Exploit code for China's "Green Dam" censorship app permits remote control of any Chinese PC

Wikileaks has published what is claimed to be proof that computers running "Green Dam" can be maliciously controlled through vulnerabilities in that censorware.
Green Dam is a new Chinese state censorship program that is mandated to ship with all PCs sold in China after July 1, 2009. The program "complements" the existing internet censorship system and extends it to many third-party applications, such as Skype and text editors, which are monitored for forbidden phrases such as "falun gong". The ZIP file provides a web page and associated code that can be used to remotely take control of any computer running the Green Dam software. The only requirement is that the user is enticed to view a site hosting a copy of the exploit page. The technique used is a buffer overflow using Microsoft's ".net" encoding.
Chinese Green Dam censorship system exploit, 22 Jun 2009 (Wikileaks, via @ClayShirky)
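The post describes the bug class but not the code, so the following is an added illustration, not Green Dam's own code or anything from the Wikileaks archive: a hypothetical content filter that copies an attacker-controlled URL into a fixed-size stack buffer (the overflow the post refers to), next to a hardened version that measures first and fails closed. The phrase list, buffer size, function names and the 600-byte "long URL" are all constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer the hypothetical filter copies a URL into. */
#define URL_BUF 256

/* Constructed stand-in for a censorware phrase list; not Green Dam's real list. */
static const char *const blocked_phrases[] = { "falun gong", "tiananmen" };
#define N_BLOCKED (sizeof blocked_phrases / sizeof blocked_phrases[0])

static bool contains_blocked_phrase(const char *text)
{
    for (size_t i = 0; i < N_BLOCKED; i++)
        if (strstr(text, blocked_phrases[i]) != NULL)
            return true;
    return false;
}

/* VULNERABLE (hypothetical): unbounded copy of an attacker-controlled URL into a
 * 256-byte stack buffer. A URL of 256 bytes or more writes past 'buf' into the
 * rest of the stack frame, which is the bug class the post describes. Shown for
 * contrast only; the demo never calls it with over-long input. */
static bool url_is_blocked_unsafe(const char *url)
{
    char buf[URL_BUF];
    strcpy(buf, url);               /* no length check: the overflow */
    return contains_blocked_phrase(buf);
}

enum filter_result { URL_ALLOWED = 0, URL_BLOCKED = 1, URL_TOO_LONG = 2 };

/* HARDENED: measure first, fail closed on over-long input, then copy within bounds. */
static enum filter_result url_filter_safe(const char *url)
{
    char buf[URL_BUF];
    size_t n = strlen(url);
    if (n >= URL_BUF)
        return URL_TOO_LONG;        /* reject rather than truncate silently */
    memcpy(buf, url, n + 1);        /* n + 1 <= URL_BUF, includes the NUL */
    return contains_blocked_phrase(buf) ? URL_BLOCKED : URL_ALLOWED;
}

/* True when a URL would overrun the unsafe function's buffer. */
static bool would_overflow(const char *url)
{
    return strlen(url) >= URL_BUF;
}

/* Constructed over-long URL (599 bytes) standing in for a hostile page's input. */
static const char *constructed_long_url(void)
{
    static char url[600];
    if (url[0] == '\0') {
        const char prefix[] = "http://example.invalid/";
        memset(url, 'A', sizeof url - 1);
        memcpy(url, prefix, sizeof prefix - 1);
        url[sizeof url - 1] = '\0';
    }
    return url;
}

int main(void)
{
    const char *short_url = "http://example.invalid/news";
    const char *hit_url   = "http://example.invalid/falun gong";
    const char *long_url  = constructed_long_url();

    printf("unsafe, short: %d\n", url_is_blocked_unsafe(short_url));
    printf("safe, short:   %d\n", url_filter_safe(short_url));
    printf("safe, hit:     %d\n", url_filter_safe(hit_url));
    printf("safe, long:    %d (would overflow unsafe: %d)\n",
           url_filter_safe(long_url), would_overflow(long_url));
    return 0;
}
```

The hardened version returns a distinct result for over-long input instead of truncating, so a caller can log the event; a filter that silently truncates would let a long URL carrying a blocked phrase past the check, which is the other failure mode worth avoiding here.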


  1. yeah, which is why every line, cable, microwave relay and other connection will be severed in about 30 seconds when the rest of the world catches on.
    Actually, how DO you make a plan to chop a country out of the web? Install secret switches in submarine cables under guise of breaks?

  2. And why can’t they just use a Linux distribution?

    From what I gather, they only have a Windows client.

  3. I wonder if it will block the download of Linux live CD ISO files?

    If the authorities ever came around to inspect your computer they may frown on a non-windows o/s installed on the hard drive.

  4. I’ve worked for ISP operations for years, including international internet connectivity, and isolating a country like China would be hard, but feasible.

    First, China has three primary internet feeds: underwater cables, satellite, and land-lines. While you could destroy the infrastructure of each, you’d be shooting yourself in the foot — other countries rely on those cables and satellites, and may object to a heavy handed approach.

    Fortunately, there’s an easier way: peering.

    China Telecom is the primary ISP for mainland China. They peer with many ISPs, both large and small, usually here in the US. They also have some paid connections to get them to the rest of the Internet that can’t or won’t peer with them.

    If China started being a massive bot-net, a whole lot of NOCs would start noticing traffic overloads on peering and backbone circuits, customer complaints, and if the botnet was being used for an attack, monitoring tools such as Arbor Netflow would pick that up. At that point, peering coordinators would attempt to contact China Telecom, most likely fail, and shut down their peering.

    This would force traffic over to paid connections, which are subject to the usual TOS agreements, which preclude DDOS attacks and similar activity. So, those would go down.

    Now, there would probably be some ISPs either coerced into keeping peering up, or too lazy to depeer or filter these attacks, so some traffic almost certainly will leak through. This traffic, if it grew to be large enough to be an issue, would most likely result in ISPs enacting edge-filters to look for ChinaTel’s ASN, 4134, and just drop those packets on the floor.

    Policy at different NOCs I’ve worked in ranged from just shutting down the ChinaTel peer when the DDOS attacks got too annoying, to complex filters and blackhole policies to limit the damage they could do.


  5. Somebody should make a virus that uses the exploit to disable the “green dam”. Problem solves itself.

  6. Daemon – “update” viruses are notoriously bad ideas – one of those really REALLY bad ideas that look totally brilliant until you see what they become “in the wild”.

    Apropos to the discussion at hand, much like Communism.

  7. First off, my idea on how to shut down all the computers which are turned into a botnet: have a program installed on each and every one of them that has an override kill switch built into it. Call it, like… Green Dam or something. Especially since they will be installing this on all new computers, meaning it could have a hardware component too.
    Better idea though. The Chinese government itself hijacks the computers for its own military botnet. Eh? Eh? Then it uses a China-sized botnet to DNS the hell out of its opponent and cripple their computer networks. Imagine trying to mobilize without any telecoms, yeouch. . . . oh shit

  8. @6 Daemon,

    It’s been done: the Welchia worm tried to patch systems and remove the MSBlaster worm. But it caused a major headache because the amount of network traffic it generated slowed down portions of the internet pretty badly.

  9. Thank you for your explanation #5 Anonymous, you sound like a person that knows a scary amount of detail?! Could someone use this for good rather than evil, maybe a botnet of truth turned upon its creator/thief/dictator/master, Tiananmen Square, Tibet, Falun Gong. Give them what they fear the most… just a thought. Feel the love! >:^]

  10. Have you considered Green Damn It and biz as usual in China?

    Mandatory. Not mandatory. Mandatory for Acer of .tw. Mandatory for Sony, from the land of the Rising Sun. And really mandatory for China’s own, Lenovo. They’ve already loaded Green Damn It. HP and Dell. Not mandatory. They held their water.

    So… too bad for numbers one and two. Probably. Not on the payroll. Lenovo? They’ll get compensated at Hodge Podge to keep up the Green Damn It. You know, to make up for the “penny stock elevator going down” situation. That won’t show up on the Stockholders report, but it will be there.

    After that? Dell and HP’s in Shanghai. Lenovo’s in Zhejiang and fill in the province here. And on and on. Has to be.

    The cat’s outta the bag on a regional basis.

    Not going back in there. Take care of business as usual and get on with it.
