Botnet master abuses Facebook for pocket money, researchers reveal

Buddha. Image from ShutterstockA Chinese hacker’s main job may well be running a botnet of malware-clotted zombie PCs, but there’s always time left in the day for selling fake Likes, apparently.

It is not every day that remorseful confessions over lapsed adherence to the Five Precepts of Buddhism help researchers identify a hacker.

In early 2012, hacker Zhang Changhe admitted, on Chinese social network Kaixin001, to breaking all Five Precepts of Buddhism.

Sexual misconduct, lying, and drinking aside, Zhang Changhe wrote that he also stole “continuously and shamelessly,” though he hoped that he could stop stealing in the future.

Turns out that Zhang Changhe runs a botnet. (Perhaps that is what he was alluding to when he spoke of stealing “continuously and shamelessly”?)

Two security researchers, Dell SecureWorks’s Joe Stewart and a 33-year-old blogger called “Cyb3rsleuth”, claim that Zhang Changhe also reportedly works for the Chinese army and teaches at PLA Information Engineering University, a center for electronic intelligence, comparable to the US’s National Security Agency’s university.

Botnet. Image from Shutterstock

The whole fascinating story of unearthing a hacker is covered by Bloomberg BusinessWeek.

It tells the tale of how Joe Stewart and “Cyb3rsleuth” tracked Zhang Changhe down, following the trail of zombie computers infested with malware that Zhang left behind as he built his botnet.

Beyond running the botnet, working for the army and teaching at the university, hacker Zhang Changhe is said to look after a few side businesses: selling fake Likes on Facebook pages, artificially swollen follower lists on Twitter, and votes on other social networks such as Digg.

The bogus-thumbs-up service was even promoted on a BlackHat forum.

Post on Blackhat forum

Now Facebook, for its part, really doesn’t want fake Likes. It wants Likes to be as pure a reflection of real users, in a real community who like real things, as it can get.

To that end, in August, Facebook said it was grappling with the issue of fake Likes, noting that it was increasing its automated efforts to remove Likes that may have been gained by means that violate Facebook’s Terms.

A few months later, in October, Facebook tackled a bug that saw Like counters ticking up in double-time when users shared links in private Facebook messages.

Facebook LikeVigorous protection of its Like integrity is tied up in Facebook’s business model: businesses pay to boost visibility of friends’ Likes, or to try to sell apps a user might want based on his or her Like history.

Fake Likes dilute that advertising model, substituting bots for real, live humans with real, live wallets who Like, and sometimes (businesses hope), buy real things.

The Bloomberg article starkly illustrates what a daunting task Facebook, Twitter and other social networks have when it comes to handling well-funded, well-organized, methodical attacks carried out by legions of hackers in countries such as China.

It also paints a clear picture of how difficult it is to put a face on network intrusion and other malfeasance.

Bloomberg reports that “Cyb3rsleuth” subsequently published all his findings about Zhang Changhe on his personal blog. The hope is that that someone – be it a government, the research community, or some of the many victims whose sites or computers had been attacked – would do something.

So far, nobody has, as far as “Cyb3rsleuth” knows.

Imagine the frustration: a researchers finally track a hacker down only to encounter a culture of government denial.

Even if Zhang is never stopped, let alone arrested, “Cyb3rsleuth” and Stewart’s work deserves kudos for adding to our understanding of how cybercriminals operate – broken Precepts, remorse-laden postings and all.

If you’re on Facebook, and want to learn more about security and privacy issues on the social network, consider joining the Naked Security Facebook page.

Buddha and botnet images from Shutterstock.

Hat-tip: Bloomberg BusinessWeek