Joe Stewart begins at 6:30 am in Myrtle Beach, SC, with a peanut butter sandwich, a sugar-free Red Bull, and 50,000 or more pieces of malware waiting in his e-mail inbox. Stewart, 42, is the director of malware research at Dell SecureWorks, a unit of Dell (DELL), and he spends his days hunting Internet spies. Malware is a blanket term for malicious software that gives hackers control of your computer; clients and fellow researchers keep sending Stewart suspicious specimens harvested from attacked networks. His job is to sort through the toxic haul and separate what he has seen before from what is new: He is looking for things like software that could let hackers break into a database, take over security cameras, or monitor e-mail.

Within the industry, Stewart is well known. In 2003 he unraveled one of the first spam botnets, which let hackers commandeer tens of thousands of computers at once and order them to stuff inboxes with millions of unwanted e-mails. He spent a decade helping to keep criminals out of online bank accounts and the like. In 2011, Stewart turned his sights on China. "I thought it would take two months," he said. Two years later, identifying Chinese malware and developing countermeasures against it is pretty much all he does.

Computer attacks from China occasionally cause a flurry of news, as did last month's hack of the New York Times (NYT). The previous wave of media attention crested in 2010, when Google (GOOG) and Intel (INTC) announced they had been hacked. But the reports do not convey the unrelenting nature of the attacks. This is not a matter of isolated incidents; it is an ongoing invasion.
Malware from China has flooded the Internet, targeting Fortune 500 companies, technology startups, government agencies, news organizations, embassies, universities, law firms, and anyone else with intellectual property worth protecting. A new set of secret intelligence assessments described this month in the Washington Post found that the U.S. is the target of a massive and sustained computer espionage campaign from China that threatens the U.S. economy. With the possible exception of the U.S. Department of Defense and a small number of three-letter agencies, the victims are outmatched by an adversary with vast resources and a long head start.

Stewart said he has met more and more people who share his focus on China, some of whom do not want to be publicly known, either because of the sensitivity of the data their companies handle or because they fear repercussions from the mainland. Stewart is unusual in his willingness to share his findings with other researchers. His motivation is part obsession with solving the puzzle, part sense of fair play. "I see the U.S. economy going south, with high unemployment and all that, and good companies being pressed by China ... I just don't like it," he said. "If they do it fair and square, more power to them. But to cheat is another thing."

Stewart tracks about 24,000 domains on the Internet that he says Chinese spies have leased or hacked for the purpose of espionage. They include a marketing firm in Texas and a private site owned by a prominent political figure in Washington. He catalogs the malware he sees into categories, each usually associated with a particular hacking team in China. He said 10 teams have deployed more than 300 malware groups, double the number of 10 months ago. "There's a large amount of manpower being thrown at it from their side," he said.
Investigators at dozens of commercial security companies suspect that many if not most of the hackers are either military or work under the command or supervision of Chinese intelligence organizations. In general, they say, the attacks are too organized and too wide-ranging to be the work of freelancers. Secret diplomatic cables published by WikiLeaks connected the well-publicized Google hack to Politburo officials, and the U.S. government has long held classified intelligence linking some hacking attacks to the People's Liberation Army (PLA), according to former intelligence officials. There is no public evidence, however, and the authorities in China have for years denied any involvement.

Until now, private-sector researchers like Stewart have had little success putting a face to the hacks. There are cryptic clues left behind, an alias used to register a domain, an old online profile, or a post to a discussion board, that offer a glimpse of the hackers' work but rarely identify them. Sometimes, though, the hackers make mistakes. Recently, one hacker's mistake led a reporter right to his door.

Stewart works in a bleak gray building surrounded by barbed wire. A small sign identifies the key-locked door as Dell SecureWorks. Alongside other researchers, Stewart operates a patchwork of more than 30 computers that fill a small room. When he examines a malware sample, he alternates between a screen full of data and a whiteboard where he writes technical notes on Chinese intelligence agencies.
The computers in the Myrtle Beach office run mostly programs Stewart wrote himself to carve up malware and tell whether he is dealing with a variation of old code or something completely new. As the computers break down the code, Stewart looks for signature tricks that help him recognize the work of a writer or a team, much as a handwriting analyst compares the unique slant and curve of individual letters. It is hard, technical work that would numb or confuse most people, but not Stewart. He lives for uncovering the pattern. After work, he relaxes with a 15-minute session on a drum kit, playing the same phrases over and over.

Most of the work is understanding how the malware was developed, which Stewart does at an impressive level of detail. He can tell the computer language in which it is coded, which helps him distinguish malware written by a Russian crime syndicate from that used by Chinese spies. The most important thing he does, however, is work out who or what the software is talking to. Once on a computer, malware is set to signal a server or servers scattered around the world, looking for additional commands. This is known in the information-security business as "phoning home." Stewart and his fellow detectives have found tens of thousands of domains, known as command-and-control nodes, from which hackers direct their attacks.

Discovering command nodes dramatically improves Stewart's tone of voice; it is about as much excitement as he shows visitors. When a company that is being hacked knows the Internet Protocol (IP) address of a command node, it can shut down all communications to that address. "Our main goal is to learn about the tools and strategies and malware they use, so that we can prevent it," said Stewart.
The Internet is like a map, and every IP point on the map belongs to someone whose name and address are recorded in a registry. Spies, naturally, tend not to use their real names, and for the majority of the Internet addresses Stewart evaluates, the identifying details are obviously fake. But there are ways to get at the truth. In March 2011, Stewart was evaluating a piece of malware that looked different from the work of Russian or Eastern European identity thieves. As he began to explore the command node connected to the suspicious code, Stewart realized that since 2004 about a dozen domains had been registered under one or two of the same names, Tawnya Grilth or Eric Charles, both listing the same two Hotmail accounts and usually a city in California. Some listed the city as Sin Digoo, an apparent misspelling of San Diego.

Some also pointed to addresses tied to Chinese espionage campaigns documented by other researchers. They were part of a block of approximately 2,000 addresses owned by China Unicom (CHU), one of the nation's largest Internet service providers. Stewart's hunt led him to this group of addresses again and again, and he believes they are used by one of China's two top digital-spying teams, which he calls the Beijing Group. That is about as far as Stewart and his fellow detectives usually get: the places and groups can be real, but the individual hackers remain hidden. Over the next few months, however, he had some good fortune.

Tawnya Grilth had registered a command node using the URL dellpc.us. That was a little too close to the name of Stewart's employer. So Stewart contacted Icann (Internet Corporation for Assigned Names and Numbers), the organization that oversees Internet addresses and adjudicates disputes over domain names. Stewart argued that by using the word Dell, the hackers were violating his employer's trademark. Grilth never answered, Icann agreed with Stewart, and it handed over control of the domain. By November 2011 he could see hacked computers calling home from around the world; he was watching an active espionage campaign unfold.
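The two techniques described above, pivoting on shared registrant names and e-mail accounts to tie a group of domains together, and then spotting infected machines "phoning home" to those domains in outbound traffic, as an added example that is not code from the article or from SecureWorks. Every WHOIS record, domain, registrant identity and proxy-log line below is a constructed placeholder, not the real values on the page.

```python
"""Pivot on shared registrant details across WHOIS records, then flag
outbound connections to the resulting command-and-control domains.
Added example, not from the article or SecureWorks; every record, domain,
identity and log line below is a constructed placeholder."""
from collections import defaultdict
import re

# Constructed WHOIS-style records. Two aliases share one contact e-mail and
# one alias reuses a name, the kind of overlap a registrant pivot surfaces.
WHOIS_RECORDS = [
    {"domain": "update-check.example", "name": "Alias One", "email": "alias-one@example.com"},
    {"domain": "mail-relay.example", "name": "Alias Two", "email": "alias-one@example.com"},
    {"domain": "cdn-static.example", "name": "Alias One", "email": "alias-two@example.com"},
    {"domain": "legit-shop.example", "name": "Shop Owner", "email": "owner@shop.example"},
]

def cluster_by_registrant(records):
    """Group domains whose records share a registrant name or e-mail,
    using union-find so that name<->e-mail<->name chains join too."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for r in records:
        name, email = "name:" + r["name"].lower(), "email:" + r["email"].lower()
        parent[find(name)] = find(email)
        parent[find("domain:" + r["domain"])] = find(email)
    clusters = defaultdict(set)
    for r in records:
        clusters[find("domain:" + r["domain"])].add(r["domain"])
    # Only clusters linking more than one domain are interesting; sort for stability.
    return sorted(sorted(c) for c in clusters.values() if len(c) > 1)

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
PROXY_LOG = """\
2012-01-10T08:01:22Z 10.0.0.14 GET http://update-check.example/cmd 200
2012-01-10T08:01:25Z 10.0.0.14 GET http://www.example.org/ 200
2012-01-10T08:03:41Z 10.0.0.27 GET http://cdn-static.example/beacon 200
2012-01-10T08:04:09Z 10.0.0.31 GET http://legit-shop.example/ 200
2012-01-10T08:05:00Z 10.0.0.14 POST http://beacon.mail-relay.example/up 200"""

def find_phone_home(log_text, c2_domains):
    """Return (client_ip, host) pairs that contacted a C2 domain or any
    of its subdomains; the host is parsed from the request URL."""
    c2 = {d.lower() for d in c2_domains}
    hits = []
    for line in log_text.splitlines():
        m = re.match(r"\S+ (\S+) \S+ https?://([^/\s:]+)", line)
        if not m:
            continue
        client, host = m.group(1), m.group(2).lower()
        if host in c2 or any(host.endswith("." + d) for d in c2):
            hits.append((client, host))
    return hits
```

Feeding each linked cluster from `cluster_by_registrant` into `find_phone_home` yields the internal hosts that beaconed to that cluster, which is the list a defender would hand to the proxy or firewall team to block.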
He monitored the activity for three months, slowly identifying the victims' computers. By January 2012, Stewart had mapped 200 compromised machines around the world. Many were in government ministries in Vietnam, Brunei, and Myanmar, as well as at oil companies, newspapers, a nuclear safety agency, and embassies in mainland China. Stewart said he had never seen such a wide range of targets focused on the countries of Southeast Asia. He expanded his search to IP addresses registered by Tawnya Grilth or "her" e-mail, jeno_1980@hotmail.com, and found a few more. Another listed the contact xxgchappy. The new addresses led to more links, including posts about malware strategies on discussion forums and on the website rootkit.com, a malware repository where researchers from around the world learn hacking techniques.
Then Stewart discovered something more unusual: One of the domains hosted an actual business, which offered, for a fee, to generate positive posts and "likes" on social networking sites like Twitter and Facebook (FB). Stewart found a profile under the name Tawnya on the hacker forum BlackHatWorld promoting the website, and a PayPal (eBay) account that collected the fees and channeled them into a Gmail account that included the surname Zhang. Stewart marveled that a hacker would let his personal life intrude to such a degree.

In February 2012, Stewart published a 19-page report on the SecureWorks site to coincide with the RSA Conference in San Francisco, one of the biggest events in the security industry. He prefaced it with an epigraph from Sun Tzu's The Art of War: "We cannot enter into alliances until we are acquainted with the designs of our neighbors and the plans of our enemies." Stewart was not chasing Zhang. His work was done. He had learned enough to protect his customers and moved on to other pieces of malware. But the report generated interest in the security world, because traces of a hacker's identity are so hard to find. In particular, Stewart's work attracted another researcher, who immediately took up the challenge of unmasking Tawnya Grilth. That was a 33-year-old researcher who blogs under the name Cyb3rsleuth, an identity he says he keeps separate from the intelligence work he does for an India-based computer company. He asked that his name not be used, to avoid unwanted attention, including hacking attempts on his company.

Cyb3rsleuth said he had previously uncovered the identities of Eastern European hackers and submitted information on two individuals to government authorities. Stewart's work inspired him to make his findings public, and he said he hopes that digging out more details about individual hackers will give governments the evidence they need to take action. Hackers are people, and people make mistakes, so it is possible to find connections that lead to an identity, Cyb3rsleuth said.
Building on the groundwork Stewart had laid, Cyb3rsleuth opened a window into Tawnya Grilth's world. There were posts on a car forum, an account on a Chinese hacker site, and personal photos, including one showing a man and a woman bundled up against the wind with what looks like a pagoda at a tourist site in the background.

Cyb3rsleuth followed the hacker's attempts to drum up business for the social media campaign service, through aliases and forums tied to the Hotmail account. Finally he stumbled onto a second business, this one with a physical location. The company, Henan Mobile Network, wholesales cell phones, according to business directories and online promotional posts. The shop's website was registered with the Jeno Hotmail account and the Eric Charles pseudonym.

Cyb3rsleuth checked Chinese online business directories for technology companies and found not just a telephone number for the company but also a contact's name, Zhang, and an address in Zhengzhou, a city of more than 8 million in Henan, a province in central China. The directory listing gave three account numbers for the Chinese instant messaging service called QQ. The service works along the lines of MSN Messenger, with each account assigned a unique number. One of the accounts used an alternative e-mail that included xxgchappy, and its registered line of work was "education."
Putting the e-mail into a Chinese search engine, Cyb3rsleuth discovered that it was also registered at Kaixin001.com, a Chinese Facebook-style site, by a Zhang Changhe of Zhengzhou. Zhang's Kaixin profile image was a lotus blossom, a traditional Buddhist symbol. Following the QQ account, Cyb3rsleuth found a related blog, again with a Buddha-themed profile picture, whose user goes by Changhe, pronounced the same as the given name of the Kaixin user although written with different characters. The blog's content includes reflections on Buddhism, among them a post written in Chinese and titled "Repentance": "It is January 31, 2012 now, and I have been a convert to Buddhism for nearly five years. In the last five years, I have broken all of the Five Precepts: not killing living beings, not stealing, no sexual misconduct, no lying, and no alcohol, and I feel very sorry." In the middle of the list of sins, between a lack of compassion and lies, is No. 4: "I constantly and shamelessly steal, and I wish I could stop in the future."
The same QQ number appears on the auto forum xCar, where the user is listed as a member of a club for owners of the Dongfeng Peugeot 307, a sporty four-door popular among China's emerging middle class, and where the user asks, around 2007, about buying a license plate on the spot. In the pictures from the special-plate thread, taken in 2009, Zhang stands on a beach, squinting in the sun with the waves at his back, holding hands with a woman the caption says is his wife, and poses at the same pagoda. He is young, with thick hair cut short and a round face.

In March, Cyb3rsleuth published what he had found on his personal blog, hoping that governments, the research community, or some of the many victims of hacking would take notice. He says there has been no response so far. Still, he was happy. He had found the face of a ghost, he said.

Zhengzhou sprawls near the Yellow River in Henan province. The city government's website describes it, for the kung fu fans passing through on their way to the Shaolin Temple, the center of Buddhism and martial arts 56 km to the southwest, as "a prime example of a very rapidly changing China (without the minor tourism clutter)." The city also serves as a colossal transit hub for moving people and goods by train to other regions throughout China.
A tan, seven-story building with a dirty facade and red characters reading Central Plains Communications Digital City stands about 500 meters' walk south of the central train station. The building is full of small shops, many of them selling electronics. The address listed for Zhang's phone business is on the fourth floor, room A420.

Under dim fluorescent lights, two young employees told reporters they did not know Zhang Changhe or Henan Mobile Network. The building's commercial manager, Wang Yan, said the previous tenant of A420 moved out three years ago; she said she did not know what the business did, except that the owner was not there often and did not last long.

Chinese-language Google searches turn up links to several academic papers co-written by Zhang Changhe. One, from 2005, dealt with a computer espionage technique. He also contributed to a 2007 study of Windows rootkits, a sophisticated hacker strategy. In 2011, Zhang co-wrote an analysis of the types of security vulnerabilities in computer memory and the attack vectors for them. That paper identified Zhang as working with the PLA Information Engineering University. The institute is one of China's major centers for electronic intelligence, where professors train junior officers to serve in operations throughout China, said Mark Stokes of the Project 2049 Institute, a think tank in Washington. It is as if the U.S. National Security Agency had a university.
The gated campus of the PLA Information Engineering University in Zhengzhou is about four miles north of Zhang Changhe's mobile-phone store. The main entrance sits at the end of a tree-lined road, and uniformed men and women come and go, with guards checking vehicles and identification cards. Reached on the phone number listed on the QQ blog, Zhang confirmed his identity as a teacher at the university, adding that he was away from Zhengzhou on a work trip. Asked whether he still ran the Henan phone business, he said: "No, sorry." About the link to the hacking and the command node domain, Zhang said: "I'm not sure." About what he teaches at the university: "It's not convenient for me to talk about it." He denied working for the government, said he would not answer further questions about his work, and hung up.

Stewart continues to turn up clues pointing to Zhang's involvement in computer network intrusions. A piece of malware SecureWorks discovered last year and named Mirage infected more than 100 computers, especially in Taiwan and the Philippines. One of the domains that commanded it was owned by Tawnya Grilth. Late last year, Stewart saw malware hit Russian and Ukrainian defense targets. Among the samples of that type of malware he could find in his database was one that phoned home to the command node AlexaUp.info. The billing name used for the registration: Zhang Changhe. Stewart says Zhang is affiliated with the Beijing Group, which may involve dozens of people, from managers of the command infrastructure to programmers to translators of stolen documents and data. As Stewart discusses it, his voice is flat. He is realistic. Unmasking one member of the team does not stop Chinese hackers from breaking into computers. Zhang is a cog in a larger machine, and given how big China's operation has become, finding more Zhangs is not likely to get any easier. The point, Stewart figures, is to show enough evidence that eventually the Chinese government can no longer deny its role.
"It may take a few more years, as the weight of reports piles up such strong evidence that it becomes ridiculous, and they say, 'Oh, this is us,'" said Stewart. "I don't know that they would stop, but I want to make it more difficult for them to go on."