month, more than four times the amount of top programmers
  8. An engineer from Kingsoft said that Trojans such as Mechanical Dog and others were working together to deliver the viruses
  9. Disk Wizard is capable of downloading AV Terminator (Mechanical Dog)
  10. These types of Trojan download tools have become the most popular platforms for virus manufacturers and also their most profitable
  11. Due to lack of oversight, it is becoming more common to see viruses for sale on the Internet
  12. Very easy to find malware-for-sale postings all over the place; use the QQ number to contact the seller
  13. Estimates that by 2010 China’s online gaming industry will earn 30 billion YUAN
  14. CNNIC reports China already has 40 million online gamers, making up 20% of their online population
  15. Report claims that laws need to be clarified to go after virus manufacturers; now it is only a misdemeanor

I really want to find a larger version of that chart at the top of the page, spent about 2 hours trying to locate it with no luck. If anyone finds it, please let me know.


Mar 08 2008

Horton hears a (Chinese hacker) Hu…Part IV

Horton hears a (Chinese hacker) Hu…Part I
Horton hears a (Chinese hacker) Hu…Part II
Horton hears a (Chinese hacker) Hu…Part III

The highest earnings come from selling loopholes.  This isn’t something the normal programmer can do; it takes a high level of skill to locate loopholes on a large company’s website.  According to hacker Hu, these loopholes can be used to carry out attacks on corporations and therefore sell for several tens of thousands of YUAN to several hundred thousand YUAN.

Not only that, hackers can receive requests to design viruses and anti-virus software. Hackers can also put together groups of controlled computers to launch large-scale attacks. These groups of computers are called botnets in hacker circles.

Monitored data from CNCERT shows that China has five botnets that exceed 100,000 slave computers, and one or two of those have 300,000 slave computers. These slave networks can be leased and earn the hackers millions of YUAN a year. According to CNCERT, this section of the underground industry is exceeding 238 million YUAN a year and causing losses of over 7.6 billion YUAN.

Hacker Hu said that after the virus maker sells the virus, the virus’ journey has just begun.  For example, after a “Gun Buyer” purchases a virus to steal virtual property, they will hire a botnet to spread the virus. The disseminated virus can steal online game players’ money and weapons and send the stolen goods to a mailbox.

The botnet is the core for disseminating viruses, but there is a fairly easy method to accomplish this. Hacker Hu smiles, “You get up early, go to the internet bar and capture the 30 computers there with a virus, then go home and wait for the money.” The programmer, or the person owning the botnet, can earn five FEN to five JIAO for every infected computer. The hacker industry has evolved to the point where there are very distinct divisions of labor. Each gang usually has ten or more people: some who spread the virus, some who steal virtual currency and some who launder the money.

NOTE: Five FEN is worth about 0.6 cents and five JIAO about 6 cents.

To launder virtual items, a member of the gang will open a lot of gamer accounts and a stolen article will be passed around among these different accounts and then sold. The game company doesn’t know which accounts are real players and which are sellers. Hacker Hu says that the virtual money is then sold at wholesale through a down-line surrogate.

In addition, hackers design other Trojans for sale that are mass produced and burned onto. Based on the exclusive nature or functionality of the Trojan, the price can be from tens of YUAN to over 1,000 YUAN.  Furthermore, some hacker organizations provide malicious advertising plug-in services.  These plug-ins cause a user’s computer to pop up a special window; every 1,000 pop-ups of the window earns 12 YUAN. Currently, there are at least 50 malicious advertising agencies within the country (China).  CNCERT estimates that the annual production of malicious advertising amounts to 108 million YUAN.

Thus ends the saga of Chinese hacker HU!


Mar 06 2008

Horton hears a (Chinese hacker) Hu…Part III.

[Image: yuan.JPG]

Horton hears a (Chinese hacker) Hu…Part I
Horton hears a (Chinese hacker) Hu…Part II

Normally, computers with known security loopholes are the targets for “Hanging the Horse.” Once these computers have been infected with a Trojan, it is very possible that someone browsing could unwittingly click on the Trojan, and valuable information contained on the computer could fall into the client’s hands.  Another method of “Hanging the Horse” is through junk mail or posting documents that contain Trojans on forums that encourage users to download them.  Once the attack is successful, the targeted information can be stolen using hacker tools.

In hacker circles, these packets of information are called “Envelopes” and are divided up differently depending on the type of product; there are “Equipment Envelopes,” “QQ Envelopes,”…etc. The next sentence is a little tricky, but it seems to equate the sale of the “Envelopes” at this stage to a wholesale market.

NOTE: From a segment that appears later in this story, I believe that an “Equipment Envelope” is referring to one that contains online game virtual property like swords, helmets, armor…etc.

From there the hackers can gather the most valuable information, like QQ numbers that are relatively short or have a higher rank. Afterwards, these filtered “Second-hand Envelopes” move into the retail market.  After the “Traders” sort the envelopes, they will use BBS and e-commerce sites to make the final sale of the stolen virtual property (Q-money, online game equipment…etc.).

The “Gun Sellers,” “Horse Hangers,” “Major Clients,” and “Traders” all make money. The economic benefits are rapidly turning the word “hacker,” which was once synonymous with “Technology Knights,” into a dirty word. However, hacker Hu says that the real money makers in this chain are the major clients (namely, the one who steals the envelopes).

If done well, it is not difficult to make several tens of thousands of YUAN a month. Some people earn over 10 million YUAN a year. With the cooperation of as few as 2-3 or as many as 10 people, after this valuable item passes through the underground chain it is sold all around the world.

It was reported that Li Jun, the programmer who wrote “Panda Burning Incense,” deposited nearly 10,000 YUAN a day into his account. After he was arrested by police, he acknowledged that he had made over 10 million YUAN.

Sorry, looks like it is going to be a 4-part post. More tomorrow.

Horton hears a (Chinese hacker) Hu…Part IV


Mar 05 2008

Horton hears a (Chinese hacker) Hu…Part II. Or, want to buy a gun?

[Image: gun.JPG]

Continuation of Horton hears a (Chinese hacker) Hu

The article next asks the question, what is the nature of the Chinese hacker community? A reporter from the paper went inside several of the domestic (Chinese) hacker websites and forums to carry out an investigation in order to answer this question. On a network that specialized in selling online gamer information, the reporter was able to contact a hacker through his QQ number. The hacker was only willing to reveal his surname, Hu.

According to hacker Hu, he was 23 years old, had just graduated from a computer vocational school and was working as a programmer for a software firm in Shenzhen. Hacker Hu’s QQ name was “Envelope Seller.” Hu explained that he provided all categories of hacker services; installing Trojans, taking control of websites and intrusion.

Hacker Hu said that currently all the professional hackers were just like him and that most of them did not have a formal profession. They depended on their hacker business to make a living.

The article then recounts the 2007 case of Panda Burning Incense.  This was the virus unleashed by Li Jun, a 25-year-old hacker from Wuhan, who caused massive damage to domestic Chinese networks.

Hacker Hu explains that he is careful and meets his clients either through BBS or friends and afterwards they communicate through QQ.  Hu further explains that his services are specific to each customer and that he is not like Li Jun, who sold his virus to just anyone. Hu says he does this to prevent a similar wide-spread viral outbreak.

Hackers like Hu, who have the ability to program viruses, are called “Gun Sellers” and their main role is the manufacture of hacker tools. They then sell these tools to their down-line clients.  The clients pay several hundred or thousands of YUAN to “Gun Sellers” like Hu to purchase these hacker programs, the most popular being Trojans.

The next step is to plant the Trojan on the website; this step is called “Hanging the Horse.” The client can complete this part themselves, or if they do not have the skills to do it, they can hire a specialist.  Hacker Hu will sometimes do this for his clients.

Sorry, CinC house just said, “If you don’t get off the computer, I will kill you!”  Gotta go, more tomorrow.

Horton hears a (Chinese hacker) Hu…Part III

Horton hears a (Chinese hacker) Hu…Part IV


Feb 20 2008

Chinese Hacker…Psst, I would really hate for something bad to happen to your little online game.

[Image: psst.JPG]

Reported a few days ago on Chinese hacker squeegee men, and it seems like they are not very welcome in China.  An unidentified technology security company in Shanghai was busted for their unique brand of marketing.  A salesman would come calling and explain the horrors some online game companies experience through DDOS attacks:

[Image: psst2.JPG]

Oh, and did he forget to mention his company just happens to sell firewalls?  Probably a good idea to purchase this magic firewall, because if you don’t, well, a couple of days later…you experience those horrors he tried to protect you against.  Police decided to investigate and Manager Luo and Salesman Li were arrested.  Turns out, they were in it for the money.  Go figure.

One section I couldn’t figure out involved a scene talking about the Shanghai company and this website:

[Image: psst3.JPG]

This is Chinahacker.com, a member of the Red Hacker Alliance, that I go to every now and then.  Exactly why they are used in the video to show where you can download DDOS attack software is still not clear, but no worries, I checked on the site and it is still up and running. Recent posts are as of today, which is their yesterday…damn International Dateline!

Full video of the story:


Feb 18 2008

The Empress Dowager of Chinese Hackers…

[Image: darkangel1.JPG]

That was my original title for this article, but it has changed; now I consider her the Keyser Soze (The Usual Suspects) of Chinese hackers.  I have gone through so many websites trying to figure out her past and just who she is that it has become a blur.  She is light, she is dark, she is mean, she is sweet, she is 26, she isn’t nearly that old…etc.  It is as hard to get a handle on her as it is to figure out the correct spelling of Keyser Soze, if that is indeed how it is spelled.  Anyway, I decided to just let you know what is not in contention and cut out all the other noise:

She was a member of the Six Golden Flowers until they broke up.  The line underneath the picture at the top says:

“Don’t bring up the Six Golden Flowers with me again, I am developing on my own.”

[Image: flower31.JPG]

Dark Angel’s Picture from The Six Golden Flowers

She goes by the names Dark Angel (黑暗天使) and Heihaitang (黑海棠).  As always with Chinese hackers, the meat on the bone comes with the current website they run.  And what she is doing now is using her reputation to sell hacker classes…just like every other Chinese hacker of any weight.

She offers 181 individual classes for about US $17 each (no deadline) and a year-long structured course of 14 classes at US $170 (internal programs are free of charge).


Jan 08 2008

Chinese Hackers Doing a 50 State Tour

With the increase in the number of attacks by Chinese hackers, I may never have to do my own research again.  Yesterday we had attacks on the Pennsylvania state government, and today they decided to go after Cleveland…I said Cleveland.  Nobody is safe.  The hackers exploited un-patched SQL injection vulnerabilities that forced end users to visit sites that pay third parties a fee in exchange for sending them traffic.  It really is all about the money.  Read it before the people paying for Adsense go broke!
