Up until now, Wicked Rose has been infamous for one thing, being a prolific hacker. He exploited Microsoft Office security holes in the US Defense Department and obtained sensitive data for over two years before being discovered.
But it appears that Wiked Rose is exploring a new career path.
Investigative reporter, Brian Krebs, reports that Wicked Rose, otherwise known as Tan Dailin, has possibly registered an antivirus company, Anvisoft. Krebs explains this discovery and the maze he went through to track the site to Wicked Rose:
A quick review of the Web site registration records for anvisoft.com indicated the company was located in Freemont, Calif. And a search on the company’s brand name turned up trademark registration records that put Anvisoft in the high-tech zone of Chengdu, a city in the Sichuan Province of China.
Urged on by these apparent inconsistencies, I decided to take a look back at the site’s original WHOIS records, using the historical WHOIS database maintained by domaintools.com. For many months, the domain’s registration records were hidden behind paid WHOIS record privacy protection services. But in late November 2011 — just prior to Anvisoft’s official launch — that WHOIS privacy veil was briefly lowered, revealing this record:Registrant: wth rose Moor Building ST Fremont. U.S.A Fremont, California 94538 United StatesAdministrative Contact: rose, wth firstname.lastname@example.org Moor Building ST Fremont. U.S.A Fremont, California 94538 United States (510) 783-9288
A few days later, the “wth rose” registrant name was replaced with “Anvisoft Technology,” and the email@example.com address usurped by “firstname.lastname@example.org” (emails to both addresses went unanswered). But this only made me more curious, so I had a look at the Web server where anvisoft.com is hosted.
Kreb then used a reverse DNS lookup on Anvisoft’s IP address and tracked it down to three other domains that were once registered to the same email at Anvisoft: email@example.com. And then he discovered that Anvisoft was once registered under the user name, “tandailin.” Then Kreb made the connection to a name he came across a few years ago:
When I saw that record, I was instantly reminded of an infamous Chinese hacker who went by the name Wicked Rose (a.k.a. “Withered Rose“). In 2007, Verisign’s iDefense released a report (PDF) on Rose’s hacking exploits, which detailed his alleged role as the leader of a state-sponsored, four-man hacking team called NCPH (short for Network Crack Program Hacker). According to iDefense, in 2006 the group was responsible for crafting a rootkit that took advantage of a zero-day vulnerability in Microsoft Word, and was used in attacks on “a large DoD entity” within the USA.
Although Kreb can’t confirm that Wicked Rose started Anvisoft, he raises enough questions to justify a serious inquiry:
This may all be a strange coincidence or hoax. Anvisoft may in fact be a legitimate company, with a legitimate product; and for all I know, it is. But until it starts to answer some basic questions about who’s running the company, this firm is going to have a tough time gaining any kind of credibility or market share.
If Wicked Rose did start Anvisoft, then that mean that he’s abandoned his days of international hacking for a more entrepreneurial life? Has Wicked Rose made an ethical turn? The writers at Darknet are not as hopeful:
Even so, the evidence that has been turned up so far is far from conclusive and as well know just because this chap was mixed up in some dubious activity a few years back – doesn’t mean he isn’t ethically sound now. Some of the best ‘whitehat’ security folks have some distinctly grey stains on their hats.
But in China, infamous hackers are usually plucked up by the Chinese state for cushy jobs. Could this be a signal that capitalism is competing against the Chinese state for knowledge workers, like Wicked Rose? Or as China continues to prove, the state and the market can always find new ways to operate together.