Chinese Hackers Waking up to Malware
An anonymous reader writes "An increase in malware originating from China has not gone unnoticed by security researchers, according to the site ITWeek. The aggravating software has been increasing over the last three months, to the point where some unlucky persons may be getting some every day. Individuals interviewed for the article are seeing an increasing sophistication and independent use of rootkits, new to the Chinese malware scene. 'China has traditionally been a hotbed of password stealers who go after log-in names and passwords for online games such as World of Warcraft. The criminals are after virtual currencies and goods which can be sold on auction websites.' These new types of software are actually encrypted, and can prove hard to dismantle."
Malware Rootkits AdWare is all pretty standard stuff.
How exactly is this news?
Maybe the Sony rootkit was a front to steal national secrets?
for sale
I'm a self-modifying sig virus
http://en.wikipedia.org/wiki/Code_Red_worm
This article is interesting because a) I've seen it firsthand this past week, and b) Some of these are actually very sophisticated attacks.
One of our buildings was going through an antivirus upgrade over AD when it got hit. Every machine in the building was getting an iframe in the web browser from some Chinese ISP (usa.d3a.us) that would bracket the computer's web browsing session throughout its duration. The iframe contained javascript designed to capture passwords from gmail and other public websites, in essence a browser-based keylogger. Of course, blocking the offending domains through our filter got rid of the iframe, but it still affected websites because now they all had broken source code (wonderful XML render errors on just about every website, including google).
Then the hunt was on.
The 'sophistication' I witnessed comes from the fact that no matter how many of these boxes we cleaned and patched, the iframe source code kept popping up everywhere. I ran a Wireshark on it and discovered something rather interesting (to me anyways). The software was attacking the router's ARP table, by feeding it a bogus mac address (one of the infected machines) in essence redirecting all network traffic to a software-based proxy. Tracking down machines via MAC address and patching them eventually resolved the issue long enough to update the antivirus on the network, but I left the place somewhat in awe of what I had just seen, having most of my network antivirus experience involve easily blockable/patchable worms and viruses.
While an ARP attack isn't all that uncommon, the presence of Chinese characters on every infected machine was a dead giveaway. Not exactly something I'd ever seen from a country more historically known for installing local keyloggers to steal WoW accounts.
But for a good hour or two, I was getting my ass handed to me, and I had to completely disconnect the building from the WAN. In addition, our AV (very big-name corporate AV firm) didn't do shit on it. After the update I had to submit samples to the AV company to get a permanent patch upstream.
If you're half as beautiful naked, you'd be 4 times as beautiful with twice as many clothes on.
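The post above describes the infected host answering ARP for the router so that the whole segment's traffic flowed through its proxy. The script below is an added example, not code from the poster, showing what a defender can watch for: an IP (above all the gateway's) that suddenly resolves to a different MAC, and one MAC that starts claiming several IPs. The gateway address, MACs and the reply sequence are constructed sample data; in practice the tuples would come from a capture or an arpwatch-style log.

```python
"""Flag ARP rebinding of the kind described in the post above (added example)."""
from collections import defaultdict

GATEWAY_IP = "10.1.0.1"  # assumed gateway for this constructed network

# Constructed sample of observed ARP replies: (seconds, sender IP, sender MAC).
# The real gateway is ...:01. At t=30 the host ...:42 answers for the gateway,
# then for two peers, and at t=33 the real gateway answers again (flapping).
SAMPLE_REPLIES = [
    (0,  "10.1.0.1",  "aa:bb:cc:00:00:01"),
    (1,  "10.1.0.20", "aa:bb:cc:00:00:20"),
    (2,  "10.1.0.21", "aa:bb:cc:00:00:21"),
    (30, "10.1.0.1",  "aa:bb:cc:00:00:42"),
    (31, "10.1.0.20", "aa:bb:cc:00:00:42"),
    (32, "10.1.0.21", "aa:bb:cc:00:00:42"),
    (33, "10.1.0.1",  "aa:bb:cc:00:00:01"),
]


def analyze_arp(replies, gateway_ip=GATEWAY_IP, max_ips_per_mac=2):
    """Return (severity, time, message) alerts for IP->MAC changes and for
    MACs that claim more than max_ips_per_mac addresses."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    flagged_macs = set()
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            # A moving gateway binding redirects every host's traffic, so it is
            # the critical case; other hosts moving is still worth a look.
            severity = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append((severity, ts, f"{ip} moved from {prev} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac and mac not in flagged_macs:
            flagged_macs.add(mac)  # report each greedy MAC once
            alerts.append(("WARNING", ts,
                           f"{mac} claims {len(mac_to_ips[mac])} IPs: "
                           f"{sorted(mac_to_ips[mac])}"))
    return alerts


def suspect_macs(replies, gateway_ip=GATEWAY_IP):
    """MACs that answered for the gateway IP other than the first one seen."""
    first = None
    suspects = set()
    for _, ip, mac in replies:
        if ip != gateway_ip:
            continue
        mac = mac.lower()
        if first is None:
            first = mac
        elif mac != first:
            suspects.add(mac)
    return sorted(suspects)


if __name__ == "__main__":
    for severity, ts, msg in analyze_arp(SAMPLE_REPLIES):
        print(f"[{severity}] t={ts}s {msg}")
    print("suspect MACs:", suspect_macs(SAMPLE_REPLIES))
```

The "first MAC seen" heuristic assumes the monitor was up before the poisoning started; on a network where the gateway's MAC is known, pin it as a constant instead, and the flapping between the real and bogus binding (the two CRITICAL alerts here) is the pattern to page on.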
This subject is worthy of a book, however, I'll try to convey some level 5 thoughts and hopefully it'll make sense:
The Chinese government will rein in the criminal elements. They can't afford them damaging their economy. There is too much business to be done in order to keep their economy afloat that if we threatened to cut their internet access, they would go out and put the criminals in prison for life.
China has bred themselves into a crisis. With their 1 child per couple law that has been in effect for decades, they now have 1 child that is supporting 2 parents who support 4 grandparents as they all move into retirement age. This is a monumental economic problem and is the reason why their economic policy is evolving at a rate that far outpaces the political evolution. External influences are what are changing the Chinese government, causing them to adopt rule sets and make changes that would never come internally.
Example: SARS...
People started flying out of China with this illness (SARS). Communist China denied the problem even existed. The World Health Organization stepped in and grounded all flights departing from specific regions of China, causing a panic in the business world supporting the Chinese economy. This forced China to recognize the problem and adopt new information sharing rules whereby we now know about the Asian Bird Flu YEARS before it becomes a global pandemic (if it ever does). This is an external change that never would have come internally from their own country.
China monitors their internet very closely; they know who the criminals are. They will be shut down soon because to let them continue would 1) be an embarrassment to China, and 2) could have disastrous economic consequences.
As a simple reference: The United States currently consumes 40 Quadrillion BTUs of energy per year from all sources. China consumes 7 QBTU and needs to get to 14 QBTU within the next 10 years in order to keep their economy from collapsing. They have a lot of work to do and they're not going to let malware authors derail their country. If they get derailed, they're going to be headed in the same direction as the Soviet Union. China will do anything to prevent that from happening, including invading their neighbors. China is a nation of pride; there is no way they're going to let their nation fail.
When the Soviet Union collapsed, the citizens didn't much care because at least the Vodka was still cheap!
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
The MAC addresses of your router shouldn't matter. They're LOCAL machines.
So the "proxy" you describe would have to have been a local machine, too.
How did they get through your firewall to establish a local proxy?
That's not us. For better or worse...
In Soviet Washington the swamp drains you.
Deja-vu, anyone?
Everything I needed to know about life, I learnt from Blake's Seven
Without intellectual property laws, is it even technically illegal to steal passwords in China? I mean, the downsides are obvious, but I don't think that Chinese law is prepared for this sort of thing.
Only on Slashdot...
The MAC address and ARP broadcasts are only used for local delivery. Some machine on that local segment had to have already been cracked.
... weird. Why attempt to compromise multiple workstations via an outside site? That is too easily noticed. Suddenly all of your workstations are hitting this one site? That's a huge flag in the logs. Even if you hadn't noticed it on the workstations.
There was a cracked machine sitting inside your firewall and broadcasting on your internal network.
How it was cracked is the first issue.
Using it as a proxy is just weird. It would be more efficient and effective to use it to scan other machines to see if they're vulnerable and to run attacks on your administrator passwords.
Better yet, upload the BIOS info and see if a rootkit can be installed on the motherboard.
It is a strange attack because it doesn't match any of the standard reasons for attacking.
#1. Bandwidth - this for for spam and DDoS attacks.
1a. Crack one machine and upload the address book and anything that appears to be an email address so infected emails can be sent to those addresses.
1b. Crack one machine and scan that range to see if any other machines are vulnerable.
#2. Information - compromise one machine / router / whatever and use that to attack important internal machines via worms or password attacks.
The attack you describe is just
And they wouldn't get any more bandwidth from the attack (case #1) nor would they get information that wasn't more easily available (and less noticeable) via other routes (case #2).
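The reply above makes the point that every workstation suddenly hitting one outside site is a huge flag in the logs. As an added example (not code from the thread), the script below runs that check over constructed proxy log lines: it counts distinct internal clients per destination inside a sliding time window and reports destinations that cross a threshold. The log format, client addresses and timestamps are made up; the destination usa.d3a.us is the domain named earlier in the thread.

```python
"""Fan-in detection over proxy logs: many clients, one new destination (added example)."""
from collections import defaultdict

# Constructed proxy log lines: "<epoch seconds> <client_ip> <destination_host>".
SAMPLE_LOG = """\
1170000000 10.1.0.20 www.example.com
1170000001 10.1.0.21 mail.example.net
1170000002 10.1.0.20 usa.d3a.us
1170000003 10.1.0.21 usa.d3a.us
1170000004 10.1.0.22 usa.d3a.us
1170000005 10.1.0.23 usa.d3a.us
1170000006 10.1.0.24 usa.d3a.us
1170000007 10.1.0.22 www.example.com
1170000300 10.1.0.25 usa.d3a.us
1170009999 10.1.0.30 www.example.com
1170009999 10.1.0.31 www.example.com
"""


def parse_log(text):
    """Parse the constructed 3-column format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, host = parts
        records.append((int(ts), client, host.lower()))
    return records


def fan_in(records, window=60, min_clients=4, allowlist=()):
    """Return {host: peak distinct clients} for hosts contacted by at least
    min_clients distinct clients within any window of `window` seconds.
    Hosts in allowlist (known-popular sites) are ignored."""
    by_host = defaultdict(list)
    for ts, client, host in records:
        if host in allowlist:
            continue
        by_host[host].append((ts, client))
    hits = {}
    for host, events in by_host.items():
        events.sort()
        peak = 0
        # Slide the window start over each event and count distinct clients in it.
        for i, (start, _) in enumerate(events):
            clients = {c for t, c in events[i:] if t - start <= window}
            peak = max(peak, len(clients))
        if peak >= min_clients:
            hits[host] = peak
    return hits


if __name__ == "__main__":
    for host, n in fan_in(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {n} distinct clients within 60s")
```

The allowlist matters in practice: a software update server or a popular site will trip the same threshold every morning, so seed it from a baseline of destinations seen before the incident and alert on the remainder.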
...to the point where some unlucky persons may be getting some every day.
:)
TFS makes it sound as if that is a bad thing.
Welcome to Slashdot, I guess.
Actually, my SOP is just to block all IP traffic from China and Russia and other such nasty places. That helps a LOT with all kinds of malware and spam.
I don't respond to AC's.
Use Linux and this wouldn't be happening.
I mostly agree with what you had to say. The part about the one child law is not that accurate however, so I wanted to comment on it.
This hasn't really been in effect for as long as you think. My girlfriend and I are both 20, and her parents were both born well before the one child law. So probably the very first people born under this law have started to have children. I was also told by her family (not sure if this is 100% accurate) that the law works every other generation. So if you were a single child, you can have two children -- and they can have a single child, and their children can have two children, and so forth. In addition to all of this, it is worth mentioning that the population of China is still (slowly) growing, which indicates that the one child law isn't as strictly enforced as you might think.
With respect to the rest of what you said, I agree with a lot of it. External influences dictate a huge amount of the national policy in the country. To even keep up the pace of growth that they have been sustaining for as long as they have shows that they are hugely more aware of international and economic policy than many people give them credit for. At the end of the day, China will do what it needs to do to keep their economy strong and safe.
#include ".signature"
"All your base are belong to us" in Mandarin Chinese?
How does one find what IP ranges Russia and China use?
If you want news from today, you have to come back tomorrow.
Get some spam... check the originator. Use and check the country of origin. If it's a zombie, there's not much you can do. If it's from China or a former Soviet state, then use Sam Spade again to look up the ISP's netblock, and block all IP traffic from that block of IPs.
Why aren't Microsoft or Windows mentioned in the headline or summary, since they are the enablers of this entire phenomenon?
you had me at #!
So there were Linux boxen and Firefox browsers on the inside as well, and they were affected by the attack in the third or fourth wave.
Did you miss that part about there having to be a box (still) pwned on the inside? Yeah, once there's a bot on the inside, no standard browser is safe, but how did that bot get in?
Sure, it _might_ have been a Linux box poorly administered, but then again it might have been just about _any_ MSWindows box.
Odds? Come on, be serious.
The culprit is Bill Gates for insisting on selling OSes and office applications that are unsafe at any speed.
The other culprit is us for buying his hacktrap. We couldn't wait for a safer pace of development, so we drank the koolaid.
Comcast blocks mail from my ISP. I can't contact my sister from that mail address to her comcast address. I told them about that, and they said _I_ have to access their blacklist page and tell them through that that my ISP is legit after all. No, I can't tell them by e-mail, even if I use google mail to contact them. So my sister doesn't use comcast mail, and will soon not use comcast at all.
How does one find what IP ranges Russia and China use?
China:
http://blackholes.us/zones/countries/cn.txt
Russia:
http://blackholes.us/zones/countries/ru.txt
For iptables:
# wget http://blackholes.us/zones/countries/cn.txt
# wget http://blackholes.us/zones/countries/ru.txt
# for IPRANGE in $(awk '{print $2}' cn.txt); do iptables -I INPUT -s "$IPRANGE" -j DROP; done
# for IPRANGE in $(awk '{print $2}' ru.txt); do iptables -I INPUT -s "$IPRANGE" -j DROP; done
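The loop above inserts one iptables rule per netblock, which for a whole country means thousands of rules walked on every packet. As an added example (not from the post or from blackholes.us), the script below parses a list in the shape that loop assumes (a label, then the CIDR in the second column), drops malformed entries, merges adjacent and duplicate blocks, and emits one ipset set plus a single iptables rule that matches against it. The sample list is constructed from RFC 5737 documentation ranges, not any country's real allocations, and the exact column layout of the real zone files is an assumption.

```python
"""Country netblock list -> one ipset-backed iptables rule (added example)."""
import ipaddress

# Constructed sample in the assumed "<label> <cidr>" layout. The first two
# blocks are adjacent halves of a /24, the fourth is a duplicate, and the last
# two lines are deliberately malformed.
SAMPLE_ZONE = """\
cn 198.51.100.0/25
cn 198.51.100.128/25
cn 203.0.113.0/24
cn 198.51.100.0/25
cn 999.1.1.0/24
junk
"""


def parse_zone(text):
    """Return (collapsed IPv4 networks, rejected lines)."""
    nets, bad = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            bad.append(line)
            continue
        try:
            net = ipaddress.ip_network(parts[1], strict=False)
        except ValueError:
            bad.append(line)
            continue
        if net.version != 4:  # keep one address family per set
            bad.append(line)
            continue
        nets.append(net)
    # collapse_addresses merges adjacent blocks and removes duplicates/subsets.
    return list(ipaddress.collapse_addresses(nets)), bad


def ipset_commands(nets, setname="country-block"):
    """Shell commands that build the set and install a single DROP rule."""
    cmds = [f"ipset create {setname} hash:net -exist"]
    cmds += [f"ipset add {setname} {net} -exist" for net in nets]
    cmds.append(f"iptables -I INPUT -m set --match-set {setname} src -j DROP")
    return cmds


def is_blocked(ip, nets):
    """True if ip falls inside any of the parsed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    nets, bad = parse_zone(SAMPLE_ZONE)
    for cmd in ipset_commands(nets):
        print(cmd)
    for line in bad:
        print("rejected:", repr(line))
```

Validating every CIDR before it reaches iptables also keeps a corrupted download from aborting the loop halfway; and, as another reply in this thread notes, a country-wide block is coarse enough to catch legitimate correspondents, so keep the set small and reviewable rather than appending to it blindly.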
OK, so who sold us the first cup of koolaid? Was it the 6502 people, or was it Intel's 4004? The pace has increased continually since there were computers that were smaller than a room.
I don't understand what my business blocking IP traffic from China and Russia has to do with your sister's problems with Comcast.
I believe the "koolaid of the day" today is Javascript, Media players, and Instant Messenger apps.
Javascript was used to do this particular one. If javascript had not been present here, this would not have happened. I see Javascript to secure computing much as I see a spilled puddle of gasoline to fire safety.
Now, if we could just all agree on a standard public format for images, media, and IM, we could have TRUSTED, PUBLICLY VERIFIABLE programs to read the file and properly present it as image or sound.
The trusted programs mentioned would be incapable of anything but what they were designed to do.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
Funny you would mention the escape sequences :-) Several weeks ago my main Windows XP MCE computer, with hundreds of gigabytes of stuff (none pirated) stored on it, had an incident. I had cygwin loaded and updated. I had developed a simple C++ (gnu) program to create HTML web pages. I was in a cygwin bash window, and I accidentally cat'ed the binary (a.out) of my C++ page generator. Several lines of binary goop appeared on the screen and then the computer froze up. I mean seriously frozen, including the caps lock button no longer toggling the LED. I tried to reboot and found the entire system was gone. There was no bootable image, no F8 safe booting options. The hard drive partition was gone, and with it all my files, source code (several days' worth) and many things I had downloaded such as public domain ISO images for Ubuntu and Oracle Linux...

Now I realize it is my responsibility to keep my files backed up, but this was my main, "use every day" box, heavily loaded with MSDN Visual Studio and TechNet Plus licensed software. It takes approximately three days of continuous work to load up and configure that box that way, not counting the downloads I would have to redo. All of this because the accidental displaying of binary data in the cygwin bash window blew away everything. This was the final fuck you from Windows and Microsoft for me. It should not be possible to cause that much destruction in such a way. I have now switched completely from the Microsoft environment for all daily work and play. It's too bad about cygwin being part of this trouble, because I thought highly of cygwin for quite some time now.

Now I am using a Mac OS X Tiger powered G4 17" flat panel Mac for email, web, downloading and development coding. BBEdit is very cool. I am using Ubuntu to cross develop for the gumstix platform (http://www.gumstix.com). I am running Scientific Linux on an old laptop, and between these systems, everything I currently need to do is being done.
I have partaken heavily of the Unix koolaid, but for now, it is sweet.
that you paint Russia and China with probably picks up my provider in the swath, too.
So, if there is some reason you need me to send you e-mail, I have no way to tell you that you have me blocked.
So what's the sense of a Chinese wall?
I have NEVER seen an ansi bomb do THAT much destruction!
Although the embedded "echo 'y' | format c:" came close. Remember that one? Deadly.
I had renamed my format and fdisk command names to mitigate those.
I long for those days where if someone came and messed up my machine, seeing what they did and cleaning up after them was about as simple as mitigating my dog's accidents. It was obvious where the mess was, one just got out the mop or backup disk and cleaned it up. Didn't have to beg someone else for help.
Once the courts decided that Microsoft's "click" agreements and EULAs could legally shield them from product liability, we've had buggy code. I guess we would still have exploding cars if the courts told Ford that they could escape their exploding Pinto tank liability by printing up a little KeyTurn agreement which deemed Ford harmless and you agreed by turning the engine start key.
Just as RIAA is trying to rid the world of piracy by lawsuits, the very same paradigm would be very effective in getting Microsoft and others not to release buggy code that others depend on. But it takes a court system and a Congress that considers our nation's computing infrastructure to be as important as having cars that don't explode.
To me, that should have been part of the DMCA, that is to have companies RESPONSIBLE for the code if they are going to deliberately encrypt/obfuscate it in the light rendering its internal operations opaque to the end user.
But, our Congress is not like my parents. I had to eat my peas if I wanted dessert.
RIAA talked them out of the pea part, and just got the dessert.
I feel the public should hold Congress accountable for this mess, and elect people who WILL codify corporate responsibility into law, just as the RIAA and BSP got Congress to codify the end user's responsibility into law.
Note I never said DMCA was BAD law, I just claim it's an UNEQUAL, UNFAIR law because it only represents ONE party's interest.