Ransomware Infects 100K PCs in China, Demands WeChat Payment (movaxbx.ru)
150 points by known 77 days ago | 58 comments

Lol. This is the programmer equivalent of dumb crooks.

1. Sends money to a centralized service that can track his account, must share info with Chinese government

2. Forgot to register domain privately

3. Instead of using DES or RSA, he just XOR'd the file with a key he hard-coded in the file

4. He apparently left his name and phone number in the code?

5. When they looked at what servers it was pinging, they were able to gain access because it had not been properly secured

Am I missing anything else?

For 1, right now it is still fairly easy to buy "identities" from black market to use with Chinese Internet services. With the so-called "4-piece set" (national ID card, SIM card, debit card linked to a bank account, U-shield (hardware 2FA key for online banking)), one can set up WeChat/Alipay to collect payments without revealing their true identity.

And those "4-piece sets" are not faked ones. People purchase those from slumdogs who would like some extra cash and don't know or don't care what happens if their identities are used in criminal activities.

But with 2-5... It's possible that those dumb crooks were too dumb to consider that much and just used a WeChat account registered under their own name.

You can buy identities alright; the real challenge is how to cash out the money. The account will likely be locked upon investigation, and if not, the moment whoever cashes it out at the ATM or counter, they will be arrested on the spot.

Scammers often hire innocent agents to cash out these accounts. But still with a very low success rate.

> The account will likely be locked upon investigation

The WeChat account has already been banned. http://www.xinhuanet.com/fortune/2018-12/05/c_1123807970.htm

Now it's time for the police to dig out the real criminal.

A proxy/jumper account might work until (as you said) somebody starts cashing the money out.

Seems like a very dumb thief, but then again, how does somebody steal money online without being caught nowadays?

Use e-tokens like Bitcoin, with a mixing service, then convert them to real currency in a random country.

Well, too late to know for that guy, he's already been arrested[0]. Guys on Solidot[1] dug out many interesting things, including one issue he posted on one of his own GitHub repos saying "Help! How can I delete this repo, I have to run!".


BUT, I almost feel pity for him. Take a look at the picture of him in the news[0], look at the environment he's living in and how thin he is; pretty rough life, I'd say.

I hope he's doing well in prison and becomes a better man after this. If he can write a virus capable of doing all that, then I think he would also do well in most companies that do web-related work.

[0] https://news.163.com/18/1207/10/E2DS6H800001899O.html

[1] https://www.solidot.org/story?sid=58856

Privacy cryptos like Monero?

Then it will probably be banned in China, so nobody can actually pay the ransom.

Plus, I have read a news article on Wired[0]; I don't think Monero is private enough to withstand state/police-launched attacks?

Considering there are many ways to make money legally, doing something at that level of risk maybe just isn't worth the trouble.

[0] https://www.wired.com/story/monero-privacy/

so... you just have to mug someone and take the stuff they normally carry around with them? yikes.

That probably doesn't work, since the victim will report the theft and the cards will be cancelled.

What a genius way to get someone you hate thrown into prison!

Just put @omarforgotpwd's name/number/server/doxx into the code and release it really clumsily.

Hmm... What if it was intentional, to frame someone else?

So, person is either just dumb or playing 8 dimensional chess. I know what I think.

I normally come to the same conclusion when I'm thinking about politics.

This isn't 8-dimensions.

For someone who works in this space this would be a simple framing attempt. I give that like one dimension, maybe one and a half. In reality it's probably just a dumb crook or someone doing it for the lulz.

Someone has a bot that scrapes Github for Discord bot tokens and deletes all content in servers it has permissions in and replaces it with info saying X person did it and to "come to his house."

Stuff like that is pretty common, I feel, for people to use against their enemies. Especially if it was designed to be small and got out of hand.

Or maybe they know it'll look too dumb and thus suspect a framing attempt, so it's 3D class after all.

It could just be a person with some computer knowledge but not really smart enough to do an encrypted attack, and if fake ID is as easy as some posters suggest, and they could very quickly and easily, with the limited knowledge they had, come out with a few thousand dollars, then I don't think they were dumb or stupid. It may look stupid given how complex attacks can be these days, but so too does the Nigerian Prince email look stupid. But he, to this day, is still looking for someone to help him with his money.

Also it's entirely possible they purposefully left the files recoverable via XOR instead of DES [1] because all they really care about is getting $16 from you, not punishing you if you don't.

[1] A distinction the author was clearly aware of, as the ransom note claimed DES was used.
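Item 3 of the list at the top of the thread and the comment just above both turn on the same point: XOR with a single hard-coded key is not encryption in any meaningful sense, whatever the ransom note claims about DES. The following is an added example, not code from the malware or from any commenter, showing why. With a repeating XOR key, anyone holding an encrypted file whose first bytes are predictable (a PNG or PDF header) can XOR those bytes against the known header to read the key stream off, confirm its period, and decrypt the whole file, without even extracting the hard-coded key from the binary. The key, key length and file contents below are constructed for illustration; the header magic bytes are the standard ones.

```python
from itertools import cycle
from typing import Optional, Tuple

# Standard leading bytes of common file types, used as cribs (known plaintext).
# The PNG entry includes the 4-byte IHDR chunk length and the "IHDR" tag that
# always follow the signature, giving 16 known bytes. The PDF and ZIP cribs are
# much shorter, which limits how long a key they can confirm (see recover_key).
KNOWN_HEADERS = {
    "png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR",
    "pdf": b"%PDF-1.",
    "zip": b"PK\x03\x04",  # also .docx/.xlsx/.jar containers
}


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes, max_key_len: int = 64) -> Optional[bytes]:
    """Recover the shortest repeating XOR key consistent with a known plaintext prefix.

    XORing the ciphertext with the known prefix yields that many bytes of key
    stream. A period k is accepted only if the stream repeats with period k over
    the whole crib, so the crib must be at least 2*k bytes long; a short crib
    therefore caps the key length that can be confirmed. Returns None if no
    period fits.
    """
    n = min(len(ciphertext), len(known_prefix))
    stream = bytes(c ^ p for c, p in zip(ciphertext[:n], known_prefix[:n]))
    for k in range(1, min(max_key_len, n // 2) + 1):
        candidate = stream[:k]
        if all(stream[i] == candidate[i % k] for i in range(n)):
            return candidate
    return None


def decrypt_with_cribs(ciphertext: bytes, max_key_len: int = 64) -> Optional[Tuple[str, bytes, bytes]]:
    """Try each known header in turn; return (file_type, key, plaintext) or None."""
    for file_type, header in KNOWN_HEADERS.items():
        key = recover_key(ciphertext, header, max_key_len)
        if key is not None:
            return file_type, key, xor_with_key(ciphertext, key)
    return None


if __name__ == "__main__":
    # Constructed sample: a fake PNG "encrypted" with a hard-coded 5-byte key.
    KEY = b"Sc4n!"  # assumption: stands in for the key baked into the binary
    plaintext = (
        KNOWN_HEADERS["png"]
        + b"\x00\x00\x01\x00\x00\x00\x01\x00"  # fake IHDR width/height
        + b"constructed image body"
    )
    ciphertext = xor_with_key(plaintext, KEY)
    result = decrypt_with_cribs(ciphertext)
    assert result is not None
    file_type, key, recovered = result
    print(f"type={file_type} key={key!r} recovered={recovered == plaintext}")
```

Against a real cipher (AES, or even DES) with a per-victim key, a known header gives the victim nothing; here it hands over the entire key. The one limitation is crib length: a 16-byte PNG header confirms keys up to 8 bytes, while the 7-byte `%PDF-1.` crib can only confirm keys up to 3 bytes, so a 5-byte key survives that particular crib and a longer known region (or the key pulled straight from the binary) is needed instead.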

I was wondering the same. It’s a pretty genius way to “get revenge” that’s likely to work if so.

You're probably right... but I wouldn't underestimate the power and prevalence of 差不多.


I'm guessing "close enough" as in "sloppy work"?

Chabuduo - "near enough is good enough". Said when defending a half-assed solution that barely hangs together. Now that I think about it, I see this in codebases all the time.


More likely some kid who hacked together some ransomware.

Since WeChat is a central authority, it would be foolish to ask for payment to the ransomware author's actual WeChat ID. It's very likely whatever ID they're asking for payments to is automatically generated/pulled/guessed/etc., so that the ransomware's only purpose is to cause havoc and/or waste the government's time. If the ransomware was created to earn money it would ask for cryptocurrency like all the others, but then it wouldn't have made as many headlines.

Alternative possibility: given the simple, traceable, almost begging-to-be-caught nature of the malware, and that it so easily led researchers to a name and address of a potential author, perhaps its goal is actually to frame someone... to take out a rival hacker, revenge, lulz, ...?

Not saying it's what's actually happening here, but it's something that has crossed my mind before about malware - that it would be comparatively easy to lead one or more false trails to shift blame for whatever reason, and I wonder how many pieces of malware have actually managed to pull this off, and pinned the blame on an obvious target, e.g. Chinese government, "russian hackers", etc.

What's to say the Chinese Government didn't infect the machines and use it to pin the blame on someone they wanted neutralized?

Because they don't need justification to take someone down. If the Party could take down high-ranking Party members like Bo Xilai or massively popular celebs like Fan Bingbing or foreign citizens like that Swedish publisher or a group of people like the million Uighurs, they hardly need an elaborate scheme like this to take someone into custody.

You're overthinking it.

I guess it depends on the image they want to project and the message they want to send. Sometimes there is a political end to a Government's posturing. Sometimes it's more than the end they're looking for, sometimes they need to set the scene first to control the narrative in a way that sells the story they want for their own political gain.

It's the game of wits from Princess Bride. They might want to take someone out, so you can't choose the wine in front of you. But, they must know you know that, so you can't choose the wine in front of them. But they may be trying to protect their image, and if so, you can't choose the wine in front of them either.

I heard recently about the degree of rivalry between Chinese Hacker groups and how some get rid of competition by framing them for attacks. Which is absolutely brutal if you remember some hacking offenses face the death penalty.

That, or the creator is just stupid

Reads to me like someone writing viruses who doesn't know a thing about writing viruses.

> "Reads to me like someone writing viruses that doesn't know a thing about writing viruses"

someone who infected 100,000 machines knows at least 'a thing' about writing viruses

I mean yes, it is a remarkable technical achievement.

To use the analogy of an art thief, this is as if he had simply smashed some glass and made a run for it, without dealing with security systems and whatnot. He might make it out the door, but now the museum has him on video, they have his fingerprints, and they're probably going to get the stolen art back.

A person capable of writing even a simple virus is not an idiot. How can you live in China and not be aware how these things work?

Why not just use mules (if that's the right term)?

The world has no shortage of desperate people who will jump at the chance to earn a few bucks "working from home," where they help "hardworking businessmen between banks" move money. Perhaps the excuse is different and culture-specific, but peoples' inclination to look the other way when they think it benefits them is universal.

> It's very likely whatever ID they're asking for payments to is automatically generated/pulled/guess/etc

If that's true then it's kind of like the robin hood of malware.

Twist: use the previous victim as a recipient for the payment.

This would create an interesting spread incentive for the attack: once you are infected and you pay, you can still be reimbursed if you manage to infect someone else. You could even make this into a pyramid where several people's payments go to a parent carrier, and people will even want to be infected quickly to be closer to the top of the pyramid.

Or just use a random previous victim id. Now it becomes a viral non-consensual lottery and you benefit from spreading it.

You can't just sign up for a WeChat ID right now. As of late 2017, when you sign up for a WeChat ID it shows you a sign-up QR code. Someone who is a verified WeChat user (someone with WeChat Pay, which has RealID) must scan and verify you before you are allowed.

Why not have the real WeChat ID hidden among randomly generated 'noise' WeChat ID's? Then the real attacker could get paid and still have plausible deniability.

This criminal mind is going to get me in trouble some day...

It's not hard to steal money. It's hard to get away with it.

Part of the difficulty is fighting greed, as the people that get caught are the ones that push their luck way too far. They're often wildly successful at first with more cautious approaches, but as they get more brazen they end up getting busted.

I think you make sense, but the hacker may control some percentage of the "lucky" account holders.

"WeChat Payment"

Although it's a little tricky here, once you've acquired the necessary Chinese IDs with debit cards (more than easy), it's not too hard; old people in villages are more than willing to sell theirs for several hundred RMB.

As for authorities, oh, they are more busy maintaining social stability. If your case (assuming they allow you to register your case, since it's obviously a dead end that affects their stats, vital for promotion) is lucky enough to be included in an operation a couple of months later, then maybe they can find out which countries these hustlers are in, and case closed.

> As for authorities, oh they are more busy maintaining social stability

Never embarrass the powers that be, though. 100K PCs and growing daily is not a small incident.

Yeah. I'm thinking the real issue with using a single set of probably bought/stolen ID and infecting a few hundred thousand PCs is that you attract just enough attention for the authorities to be motivated to track you down. And unlike cybercriminals attacking mostly Western targets, I doubt they're safely overseas.

How is it done if every WeChat account has to be tied to a real life ID and vouched for by several established users?

Real life IDs can be forged/bought, multiples can be forged to verify others. There is no technical barrier to attacks on this sort of system, only financial barriers.

I've heard this before but I created a WeChat account last week and didn't have to provide anything other than a phone number for a SMS verification code.

In China, when you get a phone number, you have to give them your national ID/身份证. So anything you authenticate with a phone number could be traced back to you.

I created an account last week and had to have my registration verified by an existing user who also had wechat pay enabled.

For anyone saying this is outright dumb, remember they are criminals.

They are probably receiving the money in different, probably years-old, honest accounts, where the real owner is compromised (e.g. hacked, or being coerced under threats to send the payment out as soon as it is received, etc.).

Not seeing this is why developers should not assume they can wear the threat modeler hat.

Also, when you are a B2C like ransomware folks are, it is very hard to make the victim get bitcoins even if their life depends on the data you are holding hostage. Using WeChat in China gets them zero attrition.

Someone's familys going to get a bill for a 9mm pill.

What's the point of this when the money is obviously going to be frozen/seized by the authorities?

Ironically, because of government reach and close technology company collaboration, including significant minority stakes in such companies, it would seem that malware groups operating in China have to be a lot better than their counterparts operating in other countries to remain at large for very long.

Russia is probably the best bet, not China. No extradition and pay FSB their share, and you may have the best chance on earth to get away with these things.

Is that actually the case?

How is any of that relevant when malware authors are from random countries and accept payment via cryptocurrency?

