Panda Case Offers Inside Look at Underworld of Chinese Hacking

WUHAN, China—Some of today's biggest cybersecurity worries trace their roots to this central Chinese city, where a hacker with a junior high school education slapped cartoon pandas onto millions of computers to hide a destructive spy program.

The Panda Burns Incense computer worm, created by 27-year-old Li Jun, wreaked havoc for months in China in 2006 and 2007, eventually landing Mr. Li in jail. Jumping one computer to another by tricking users into opening what appeared to be a friendly email message, the Panda funneled passwords, financial information and online cash balances from game Web sites to Mr. Li's cohorts—leaving a panda as its calling card.

Sina Corp.

Panda virus creator Li Jun

When Google Inc. last month alleged that it and more than 20 other companies were breached in a cyberattack it traced to China, the attack, dubbed Aurora, appeared orders of magnitude more complex than the Panda attack. Unlike the Panda attack, which left a calling card and spread quickly and randomly, the perpetrators of Aurora targeted specific employees within the companies they attacked and went to great lengths to cover their tracks.

There is no evidence thus far that the Google hack has any connection to the Panda's pandemonium. What is clear is that Mr. Li learned his craft and launched his attack within a hacker network in China that remains an active and growing threat to global computer users.

The identity, motivation and methods of Chinese hackers are rarely traceable. But based on interviews with security experts, forensic reports from independent tech firms, and the hackers themselves, the Panda case offers a rare window into how the underground world of Chinese hacking operates.

Mr. Li's Panda attack became known as "the first case of organized cybercrime in China, using a computer virus," according to U.S. technology security firm Symantec Corp. Once a computer was infected, the desktop icon of every executable file, such as Microsoft Corp.'s Word, would change into a picture of a panda. Clicking the panda would prompt the computer to immediately download software from the Internet that in turn allowed Mr. Li's computers to siphon off financial information stored deep inside it.

Cyber experts say hacker forums are very likely fertile recruiting grounds for the Chinese government, which is increasingly anxious about its own cybersecurity. In fact, one person formerly involved in spreading the Panda virus says he was later hired to work with Chinese police to break into accounts of Internet users. That couldn't be independently verified.


China rejects as nonsense that it is a hacker haven. "The government has never supported or been involved in cyber attacks, and it will never do so," Peng Bo, an official with the State Council Information Office's Internet Bureau, told state media in mid-February. "In fact, China is the country worst hit by worldwide hackers."

Investigators probing the Google matter still don't know where it began but have been examining whether computers at China's Shanghai Jiaotong University and Lanxiang Vocational School in Shandong Province were involved in the attacks, according to a person briefed on the matter. The New York Times reported Thursday that the attacks have been traced to computers at the two schools.

Mr. Li was released from prison in December after serving three years of a four-year term for destruction of property related to hacking. He declined a formal interview, but in a series of brief phone calls, online chats and email messages, he said he is looking for a "fresh start," perhaps as a cybersecurity specialist, a so-called "white hat." After his release from jail, Mr. Li spent a few days at his parent's red tiled three-floor house outside Wuhan. Instead, he has crisscrossed the country with his Acer laptop to visit others involved in the Panda attack. Mr. Li says he's interested in working with former co-conspirators on legitimate businesses.

Mr. Li's hacking career began in May 1999, a month before his 17th birthday, when U.S. warplanes bombed China's embassy in Belgrade. Angered by the strike, Mr. Li, who was hanging out at cybercafes in Wuhan, stopped playing computer games to become a hacker.

Mr. Li took lessons from a childhood acquaintance named Lei Lei. He learned how to control thousands of computers as zombie-slaves, or "chickens" in Chinese slang, to attack Websites, Mr. Lei said in an interview. While students in Beijing pelted the U.S. Embassy with rocks, the two skinny teenagers, from the second floor of a dimly lit Wuhan cybercafe called the "Network Club," waged their own "U.S. hacker war," disrupting 20 or 30 U.S. Websites, according to Mr. Lei. "We were too young at the time, doing wild things," Mr. Li said by email.

Over the next few years, the two hacked as teammates, stealing money from Internet users, Mr. Lei recalls. They downloaded simple attack programs found on the Internet to break into gaming accounts to steal and then sell virtual-money credits used by players. To advance in their games, players buy special weapons and other items, which are tradeable for cash.

Mr. Lei, 27, spent a year in the same jail as Mr. Li in Hubei province on similar charges for the Panda attack and was released in 2008. Today he works for his father's manufacturing firm in Wuhan and plans to open an Internet security business. A fan of American hip-hop music, he still flouts authority, steering his luxury Toyota the wrong way down Wuhan streets during an interview to avoid traffic.

Imaginechina/ZUMA Press

The Panda Burns Incense computer worm wreaked havoc in China..

The two hackers say they sharpened their skills as part of an online hacker alliance that took its name from a Qing Dynasty insurgency group, the Small Swords Society. Mr. Li adopted the online moniker WHboy, for Wuhan.

In general, Chinese hackers don't fit the Hollywood stereotype of geeky loner-geniuses in American basements or steely smooth Russian mobsters who design and execute hits, reaping all the benefits, cybersecurity experts say. On the contrary, China's hacker community is a widely dispersed, fragmented chain of digital craftsmen. In Chinese, hackers are known as "heike," or black guests.

"As for Chinese hackers, their overall technological skill isn't as good as American or Russian hackers," Mr. Li said in an email, answering questions from the Wall Street Journal. "However, China has the biggest population of hackers in the world." Noting his own communication with foreign hackers, he added, "I often downloaded hacker software from their sites to compare them with programs I wrote or other Chinese hackers wrote."

In China's hacking community, each person does a specific job and, rather than working for a big score, gets paid piecemeal by selling his work, cybersecurity experts say. The programmer of malicious programs usually assembles his program, as Mr. Li did, with lines of computer code he bought elsewhere. The operation works like an assembly line: The programmer then makes customers of others who pay to undertake the broader attack, spreading the malicious software, triggering it and sharing the payoff.

"The chain business is uniquely Chinese," says a Chinese security expert for a major U.S. technology company in Shanghai. Hacker conspiracies in China are structured like multi-level sales networks and even pyramid schemes, he said, not tight-knit criminal gangs that write "technically clean" code designed from the ground up.

Like most Chinese hackers, Mr. Li says he was nurtured inside the informal but active network of online chat rooms where technology break-ins are plotted. According to hackers and Internet security people, such forums are little more than criminal training schools and hardware stores, a cyber underworld where the locks on technological secrets that power online games, bank Websites and Apple Inc.'s iPhone undergo brutal stress tests from the world's largest Internet population.


To sidestep laws against selling malicious software, programmers euphemistically advertise their hacks as "training" and "tutoring," hackers say. Would-be distributors tout themselves as "mail senders," while "script kiddies," keen to build an underworld reputation, will buy hacker tools and pull the trigger.

Anyone along the chain can tweak a virus, for instance, so it attacks another target or trolls for different data. The bounty, benignly called "envelopes," is for sale too: source codes to mimic existing Websites sell priced at 50 yuan, about $7, and data from their users go for 500 yuan. Forum owners and participants mask their identities. The chief barrier to participation is the Chinese language.

Hacker "crowd sourcing"—when large numbers of people contribute to writing code and executing it—reduces the risks individuals face and leaves the network intact if someone does get caught or a forum is shut, Internet security experts say.

By October 2006, looking to filch from several types of online accounts at once, Mr. Li turned to these forums, hoping to steal enough money to buy a Land Rover, he recalled in an email sent to the Wall Street Journal.

Using a Dell computer in a rented apartment in central Wuhan, Mr. Li designed his panda worm, now formally known as W32.Fujacks, to deliver a package of software to Internet users that would steal virtual-money credits and other items from 10 different sources like online game sites. The software exploited poorly protected firewalls to infect virtually any computer connected to the Internet.

Mr. Li fished these hacker forums for usable lines of code, settling on script for a worm called Nimaya. For feedback, in the hacker equivalent of a professional peer review, he dropped samples of his own work into bulletin boards like, according to Mr. Lei. Hacking "can't have made such fast progress and be here today without innovation, sharing and exchanging of technologies," Mr. Li said by email.

Weeks later, Mr. Li branded his tens of thousands of lines of code with an icon stolen from a chatting website called QQ: a black-and-white panda gripping three incense sticks. He offered the tool that siphoned money out of sites for sale, initially tapping 10 distributors who he charged about $120 each.

With "astonishing frequency," according to Symantec, the panda replicated itself by the millions. For some recipients, it was a reminder of a bug dubbed "ILOVEYOU" that had spread from the Philippines six years earlier. But the panda added a malicious feature: hackers could deploy its "backdoor" to grab virtual money from popular online games, including those run by Tencent Inc. A spokeswoman for Tencent said many companies were affected and declined to comment on the Panda case.

Mr. Lei recalls the two spent every waking moment trying to resell their virtual trove. They fenced it at 10% discounts to face value to online buyers, "like on Ebay," Mr. Lei said. How much the scam brought in isn't known, but Mr. Lei says they could earn $1,200 some days. They partied and Mr. Li bought a $2,000 computer but otherwise Mr. Lei says they didn't spend their winnings much.

Soon Chinese Internet users, including government agencies, were decrying the "poisonous panda." Modified or copycat versions of the panda started doing other kinds of damage: turning screens blue, slowing computer speeds, crashing systems and erasing programs.

By early 2007, the two realized the Panda was "out of control" and set plans to flee to western China. By then, police had tracked the Panda to the $72-per-month apartment in Wuhan rented by Messrs. Li and Lei. Only Mr. Li was home when they swooped in on Feb. 3.

Mr. Li appeared in court handcuffed with a newly shaved head and was convicted of destroying property and stealing $18,000.

Mr. Lei was caught later. Police arrested others in Zhejiang, Yunnan and Shandong provinces for their involvement in the Panda attack, some of whom were jailed as well. Many others were never identified, including people who spurred the Panda's spread and profited from it.

As Mr. Li began his four-year sentence, state media pictured him behind bars in a yellow jumper using a prison computer to exterminate his panda virus. (It didn't work. Last November, McAfee Inc., the Internet security firm, warned fresh strains of the panda bug were spreading.)

In December, Mr. Li was released early for good behavior. His first call was to Mr. Lei.

To his fast-expanding 17,000 following on a Twitter-like service, Mr. Li issued a cryptic message about what he planned for the future: "Bread will come. Milk will come. Everything can be restarted all over again."

Write to James T. Areddy at