Tuesday, April 22, 2008

Chinese Hacktivists Waging People's Information Warfare Against CNN

Empowering and coordinating script kiddies by releasing DIY DDoS tools (some of them backdoored), as happened during the DDoS attacks against Estonia, is exactly what is happening again: at the time of writing, Chinese netizens are being coordinated through forums and IM on a massive scale and enticed to install a piece of malware pre-configured to flood CNN.com. Both of these coordinated incidents illustrate what people's information warfare, and the malicious culture of participation, is all about. The PSYOPS anti-cnn.com initiative is maturing into a central coordination point for recruiting DDoS participants on nationalist grounds. Some info on hackcnn.com, the malware, internal commentary on behalf of the hacktivists, and who's behind it:

hackcnn.com ( CHINANET-HB CHINANET Hubei province network China Telecom A12
Xin-Jie-Kou-Wai Street Beijing 100088,
China, Beijing 100000
tel: 101 1010000
fax: 101 1010000

Upon execution of the tool, 18 TCP connection attempts to cnn.com ( start, requesting the following path on CNN.com:

- Request: GET /aux/con/com1/../../[LAG]../.%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp
Response: 400 "Bad Request"

Scanner results: 3% (1/36 scanners) found malware!
File size: 174592 bytes
MD5...: c03abd4d871cd83fe00df38536f26422
SHA1..: 0502c74ee90e110ceed3cbb81b2ee53d26068691
Released by: Red Flag Cyber Operations, nixrumor@gmail.com

From a network reconnaissance perspective, the Chinese hacktivists didn't even bother to restrict access to Apache's /server-status page (mod_status), so anyone can obtain juicy inside information about hackcnn.com such as:

Current Time: Tuesday, 22-Apr-2008 07:00:56
Restart Time: Monday, 21-Apr-2008 15:25:39
Parent Server Generation: 0
Server uptime: 15 hours 35 minutes 17 seconds
Total accesses: 291670 - Total Traffic: 533.8 MB
5.2 requests/sec - 9.7 kB/second - 1918 B/request
4 requests currently being processed, 246 idle workers
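As an added illustration (not code from the original post), here is a small Python parser for the figures a publicly readable mod_status page gives away, run over the excerpt quoted above. It recomputes the request rate, throughput and bytes per request from the raw counters, which is a quick way for an administrator to confirm exactly what their own server is exposing.

```python
import re

# The mod_status excerpt quoted above, embedded here as the sample input.
STATUS_EXCERPT = """\
Current Time: Tuesday, 22-Apr-2008 07:00:56
Restart Time: Monday, 21-Apr-2008 15:25:39
Parent Server Generation: 0
Server uptime: 15 hours 35 minutes 17 seconds
Total accesses: 291670 - Total Traffic: 533.8 MB
5.2 requests/sec - 9.7 kB/second - 1918 B/request
4 requests currently being processed, 246 idle workers
"""

UNIT_SECONDS = {"day": 86400, "hour": 3600, "minute": 60, "second": 1}
SIZE_BYTES = {"B": 1, "kB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_uptime(text):
    """Turn 'N days M hours ...' into seconds (mod_status omits zero-valued units)."""
    return sum(int(n) * UNIT_SECONDS[u]
               for n, u in re.findall(r"(\d+)\s+(day|hour|minute|second)s?", text))


def parse_status(text):
    """Extract the counters mod_status exposes and recompute the derived rates."""
    uptime = parse_uptime(re.search(r"Server uptime:\s*(.+)", text).group(1))
    m = re.search(r"Total accesses:\s*(\d+)\s*-\s*Total Traffic:\s*([\d.]+)\s*(\w+)", text)
    accesses, traffic = int(m.group(1)), float(m.group(2)) * SIZE_BYTES[m.group(3)]
    m = re.search(r"(\d+) requests currently being processed, (\d+) idle workers", text)
    busy, idle = int(m.group(1)), int(m.group(2))
    return {
        "uptime_s": uptime,
        "accesses": accesses,
        "req_per_s": accesses / uptime,
        "kb_per_s": traffic / uptime / 1024,
        "bytes_per_req": traffic / accesses,  # approximate: the MB figure is rounded
        "busy_workers": busy,
        "idle_workers": idle,
        "busy_ratio": busy / (busy + idle),
    }


if __name__ == "__main__":
    for key, value in parse_status(STATUS_EXCERPT).items():
        print(f"{key:>14}: {value:.3f}" if isinstance(value, float) else f"{key:>14}: {value}")
```

The server-side fix is to restrict the /server-status location to trusted addresses (for example `Require local` in Apache 2.4) or simply not to load mod_status on public-facing hosts.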

Excerpts of internal commentary on the motivation, and their updates on the first DDoS round:

"Our team of non-governmental organisations, We only private network enthusiasts. However, we have a patriotic heart, We will absolutely not permit any person to discredit our motherland under any name, We are committed to attack some spreading false information, and malicious slander, libel, support Tibet independence site."

"User to a black CNN website suffer the same name. Yesterday, some Internet users attacked the domain name contains a "cnn" sports Web site, leaving protest speech, but reporters did not check the site found a relationship with CNN. Yesterday's attack was the website with the domain name sports.si.cnn.com engaged in the work of the network of residents in Urumqi Mr. Chen, at about 2 pm, the attackers up a website hackcnn.com know, the "CNN sub-station" invasion and modify their pages. "Tug-of-war administrator and hackers," Mr. Chen said, after sports.si.cnn.com pages sometimes normal, and sometimes been modified. 16:50, the reporter saw on the pages left in bilingual text and flash animation, stressed that Tibet is a part of China, cnn protest against prejudice and false reports, the title page column was changed to "F * * kCNN!. " A few minutes later, the web site to enter a user ID and password before connecting, "evidently administrator of the authority." Chen analysis. Yesterday, the reporter tried to contact the attack, but received no response. Reporter verify that the contact address sports.si.cnn.com Pennsylvania in the United States, and the sports channel CNN web site is not the same, did not disclose information with the CNN."

DDoS-ing is one thing, defacing is entirely another: see sports.si.cnn.com/test.htm, which was last defaced yesterday and now carries the messages "We are not against the western media, but against the lies and fabricated stories in the media" and "We are not against the western people, but against the prejudice from the western society.!".

According to forum postings, however, now that they've sent a signal, the attitude is shifting from attacking CNN to attacking Western media in general. Thankfully, just as with the Electronic Jihad program, they did not put much effort into extending the tool's lifecycle by building in a way to automatically update it with new targets. In fact, in the Electronic Jihad case, the hardcoded update locations were all down prior to the tool's release, which made obtaining the targets list a bit more effort-consuming.