Google hacked by Chinese


I have written on here before about Titan Rain, the ongoing attacks on American computers allegedly by the Chinese. Here is what Wikipedia has to say:

Titan Rain was the U.S. government’s designation given to a series of coordinated attacks on American computer systems since 2003. The attacks were labeled as Chinese in origin, although their precise nature (i.e., state-sponsored espionage, corporate espionage, or random hacker attacks) and their real identities (i.e., masked by proxy, zombie computer, spyware/virus infected) remain unknown. The designation ‘Titan Rain’ has been changed, but the new name for the attacks is itself classified if connected with this set of attacks.

In early December 2005 the director of the SANS Institute, a security institute in the U.S., said that the attacks were “most likely the result of Chinese military hackers attempting to gather information on U.S. systems.”

Titan Rain hackers gained access to many U.S. computer networks, including those at Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA.

This is very serious stuff. And if they can get into heavily defended top secret computer systems just imagine how easily they could get into yours or into the systems of your place of work. Against this background we have this amazing announcement from Google:

Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident–albeit a significant one–was something quite different.

First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted. We are currently in the process of notifying those companies, and we are also working with the relevant U.S. authorities.

Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.

Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users’ computers…

So there you have it, officially. The Chinese put malware on people’s computers which they then use to their own ends. What better way to achieve this than through a browser video game? The client software for a browser video game sits on literally tens of millions of Western computers. The operators of these games even encourage you to put it on your work computer. And there is nothing to stop them then extracting all the information they want: passwords, credit card numbers, email addresses etc. Your antivirus software will not flag it, because it is not a known virus. And your firewall will not protect you, because you installed the client yourself. I wrote an article on here, “Is Evony Malware?”. Here is one of the comments that a reader called Lee added to that article:

I am a student studying computer games design at uni and decided to investigate Evony.com.
Just to see what some of these games are like etc. etc.
The game is actually kind of cool (found myself addicted and even spent a little money on it).
But I started to notice HUGE bandwidth use by the site as I played.
I am not the only one either, there are comments on the evony forums about this.
This is odd because all of the client info, the animations etc. are all downloaded in one big download at the start.
There is no streaming media so I began to wonder what was going on.

To cut a long story short I decided to break the law and reverse engineer Evony’s client.
Not to cheat. Not to rip them off or even to use even a scrap of the code.
But just to poke about a bit and find out what was going on, maybe even offer them some ways to improve things.

Aside from the fact that the whole thing is very poorly constructed (it is really very beginner coder level stuff. Reminds me of a lot of what the first year students produce for assignments) it contained some very interesting information.

Included with the client are 2 pieces of tracking software that monitor your web use and which applications you have open while the client is running.
These do not install independently on the machine though due to the limitations of Flash and do not actually damage anything.
But they harvest massive volumes of information. My firewall was blocking a lot of outgoing transmissions and it turns out that these were the data trying to be sent out. So they know nothing about me. lol.
However there is a LOT of data coming IN over the ports the client uses. In other words it is downloading something into my cache for use later.
I have bandwidth restriction which slows these types of tricks down and I completely clear my cache every couple of hours if I am heavily using the net.

I also noticed that all the variables etc. are named Civony still and that there are multiple references to UMGE.
Even a couple of folders are simply called UMGE, one of these folders contains one of the spyware programs.
So I can only guess at where the data would end up if I didn’t have a good firewall.

There are also commented out sections in the code which contain references to UMGE and Lam himself, though low on details.

Thank you for reading this.

Lee

Please note that I am not saying that Evony is malware or is associated with malware in any way. I am just repeating what other people have said. But personally I would not install it on my computer.

So take care out there. Only play browser games from reputable companies whose provenance you know: who owns them, where they are based, their phone number etc. Letting just any browser game put its client on your computer is very dangerous; once it is loaded they can do anything they want, and you won’t know anything about it and can’t prevent it.

21 Comments


  1. Right now I am very glad that I sit in front of a mac.

    I have been very sceptical of Evony since the game came out. The way they market their game and so on. Thanks for the good information.


  2. What’s a mac to professional hackers? Let’s get serious, they got into Nasa, your mac would be like a doormat.


  3. Are you serious? I see you are who Apple market for. How exactly is your Mac going to protect you from Chinese hackers?


  4. You completely ignored 5 paragraphs from the google article and completely changed the purpose of the story.


  5. @ Millen – I use a Mac as well, and while there is definitely truth to the belief that they are less susceptible to attacks (note that I say “less susceptible to” not “better defended against”), the belief that a Mac is invulnerable to an attack like this is naive if not downright stupid. This, and most information gathering spyware/malware, monitor the packets of data sent to and from your computer. These things work *regardless* of what operating system you are using because they’re operating system independent, they’re simply monitoring your internet traffic.

    Before you make the dangerous assumption that you are safe because of the computer you use, educate yourself on the subject please.


  6. @Anonymous.
    You plainly don’t understand. This is not a news site so there is no story to change the purpose of.
    This is a blog of my articles about the game industry. These articles, mainly analysis, say exactly what I want them to say. And in this instance the analysis is that it is best to take care with Chinese sourced browser games because they could be used to put trojans on your computer. The Google article was included by way of evidence that this is the sort of activity that the Chinese get up to.


  7. P.S. You don’t think Google, the world’s number 1 search engine, farms data? What a joke.


  8. Ok, I play Evony in-browser only. I have never downloaded their I-client and I never will.

    My research suggests that I’m fairly safe from any data-mining, hijacking as long as I don’t download and install their client.

    Is this correct? I can’t seem to find a 100% solid answer on this and any input would be appreciated.

    Btw, I like your blog Mr. Everiss. Keep it up, interesting stuff.


  9. As I understand it Evony is Flash, not Acrobat PDF. Does it use pdf’s to deliver any content?

    I mean there’s no way I’m EVER going to give Evony my financial information and people that do that aren’t too bright. And I haven’t downloaded and installed any client so I’m not too worried.

    Then again, an hour after my previous post my yahoo email had an email to myself from myself about Viagra in my spam box.

    I’ve never experienced any issues and I’ve been playing Evony for about 3 months now so it could just be coincidence.


  10. @C.Castro
    When you first play Evony it loads its client into your computer, you can’t play it without the client.


  11. Thanks Bruce,

    Does anybody know where the client downloads to? What directory? Is it a temporary directory?

    Maybe this is the wrong forum to ask but the internet at large doesn’t seem to know and there’s been a lot of earnest Evony discussion on this blog.

    Any help would be appreciated.


  12. @ C. Castro,

    The client can be found on your hard drive. In my case the game was loaded when it was known as Civony, but two core files were found listed as Evony. This means that it is possible that the client file names can be changed to obstruct identification and removal. The only sure way to be safe is to contact a specialist or reformat your hard drive. But this can be a complex affair for many general users.

    Conventional computer alert software does not identify the client. It downloads without consent. It bypasses conventional application security systems on all machines I am aware of, including Macs. This means that all computer users really need to appreciate the risks involved.

    I always check the domain of any product before using it. In my case the records showed that Civony was registered to Eric Lam through Go Daddy in the United States. The company concerned was named as UMGE in China. As these checked out I was prepared to sample the product. Of course, there was no indication that it downloaded a client and I only found out afterwards.

    Since this time Evony denies any association with Eric Lam, UMGE or China. As Eric Lam and UMGE are facing a lawsuit against Microsoft in the US, this alone should help you understand why this product is totally unsafe.

    Here is wishing you well in identifying the client on your hard drive and removing it.

    AC


  13. Part 2

    Most importantly Assist Strategic Business Solutions is registered with AUSTRADE (formerly the Australian Trade Commission). Here is the link that confirms this http://www.austrade.gov.au/SupplierDetails.aspx?ORGID=ORG8000003494&folderid=1736. As the details can be edited, here is the claim made by Benjamin Gifford on the AUSTRADE website:

    Company Details

    Company Name Assist Strategic Business Solutions Pty Limited
    Trading As (No name offered)

    ASSIST Strategic Business Solutions has helped and provided our clients with time constricted solutions which succeed. ASSIST has a broad spectrum of services and experience in many industries. Give us a call and give us your problems. We are mainly able to assist SME’s and large not for profit entities and pride ourselves in being the first point of contact and provide the best solution possible. This allows our clients to focus on core business functions and know that they will be given personal care. It’s more than just providing solutions – it’s about taking stress away.

    Our main objective is to work side-by-side with your company, offering the best service and advice while at the same time documenting our processes so that there is an exit strategy. At ASSIST, you are in control and come first.

    Contact Details
    Company Name: Assist Strategic Business Solutions Pty Limited
    Phone: +61 2 9524 0525
    Email: ben@asbs.net.au
    Web: http://www.asbs.net.au

    Address
    Lvl 1, 90 Karimbla Road
    Miranda
    NSW 2228

    Postal Address
    PO Box 126
    Miranda
    NSW 2228

    Contact
    Name: Benjamin Gifford
    Phone: +61 2 9524 0525
    Email: ben@asbs.net.au

    The above information offered to AUSTRADE conflicts with the address offered on Facebook as being 5 Gillwinga Avenue, Caringbah, Australia. Indeed, it offers a different phone number too, namely +61 2 9525 5799, as can be evidenced here in the Facebook capture http://www.popehat.com/2009/10/20/who-in-the-world-is-benjamin-gifford/ taken on or before 20th October. Naturally Assist Strategic Business Solutions will have to comply with the AUSTRADE regulations. This could prove interesting.

    Benjamin Gifford of Assist Strategic Business Solutions is the Vice Development Officer of Evony. Because Benjamin Gifford has formally stated that Evony has never had any association with Eric Lam, UMGE or China (the parties involved in the Microsoft v Lam Defendants lawsuit within the US http://news.justia.com/cases/featured/washington/wawdce/2:2009cv00815/160320/). This means that Benjamin Gifford and Assist Strategic Business Solutions are misrepresenting the facts to over ten million consumers from his base of operations in Australia. The reason they are embarking on this course of action is likely to shield the assets being accumulated by Civony/Evony (estimated to be around $30 million a month) from any court orders that could be placed on the Lam Defendants. This would account for why Benjamin Gifford of Assist Strategic Business Solutions has placed a fraudulent lawsuit on Bruce Everiss and has threatened other media bodies through the Australian legal system, because the Lam Defendants are on trial in the US and it would have been unwise for them to issue legal proceedings themselves. This will account for why they have chosen to abuse the New South Wales legal system with the assistance of Benjamin Gifford and Assist Strategic Business Solutions of Australia, a company registered through AUSTRADE. Of course, they would have known that media bodies do not risk financial damages over libel, therefore they could be assured that the media would withdraw associating Evony with the Lam Defendants if threatened with a lawsuit. As business entities the media advisors would have viewed the liabilities of the Evony story as outweighing the value of its reportage. This will account for the media stories being stopped as this example shows http://www.guardian.co.uk/technology/gamesblog/2009/jul/15/games-evony-spam-internet. 
    However, bloggers tend to view issues very differently; they are more interested in justice than revenue, which is why they are rightfully gaining popularity with readers.


  14. Part 3

    Think about it. No one knows which country Evony operates from. Therefore no one knows which country is to receive the taxes taken from its extensive revenues or where to address any complaint to it or its official regulators. The Lam Defendants are on trial in the US through ten charges being made by Microsoft, including the first ever case of internet click fraud. UMGE, one of the Lam Defendants, is the company that originally acknowledged ownership of Civony/Evony, is based in China and is associated with making illegal money through gold farming. Evony is now registered as a US LLC but it operates through Benjamin Gifford of Assist Strategic Business Solutions in Australia. In addition it has issued libel lawsuits through the Supreme Court of New South Wales to parties in the UK for reporting about its activities. Part of this evidence pertains to claims made before Evony LLC was formally registered as a legitimate offshore company within the US.

    Due to the actions of Benjamin Gifford of Assist Strategic Business Solutions, it means that all Civony/Evony users can now view Australia as a country of Civony/Evony operation. The Australian body responsible for targeting illegal Australian practices is the Australian Competition and Consumer Commission (ACCC) http://www.accc.gov.au/content/index.phtml/itemId/815323. I think it is fair to cite the words used by the Australian Competition and Consumer Commission, because with over ten million Civony/Evony users around the world, some may wish to contact this body directly. Here are the grounds on which one contacts this body:

    Report a business if you think it may be:

    – misleading or deceiving a consumer or doing something that is likely to be misleading or deceptive

    – putting undue influence or pressure on an especially disadvantaged or vulnerable consumer or using unfair tactics against them (acting unconscionably)

    – using undue harassment or coercion to get a consumer to buy or pay for goods or services

    – selling a product that is unsafe or does not comply with mandatory product safety or information standards.

    For those that wish to challenge the actions made on behalf of UMGE and Evony LLC by Benjamin Gifford of Assist Strategic Business Solutions, Australia, here is the link http://www.accc.gov.au/content/index.phtml/itemId/142. The core material to read can be found under consumers and making a complaint. Naturally any complaint can be copied to other parties, like the US Attorney General’s office in Delaware and consumer regulators in your own country. Also be aware that AUSTRADE, the body that has registered Assist Strategic Business Solutions also has Chinese offices http://www.china.embassy.gov.au/bjng/Austrade2.html and US offices http://www.austrade.com/USA-Offices/default.aspx listed under the Australian Embassy. Indeed if the complaint pertains to pornography, harassment, abuse or financial fraud (because these actions have been reported on the Evony forum), then it is advisable to contact the police in your country too for advice.

    Do of course be aware that Benjamin Gifford functions within the Evony forum under the name of Thalin Athasian. All posts or communications that expose the association of Evony with the Lam Defendants are denied, edited or deleted. In this respect Benjamin Gifford and Assist Strategic Business Solutions in Australia are directly involved in blocking consumer concerns from being raised with UMGE, the Chinese company behind its US front, Evony LLC, through Australia.

    AC


  15. Can I just point out that the general belief is that Macs are less susceptible to viruses, not to “attacks”.

    An “attack” does not necessarily rely on deploying then using software on your computer, unlike a virus, where deploying software and infecting computers is the entire point.

    An “attack” can be carried out with the end user being entirely passive.

    Cheers,

    Steve


  16. Steve is correct. It is entirely possible to make a flash client that can be used for data mining on both OSX and Windows, they exist in vast quantities already.
    Though from what I can tell from the evony client it is very specific to Windows. But it would be very easy for them to add some mac specific code to allow them to do things to mac users.

    If you are going to allow these things onto your computer the best you can do is make sure that wherever it originates from is known and trustworthy.

    For Windows users:
    That said, all Flash files will be initially downloaded into a cache in order to run in your browser. As Flash cannot run arbitrary code on your machine (not without some serious stack overflows and other amusements) it will likely only stay there. Run the Windows Disk Cleanup. Also use Firefox; the Flash plugin in Firefox helps to prevent a couple of easy Flash attacks and Firefox can be set to auto clean its cache.
    If you are extra paranoid run Spybot S&D and run a search. It will clean out any remaining system cache files and check for tracking cookies.

    For Mac Users:
    Flash is kept isolated from the rest of the system, like anything else downloaded into the background. Just watch your system resources with one of the free software gadgets you can get from the mac website and if you see huge spikes while running any Flash client then it could be that you are being watched (or it is just an appallingly made program.. or both).
    Use Firefox for your web browser and set it to auto clean your cache when it closes (Windows users can do this as well, but windows will still keep a copy if it is running something nasty as it cannot delete active processes/files. If you boot into safemode, open firefox and then close it again with the cache set to auto clean it will work the same as the mac though. 🙂 ), this should solve the problems with the client being kept on your computer.


  17. It is interesting that KINGSORY is not only almost identical functionally to EVONY, but some (SOME) of the code is also identical.

    Evony, however, without a doubt is performing background tasks for data mining. It would take ages to go through the decomp. code and find everything, but something is amiss…

    That being said – there are some simple facts – FLASH is lousy for producing this type of application. It inherently fails to collect garbage and inevitably leaks like a sieve….

    If I examine packets passing through my firewall, the information passed appears to be minimal and more geared towards marketing requirements than anything (ie. peoples habits and interests).

    As an added note – and because I HAVE to say it – to the Mac user who said he is lucky to own one – congrats for owning one!! – I am sure it is a pretty colour !!!

    Now – when writing a virus or malware of any type (Trojans, Virus, Spy etc etc)… one tends to target the 90% market share (win) and not the tiny share (unix)…

    However – there are viruses out there for ALL platforms. The windows target is just a lot bigger….

    It is just as easy to write a virus for a UNIX/LINUX based OS as it is for Windows – there are JUST as many potential holes; just as many opportunities.

    So…. good luck with that false sense of security…. And if you want to run Evony or similar… use an isolated VM instead….(For those with Mac – you can get VM software for them also – although it is not needed as they are 100% perfect – and SO cute…. like my playstation)


  18. I have found malware hidden in Zentia also, and upon trying to uninstall it, it opened 263 internet windows, so it didn’t like that idea. After removing it, scans showed trojan downloaders and Win32 trojans, so the Chinese aren’t the only ones. Zentia’s home company also has the new Lego Universe game putting P2P networks into people’s PCs, so just a word of warning: be careful what new games you try on your computer, the results could be disastrous.
