Case Focus On the morning of July 18, 2009, the private car license plate quota network that was unique in the country and has been in operation for 6 years has immediately become the focus of widespread concern and suspicion from all walks of life. Some of the participants involved in the auction even gathered at the auction company. Encircle. After 22 days and nights of careful investigation, the Shanghai police will eventually capture the mysterious hackers hidden in the vast sea of ​​people.
Auction cancellation Nowadays, with the improvement of living standards, more and more citizens in Shanghai have begun to join the ranks of "car owners". However, unlike other cities in the country, since the beginning of 2003, the private car license quota auction office in Shanghai has bought a new car. All citizens must follow the Shanghai private car bidding auction procedure to participate in the monthly online bidding auction to obtain private. Car license plate.
At 10:00 am on July 18, 2009, this month's private car bidding auction was started in the "People's Eyes". Mr. Li bought a new Toyota car as early as two months ago, and he was not able to take part in the license plate auction for three consecutive months. Because there is no license plate to drive on the road, I have to park my car in the garage to "sleep". This time he holds the mentality that he is determined to win as long as the price is below 30,000 yuan. He will not wait for the fourth time to participate in the auction.
As usual, Mr. Li sat in front of the computer and first entered the starting price of 100 yuan > minute, two minutes, with the timer beating continuously, until the end of the first stage of the 11-point auction, the starting price of 100 yuan is still The silk does not move. According to the auction rules, it means that Mr. Li is very likely to get the license plate quota for about 100 yuan. "Is the miracle really happening, do I really hit the Universiade?" Staring at the computer screen, Mr. Li couldn't believe his eyes: the auction price of such a t can never be seen in the history of license plate auctions. Ah, he immediately jumped up with excitement.
However, Miss Zhao’s "condition", which also participated in the auction, is completely different from Mr. Li. From 10:55, she has never been able to log into the auction company's online auction system. I don't know why she repeatedly clicked on the page, she couldn't get in, like a crash. She wondered if there was a problem with her computer. So I quickly changed a computer and logged in but still couldn't get in. She was stunned. In fact, as in the case of Miss Zhao, from 10:55 in the morning, many Shanghai residents who are preparing to participate in the auction are unable to enter the online auction system.
It is said that the auction of private car licenses was suddenly cancelled inexplicably, and immediately caused great repercussions among the masses of Shanghai residents. It became the focus of public attention because this monthly license plate auction is related to the vital interests of many Shanghai residents. They have called or rushed to the auction company to ask for details. Some of the excited bidders even encircled the auction company's staff.
―The number has entered the online auction system, and the citizens who successfully bid for 100 yuan said: “We originally thought that the price could be accepted at around 30,000 yuan. Now, after the miracle of 100 yuan, how can the auction company cancel the cancellation? And it doesn't explain the reason. It must be that they want to rely on the 100 yuan price. We must discuss it and protect our legitimate rights and interests." Many citizens who cannot enter the online auction system are also depressed: Why? Today, the licensing system can't get in, and there has never been such a thing. We have everything in place, waiting for today to take a good license, you can drive on the road and think that it will be so bad. Now that the temporary license is about to expire, we don’t know what the price will be next month. The auction company will compensate us for the loss.
At the same time, some lawyers also said that the auction company unilaterally canceled the auction, violated the contract law, infringed the legitimate rights and interests of the majority of bidders, and was willing to provide legal services free of charge to bidders. Faced with the questions and accusations of the majority of bidders, The relevant person in charge of the Shanghai International Commodity Auction Company, which is responsible for the license plate auction at the "Fengkou Langjian", said: According to the past situation, in the last 5 minutes of the end of the first stage of the bidding, there will be a large number of bidders entering a bidding peak but this But the sky is uncharacteristic, and only a few bidders are willing to bid enough to enter our licensing system. This resulted in an anomaly situation: a large number of bidders were unable to log in to the system normally, while bidders who had entered the system on the other side could not normally bid, resulting in the auction not working properly. At the same time, the network security system also appeared an alarm. After the auction house made a report and communicated to the relevant departments according to the plan, it decided to cancel the auction on the same day at 11:20.
For some bidders, after they started the auction at the lowest price of 100 yuan, because they could not continue to bid in the auction system, so the i should be based on the price of 100 yuan, the person in charge explained, "In our In the notice to the customer, we have a clear rule. When the system is affected by force majeure, the auctioneer is our auction company and has the right to terminate the auction according to the law and relevant regulations. "However, the explanation of the auction company did not dispel the doubts of the general public and the bidders, and they continued to talk to the auction company without hesitation.
What happened to the normal private car license plate auction system, the matter immediately attracted the attention of the Shanghai Municipal Party Committee and the Municipal Government, instructing the public security organs to quickly intervene in the investigation, and as soon as possible to solve the case and publicize the facts of the case. The Shanghai Municipal Public Security Bureau's Computer Network Information Security Supervision Office of the Xin'an Office immediately mobilized the elites of the city's Xin'an Department to form a "7-8" task force. The investigators first carefully analyzed the data in the online auction system of the license plate on July 18. They found that according to common practice, the number of people who usually draw cards is between 15,000 and 25,000, and the number of licenses issued by the government is between 6,000 and 8,000. If the auction is normal, the capacity of the network system is more than enough. , will not be affected. However, on July 18th, there was no abnormal link request in the online auction system. Although these abnormal link requests were logged into the system, during the auction process, these link requests neither bid nor participate in the card-making operation. It looks very weird. Further statistics show that the number of these abnormal link requests is quite amazing. There are more than 340,000 abnormal IP addresses: the address has access to the auction system, and in any previous auction, the number of the auction system is only one or two thousand. People enter.
Suddenly, 340,000 people poured into the license plate online auction system. What kind of situation will happen in the network? In the interview, the investigators made an image to the reporter: this is like a road that can only drive eight cars. After a few hundred cars, the next road blocked the road. The abnormal link request is to block the online auction system of the license plate and prevent the bidder from accessing normally. The essence is that i is a kind of cyber attack behavior that takes a large number of initiating service requests and occupies some legitimate resources of the network system, thereby causing normal bidders to enjoy such system services. At this point, the investigators determined the nature of the case through analysis with the expert consultation: this is a typical case of "denial of service attack: strike". The computer terminal devices that are not normally accessing the bidders are remote computers controlled by others, and are often referred to as broiler chickens by experts.
The investigators further explained that "broiler chicken" actually refers to some personal computers, including some enterprises' network servers, which are computers that are illegally manipulated by others. The scary thing is that these "broiler" bidders do not know that their computers have been controlled by others. Units and departments operating with computer network systems continue to strengthen the system's security measures to avoid "hackers".
It is also involved in hacking because these are all hackers operating in the background of the computer.
After the investigation of investigators and experts, the time when the secretly manipulated "broiler chicken" attacked the license plate auction system was at 10:55 on the morning of July 18. Because a large number of bidders want to improve the hit rate, they choose to log in to the system at the last moment, and the attacker selects the moment when the large number of bidders log in. By launching a network attack, many bidders are blocked in the normal bidding. Outside the scope.
In the deadlock, the investigators first analyzed the motives of the criminal suspects. Since the criminal suspects attacked the auction system at the critical moment of the license plate auction, the attacker hiding behind it must want to reach some sort of Purpose of interest. Because it is a bidding, the price will go higher, and if the attack is successful and the price is low, then someone will be profitable. In other words, some people want to use the cyber attack to get a license plate at a low price.
To this end, the investigators first selected some bidders who bid for the auction at a low price, that is, between 100 yuan and 400 yuan, as the key investigation object. According to the auction system, more than 8,000 people are already participating in the bidding auction before the system is attacked. There are more than 2,000 people bidding for the auction in the range of 100 yuan to 400 yuan. However, in the investigation of the more than 2,000 low-price bidders, the police did not find any suspicious clues, so the scope of investigation expanded to more than 8,000 people who participated in the auction that day. Very often, a suspicious person entered the police's sight. This person is specialized in the business of taking a license plate on the Internet. In a strict sense, this business is not formal and he does not have a business license. The investigator will summon him to the task force for interrogation. According to him, he only used the 700 yuan commission for each customer to take the cards, and he promised to use the lowest price to help find the license plate, there is no other violations.
The investigator found that the man used a computer program software that violated the rules during the process of taking the cards. Under the repeated questioning of the investigators, he had to say truthfully: "The police, I don't think you will have such a professional standard. In fact, this is a small plug-in that I designed and developed myself. After installing it on a computer, I can read it in real time. Take the lowest price at the time of the draw, then I will add 300 yuan to the lowest price, so I can guarantee the license plate. I know that this is not allowed, and I am willing to accept your punishment." The investigator carried out his software. After testing and analysis, I believe that this software does not have the ability to launch a cyber attack. From the perspective of his profitability, there is no additional benefit in addition to the commission. Thus, the suspected man was excluded from the possibility of profiting from the implementation of cyber attacks.
Immediately afterwards, the investigators conducted an investigation around whether the suspect had other motives for committing crimes, such as retaliation for the purpose of focusing on competition in commercial cases. However, after repeated investigations, no valuable clues were found. The case suddenly fell into a slap in the face.
Looking for "broiler chicken"
According to related computer experts, from the principle of "denial of service attack", it basically follows such a network path: it is to use someone else's machine as his "broiler" or downtime, and then implant his Trojan virus program. . Therefore, if the implanted Trojan virus program can be found in those "broilers", it is possible to follow the source of the Trojan virus program and step closer to the operator behind the scenes.
The expert's guidance opened the investigator's ideas and immediately adjusted the investigation plan. During the license plate auction on July 18, there were more than 340,000 abnormal access links, and the investigators decided to start with the abnormal access links with large traffic. The investigator likes to say that if I am going to enter a room alone, I can knock on the door and go in. There is no need to bring hundreds of people to the wall, and at the same time, knock on the door and rush together. Therefore, the traffic with particularly large traffic is definitely not normal.
According to the data extracted from the license plate auction system, the investigators found that the top 25 丨P addresses with the highest traffic volume were located in major cities such as Hebei, Anhui, and Henan. In order to be able to extract the Trojan virus program samples from 25 "broilers" with large attack traffic, the investigators continued to investigate in various provinces and cities for many days, but the results were not satisfactory. Most of these "broiler chicken" users are local Internet cafes. Around July 18th, they found that their computer Internet speed and the apparent slowness of operating the computer, the computer operating system was reinstalled, so that some of the original data disappeared completely interrupted.
To this end, the investigators had to turn around the gun and redirect the investigation to those "broilers" with relatively small attack traffic. However, among the many small-volume bidders, there are normal bidders and abnormal bidders; there are correct data and erroneous data, all of which are mixed up, and it is undoubted that you need to extract the samples of the Trojan virus program you need. Is a needle in a haystack. However, the investigators were not intimidated by the difficulties. They launched the police of the network supervision departments of the various public security sub-bureaus in the city, working day and night, working in tandem, sitting in front of the computer, searching one by one, picking one by one. , pick out the suspicious data strips to identify. In this way, the investigators confirmed a "broiler chicken" belonging to the individual bidder in a large amount of computer data. Then, the investigators called the bidders one by one: get in touch.
Hard work pays off. After more than ten days of extensive investigations, the investigators successfully extracted the Trojan virus program samples with the active cooperation of many individual bidders. After careful comparison, it was confirmed that the online auction of Shanghai private car license plate quotas on July 18th. A Trojan used when the system implemented an attack.
The goal is to find the suspect who manipulates the Trojan virus program. With the cooperation of experts, the investigators finally found that a man named Zhou Xiongfeng in Shanghai had a close relationship with the control terminal of the Trojan virus. This person is proficient in computer technology and has strong hacking capabilities. And very coincidentally, he bought a new car in the first two months. On July 18, he also participated in the license plate auction. This time, his suspicion is even bigger.
The hacker was arrested in the early morning of August 9, 2009. According to the clues he had mastered in advance, the investigator decisively attacked and arrested Zhou Xiongfeng, a suspect in a residential building in Anting Town, Shanghai.
Zhou Xiongfeng, 23, is from Huzhou, Zhejiang.
Unbelievably, although he only has a junior high school education level, he is very proficient in computer network hacking techniques. After the arrest, he immediately explained that he was the day of the auction on the morning of July 18th. What was the motive for implementing his entire bidding system? According to him, he bought a new car a few months ago, thinking Last license. But look at the auction price of the Shanghai license is more than 30,000, almost half of the price of the car, my heart is very uneven. As a result, he used his well-versed hacking techniques to attack the auction system, so that he could get a license at a lower price. After observation, he found that the more people bid, the higher the price will be; the number of people bidding will be small, and the price will fall. Most of the bidders flocked in the last 5 minutes of the first stage of the auction. As long as the number of people entering the system was limited during the last 5 minutes, the person who wants to log in could not log in. This month's license plate auction price will definitely fall, and you can shoot the license plate at a low price.
To this end, the criminal suspect Zhou Xiongfeng decided to launch a large-discharge denial of service attack on the server of the Shanghai International Commodity Auction Co., Ltd., which is responsible for the signing, on the day of the auction on July 18th. In advance, Zhou Xiongfeng has purchased 5,400 "broilers" from the accomplices and Shandong Shaobo Wang Yongfeng. After Zhou Xiongfeng downloaded the Trojan virus program from the Internet to Wang Yongfeng through MSN, Wang Yongfeng made the virus software into a BT download seed, hidden. In some downloads of pornographic videos, spread on the Internet. As long as users download these videos, the virus will attack, causing these computers to be "hijacked" by them. The instructions of Zhou Xiongfeng are illegally controlled by Zhou Xiongfeng.
At 10:55 am on July 18, Zhou Xiongfeng used his server located in Nanchang, Jiangxi Province, through the "darkshell" control terminal, ordered more than 5,400 computer broilers illegally controlled by him, and the private car of Shanghai International Commodity Auction Co., Ltd. The online auction server of the quota implemented a large-volume denial of service attack, which caused the server to fail to operate normally, which led to the cancellation of the private car auction in Shanghai in July.
According to Zhou Xiongfeng's account, on August 11, the investigators captured the 21-year-old suspect Wang Yongfeng in Xianshang, Hubei. So far this case has been successfully broken.
The police reminded all units and departments that are using computer network systems to operate, and should constantly strengthen the system's security defense measures to avoid being attacked by hackers on the Internet. At the same time, as users of personal computers and online bidders, they should also do well. The necessary protection, do not casually browse pornographic video sites, in case your computer is "hijacked" by hackers as "broiler chicken", and is easily used by criminal suspects as a tool to implement online crime.
Before the squad, the second branch of the Shanghai People's Procuratorate was arrested for arresting Zhou Xiongfeng and Wang Yongfeng for allegedly damaging the computer information system. Waiting for them will be severely punished by law.
Long Sleeve Shirts & Leggings
Guangzhou LIDONG Garment Industrial Co., Ltd. , https://www.lidongapparel.com