On April 3, computing.co.uk reported the arrest of four Chinese men for breaking into the online bank accounts of their fellow citizens. The report was high on theory and low on details. For the moment we will ignore the "spin" being placed in this story elsewhere in the media -- does this mean the Chinese government wants to stop hackers, but only if they are hacking other Chinese? -- let's just examine the facts.
The four men, who have the surnames of Duan, Wei, Li, and Ruan, according to an April 1 report from Shanghai Daily News received sentences ranging from 8 years to 2.5 years. They were also fined 155,000 yuan, or about $20,000 USD. The sentencing occurred in the Luwan District People's Court.
According the Shanghai Daily News report, the hackers did their work by using a hacker tool called "Grey pigeon 2006vip". After planting this software on various websites, visitors to those websites became infected with a trojan which stole their userids and passwords when they logged on to their bank. We call this type of infection a "Drive By Infector". All that is necessary to be infected is to visit a website hosting the malware.
Li's role was to hack the website and install "Grey Pigeon". Duan received the accounts and transferred the money out of the victim accounts to an account controlled by the hackers. Wei and Ruan had the hands-on job of withdrawing the cash from ATM machines.
The withdraws mentioned in the trial occurred on April 11, 2007 and May 12, 2007.
Luwan district, which is part of Shanghai, has seen similar cases of this type recently, including the the conviction of Bai Yongchun last September, who was also convicted of stealing money by using the Grey Pigeon software.
Grey Pigeon can be found being discussed at "hacker120.com", which also goes by the name of "www.hkop.cn", in a forum called: 黑客攻防技术专区
The current version of Grey Pigeon (Grey Pigeon 2008, or 微尘灰鸽子2008免杀版), has been available at hacker120.com since January 31, 2008. The virus tries to edit your registry to make itself a Windows Service, by adding the tag:
HKLM\SYSTEM\CurrentControlSet\Services\Windows XP Vista
to your registry, with a pointer to itself. The originally downloaded file is named "hacker.com.cn.ini", but this file is renamed to an ".exe" with the same name as it is copied to create the Windows Service named "Windows XP Vista".
Sophos detects the current version of Grey Pigeon as "Troj/Mdrop-BQA", and has protected against it since Feb 2008, according to this Sophos information page.
In China, the Grey Pigeon family is prevalent enough that Chinese anti-virus company "Rising" has a special detection program for it, which can be downloaded from their website (GPDetect.exe), where they have a link to Grey Pigeon information from their main website homepage. (The information page about Grey Pigeon has been being updated since originally published by Rising in 2005!)
Wednesday, April 09, 2008
Posted by Gary Warner, UAB Center for Information Assurance and Joint Forensics Research at 7:30 AM