Slammer Source Code Provides Clues - [Chinese hackers]

EWeek.com ^ | January 27, 2003 | Dennis Fisher

[HAL9000]

As corporate IT departments go about the business of cleaning up their networks, there are strong indications that the SQL Slammer worm that brought down portions of the Internet over the weekend is based on the work of an obscure Chinese cracking group.

[twntaipan]

When this all sorts out I think they will note that the attack actually began in Asia on Friday (local time). I live in Taiwan and noticed a decided slow down in the Internet beginning about noon on Friday.

[GovernmentShrinker]

Is it my tinfoil hat showing, or would it be impossible for this Honkers group to be doing what it's doing from inside China without the full support of the Chinese government?

[xrp]

No...try as they might, no government, not even the Chinese government, can restrain determined people in accessing their Internet.

It could have been as simple as establishing a session to a willing or unwilling host outside of China and firing off the worm.

[boris]

Disconnect China from the web?

[twntaipan]

No, I don't think they could be doing it without at least some protection from someone at some level of government. There are more than 40,000 people employeed by the PRC government to monitor and clamp down on Internet activities (most specifically anything related to dissent, but that includes access to most Western news cites; CNN is allowed for reasons you can probably figure).

[twntaipan]

You are probably right about finding a willing site outside of China. But the majority of hacking/viri writing is associated mostly with a university in the south of China, about an hour from Hong Kong. I believe the university is FuoShan University.

[cryptical]

All it took to get the ball rolling was a single UDP packet. Not that hard to get out, even if the government is stringently monitoring the net. Remember, UDP is connectionless, so spoofing the originator makes it hard to determine the origin past a couple of hops.

[twntaipan]

But clues in the code have, apparently, been used to trace it back to the probable source. Triads (Chinese gangs) are reported to have invested heavily in hacking for their own purposes. Those gangs exist only because they are allowed to in China.

[edwin hubble]

http://call.army.mil/fmso/fmsopubs/issues/china_electric/china_electric.htm

This is a dot-mil army site on Chinese gov't electronic warfare.

There is no confusion about the source of these attacks.
This is not the first or the last. They are experimenting.

[tallhappy]

Yes. I figured this one was from Chinese military as well as earlier ones. Not surprised to see it confirmed.

It is part of their program on asymetrical warfare. They are sponsored by the Chinese government.