Chinese Hackers Waking up to Malware

An anonymous reader writes "An increase in malware originating from China has not gone unnoticed by security researchers, according to the site ITWeek. The aggravating software has been increasing over the last three months, to the point where some unlucky persons may be getting some every day. Individuals interviewed for the article are seeing an increasing sophistication and independent use of rootkits, new to the Chinese malware scene. 'China has traditionally been a hotbed of password stealers who go after log-in names and passwords for online games such as World of Warcraft. The criminals are after virtual currencies and goods which can be sold on auction websites.' These new types of software are actually encrypted, and can prove hard to dismantle."
  • Re:Catching up? (Score:3, Informative)

    by Anonymous Coward on Saturday March 17, 2007 @02:37PM (#18387675)
    ...because for the most part it's all in Chinese. Think about it: we pretty much have "western" adware and spyware mapped out to the point where we know who's behind what and what the files are doing. Security researchers can map out whole families of CWS, even if they don't specifically know who's behind it. Throw some Chinese adware on a PC, however, and even something as basic as the sites popping up is a strange new experience. Are the sites legit? Hacked? The adware guys' current flavour of the month? Who knows? And that's before you've even got to the adware. I imagine the problems are multiplied when dealing with something more malicious.
  • That's still local. (Score:4, Informative)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Saturday March 17, 2007 @03:47PM (#18388383)
    The MAC address and ARP broadcasts are only used for local delivery. Some machine on that local segment had to have already been cracked.

    There was a cracked machine sitting inside your firewall and broadcasting on your internal network.

    How it was cracked is the first issue.

    Using it as a proxy is just weird. It would be more efficient and effective to use it to scan other machines to see if they're vulnerable and to run attacks on your administrator passwords.

    Better yet, upload the BIOS info and see if a rootkit can be installed on the motherboard.

    It is a strange attack because it doesn't match any of the standard reasons for attacking.

    #1. Bandwidth - this is for spam and DDoS attacks.
          1a. Crack one machine and upload the address book and anything that appears to be an email address so infected emails can be sent to those addresses.
          1b. Crack one machine and scan that range to see if any other machines are vulnerable.

    #2. Information - compromise one machine / router / whatever and use that to attack important internal machines via worms or password attacks.

    The attack you describe is just ... weird. Why attempt to compromise multiple workstations via an outside site? That is too easily noticed. Suddenly all of your workstations are hitting this one site? That's a huge flag in the logs. Even if you hadn't noticed it on the workstations.

    And they wouldn't get any more bandwidth from the attack (case #1) nor would they get information that wasn't more easily available (and less noticeable) via other routes (case #2).
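The detection angle in the comment above (every workstation suddenly talking to one outside site is a huge flag in the logs) can be turned into a small fan-out check. The following is an added example, not code from the thread or from any poster; it assumes a constructed proxy/firewall log format of `<timestamp> <client IP> <destination host> <bytes>`, a constructed internal range of 10.0.0.0/8, and a constructed allow-list of destinations every workstation is expected to contact.

```python
"""Flag an external destination that many internal workstations contact.

Added example; not from the Slashdot thread. The log layout, the internal
range and the expected-destination allow-list below are all assumptions.
"""
from collections import defaultdict
import ipaddress

# Constructed sample log lines (documentation addresses and invented hosts).
SAMPLE_LOG = """\
2007-03-17T14:02:11 10.0.1.21 www.intranet.example 512
2007-03-17T14:02:14 10.0.1.22 update.vendor.example 2048
2007-03-17T14:02:20 10.0.1.21 odd-site.example 300
2007-03-17T14:02:21 10.0.1.22 odd-site.example 300
2007-03-17T14:02:22 10.0.1.23 odd-site.example 300
2007-03-17T14:02:23 10.0.1.24 odd-site.example 300
2007-03-17T14:02:25 10.0.1.23 news.example 9000
2007-03-17T14:02:31 203.0.113.9 odd-site.example 300
this line is garbage and must be skipped
2007-03-17T14:02:40 10.0.1.24 update.vendor.example 2048
"""

# Assumed: the workstation range and the destinations that legitimately see
# fan-out from every host (update servers, intranet portal).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EXPECTED_FANOUT = {"update.vendor.example", "www.intranet.example"}


def parse_log(text):
    """Yield (client_ip, dest_host) for well-formed lines; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        yield ip, parts[2]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def destination_fanout(text):
    """Map destination host -> set of distinct internal clients that hit it."""
    fanout = defaultdict(set)
    for ip, host in parse_log(text):
        if is_internal(ip):          # outside sources are not workstations
            fanout[host].add(ip)
    return fanout


def flag_shared_destinations(text, min_hosts=3, min_fraction=0.5):
    """Return (host, client_count) for destinations contacted by at least
    min_hosts internal clients and by at least min_fraction of all internal
    clients seen, excluding the expected allow-list."""
    fanout = destination_fanout(text)
    all_clients = set().union(*fanout.values()) if fanout else set()
    flagged = []
    for host, clients in fanout.items():
        if host in EXPECTED_FANOUT:
            continue
        share = len(clients) / len(all_clients)
        if len(clients) >= min_hosts and share >= min_fraction:
            flagged.append((host, len(clients)))
    return sorted(flagged, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for host, n in flag_shared_destinations(SAMPLE_LOG):
        print(f"ALERT: {host} contacted by {n} distinct internal hosts")
```

The allow-list matters: patch servers and intranet portals show the same fan-out pattern legitimately, so without it the check alerts on every Tuesday's updates rather than on the one site nobody configured.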
  • One Child Law... (Score:4, Informative)

    by eklitzke ( 873155 ) on Saturday March 17, 2007 @05:54PM (#18389649) Homepage

    I mostly agree with what you had to say. The part about the one child law is not that accurate however, so I wanted to comment on it.

    China has bred itself into a crisis. With their 1 child per couple law that has been in effect for decades, they now have 1 child that is supporting 2 parents who support 4 grandparents as they all move into retirement age. This is a monumental economic problem and is the reason why their economic policy is evolving at a rate that far outpaces the political evolution. External influences are what are changing the Chinese government, causing them to adopt rule sets and make changes that would never come internally.

    This hasn't really been in effect for as long as you think. My girlfriend and I are both 20, and her parents were both born well before the one child law. So probably the very first people born under this law have started to have children. I was also told by her family (not sure if this is 100% accurate) that the law works every other generation. So if you were a single child, you can have two children -- and they can have a single child, and their children can have two children, and so forth. In addition to all of this, it is worth mentioning that the population of China is still (slowly) growing, which indicates that the one child law isn't as strictly enforced as you might think.

    With respect to the rest of what you said, I agree with a lot of it. External influences dictate a huge amount of the national policy in the country. To even keep up the pace of growth that they have been sustaining for as long as they have shows that they are hugely more aware of international and economic policy than many people give them credit for. At the end of the day, China will do what it needs to do to keep their economy strong and safe.

  • Re:SOP (Score:2, Informative)

    by Anonymous Coward on Sunday March 18, 2007 @12:40AM (#18392051)
    How does one find what IP ranges Russia and China use?

    China:
    http://blackholes.us/zones/countries/cn.txt

    Russia:
    http://blackholes.us/zones/countries/ru.txt

    For iptables:
    # run as root; the loops take the CIDR from the second column of each zone file
    wget http://blackholes.us/zones/countries/cn.txt
    wget http://blackholes.us/zones/countries/ru.txt
    for IPRANGE in $(awk '{print $2}' cn.txt); do iptables -I INPUT -s "$IPRANGE" -j DROP; done
    for IPRANGE in $(awk '{print $2}' ru.txt); do iptables -I INPUT -s "$IPRANGE" -j DROP; done
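The loop above feeds whatever is in column two straight into iptables, so a comment line or a typo in the zone file becomes a failed or wrong rule. The following is an added example, not the commenter's script; it assumes the layout the post's `awk '{print $2}'` implies (whitespace-separated fields, CIDR in the second column), validates each entry, collapses overlapping ranges so fewer rules are loaded, and emits the rules as text for review before anything touches the firewall. The sample zone data is constructed from documentation ranges, not real country allocations.

```python
"""Turn a country IP-range list into validated iptables DROP rules.

Added example; not the poster's script. The zone-file layout (CIDR in the
second column) is an assumption taken from the awk field the post uses.
"""
import ipaddress

# Constructed sample in that layout: documentation ranges, one comment, one bad line.
SAMPLE_ZONE = """\
# comment line that should be ignored
route 192.0.2.0/24
route 192.0.2.128/25
route 198.51.100.0/24
route not-an-address
route 203.0.113.0/24
"""


def parse_zone(text):
    """Return valid IPv4 networks from column 2, skipping comments and bad lines."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            net = ipaddress.ip_network(parts[1], strict=False)
        except ValueError:
            continue                      # reject anything iptables would choke on
        if net.version == 4:              # the post's rules are IPv4-only
            nets.append(net)
    return nets


def collapse(nets):
    """Merge overlapping and adjacent networks so one rule covers each block."""
    return list(ipaddress.collapse_addresses(nets))


def iptables_rules(nets, chain="INPUT"):
    """One rule per network. -A appends, so ACCEPT rules placed earlier in the
    chain (management hosts, established connections) keep matching first;
    the post's -I would push every DROP ahead of them."""
    return [f"iptables -A {chain} -s {net.with_prefixlen} -j DROP" for net in nets]


def build_rules(text, chain="INPUT"):
    return iptables_rules(collapse(parse_zone(text)), chain)


if __name__ == "__main__":
    print("\n".join(build_rules(SAMPLE_ZONE)))
```

Printing the rules rather than executing them is deliberate: a country-wide block list is thousands of entries, and reviewing the generated set (and how many rules remain after collapsing) is cheap compared with locking yourself out of a remote box.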
