[ISN] Chinese hackers wake up to malware riches

From: InfoSec News (alerts@private)
Date: Thu Mar 15 2007 - 22:19:39 PST


http://www.vnunet.com/vnunet/news/2185650/chinese-hackers-wake-malware

Tom Sanders in California
vnunet.com 
16 Mar 2007

Security researchers are noticing an increase in malware originating 
from China, which is adding to the challenge of investigating online 
pests.

"The last 3-4 months there has been a slow increase in Chinese malware. 
It used to be the odd file every now and then. Now it's almost every 
day," Chris Boyd, director of malware research with security vendor 
Facetime Communications told vnunet.com.

The region of Southeast Asia traditionally has been a hotbed of password 
stealers that go after login names and passwords for online games such 
as World of Warcraft. Criminals in those cases are after virtual 
currencies and goods that they then sell on auction websites.

The increase that Boyd is witnessing signals a larger trend where 
Chinese criminals are developing their own file downloaders and 
rootkits. Such pests can be used to control botnets, install adware and 
evade detection by security software. Just like in other parts of the 
world, money is the big driver behind this.

"They are starting to realize that you can make silly amounts of money 
from installing malware," said Boyd.

Roger Thompson, chief technology officer with Exploit Prevention Labs, 
shared Boyd's observations. He saw Chinese malware activities increase 
last January, when what is believed to be group of Chinese attackers 
hacked into the Superbowl website. The same group has been linked to a 
series of other online attacks.

Most of the recent zero-day vulnerabilities in Word and Excel that have 
emerged over the past months too are linked to Chinese hackers, Thompson 
said.

"I always thought that the face of the new generation of hackers would 
be Chinese. There is just so many of them, and they are an emerging 
technology power." Thompson told vnunet.com.

Chinese malware writers use essentially the same principles as their 
colleagues in other parts of the world. They copy exploits that other 
attackers have found. And in the constant battle against security 
software, malware code is encrypted and downloaders constantly switch 
the malware files that they fetch.

"It is old technology," commented Shane Coursen, a senior technical 
consultant with Kaspersky Labs. "The password stealers are basically a 
glorified keylogger."

But Boyd is seeing more advanced malware coming out if China as well. 
Earlier this month he dissected a Trojan dubbed Symfly. In addition to 
downloading multiple adware applications, it installed the Alexa 
toolbar. The tool is a legitimate application from web retailer Amazon 
that measures the popularity of websites. Next, the Trojan builders 
would open a series of websites in an apparent attempt to boost the 
Alexa ranking of those sites.

Local programmers also have developed rootkit technology that hides 
software from security software. Some of these can't be detected with 
current rootkit removal tools, and generally can be "completely 
horrendous", Boyd said in reference to the rootkit that ships with the 
Agent.bgg Trojan.

Chinese malware furthermore can be more difficult to dissect. Chinese 
websites for instance sometimes use seemingly random domain names which 
letter and number combinations are believed to have a symbolic 
significance.

Online gangs in the West often user random domain names to host 
malware-spreading websites. The malware is typically hidden behind 
seemingly legitimate content. The random domain names make it harder to 
determine if a legitimate website has been hacked to host malware, or is 
actually operated by criminals.

Most Chinese websites also forge registration information to evade local 
censors even if they don't publish any controversial materials. This 
again makes it harder to notify the owner of a hacked website and have 
the malware removed.


_________________________________________
Visit the InfoSec News Security Bookstore
http://www.shopinfosecnews.org



This archive was generated by hypermail 2.1.3 : Thu Mar 15 2007 - 22:25:29 PST