Network Crack Program Hacker Group

Network Crack Program Hacker (NCPH) Group
Chinese hacker group
Formation: 1994
Type: hacker group
Location: Sichuan Province, China
Membership: 4 core members, approx. 10 members (2006)
Leader: Tan Dailin (Wicked Rose)
Key people: KuNgBim, Charles, Rodag

The Network Crack Program Hacker Group (NCPH Group) is a Chinese hacker group based out of Zigong in Sichuan Province. While the group first gained notoriety after hacking 40% of the hacker association websites in China, their attacks grew in sophistication and notoriety through 2006 and received international media attention in early 2007. iDefense linked the GinWui rootkit, developed by their leader Tan Dailin (Wicked Rose), with attacks on the US Department of Defense in May and June 2006. iDefense also linked the group with many of the 35 zero-day and proof-of-concept exploit codes used in attacks over a period of 90 days during the summer of 2006. They are also known for the remote-network-control programs they offer for download. Wicked Rose announced in a blog post that the group is paid for their work, but the group's sponsor is unknown.

Members

The group had four core members in 2006: Wicked Rose, KuNgBim, Charles, and Rodag, with approximately 10 members in total. The group's current membership is unknown.

Wicked Rose

Wicked Rose, also known as Meigui (玫瑰), is the pseudonym of the Chinese hacker Tan Dailin. He is first noted as a hacker during the "patriotic" attacks of 2001. In 2005, Wicked Rose was contracted by the Sichuan Military Command Communication Department, which instructed him to participate in the Chengdu Military Command Network Attack/Defense Competition. After winning the local competition, he received a month of intense training in simulating attacks, designing hacking tools, and drafting network-infiltration strategies. He and his team represented the Sichuan Military Command in a competition with other provinces, which they went on to win. Wicked Rose is also credited with the development of the GinWui rootkit used in attacks on the US Department of Defense in 2006.

As the group's leader, he is responsible for managing relationships with sponsors and paying NCPH members for their work. In April 2009 he was arrested after committing distributed denial of service attacks on Hackbase, HackerXFiles, and 3800hk, possibly for the purpose of committing blackmail. The organizations attacked collected information on the attacks and turned it in to the public security department. The authorities conducted an investigation and shut down his website. Hackbase reported that Wicked Rose was arrested and faces up to 7 years in prison.

Controversy

The group expelled the hacker WZT on 20 May 2006. Although the cause is unknown, the group ejected him soon after the zero-day attacks were publicly disclosed. WZT was a coding expert within the group.

Associates

A former NCPH member is associated with the Chinese hacker Li0n, the founder of the Honker Union of China (HUC). Wicked Rose credits the Chinese hacker WHG, also known as "fig", as one of the developers of the GinWui rootkit. WHG is an expert in malicious code. Security firms researching Wicked Rose's activities have connected him with the Chinese hacker group Evil Security Team.

Activities

The group is known for the remote-network-control programs it offers for free on its website and for the exploitation of zero-day vulnerabilities in Microsoft Office suite products. After their founding in 2004, the group earned a reputation among hacking groups by hacking 40% of the hacker association websites in China.

GinWui Rootkit

Wicked Rose is the creator of the GinWui rootkit. His code and support posts are on Chinese hacker message boards and were also available from the NCPH blog.

Security researchers discovered the rootkit on 18 May 2006; attackers used it in attacks on the US and Japan. Attackers introduced it to the US in an attack against a Department of Defense entity. They used two different versions of the rootkit in attacks during May and June 2006.

According to F-Secure, GinWui is "a fully featured backdoor with rootkit characteristics." It is distributed through Word documents. The backdoor GinWui creates gives the controlling attacker control over the compromised computer, including the ability to:

Create, read, write, delete, and search for files and directories,
Access and modify the Registry,
Manipulate services,
Start and kill processes,
Get information about the infected computer,
and lock, restart, or shut down Windows, among other activities.

According to Information Systems Security, the rootkit also obtains kernel-level access to "...trap several functions and modify information passed to the user."

Microsoft Office Exploits

iDefense links NCPH with many of the 35 zero-day and proof-of-concept codes used in attacks against Microsoft Office products over a period of 90 days during the summer of 2006 due to the use of malware developed by Wicked Rose and not available in the public domain at the time. The group graduated from their early attacks exploiting only Microsoft Word, and by the end of 2006 they were also using PowerPoint and Excel in attacks. NCPH utilizes these exploits in spear phishing attacks.

Spear Phishing

On his blog, Wicked Rose discussed his preference for spear phishing attacks. First, during the collection phase, information is gathered from open sources or from employee databases or mailboxes on a company's systems. He may also analyse user IDs, which allows him to track and understand their activities. Finally, he conducts the attack using the information collected, so that the target is likely to open the infected document.

Spear phishing attacks attributed to NCPH increased in sophistication over time. While their phishing attacks in the beginning of 2006 targeted large numbers of employees, one attack attributed to the group later that year targeted one individual in a US oil company using socially engineered emails and infected PowerPoint documents.
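The GinWui and spear-phishing passages above describe the delivery vector (a Word, PowerPoint or Excel document that drops a backdoor) without saying how the payload was packaged. The following Python is an added triage example written for this page; it is not code from NCPH, GinWui, or any source cited here. It assumes, as a labelled assumption, that the dropped backdoor sits inside the document as a Win32 PE image, either raw or XOR-encoded with a single-byte key (a common packaging for droppers of that era, but not something the page states about GinWui). It identifies the binary Office container, then scans for such an image, validating the DOS header's e_lfanew pointer against the PE signature so that a stray "MZ" in document text is not reported. All function names are the author's own, and the sample document is constructed inline.

```python
"""Triage an Office document for an embedded PE payload.

Added example for this page; not code from NCPH, GinWui or any cited source.
ASSUMPTION: the dropped backdoor is carried inside the document as a Win32 PE
image, either raw or XOR-encoded with a single-byte key. The page only says
GinWui was distributed through Word documents and does not describe how the
payload was packaged, so this is a triage heuristic, not a GinWui signature.
"""
from __future__ import annotations

import struct

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # binary .doc/.xls/.ppt (Office 97-2003)
OOXML_MAGIC = b"PK\x03\x04"                       # zip-based .docx/.xlsx/.pptx
COFF_MACHINES = {0x014C: "I386", 0x8664: "AMD64", 0x01C0: "ARM", 0xAA64: "ARM64"}


def _validate_pe(buf: bytes) -> dict | None:
    """Return PE details if buf starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if buf[:2] != b"MZ" or len(buf) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    # A stray 'MZ' in text or random data almost never carries a plausible
    # e_lfanew; real linkers keep it small (DOS stub plus optional rich header).
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or e_lfanew + 24 > len(buf):
        return None
    if buf[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine, nsections = struct.unpack_from("<HH", buf, e_lfanew + 4)
    return {"machine": COFF_MACHINES.get(machine, hex(machine)), "sections": nsections}


def find_embedded_pe(data: bytes) -> list[dict]:
    """Locate raw and single-byte-XOR-encoded PE images inside arbitrary bytes."""
    hits = []
    for key in range(256):
        needle = bytes(b ^ key for b in b"MZ")
        start = 0
        while (pos := data.find(needle, start)) != -1:
            start = pos + 1
            # Decode only the window needed to validate this candidate header.
            window = bytes(b ^ key for b in data[pos:pos + 0x1000 + 24])
            info = _validate_pe(window)
            if info:
                hits.append({"offset": pos, "xor_key": key, **info})
    return sorted(hits, key=lambda h: h["offset"])


def triage_office_document(data: bytes) -> dict:
    """Classify the container format and report any PE payload found inside it."""
    if data.startswith(OLE2_MAGIC):
        container = "ole2"
    elif data.startswith(OOXML_MAGIC):
        container = "ooxml"
    else:
        container = "unknown"
    payloads = find_embedded_pe(data)
    return {"container": container, "embedded_pe": payloads, "suspicious": bool(payloads)}


def minimal_pe_stub() -> bytes:
    """Constructed DOS + PE header stub (not a runnable binary) for the sample below."""
    dos = bytearray(b"MZ" + b"\x00" * 0x7E)            # 0x80-byte DOS header + stub area
    struct.pack_into("<I", dos, 0x3C, 0x80)             # e_lfanew -> PE signature at +0x80
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0xE0, 0x010F)  # I386, 3 sections
    return bytes(dos) + b"PE\x00\x00" + coff + b"\x00" * 0x100


def build_sample_document(xor_key: int = 0x5A) -> bytes:
    """Constructed OLE2-looking file carrying an XOR-encoded PE stub (sample input)."""
    header = OLE2_MAGIC + b"\x00" * 504                 # fake 512-byte OLE header
    decoy = b"MZ this is prose, not a binary" + b"\x41" * 1000  # stray 'MZ' in text
    payload = bytes(b ^ xor_key for b in minimal_pe_stub())
    return header + decoy + payload + b"\x00" * 64


if __name__ == "__main__":
    result = triage_office_document(build_sample_document())
    print(result["container"], result["suspicious"])
    for hit in result["embedded_pe"]:
        print(f"PE at offset {hit['offset']} xor_key=0x{hit['xor_key']:02x} "
              f"machine={hit['machine']} sections={hit['sections']}")
```

Exploit documents that carry only shellcode and fetch the backdoor over the network, or that pack the payload with anything stronger than a single-byte XOR, will not be caught by this scan; it is a first-pass filter to run on mail attachments before sandbox detonation or a format-specific parser, not a replacement for either.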
Sponsorship

After winning the military network attack/defense competition, the group obtained a sponsor who paid them 2000 RMB per month. iDefense believes their sponsor is likely the People's Liberation Army (PLA) but has no definitive evidence to support this claim. After the 2006 attacks took place, their sponsor increased their pay to 5000 RMB. The group's current sponsor is unknown.

Media coverage

Time reporter Simon Elegant interviewed eight members of the group in December 2007 as part of an article on Chinese government cyber operations against the US government. During the interview the members referred to each other using code names. Security firm iDefense has published reports on the group and their exploits and devoted a webinar to the group, their capabilities, and their relationships with other Chinese hackers. Scott Henderson, Chinese linguistics and Chinese hacker expert, has also devoted several blog posts to the group and their ongoing activities.

Blogging

All four core members of the group have blogged about their activities at one point or another. The group's blog, NCPH.net, also offered network-infiltration programs for download. Scott Henderson describes Wicked Rose's early blog posts as "the most revealing and damning thing I have ever seen a Chinese hacker write." After the interview with the Time reporter, Wicked Rose took down the group's blog and his own blog. In July 2008 the group's blog returned, but with modified content. Withered Rose (as The Dark Visitor refers to Wicked Rose) also began blogging again, saying he was busy during the time the blog was down, but that his new job allows him more time to blog. Chinese officials removed both blogs after his arrest in April 2009. Rodag also blogs, but the most recent post is from August 2008. His last post is on IE vulnerabilities that attackers can use to exploit a user's desktop.

See also

Honker Union

References

1. "Archived copy". Archived from the original on 2011-08-16. Retrieved 2011-01-25.
2. "Enemies at The Firewall". TIME.
3. "The Dark Visitor » A Rose by Any Other Name…Sometimes, Not So Sweet!". Archived from the original on 2010-07-13. Retrieved 2010-02-19.
4. "Webcast: China's Wicked Rose and the NCPH Hacking Group". Security4all - Dedicated to digital security, enterprise 2.0 and presentation skills.
5. "The Dark Visitor » Withered Rose…law done come and got him". Archived from the original on 2010-06-23. Retrieved 2010-02-19.
6. “玫瑰黑客”网络犯罪团伙网站已被查封 ("The 'Rose Hacker' cybercrime gang's website has been shut down"). 资讯 (News), 黑基网 (Hackbase). Archived 2010-01-06 at the Wayback Machine.
7. "Threat Description: Ginwui.A". F-Secure.
8. Dunham, Ken (Dec 2006). "Year of the Rootkit". Information Systems Security. 15 (6). New York: Taylor & Francis Ltd.: 2–6. doi:10.1080/10658980601051797. ISSN 1065-898X. S2CID 20293217. ProQuest 229563212.
9. "The Dark Visitor » Chinese hacker Withered Rose returns". Archived from the original on 2010-09-09. Retrieved 2010-02-19.
10. Rodag's blog (rodag.blogbus.com), via Google Translate: http://translate.googleusercontent.com/translate_c?hl=en&sl=zh-CN&u=http://rodag.blogbus.com/&prev=/search%3Fq%3D%2522Rodag%2522%2BNCPH%26hl%3Den%26client%3Dfirefox-a%26rls%3Dorg.mozilla:en-US:official%26sa%3DN%26start%3D10&rurl=translate.google.com&usg=ALkJrhjw6MkFKtUDy7hEQmRqzlEPcW5t8w

Further reading

Ken Dunham; Jim Melnick (November 2012). ""Wicked Rose" and the NCPH Hacking Group" (PDF). KrebsOnSecurity.

External links

link to the iDefense Webcast (Internet Explorer only)
The Dark Visitor
Enemies At The Firewall

Categories: Hacker groups, Hacking (computer security), Malware
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.