We were pretty darn busy in April, so some things fell through the cracks and I missed this report on nationalist-motivated hacking. If you recall, during that time period there were calls in France to boycott the Beijing Olympics over the crackdown in Tibet. The French magazine Capital posted an online poll on whether or not France should participate in the games…Chinese hackers and nationalists were not pleased:
Capital publisher Jean-Joel Gurviez:
“On the first day, we had about 300 responses, which was normal for this type of poll, and they were 80 percent in favour of a boycott. The next day there were 20,000 responses, with 80 percent opposing a boycott,” he said.
Almost all of the responses arrived via Chinese servers, Gurviez said, leading technicians to initially think the influx was driven by Chinese sites directing patriotic fans to vote.
“But a few days later we had hackers operating off servers in China try to change our content, and there were 2.5 million attempts to access protected files. We had to shut down the site temporarily,” he said.
SBS Dateline reporter George Negus interviews Chinese hacker Yang Zhao. Yang talks about the attacks on CNN, nationalism and intrusion methods. This is the YouTube version of the video; it is shorter than the version found on the SBS Dateline website.
CNN-hating Chinese nationalists can download a tool that sends high volumes of requests to www.cnn.com in an attempt to knock it offline. The tool is bundled in a .rar file that contains a readme and a pre-compiled Windows binary. A quick virus check showed that some scanners identified it as a backdoor, but that didn’t seem to be the case. When I ran the tool, a simple flag icon appeared in the lower right of my test VM.
Clicking on the flag brings up the full interface, which has three options: start/stop, minimize and exit.
Here is a sample of the request/response I got after running it for a few seconds:
GET /aux/con/com1/../../[LAG]../.%%%%%%%%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp HTTP/1.1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache Server at www.cnn.com Port 80</address>
</body></html>
I read somewhere that it is self-updating but I never saw any requests other than DNS resolution (to my own configured DNS servers, not hard-coded) and requests to www.cnn.com. I’ll run it in “paused” mode for a while to see what happens.
UPDATE (0100GMT 23 April 08): No suspicious traffic came from this binary (apart from what was expected, of course).
UPDATE (1628GMT 24 April 08): Heike and I have dubbed anticnn.exe the “Mao-inator”.
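As an added defender-side example (not part of the original post and not the tool’s own code), here is a small Python parser for Apache access-log lines that flags clients sending the request pattern shown above. The log lines, IPs and timestamps are constructed for the example; the signature regex is built from the request path quoted above.

```python
import re
from collections import Counter

# Constructed Apache combined-format log lines (not real cnn.com logs), modelled on
# the request the anticnn.exe tool sends and the 400 Bad Request it gets back.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2008:14:02:01 +0000] "GET /aux/con/com1/../../[LAG]../.%%%%%%%%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp HTTP/1.1" 400 226 "-" "-"
203.0.113.7 - - [22/Apr/2008:14:02:01 +0000] "GET /aux/con/com1/../../[LAG]../.%%%%%%%%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp HTTP/1.1" 400 226 "-" "-"
203.0.113.7 - - [22/Apr/2008:14:02:02 +0000] "GET /aux/con/com1/../../[LAG]../.%%%%%%%%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp HTTP/1.1" 400 226 "-" "-"
198.51.100.9 - - [22/Apr/2008:14:02:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Apr/2008:14:02:03 +0000] "GET /missing HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) '
)

# Signature of the tool's request: a path starting with Windows reserved device
# names (aux/con/com1) and ending in the stacked server-side extensions.
ANTICNN_RE = re.compile(
    r'^/aux/con/com1/.*fakecnn/redflag-stay-here\.php\.aspx\.asp\.cfm\.jsp$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text, threshold=3):
    """Count signature hits and 400s per client; flag noisy or matching clients."""
    sig, bad = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 400:
            bad[rec["ip"]] += 1
        if ANTICNN_RE.match(rec["path"]):
            sig[rec["ip"]] += 1
    flagged = sorted(ip for ip in set(bad) | set(sig) if sig[ip] or bad[ip] >= threshold)
    return {"signature_hits": dict(sig), "bad_requests": dict(bad), "flagged": flagged}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

In practice the threshold should be tuned to the site’s normal rate of 400 responses per client; the signature match alone is enough to flag a client regardless of volume.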
Never heard of this, don’t know what to make of it, not sure I even care. Anti-Fans are a phenomenon that began in Korea, where large numbers of “anti-fans” set out to trash and even poison celebrities. Their number one targets are singers and dancers. So, the good news…it has spread to China!
This is the Taiwanese band F-4, who got hacked by Chinese anti-fans for referring to Taiwan as a country while filming a commercial for tourism. (Have to admit, a lot of boy-bands here in the US could use a good hacking…just kidding…sort of.)
Chinese actress Zhao Wei targeted by Chinese anti-fans for…too much hotness? No, she wore the Japanese flag.
Artist Wang Xinling, just a little too cutesy for some fans. They are anti-fans due to her winky-hand-movey antics on stage.
And for the most disturbing of all, they claim to be the Bin Laden for celebrities.
A posting at Sam, Saman, Samantha’s blog sums up my feelings quite well. But, just because they seem to have gone way past the deep end of the pool, doesn’t mean they can’t make a semi-rocking video! Enjoy (fair warning, the thing loads slow, slow, I mean really slow):
The following is the defacement of the Japanese site nishimatsu.co by a Chinese hacker named Sunwear. He used English on some lines and Chinese on others, but here is the translation with one line omitted:
(English) Hi
(Chinese) You Japanese pigs
(English) Fuck All Japan Gril (18-20)
(Chinese) I represent all the PRC men who fuck all your pretty Japanese girls from ages (18-20).
(This line illegible)
(Chinese) You all took over 300 slaves from China. I Sunwear swear that I will hack 3000 Japanese websites
(English) Destroy Japan!!!!!!
(English) By China Sunwear E-Mail btwlu@163.com (Chinese) Chinese people look, if you have a patriotic heart add my QQ 625185 and later when there is a site to hack I will give you a call.
Tracked down his website at http://hi.baidu.com/patricksunwear and did some checking around. There are only six personal pictures on the site and all appear to be the same male. Two pictures drew my attention:
The uniform he is wearing is that of the People’s Armed Police, a quasi-military organization charged with protecting the Party that has recently started moving into anti-terror work. It is hard to see detail, but the rank insignia seems to be that of a 2nd Lieutenant.
My guess is that it is not his official duty to hack into Japanese websites, just a 2nd Lt doing what they all do… getting into more trouble than they can get out of.
UPDATE 26 Nov: After looking at the two pictures and thinking about it some more, he just may be trying on the uniform of his buddy. I don’t know, that haircut just has me thinking not in regs.
The headlines in most major papers that cover Chinese hackers paint them as ethereal beings, invisible, coming from nowhere, invading, attacking, and then returning to their void. Media reports are filled with “Chinese hackers” involvement in one type of exploit or another, speculations about government affiliation, and the types of online crimes they have committed. What they fail to provide is background on just who comprises this secretive organization. Certainly, these spirits from a land as unfathomable as China must be impossible to locate, much less study.
The reality turns out to be considerably less mysterious and much more mundane. Chinese hackers are incredibly easy to find and provide more information about themselves than anyone reading the news could imagine. The problem is not a lack of information but an overabundance of it. The Red Hacker Alliance is producing thousands of internal documents just waiting to be translated and studied. No special computer skills are required and you do not need the ability to detect and track an intruder over countless Internet connections or jumps between satellites. It doesn’t require a government clearance with access to classified documents. The information has been sitting in the open since the very founding of the organization and it is this very information we will use to examine their history, structure, exploits, political agenda, and possible government affiliations.
While not an unbroken historic timeline, we will trace the birth of Chinese hackers on the Internet from a purely nationalistic organization, to their current situation that is rapidly expanding into commercialization and criminal activity. Before looking directly at the history of the Chinese Red Hacker Alliance, it is perhaps vital that we have an understanding of China’s past and how it affects its population’s current psyche in order to get greater insight into why these groups are so much more nationalistic than their Western counterparts.