A preamble to a computer worm

I recently downloaded the source-code for 30 Chinese computer worms and Trojan horses. The code makes for interesting reading, but the comments are all in the GB2312 character set, so I have to convert to UTF-8 in order to read them.

When these things first appeared in the wild, they had a deliberate anonymity. Their original developers had given them names like Golden Pig and Chinese Vampire, and adorned their code with comments to describe and explain their effects. But before releasing them, the developers stripped them of all of their identifying and explanatory information, and sent them out into the world nameless and unexplained.

Those who discovered and analyzed them gave them new names. They disassembled their code, but they couldn't recreate the comments and non-semantic details that the original developers created.

It is interesting to look at the original source code for some of these things, for the subtle details you would not see in disassembled code. In this post, I will just give the preamble that appears at the top of one source file that is part of something the author called the Chinese Vampire, written in 2008. Reading this feels kind of like reading the mummy's curse.

Chinese Vampire Source Code
Author: God of the Black Net
After you buy the source code, please do not casually distribute it. Please treasure the product of the author's labor.
If you get lost in the code, the coding style and comments are not generally to blame. Those that I have already changed are very good, quite clear and easy to understand.

It does not use any C++, just simple C code, but edit it using VC++6.0. Once you edit it, you can use it. It has already passed hundreds of tests, so it is quite perfect, and there is no need to edit it very much.
If you can't get rid of it, contact the author and ask for a special killer.

This comment reveals a couple of interesting details about the Chinese Hacker world, at least as it was in 2008 (six years ago, now). First, the Chinese Vampire was for sale, a stock tool that could be purchased and customized. Second, there was an expectation that the author should be remunerated for his hard work.

A brief history of Chinese hacking: Part III

(The following draws extensively from an online text titled "The Record of X on the Rise of the Chinese Hacker", supplemented from other sources.)

In the last two posts, I have mentioned two galvanizing events for the Red Hacker movement: Violence against ethnic Chinese in Indonesia; and the NATO bombing of the Chinese embassy in Belgrade.

Two months after the bombing of the embassy in Belgrade, the government of Taiwan announced a 'Two States' policy, which undermined the long-held idea that China and Taiwan were a single country suffering a temporary disunion. Seasoned by the 1998 action against Indonesia and the May 1999 action against the United States, the Red Hacker apparatus was ready to turn and defend the honor of the motherland on the battlefield of Taiwan's networks.

They attacked the website of the Executive Yuan of Taiwan, as well as many other websites, deploying newly developed tools like Glacier (冰河, a trojan horse) for the first time, and NetSpy (a tool for uploading and downloading files from a server, apparently).

In 2000, the number of internet cafes mushroomed, and the hacker spectrum broadened. The old Black Hackers were still around, but the ready availability of technology led to a large number of careless, headstrong and unskilled teenagers pursuing the black hacker path. These "script kiddies" were nicknamed the Little Blacks (小黑黑) by an influential female hacker of the time named Wollf.

Alongside the Black and Red hackers, there also arose Blue Hackers (篮客, lán kè), who were relatively unconcerned with cheap tricks and politics, and intensely passionate about computer security.

In 2001, after the South China Sea collision incident, a small American hacker group called PoizonBOx defaced at least a hundred Chinese websites, and reportedly 80,000 Chinese hackers returned fire beginning on May 4. Most of these were unskilled script kiddies, so the damage done did not reflect their large numbers, and some considered the action to be a farce. As far as I can tell, 100-600 websites were vandalized, and the White House website suffered a DOS attack that blocked access from May 4 to May 8.

In the years between 2000 and 2002, Chinese hackers created and released the Code Red, Code Blue and nimda computer worms. But many also undertook a serious discussion of the ethical dimensions of hacking, and of hacking culture. They began to discover and publish their own findings on network and software vulnerabilities, which have been picked up by international security research organizations.

A brief history of Chinese hacking: Part II

(The following draws extensively from an online text titled "The Record of X on the Rise of the Chinese Hacker", supplemented from other sources.)

I ended the last post with the emergence of the Chinese hacktivist alliance in response to violence against ethnic Chinese in Indonesia in 1998. This era also saw the emergence of the Green Corps and the Chinese Green League. (I'm not sure what the significance of the color "green" is in these names, but I wonder if it doesn't relate to the color of CRT screens).

Webpages discussing the technical details of hacking began to proliferate, and Chinese hackers eagerly undertook to study the relevant technologies. The most famous hacker of this period may have been Xiǎo Róng (小榕), creator of tools like Stream of Light (流光, a vulnerability scanner), Tracing Snow (溯雪, a password cracker) and Chaos Knife (乱刀).

1999 saw a dramatic increase in the number of internet users in China, and it also saw the NATO bombing of the Chinese embassy in Belgrade, which many Chinese saw as a deliberate act of retribution on the part of the United States for China's criticism of NATO action in Yugoslavia.

The second day after the bombing of the Chinese embassy in Belgrade, the first Red Hacker website was born, initially called the Chinese Hacker's Rallying Point for the Motherland (中国红客之祖国团结阵线), and later renamed the Chinese Hacker's United Front for the Motherland (中国红客之祖国统一战线).

This site drew intense interest from Chinese citizens around the world, and the Red Hackers carried out widespread attacks on American websites and email servers.

Hacking tools created in this period included NetSpy (inspired by Cult of the Dead Cow's Back Orifice), Glacier (冰河, a trojan horse), Black Hole (黑洞), Network Thief (网络神偷), Gray Dove (灰鸽子), XSan and YAI.

Glacier, Black Hole and Network Thief are still considered by many to be essential tools for the Chinese hacker. "Official" development of Glacier has ceased, but users have forked off many versions of their own.

A brief history of Chinese hacking: Part I

(The following draws extensively from an online text titled "The Record of X on the Rise of the Chinese Hacker", supplemented from other sources.)

China's earliest online community arose in the mid-1990s, with a small number of people using PCs and dial-ups to interact with each other on bulletin-board systems. Between 1994 and 1996, BBS servers proliferated in major Chinese cities, and interest in copying software and breaking license controls on software also grew, creating the first generation of Chinese hackers.

Internet access came to China in 1996, and the BBS culture moved from dial-ups and isolated servers to the internet. It is interesting to me that the BBS format is incredibly prevalent on Chinese websites today, while they have been basically replaced by social networks in America. It was during this period that a man named Gao Chunhui created the first personal website in China, and it is said that his personal site at that time was dedicated to the topic of breaking software registration controls.

This era also saw a brief period of phreaking (电话飞客), but advances in telecom technology rapidly put an end to that.

In 1998, a Taiwanese student named Chen Ing-Hau released the Chernobyl virus, which caused billions in economic damage in mainland China. Because the author was a Taiwanese student, some Chinese users perceived the damage done by the Chernobyl virus as a politically motivated attack.

Also in 1998, amid the deepening Asian Financial Crisis, there was widespread violence against ethnic Chinese in Indonesia. Chinese internet users formed teams that flooded Indonesian government email accounts, and they tried to bring down Indonesian websites with ping-based DOS attacks. In order to coordinate these attacks, a group was formed called the Chinese Hacker Emergency Meeting Center (中国黑客紧急会议中心). This might be considered the first Chinese hacktivist alliance.

So, from the very beginning, Chinese hacking has been closely tied to nationalist sentiments.

The proper names of the saha islands

In a couple of recent posts, I've been gnawing on the names of some islands at the mouth of the Tumen river, where the word saha appears to mean "island".

Initially I was working from European maps, which alternated between saba and saha, and I had thought that the word must be saba.

However, today I remembered a volume at the Bibliothèque national de France containing a long list of Manchu place names. I skimmed through it, and managed to find the page shown below, which now allows me to give the proper names for the islands, as transcribed from Manchu script.

The islands listed on Danville's map are (from South to North) Taitou saha, Siské loun, Tayam ou saha, Sarbatchou saba, Mama saba, and Youanga toun. The names, as transcribed from the page below in Manchu script, are Daidu saha, Sishe tun, Dayanggū saha, Sarbacu saha, Mama saha and Yohangga tun (not shown on this page, but on a later page).

Also listed on this page is a river called Fiya bira (bira meaning "river"), which bears a passing resemblance to the ethnic name Fiyaka.

A possible candidate for the saha-islanders

In my last post I remarked on the word saha, apparently meaning "island" in the names of some islands just north of the mouth of the Tumen river.  As far as I can tell, this is not a word in a known language of the area.

In this post, I will propose two possible candidate ethnic groups for the speakers of that language. The following text is a Manchu-language description of groups of people called Fiyaka and Kiyakara who brought tribute to the Qing:

fiyaka, fiyaka sunggari ulai dergi ergi ten i bade bi, mederi tun i jakarame son son i tembi. nimaha butame gurgu buthašame banjimbi. hahasi hehesi gemu indahūn sukū be etuku arafi etumbi. juwari forgon de nimaha sukū i arambi. banin doksin becunure de amuran. tucire dosire de kemuni jeyengge agūra gaifi yabumbi. aniyadari seke jafambi.

kiyakara, kiyakara huncun mederi, jai fucin yose i jergi birai biturame son son i tembi. haha hehe gemu ferten de muheren etufi jurhun isire menggun teišun i araha niyalma be miyamigan obume tuhebumbi. hahasi buhū i sukū be mahala arambi. bosoi etuku etumbi. bethe niohušulembi. hehesi funiyehe be tuhebume, sifikū sifirakū, adasun de halai hacin i šeoleme wangnambi. boo ūlen jahūdai weihu be gemu alan i weilembi. ese asu baitalame bahanarakū. nimaha šakarame gurgušeme banjimbi. banitai heolen sula iktambume asaraha hacin akū. ceni ba i ici gisurere be kiyakaratambi sembi. aniyadari seke jafambi.

"The Fiyaka. The Fiyaka are in the high places on the east side of the Sunggari river. They are scattered along the island(s) of the sea. They make their living fishing and hunting. Men and women all make and wear clothing of dog skins. In the summer they make them from fish skins. By nature they are cruel and they love to fight. When they are out and about they walk carrying bladed spears. Every year they bring sable as tribute.

"The Kiyakara. The Kiyakara are scattered along the Hunchun Sea, and along such rivers as Fucin and Yose. The men and women all wear rings in their noses, and hang figurines as ornaments made of silver and copper as much as an inch long. The men make hats from deerskin, wear cloth, and go barefoot. The women let their hair down, and do not wear hairpins. They embroider their lapels with all kinds of different designs. They make every kind of house and boat from birch bark. They do not know how to use nets. They make their living by spearing fish and hunting. They are naturally lazy and idle, and do not customarily accumulate and set aside stores. The speech of their land is called kiyakaratambi. Every year they bring sable as tribute."

The Fiyaka and Kiyakara occupied similar territories, as far as I can tell. Both groups are now said to have been Tungusic, but I think the evidence for this is based largely on the fact that Tungusic speakers are known to have lived in the areas they inhabited. The same section of the tribute records also mentions Nanai (heje) and Udeghe (nadan hala), as well as non-Tungusic Ainu (guye or kuye) and Nivkh (kilen).

In what language does saha mean "island"?

This evening, I have been poring over Danville's beautiful 18th century map of Korea and Manchuria, looking at the tangled area where Korean toponyms give way to Manchu/Jurchen (and other non-Korean) toponyms.

I started out hunting for two places called (in Manchu) ehe kuren and gūnaka kuren, which I expect to find on Danville's map with a spelling like *eghe couren, *counaca couren. I have not found them yet, but I have found something else that is interesting.

All along the Korean coast, small islands are given names ending in tao, which no doubt corresponds to Chinese 島, "island" (Mandarin dǎo).

Some Korean islands with names ending in "tao"

Along the Japanese coast, of course, we have small islands whose names end in sima, corresponding to the Japanese word shima, "island".

Some Japanese islands with names ending in "sima"

But at the mouth of the Tumen river, there is something I did not expect. Some of the islands have names ending in toun, which must be Manchu tun, "island", and some have names in loun, which I am certain is a scribal error for toun. But others have names in saba and saha, which I don't recognize.

A mix of islands with names ending in "toun/loun" and "saba/saha"

I expect saha is a scribal error for saba, because I see the same error in the name of one of the tributaries of the Tumen, called Cahari at one point and Cabari at another. It is more likely that the correct form is saba because intervocalic -h- is rare in these place names, being usually represented by -kh- or -gh-. But in what language does saba mean island?

Note 3 February 2014: It turns out I was wrong. The word is saha, as I note in a later post. I've corrected the remainder of this post.

The major language families of the area (broadly speaking) are Tungusic, Japonic, Korean, Nivkh, Ainu, Mongolic and Chinese. Of all of these, the only thing I have found so far that looks similar is Korean seom 섬, "island", which really looks closer to Japanese shima, as far as I know.

It looks like there is a somewhat large island called mama saha, and a smaller one called sarbatchou saha. Given similar island names throughout the world, it would not surprise me if these are "mother island" and "daughter island", so maybe that is a place to start.

In Manchu, sargan means "woman" or "wife", and sargan jui means daughter. However, Tsintsius lists this as a Manchu morpheme only, not attested in other Tungusic languages, so it falls into what I call the "enigmatic vocabulary" of Manchu: common words with no known origin.

I have often felt that the enigmatic vocabulary of Manchu provides evidence of close contact between the ancestors of the Jurchens and speakers of an otherwise unattested language. Under this theory, words like sargan would have been loaned into Manchu from the other language, which then disappeared. If sarbatchou saha really does mean "daughter island", perhaps it comes from the same source language, or a close relative.

A close study of the place names in Danville's map may lead to more interesting discoveries.

North Korea: Nomadic Empire in a Bottle

I've been trying to understand North Korea lately.  It occurred to me last night that North Korea is a lot like a nomadic empire, but one that is so constrained geographically and politically that it cannot expand.  I wonder how it will evolve.

If you read the secret histories of the Mongols and the Manchus, you find that Genghis Khan and Nurhaci rose to power in similar ways.  Each one felt betrayed again and again by the outside world, to the point that his only recourse for justice was conquest, and Heaven pitied him and granted him victory.  Both were able to transform the fabric of their societies, building a military order that was integrated into the social order.

The narrative in North Korea seems similar: betrayed and humiliated by Japan and the West, the Glorious Leader formed the Juche Idea and the Songun policy.  The fabric of society has been transformed, and the military order is integrated into the social order.  But where does a nomadic empire go when it can't expand?  How many generations will the army stand, unable to move?

Kim Jong-un seems to be trying to reform North Korea's economy, but the Juche Idea permeates society, and probably shapes the way he thinks.  How can this situation possibly evolve from here?

渤海 Language

There was a kingdom called 渤海 in what is now North Korea and North-Eastern China.  For nationalistic reasons, certain modern nations are keen to assert that the people of that kingdom belonged to their own ethnic group and spoke their own language. The system of romanization you use has intense political ramifications. (Just read the talk pages on Wikipedia for this and related kingdoms.)

In order to sidestep this debate, I will use Chinese characters instead of contested historical names throughout this post.

No texts in the 渤海 language survive, so all we can do is speculate based on historical sources.  In fact, it appears that the 渤海 may have used the Chinese language as their literary language, based on a passage from the history of the Jurchen Jīn dynasty:

乙未，诏百官诰命，女直、契丹、汉人各用本字，渤海同汉人。
On the yiwei day, [the emperor] issued edicts to the hundreds of officials.  For the Jurchens, Khitans and Chinese, he used their own scripts; For the 渤海, [he used] the same as the Chinese.

Ethnically, the Jurchens seem to have believed that they were related to the 渤海, since the Taizu of the Jīn dynasty promulgated an edict saying:

女直、渤海本同一家。
The Jurchens and 渤海 are originally one family.

Indeed, the history of the Jurchen Jīn says:

粟末靺鞨始附高麗，姓大氏。李績破高麗，粟末靺鞨保東牟山。後爲渤海，稱王，傳十餘世。有文字、禮樂、官府、制度。有五京、十五府、六十二州。 

The 粟末靺鞨 allied themselves to 高麗, and took the surname Dashi.  After [the Tang official named] Li Ji destroyed 高麗, the 粟末靺鞨 guarded over Dongmo Hill.  Later, they became the 渤海, were called kings, and for ten generations had writing, laws, music, official courts, systems, customs, five capitals, fifteen prefectures, and sixty-two districts.

The 粟末靺鞨 here are one of the seven tribes of 靺鞨 from whom the Jurchens held themselves to be descended.  The characters 粟末 are reconstructed as *sok-mat in OCM (Minimal Old Chinese), and represent an ancient name for the Sunggari river (now called Songhua).  I expect the river name was something like *sugmar, which became *sumgar through metathesis, *sunggar through assimilation.

If we assume that the collective name of the seven tribes, 靺鞨, was pronounced the same as the phonetics 末曷, then that gives is an OCM reconstruction of *mat-gât.  The Early Middle Chinese reconstruction of 渤海, for comparison, is *bət-xəy'.  It seems like it is not entirely impossible to say that the name 渤海, which appeared in the Táng, is a later form of the older 靺鞨, having undergone some sound changes.  The sound change from m > b is not well represented, though we do find it in the Manchu words for "monkey", monio and bonio.

The language of 渤海, if it was anything other than pre-Jurchen, should have left some loan words in Manchu.  Indeed, the Manchu language has a large store of enigmatic words whose etymologies can't be found in Tungusic, Mongolic or Chinese.  Much of these will no doubt be Khitan, but some of them may be 渤海.  Khitan itself is likely to have some 渤海 loans, as well.

Someone really needs to do a careful archeology of Manchu in order to make sense of the enigmatic vocabulary.  Among the words whose origins are indeterminate are many words containing palatal velars (represented by -giy-, -kiy-, -hiy- in the Manchu script), including the name of the Manchu royal clan, gioro.  The following relatively common words are also enigmatic: boigon, "family"; boo, "house"; bonio, "monkey"; abka, "heaven"; aga, "rain"; wece-, "to shamanize"; ganio, "supernatural".

Someone also needs to do an analysis of the pre-Chinese place names of the Changbaishan, among which there are a fair number with palatal velars.  I wonder if a careful linguistic archeology might not reveal the presence of an otherwise unattested substratum language in the area of the Yalu river and Changbaishan.

The Roasted Cake Song

There is a Classical Chinese text called the Roasted Cake Song (燒餅歌), supposedly composed by the Ming official Liu Ji (劉基) who was posthumously named Liu Bowen (劉伯溫).  The song is cryptic, and is traditionally held to be prophetic, but is often considered a recent hoax.

I can't comment on whether it is prophetic or not, but I am pretty sure it is not a recent hoax.  Here is a page from the Old Manchu text Jiu Manzhou Dang, detailing a letter sent by the Manchu chieftain Nurhaci to the Khalkha of the Five Encampments in 1620.  I translate the highlighted section below.

The highlighted section says (in Old Manchu):

te geli liobe uwen-i gisunde latunahabi.  tere liobe uwen serengge dūleke julgei [n]iyalma kai. ganio joriha gese. liobe uwen-i gisun ehe sain ojibe emgeli jorime waciha kai.

Which I translate as:

Now again [events] adhere to the words of Liu Bowen.  That Liu Bowen was a person of the ancient past.  It is like he indicated supernatural things.  Regardless of whether his words were of good or evil, what he indicated came to pass.

So, at the very least, we can say that in 1620 there was some text attributed to Liu Bowen that was considered to be strange and prophetic.  It is possible that the Roasted Cake Song that survives to the present day is a hoax, but unless there is something in the content of the surviving text that is clearly anachronistic, we can probably assume that it dates at least to 1620.