Black Lab Security Alert
October 11, 2007
Rating: Extremely Serious
Black Lab Security Systems, Inc
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
Web: http://www.blacklabsecurity.com/
info@blacklabsecurity.com
Offshore CyberProbes/CyberAttacks: New Sophisticated Coordination Using Distributed Short-Burst Stealth (C-DSSB) Attack Techniques
Upon further investigation of the recent offshore cyber probes/attacks, Black Lab Security Systems (BLSS) has detected a new offshore attack capability consisting of sophisticated coordination using short-burst attack techniques. This attack capability is even more advanced than the coordinated Distributed Denial of Service (DDoS) attacks the security industry has recorded in recent years. The objective of these C-DSSB attacks is not Denial of Service (DoS) but intrusion and code injection, leading to ultimate control of the system and extraction of its information.
In closely spaced timeframes, multiple sites in China consistently attempt to exploit the same inbound ports on the computer under attack, and the Chinese computers all consistently use the same outbound port as their local (source) port on the attacking computer when connecting to the United States. BLSS believes that probes on the same ports from multiple sites within China are too consistent to be a coincidence and present a high probability of a well-coordinated cyber probe/attack.
A coordinating attack site (a single attacking IP) starts with a couple of “burst packets” of TCP or UDP. The attackers then coordinate the remainder of the Chinese and other compromised sites to hit the targeted site with “burst packets” in random order. The attackers send attacks from site to site and then repeat. This technique hides or “stealths” the attack so that it does not look like a standard DoS attack, because communication is deliberately broken off, which allows the other attacking sites to pick up where the previous attack site left off. One of the attacking IPs will continuously hold its connection to the targeted site for hours before taking a short break and then reconnecting.
Based on the number of diverse Chinese attack origination locations (11 cities and 9 provinces), our intelligence believes these attacks require resources much greater than those of a small criminal hacking team such as the one led by Chinese hackfest champion (and suspected PLA member) Tan Dailin (aka Wicked Rose), the Network Crack Program Hacker (NCPH) Team. NCPH was last reported working out of Sichuan province near the Sichuan University of Science & Engineering. However, the NCPH’s involvement in these Windows-based cyber attacks is likely. Tan Dailin has reportedly taken a leave of absence from the University, is receiving monthly funding from an unknown source and has received PLA training. Recently, NCPH was thought to be behind a barrage of attacks against several US government agencies using 35 versions of the exploit and siphoning millions of documents back to China.
Another known case of Chinese cybercrime is the Fujacks worm (aka Worm.WhBoy and “Panda Burning Joss Sticks”, first seen in January 2007); its authors Li Jun (age 25), Wang Lei, Zhang Shun and Lei Lei were convicted in September 2007 in a people's court in Hubei Province. The Fujacks worms were capable of allowing others to access the computer, downloading code, remote code execution and access, modifying data, and modifying the Registry. According to Chinese media, Li Jun was sentenced to four years in prison. Wang Wanxiong, Li Jun’s lawyer, reported that Li Jun has received ten job offers for his "precious genius”, including an offer to become Technology Director of Jushu Technology (based in Hangzhou City, Zhejiang Province) at 1 million Chinese yuan (approximately US$135,000).
Previous Chinese-based systematic attacks, lasting at least two years and investigated by the FBI under the code name “Titan Rain”, were launched from Guangdong province.
Please note:
(1) Hubei, Guangdong, and Sichuan Provinces, mentioned above, are involved in the cyber attacks profiled in this alert.
(2) In 2003, Microsoft consented to sharing its operating systems code with the Chinese government in return for access to the Chinese market. The computer security community now fears the PLA may be putting this O/S code knowledge to use in their cyber warfare preparation efforts.
(3) The attacks profiled in this alert required significant coordination and resources. No direct proof pointing at the top-level PLA information warfare command (Fourth Department of the PLA General Staff Headquarters) or other Chinese Government organizations has been established.
Extremely Serious Rating
BLSS defines an extremely serious rating as attacks meeting two conditions:
(1) Continuous communications (either UDP or TCP) being received for more than 4 hours from each attacking IP address.
(2) An attacking IP address that sent communications (TCP, UDP, or RAW), then stopped and restarted the communications, repeatedly within a 12-hour period.
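The two rating conditions above can be evaluated mechanically from per-packet logs. The following is an added example, not code from the alert or from the Shadow product: it groups a source's packets into sessions (a silence longer than an assumed idle gap ends a session, a threshold the alert does not specify), then checks condition (1), a session longer than 4 hours, and condition (2), a stop followed by a restart within 12 hours. The traffic, addresses and time values are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (not in the alert): silence longer than IDLE_GAP ends a session.
IDLE_GAP = timedelta(minutes=5)
CONTINUOUS_MIN = timedelta(hours=4)   # condition (1): more than 4 hours
RESTART_WINDOW = timedelta(hours=12)  # condition (2): restart within 12 hours

def sessions_by_source(events):
    """Per-source sessions {src: [(first_seen, last_seen), ...]} from (ts, src, proto) events."""
    stamps = defaultdict(list)
    for ts, src, _proto in sorted(events):
        stamps[src].append(ts)
    sessions = {}
    for src, times in stamps.items():
        runs = [[times[0], times[0]]]
        for ts in times[1:]:
            if ts - runs[-1][1] > IDLE_GAP:
                runs.append([ts, ts])   # silence: a new session starts
            else:
                runs[-1][1] = ts        # still continuous: extend it
        sessions[src] = [tuple(r) for r in runs]
    return sessions

def rate_source(sessions):
    """Set of alert conditions met by one source's session list."""
    met = set()
    if any(end - start > CONTINUOUS_MIN for start, end in sessions):
        met.add("continuous_4h")        # condition (1)
    for (start_a, _), (start_b, _) in zip(sessions, sessions[1:]):
        if start_b - start_a <= RESTART_WINDOW:
            met.add("restart_12h")      # condition (2): stopped, then restarted
            break
    return met

def extremely_serious(events):
    """Source IPs meeting both conditions of the alert's rating."""
    return sorted(src for src, s in sessions_by_source(events).items()
                  if rate_source(s) == {"continuous_4h", "restart_12h"})

def burst(src, start, minutes, proto="TCP"):
    """Constructed sample traffic: one packet per minute for `minutes` minutes."""
    return [(start + timedelta(minutes=m), src, proto) for m in range(minutes + 1)]

# Constructed sample (documentation-range addresses, not real attackers).
T0 = datetime(2007, 10, 11, 0, 0)
SAMPLE = (burst("203.0.113.5", T0, 270)                        # 4.5 h solid,
          + burst("203.0.113.5", T0 + timedelta(hours=5), 60)  # then back
          + burst("203.0.113.7", T0, 300)                       # 5 h, no break
          + burst("203.0.113.9", T0, 60, "UDP"))                # 1 h only
```

Only 203.0.113.5 meets both conditions; 203.0.113.7 meets only the 4-hour condition and 203.0.113.9 neither.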
BACKGROUND
(1) We are a cyber security software firm.
(2) We have established honeypot websites on the Internet.
(3) Using the Shadow Security Suite (our product) as the only security solution active on the web server/network, we have successfully detected, stopped and gathered detailed forensic information profiling the cyber probes/attacks, and traced them back to China and other locations.
(4) We are detecting very detailed interrelated events because our packet monitor and port monitor are designed and developed using a “raw sockets” methodology.
(5) All events that take place within a Shadow-protected computer are correlated in real time to determine the exact forensics, while Shadow protects the computer by not allowing unauthorized modifications to execute, nor any remote code execution, including through unknown vulnerabilities (see the picture below of an actual China attack captured in real time).
REAL-TIME CAPTURE OF ON-GOING ATTACK
ADDITIONAL ATTACK DETAILS
BLSS is detecting cyber probes and cyber attacks from multiple coordinated sites originating from China and other countries, using similar techniques, payloads, and source transmission ports (predominantly port 6000) on the attacking computer. The attacking computers located in countries outside China are suspected to have been successfully hacked by the Chinese hackers and are now remotely controlled zombie computers.
The attacks will continuously cycle through these inbound ports. Ports under attack include:
139 NetBIOS Session Service and file shares
1026 Calendar Access Protocol port
1027 Calendar Access Protocol port
1434 Monitors and manages Microsoft SQL databases
5168 Used by TrendMicro ServerProtect to receive pushed signature updates.
7212 Unassigned. Used by GhostSurf™ open proxy and RealPlayer™.
Based on our investigation, both TCP and UDP command packets are being sent to exploit these ports. BLSS therefore believes that the listed ports should be categorized as a significant threat and that appropriate actions should be taken on your network firewalls immediately.
The cyber attacks are attempting to execute “system-wide” JavaScript files (*.js) and other malware programs to gain overall control of the attacked computer. The scripts and executables involved include: RAClient.exe, RAServer.js and RAControl.js.
There was no logon, no buffer overflow, nothing of any nature that would indicate capture of the internal system name, password, etc.
BLSS has been able to determine that the probes/attacks are evolving to a very advanced methodology which no longer depends on a successful ping (ICMP): a probe now begins with a defined IP address and cycles through every possible IP combination within the IP address range. As an example, a probe starts with "100.100.100.001", launches a UDP packet and/or TCP packet, then goes to "100.100.100.002", then "100.100.100.003", and so forth.
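A honeypot that sees only its own inbound traffic cannot observe the sweep directly, but a sensor with visibility across a range can recognise it from the destination addresses alone. The following is an added example, not from the alert or the Shadow product: it reports sources whose targets advance one address at a time, tolerating the zero-padded octets the alert uses ("100.100.100.001") and repeated packets to the same target (UDP and TCP). The sample events and the run-length threshold are constructed assumptions.

```python
import ipaddress

def parse_ipv4(text):
    """Parse a dotted quad, tolerating zero-padded octets such as the
    alert's "100.100.100.001" (which ipaddress would otherwise reject)."""
    return ipaddress.IPv4Address(".".join(str(int(o)) for o in text.split(".")))

def longest_sequential_run(dsts):
    """Length of the longest run, in order of appearance, in which each new
    destination is exactly the previous destination plus one."""
    best = run = 0
    prev = None
    for text in dsts:
        addr = parse_ipv4(text)
        if prev is not None and addr == prev:
            continue                       # another packet to the same target
        run = run + 1 if prev is not None and addr == prev + 1 else 1
        best = max(best, run)
        prev = addr
    return best

def sweep_sources(events, min_run=8):
    """Sources whose targets advance address by address, the ping-less sweep
    the alert describes. min_run is an assumed threshold, not from the alert.
    Returns {src_ip: longest_run} for sources at or above the threshold."""
    targets = {}
    for src, dst, _proto in events:
        targets.setdefault(src, []).append(dst)
    runs = {src: longest_sequential_run(d) for src, d in targets.items()}
    return {src: n for src, n in runs.items() if n >= min_run}

# Constructed sample: one source walks 100.100.100.001 .. .020 one address at
# a time with UDP then TCP; another hits three unrelated addresses.
SAMPLE = [("198.51.100.7", "100.100.100.%03d" % i, proto)
          for i in range(1, 21) for proto in ("UDP", "TCP")]
SAMPLE += [("198.51.100.9", "100.100.100.005", "TCP"),
           ("198.51.100.9", "100.100.101.200", "TCP"),
           ("198.51.100.9", "100.100.100.042", "UDP")]
```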
Please note: during the "security hardening" of our honeypot website, we intentionally removed the four remote access JavaScript files because they are considered a security threat. You can read about these scripts being classified as potential spyware at http://www.spywared.com/files/1320/12/1; RAClient.exe, RAServer.js and RAControl.js are listed in the middle of the page. Additionally, if you use a search engine such as google.com, you will find Chinese sites discussing in great detail how to use RAClient.js, RAServer.js and RAControl.js. If you run a Google search with the parameters "china [java script name]" (without quotes), you may be amazed at the results. If you run a Google search on the specific script file name(s), you will find many experts recommending the deletion of these specific scripts as part of "security hardening".
BLSS is using our solution (Shadow) to monitor all communications (port activity), process activity, shell activity, and user login activity. Essentially, we have designed a new security solution to simultaneously monitor what we feel are all the critical sub-systems within a Microsoft PC or server. Shadow has the ability to perform an analysis of a Microsoft computer, assign a unique ID to each specific executable, including all compiled binary files and O/S scripts (.bat, .vbs, .js, etc.), and authenticate each executable and script before it is allowed to execute. Shadow also continuously cycles through all of the internal hard drives, analyzing each authorized executable (binary and O/S script) to detect an unauthorized modification to any authorized compiled binary file or O/S script. Shadow will detect an unauthorized modification without the executable payload needing to execute, and will likewise detect new (unauthorized) executable payloads without requiring the payload to execute. Shadow also places a "secure environment" around all Microsoft admin tools, CMD.EXE and PowerShell.exe, whenever any of these utilities is executing.
IP ADDRESSES DETECTED
The detailed information recorded on the Chinese IP addresses includes the ISP, organization, location, city, province, latitude and longitude of each address.
Sunday, October 28, 2007
2 comments:
You are so busted, because I have been attacked by an nmap Xmas scan these last few days by an IP that seems to be your company. Isn't this yours? 124.161.65.61
I work in an internet infrastructure company and do notice regular attacks on our servers from China.
Here is one that's currently ongoing and I do not know what to do about it.
116.252.178.84
CHINA,GUANGXI, NANNING
CHINANET GUANGXI PROVINCE NETWORK