On October 7, 2007, Internet communications in the Jinqiao district of Macheng city were suddenly cut off. After service recovered "automatically," sporadic interruptions continued to occur over the next three days. The Ministry of Telecommunications tried to find the answer.
At that moment, the cybercafe owner Zhao Shuting reported to the Macheng police: "We received a note. The other party said that your cybercafe goes off line frequently because we did this to you and not because of any telecommunication problem. But if you buy our software, your cybercafe will be able to operate normally. If you don't, I can paralyze your cybercafe. The other party asked for 8,000 yuan."
The provincial public security bureau and the Huanggang city public security bureau's Internet supervisory squad quickly joined the investigation. The police believed that the attacker might well be a user at that cybercafe, and they were right: they arrested a man named Gao.
Gao admitted that he was dissatisfied with the cybercafe owner and asked the netizen nicknamed "Black Pretty Point" to launch a cyber-attack on the cybercafe. The police then went to Jinan city in Shandong province in search of "Black Pretty Point." But they missed him on several occasions. Finally, in April 2008, "Black Pretty Point" was apprehended.
The police found out that "Black Pretty Point" was not just a computer hobbyist who wanted to play pranks. Instead, he was a sales representative for a "trojan horse chain."
So the police followed the leads provided by "Black Pretty Point" and went four times to Shijiazhuang and five times to Guangzhou/Shenzhen. They arrested "Black Pretty Point's" upper link "The Moment When The Snow Fell" and the downward link "Good Mood" and exposed the complete "trojan horse chain."
"Black Pretty Point" is a 22-year-old man named Han. At the time of the crime, he mobilized several dozen "zombie" computers to attack the cybercafe in Macheng. Each attack lasted 5 to 10 minutes. The attack went on for two and a half days. The computer virus that controlled the "zombies" was supplied by "The Moment When The Snow Fell." The latter is a 20-year-old man named Yang who is well known for writing trojan horse software such as "Little Mice" and "Persistent Downloader." "Black Pretty Point" was the sales representative for "The Moment When The Snow Fell," being responsible for the distribution, sales and representation. "Good Mood" is a man named Li who was mainly responsible for running the trojan horse software to steal people's QQ accounts and online game user IDs to resell for profit.
In October 2007, "Black Pretty Point" got acquainted with "The Moment When The Snow Fell" and offered 500 yuan to buy hacker software. "The Moment When The Snow Fell" spent one week writing the "Little Mice" trojan horse software and handed it over to "Black Pretty Point."
"The Moment When The Snow Fell" also wrote other trojan horse software such as "Persistent Downloader" and "Anger Suppression Test," charging anywhere between several hundred yuan and ten thousand yuan. In order to prevent anti-virus software from erasing the trojan horse virus, "The Moment When The Snow Fell" also provided updates for a maintenance fee of 1,000 yuan per month. Within six months, "The Moment When The Snow Fell" earned 190,000 yuan.
"Black Pretty Point" earned more than 200,000 yuan in less than six months. But the people under him earned even more. Since the "zombie" computers can be accessed at will, they represent endless wealth. At the hacker websites, "zombies" are openly sold from as low as 0.1 yuan to 1,000 yuan each. Once a hacker purchases a "zombie," he can steal all the bank accounts, game accounts, passwords, game equipment, game currency, QQ currency and so on. These are then resold to "sales people."
It is also possible to use the "zombie" machines to boost traffic volume for advertisement revenue and website rankings. Conversely, "zombie" machines can be used to extort small- and medium-sized enterprises into paying "protection money."
According to the China Computer Network Emergency Technical Centre, the trojan horse industry generated more than 238 million yuan in revenue while causing 7.6 billion yuan in damages.
After the police cracked the Macheng case, they found out that the three criminals were members of the "Black Hawk Security Network." The police then spent the next six months obtaining more evidence and making preparations. On November 26, 2009, more than 50 police officers raided Black Hawk Security Network locations in Wenzhou (Zhejiang), Huangshan (Anhui), Luihe and Xuchang (Henan). The police arrested the three ringleaders, froze more than 1.7 million yuan in assets and took away 9 servers and 5 computers. The website was shut down.
According to the investigation, two men from Henan, Li and Zhang, started the Black Hawk Technology Limited Company in March 2006. The website "Black Hawk Security Net" then became the biggest hacker training website in all of China.
The website generated revenue through membership fees. In return, members received training in hacker techniques. The website also provided several thousand different trojan horse viruses for members to download. Since 2005, the website has had more than 12,000 paying members and more than 170,000 regular members. Membership dues totaled more than 7 million yuan.
Li and Zhang were formally arrested on December 31, 2009. "Black Pretty Point" and the instigator of the Macheng attack named Gao have already been sentenced to 2 and 3 years in jail respectively.