Chinese Hackers Waking up to Malware 65
An anonymous reader writes "An increase in malware originating from China has not gone unnoticed by security researchers, according to the site ITWeek. The aggravating software has been increasing over the last three months, to the point where some unlucky persons may be getting some every day. Individuals interviewed for the article are seeing an increasing sophistication and independent use of rootkits, new to the Chinese malware scene. 'China has traditionally been a hotbed of password stealers who go after log-in names and passwords for online games such as World of Warcraft. The criminals are after virtual currencies and goods which can be sold on auction websites.' These new types of software are actually encrypted, and can prove hard to dismantle."
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2, Informative)
China:
http://blackholes.us/zones/countries/cn.txt [blackholes.us]
Russia:
http://blackholes.us/zones/countries/ru.txt [blackholes.us]
For iptables:
#wget http://blackholes.us/zones/countries/cn.txt [blackholes.us]
#wget http://blackholes.us/zones/countries/ru.txt [blackholes.us]
#for IPRANGE in `cat cn.txt | awk '{print $2}'`; do iptables -I INPUT -s $IPRANGE -j DROP; done
#for IPRANGE in `cat ru.txt | awk '{print $2}'`; do iptables -I INPUT -s $IPRANGE -j DROP; done
And you end up blocking me, too (Score:1)
Re: (Score:1)
broad brush (Score:1)
so, if there is some reason you need me to send you e-mail, i have no way to tell you that you have me blocked
Re: (Score:3, Informative)
Re: (Score:3, Funny)
That's a tough one to notice, eh? Ads in Chinese... "I don't understand this shit, maybe it's free pr0n!"
Adware is adware, rootkits are rootkits... I don't care what language they're in - English, Chinese, Swahili or even Basic.
They're annoying all the same.
Re: (Score:1)
Using HijackThis and other security tools provided I managed to get rid of that damn spyware with the help of an expert from a forum.
If you can stay away from those suspicious chinese sites please do.
Else it's going to be hectic for you later.
Re:Catching up? (Score:5, Insightful)
That which serves ads must be news.
Re: (Score:1)
Yeah, there was a token amount of "news" hidden in the corner of the screen, but not such that it inteferred with the zillions of ad links there.
> Ah yes, his heads' been ripped off. I shall get him another. | echoreply [echoreply.us]
"Heads'" contains one too many characters.
National Security Nightmare? (Score:2, Funny)
Re: (Score:2)
Hacked By Chinese! (Score:1)
Pretty cool stuff, actually (Score:5, Interesting)
One of our buildings was going through an antivirus upgrade over AD when it got hit. Every machine in the building was getting an iframe in the web browser from some Chinese ISP (usa.d3a.us) that would bracket the computers web browsing session throughout its duration. The iframe contained javascript designed to capture passwords from gmail and other public websites, in essence a browser-based keylogger. Of course, blocking the offending domains through our filter got rid of the iframe, but it still affected websites because now they all had broken source code (wonderful XML render errors on just about every website, including google).
Then the hunt was on.
The 'sophistication' I witnessed comes from the fact that no matter how many of these boxes we cleaned and patched, the iframe source code kept popping up everywhere. I ran a Wireshark on it and discovered something rather interesting (to me anyways). The software was attacking the router's ARP table, by feeding it a bogus mac address (one of the infected machines) in essence redirecting all network traffic to a software-based proxy. Tracking down machines via MAC address and patching them eventually resolved the issue long enough to update the antivirus on the network, but I left the place somewhat in awe of what I had just seen, having most of my network antivirus experience involve easily blockable/patchable worms and viruses.
While an ARP attack isn't all that uncommon, the presence of Chinese characters on every infected machine was a dead giveaway. Not exactly something I'd ever seen from a country more historically known for installing local keyloggers to steal WoW accounts.
But or a good hour or two, I was getting my ass handed to me, and I had to completely disconnect the building from the WAN. In addition, our AV (very big-name corporate AV firm), didn't do shit on it. After the update I had to submit samples to the AV company to get a permanent patch upstream.
Firewall? (Score:2, Insightful)
So the "proxy" you describe would have to have been a local machine, too.
How did they get through your firewall to establish a local proxy?
Re: (Score:2)
Example
Such as: who has 10.0.0.1 (router IP), tell 10.0.0.x
Response: XX:XX:XX:XX has 10.0.0.1 (local machine pretending to be router announcing every 2 seconds)
That's still local. (Score:4, Informative)
There was a cracked machine sitting inside your firewall and broadcasting on your internal network.
How it was cracked is the first issue.
Using it as a proxy is just weird. It would be more efficient and effective to use it to scan other machines to see if they're vulnerable and to run attacks on your administrator passwords.
Better yet, upload the BIOS info and see if a rootkit can be installed on the motherboard.
It is a strange attack because it doesn't match any of the standard reasons for attacking.
#1. Bandwidth - this for for spam and DDoS attacks.
1a. Crack one machine and upload the address book and anything that appears to be an email address so infected emails can be sent to those addresses.
1b. Crack one machine and scan that range to see if any other machines are vulnerable.
#2. Information - compromise one machine / router / whatever and use that to attack important internal machines via worms or password attacks.
The attack you describe is just
And they wouldn't get any more bandwidth from the attack (case #1) nor would they get information that wasn't more easily available (and less noticeable) via other routes (case #2).
Re: (Score:3, Insightful)
As to what would make sense for them to hack, I think it would make MORE sense for them to try to capture we
Re: (Score:2)
Re: (Score:2, Insightful)
As long as any mach
Re: (Score:2)
Re: (Score:2)
It always occured to us first when arpwatch was going mad.
And as you said: AV Vendor had no signatures whatsoever, only after submitting samples S***** came up with new signatures.
In fact S***** was installed on those computers and quite happy with a completely overtaken machine sniffing the ne
Re: (Score:2, Insightful)
Criminal activity, like fire and corrosion, has existed for as long as we have been here on earth. We should know by now how to intelligently mitigate the ill effects.
Its dangerous not to understand fire and light one. Its dangerous to expose your machine to the internet and not know exactly what its doing.
Your experience mirrors exactly what I studied at an internet security class...
Re: (Score:2)
It is similar to turning off the streetlights in a high crime area so you can't see the crime.
Closed and gizmo happy --- it WILL be insecure.
Open and obvious works like the Unix Honor Virus --- it doesn't seem to go anywhere. (although I think somebody had a very cute very sma
Re: (Score:1)
You are so right.
For years, until this MSIE "proprietary" crap came along, I was used to going to "view document source" if anything didn't render correctly. I could usually spot in a few minutes of seeing the HTML tags what went wrong.
At least I KNEW the worst any webmaster could possibly do to me is give me a page that would not render.
No matter what he did, I could at least see anything he sent me in a text editor, such as if his ad overlaid the tex
Re: (Score:1)
Re: (Score:1)
It will be short lived (Score:5, Interesting)
The Chinese government will reign in the criminal elements. They can't afford them damaging their economy. There is too much business to be done in order to keep their economy afloat that if we threatened to cut their internet access, they would go out and put the criminals in prison for life.
China has bred themselves into a crisis. With their 1 child per couple law that has been in effect for decades, they now have 1 child that is supporting 2 parents who supports 4 granparents as they all move into retirement age. This is a monumental economic problem and is the reason why their economic policy is evolving at a rate that far outpaces the political evolution. External influences are what are changing the Chinese government, causing them to adopt rule sets and make changes that would never come internally.
Example: SARS...
People started flying out of China with this illness (SARS). Communist China denied the problem even existed. The World Health Organization stepped in and grounded all flights departing from specific regions of China, causing a panic in the Business world supporting the Chinese economy. This forced China to recognize the problem and adopt new information sharing rules whereby we now know about the Asian Bird Fru YEARS before it becomes a global pandemic (if it ever does). This is an external change that never would have come internally from their own country.
China monitors their internet very closely, they know who the criminals are. They will be shut down soon because to let them continue would 1) be an embarassment to China, and 2) could have disasterous economic consequences.
As a simple reference: The United States currently consumes 40 Quadrillion BTU's of energy per year from all sources. China consumes 7 QBTU and needs to get to 14 QBTU within the next 10 years in order to keep their economy from collapsing. They have a lot of work to do and they're not going to let malware authors derail their country. If they get derailed, they're going to be headed in the same direction as the Soviet Union. China will do anything to prevent that from happening, including invading their neighbors. China is a nation of pride, there is no way they're going to let their nation fail.
When the Soviet Union collapsed, the citizens didn't much care because at least the Vodka was still cheap!
Re: (Score:1)
Re: (Score:2)
So, yes, when it came to "shutting down" DVD pirates, they made a few walk the plank just for show... then business as usual.
There is nothing but shame that can come to China if they let cyber crime run rampant within China as well as against other externally connected
Re: (Score:2, Insightful)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
One Child Law... (Score:4, Informative)
I mostly agree with what you had to say. The part about the one child law is not that accurate however, so I wanted to comment on it.
This hasn't really been in effect for as long as you think. My girlfriend and I are both 20, and her parents were both born well before the one child law. So probably the very first people born under this law have started to have children. I was also told by her family (not sure if this is 100% accurate) that the law works every other generation. So if you were a single child, you can have two children -- and they can have a single child, and their children can have two children, and so forth. In addition to all of this, it is worth mentioning that the population of China is still (slowly) growing, which indicates that the one child law isn't as strictly enforced as you might think.
With respect to the rest of what you said, I agree with a lot of it. External influences dictate a huge amount of the national policy in the country. To even keep up the pace of growth that they have been sustaining for as long as they have shows that they are hugely more aware of international and economic policy than many people give them credit for. At the end of the day, China will do what it needs to do to keep their economy strong and safe.
Slashdot crowd is safe! (Score:3, Funny)
That's not us. For better or worse...
No news like old news (Score:2)
Without intellectual property... (Score:1)
Re: (Score:2)
Oh hmm. (Score:2, Funny)
TFS makes it sound as if that is a bad thing.
Welcome to Slashdot, I guess.
use linux (Score:1)
Hello? This is a WINDOWS problem (Score:2)
Re: (Score:1, Insightful)
http://it.slashdot.org/comments.pl?sid=227013&cid= 18388731 [slashdot.org]
Quote:
It was a very weird attack. My nUbuntu laptop was affected by the iframe which was one of the instant alerts that this had to do with MAC or IP hijacking rather then just a simple virus like a worm.
Web application security is the new "buffer overflow" of the security world.If you think only MS products are affected by this , have a good time getting pwned...
and what was the pwn3d box on the inside running? (Score:1)
Did you miss that part about there having to be a box (still) pwned on the inside? Yeah, once there's a bot on the inside, no standard browser is safe, but how did that bot get in?
Sure, it _might_ have been a Linux box poorly administered, but then again it might have been just about _any_ MSWindows box.
Odds? Come on, be serious.
The culprit is Bill Gates for insisting on sel
Re:regarding the koolaid... (Score:1)
Re: (Score:1)
I believe the "koolaid of the day" today is Javascript, Media players, and Instant Messenger apps.
Javascript was used to do this particular one. If javascript had not been present here, this would not have happened. I see Javascript to secure computing much as I see a spilled puddle of
Re:regarding the koolaid... Regarding escape seq,, (Score:1)
Re: (Score:1)
I have NEVER seen an ansi bomb do THAT much destruction!
Although the embedded "echo 'y' | format c:" came close. Remember that one? Deadly.
I had renamed my format and fdisk command names to mitigate those.
I long for those days where if someone came and messed up my machine, seeing what they did and cleaning up after them was about as simple as mitigating my dog's accidents. It was obvious where the mess was, one just got out the mop or backup disk and cleaned it up. Didn't have to beg someone
confused... (Score:1)