14
Nov 12

Infamous Hacker Heading Chinese Antivirus Firm?

facebooktwittergoogle_plusredditpinterestlinkedinmail

What does a young Chinese hacker do once he’s achieved legendary status for developing Microsoft Office zero-day exploits and using them to hoover up piles of sensitive data from U.S. Defense Department contractors? Would you believe: Start an antivirus firm?

That appears to be what’s happened at Anvisoft, a Chinese antivirus startup that is being somewhat cagey about its origins and leadership. I stumbled across a discussion on the informative Malwarebytes user forum, in which forum regulars were scratching their heads over whether this was a legitimate antivirus vendor. Anvisoft had already been whitelisted by several other antivirus and security products (including Comodo), but the discussion thread on Malwarebytes about who was running this company was inconclusive, prompting me to dig deeper.

I turned to Anvisoft’s own user forum, and found that I wasn’t the only one hungry for answers. This guy asked a similar question back in April 2012, and was answered by an Anvisoft staff member named “Ivy,” who said Anvisoft was “a new company with no past records, and we located in Canada.” Follow-up questions to the Anvisoft forum admins about the names of company executives produced this response, again from Ivy:

“The person who runs anvisoft company is not worth mentioning because he is unknown to you.  Yes, the company is located at Canada. 5334 Yonge Street, Suite 141, Toronto, Ontario M2N 6V1, Canada.”

A quick review of the Web site registration records for anvisoft.com indicated the company was located in Freemont, Calif. And a search on the company’s brand name turned up trademark registration records that put Anvisoft in the high-tech zone of Chengdu, a city in the Sichuan Province of China.

Urged on by these apparent inconsistencies, I decided to take a look back at the site’s original WHOIS records, using the historical WHOIS database maintained by domaintools.com. For many months, the domain’s registration records were hidden behind paid WHOIS record privacy protection services. But in late November 2011 — just prior to Anvisoft’s official launch — that WHOIS privacy veil was briefly lowered, revealing this record:

Registrant:
   wth rose
   Moor Building  ST Fremont. U.S.A
   Fremont, California 94538
   United States
Administrative Contact:
      rose, wth  wthrose@gmail.com
      Moor Building  ST Fremont. U.S.A
      Fremont, California 94538
      United States
      (510) 783-9288

A few days later, the “wth rose” registrant name was replaced with “Anvisoft Technology,” and the wthrose@gmail.com address usurped by “anvisoftceo@gmail.com” (emails to both addresses went unanswered). But this only made me more curious, so I had a look at the Web server where anvisoft.com is hosted.

The current Internet address of anvisoft.com is 184.173.181.194, and a reverse DNS lookup on this IP address tells me that there are at least three other domain names hosted at this address: nxee.com, oyeah.com, and coversite.com. The latter forwards to a domain parking service and its WHOIS information is shielded.

But both oyeah.com and nxee.com also were originally registered to wth rose and wthrose@gmail.com. And their WHOIS records history went back even further, revealing a more fascinating detail: Prior to being updated with Anvisoft’s corporate information, they also were registered to a user named “tandailin” in Gaoxingu, China, with the email address tandailin@163.com.

Image: iDefense

When I saw that record, I was instantly reminded of an infamous Chinese hacker who went by the name Wicked Rose (a.k.a. “Withered Rose“). In 2007, Verisign’s iDefense released a report (PDF) on Rose’s hacking exploits, which detailed his alleged role as the leader of a state-sponsored, four-man hacking team called NCPH (short for Network Crack Program Hacker).  According to iDefense, in 2006 the group was responsible for crafting a rootkit that took advantage of a zero-day vulnerability in Microsoft Word, and was used in attacks on “a large DoD entity” within the USA.

“Wicked Rose and the NCPH hacking group are implicated in multiple Office based attacks over a two year period,” the report stated.

iDefense analysts also include a section with pictures of Wicked Rose, explaining that Rose’s real name is Tan Dailin, and that he is a now-28-year-old who cut his teeth at the Sichuan University of Science and Engineering in Zigong, a city in the Sichuan Province of China.

The report said that at the time, Rose administered his hacking team’s Web site at ncph.net, and ran his own personal blog at mghacker.com. According to historic WHOIS records, the email address used to register mghacker.com was  tandailin@163.com, the same email address in the historic WHOIS records for Anvisoft’s online properties.

Some more tantalizing clues: According to iDefense, one of Dailin’s buddies in NCPH — a hacker nicknamed “Rodag” — also ran his own blog. Rodag appears to still be blogging there, so I had Google Translate show me his latest postings: Turns out, earlier this year Rodag urged readers to download and install Anvisoft Smart Defender, calling it a “security aid from abroad” that offers “superior performance” and is “very simple and beautiful.”

Until recently, another site registered to tandailin@163.com — the now-defunct ww4g.com — featured on its home page a long review of Anvisoft, explaining to readers “why you need a good antivirus.”

This may all be a strange coincidence or hoax. Anvisoft may in fact be a legitimate company, with a legitimate product; and for all I know, it is. But until it starts to answer some basic questions about who’s running the company, this firm is going to have a tough time gaining any kind of credibility or market share.

Tags: , , , , , , , , , , , , , , , , ,

71 comments

  1. interesting but viewdns.info doesn’t appear to do the same thing as domaintools, more like dnsstuff.com OTOH they do seem to be selling zone files :

    http://viewdns.info/data/

    which appear to be terribly out-of-date. for example:

    1,290,856 .ca domains

    .ca actually now has over 2MM registrations.

    http://cira.ca/news/news-releases/canada-reaches-two-million-ca-internet-addresses/

  2. It might be worth taking a closer look at the street addresses given by Anvisoft as well as the address in CA. Googling on “5334 Yonge Street, Suite 141, Toronto” produces 197000 hits. Just browsing the first entries suggests that it is a maildrop for many strange businesses.

    The address in Fremont as given by the WHOIS-record does not seem to exist.

  3. Is this company gonna be taken down?

  4. O email do Ceo da empresa anvisoftceo@gmail.com

    Pergunta para recuperar senha é em chines

    您的车牌号是多少?

  5. Last Updated on: 05-Jul-12

    Registrant:
    Anvisoft Technology
    Number 36, Tianyi Street, High-tech Zone,
    Chengdu, Sichuan 610000
    China

    Administrative Contact:

    Technology, Anvisoft anvisoftceo@gmail.com

    Number 36, Tianyi Street, High-tech Zone,

    Chengdu, Sichuan 610000

    China

    +0.8613438331441

    Technical Contact:
    Technology, Anvisoft anvisoftceo@gmail.com
    Number 36, Tianyi Street, High-tech Zone,
    Chengdu, Sichuan 610000

    China

  6. Queried rwhois.theplanet.com with “184.173.181.194″…

    %rwhois V-1.5:003fff:00 rwhois.softlayer.com (by Network Solutions, Inc. V-1.5.9.5)
    network:Class-Name:network
    network:ID:NETBLK-SOFTLAYER.184.173.128.0/18
    network:Auth-Area:184.173.128.0/18
    network:Network-Name:SOFTLAYER-184.173.128.0
    network:IP-Network:184.173.181.192/29
    network:IP-Network-Block:184.173.181.192-184.173.181.199
    network:Organization;I:nxee.com
    network:Street-Address:Tianyi street , Idealism Center
    network:City:Chengdu
    network:Postal-Code:610000
    network:Country-Code:CN
    network:Tech-Contact;I:sysadmins@softlayer.com
    network:Abuse-Contact;I:abuse@softlayer.com
    network:Admin-Contact;I:IPADM258-ARIN
    network:Created:2011-10-10 04:34:17
    network:Updated:2012-12-02 03:03:13
    network:Updated-By:ipadmin@softlayer.com


Read previous post:
Microsoft Patches 19 Security Holes

Microsoft today issued six software updates to fix at least 19 security holes in Windows and other Microsoft products. Thirteen...

Close