Slashdot Mirror
Chinese Hackers Waking up to Malware
An anonymous reader writes "An increase in malware originating from China has not gone unnoticed by security researchers, according to the site ITWeek. The aggravating software has been increasing over the last three months, to the point where some unlucky persons may be getting some every day. Individuals interviewed for the article are seeing an increasing sophistication and independent use of rootkits, new to the Chinese malware scene. 'China has traditionally been a hotbed of password stealers who go after log-in names and passwords for online games such as World of Warcraft. The criminals are after virtual currencies and goods which can be sold on auction websites.' These new types of software are actually encrypted, and can prove hard to dismantle."
That which serves ads must be news.
The MAC addresses of your router shouldn't matter. They're LOCAL machines.
So the "proxy" you describe would have to have been a local machine, too.
How did they get through your firewall to establish a local proxy?
Many, if not most, of the "citizens" of the Soviet Union didn't care because the collapse was something they had been hoping for ever since Russia occupied their countries. It meant they could actually buy food in stores, cross the border and not have to support the ethnic russian population. Nevermind the fact that the Soviet Union made Hitler seem relatively harmless considering the number of people murdered or sent to prison camps.
I'm not going to criticize what it COULD have done. Obviously, there are some machines on that portion of the network that are not sufficiently hardened and that will be dealt with. The delivery mechanism of the malware had to be an internal user with overblown desktop privs, but having inhereted this 5,000 node network 4 months ago that's an issue we're addressing with the AD and antivirus rollout.
As to what would make sense for them to hack, I think it would make MORE sense for them to try to capture web-based logins such as gmail, et al, since those would be easier for them to access then actually cracking through a Cisco ASA or a pix and getting access to a machine with nothing more then MS Office and a desktop. At least those are tangible hacks that can be compromised instantly regardless of where in the world the attack originated.
It was a very weird attack. My nUbuntu laptop was affected by the iframe which was one of the instant alerts that this had to do with MAC or IP hijacking rather then just a simple virus like a worm. The network logs were immediately noticed, but how many small networks without sysops do you think will be able so sufficiently notice and protect against this. This is going to be a very successful attack, and it's the first Chinese attack I have ever seen to this measure.
If you're half as beautiful naked, you'd be 4 times as beautiful with twice as many clothes on.
You just don't get it. With a MAC address attack, as long as any machine on the local network is compromised, they control all traffic on that network. You have to resort to non-networked methods of fixing machines. Additionally, you can have that one machine process things locally to minimize the much more likely to be noticed internet traffic. After scraping some information, let the arp poisoning expire and they can sit undetected for a long time until they decide to wake up again.
As long as any machine on the entire internet is compromised they can redirect machines to proxy through it to control vast networks of machines. Make the worm self modifying to keep track of a list of compromised machines with open internet access and you have a really tough to beat worm.
These attacks are targeted at businesses not individual users. They don't want your email addresses. They don't want it for DoDDs attacks. They want to sit there and listen for banking information or insider information for stock market manipulation or to sell trade secrets. Spam and DoS are kid stuff. This is done by the big boys.
Criminal activity, like fire and corrosion, has existed for as long as we have been here on earth. We should know by now how to intelligently mitigate the ill effects.
Its dangerous not to understand fire and light one. Its dangerous to expose your machine to the internet and not know exactly what its doing.
Your experience mirrors exactly what I studied at an internet security class...
I have been fussing and fuming immensely at internet businesses - especially the financial sector - about the lunacy of having javascript or any other scripting language on a site where personal info is handled. I tell them I consider it "pornsite programming" and has NO business on a legitimate business site.It is the rootkit/keylogger which is my prime fear. And I know I have left the door wide open when I visit a site where I accept their scripts to run in my machine. I am then wide open for hostile redirection, "drive-by" downloads, and phishing.
The main problem I face is the business people I have to talk to are multimillionaires who may know how to promote an online brokerage, but don't know squat about internet security. Yes. The big-name guys are the worst.
They hire programmers who are far better at making the executive think they are worth a salary than they are about programming. They will do stupid things online like using javascript links instead of simple HTML links to force us to enable scripting. And use crazy things like pop-ups when our browsers have no problem opening up another window in an HTML link.
I feel any financial webmaster who forces javascript on his customers is just about as idiotic as a bank clerk who writes the combination of the safe on the safe, and leaves the key to the bank under the doormat. Its a sure sign that the webmaster has found a boss who hasn't the foggiest concern about security on the internet.
I have had to leave several stockbrokers because of this issue.
I wonder how anyone would hire such ignorance of internet security in a position where he is dealing with money and sensitive information. My only conclusion was that those doing the hiring were just as ignorant, and had no business handling other people's money. My guess is that he probably played a nice game of golf or maybe looked pretty in a suit, and he was paid so much that people will not verify his technical expertise.
I see Javascript on a bank? Geez, put my money in a shoebox and leave it under the bush. Oh yes, be sure to have me agree the EULA which denies any responsibility on their part. Gotta be businesslike, ya know. Its part of that thing called TRUST, meaning I am to HOPE I don't get nailed by a criminal while submitting to their demand that I use risky technologies for their convenience.
I find it very scary when I am held hostage to enforced ignorance ( IP law ) of how my stuff works. It could be as simple as a farmer seeing his corn field on fire, yet not being allowed to know that if he turned his irrigation system on, it would put it out.
If we are so anxious to legally protect IP, then also make the purveyor of said protected IP legally responsible for what it does, just as a parent is responsible for what his kids do, and we will see virus vulnerabilities plummet.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
http://it.slashdot.org/comments.pl?sid=227013&cid
Quote: It was a very weird attack. My nUbuntu laptop was affected by the iframe which was one of the instant alerts that this had to do with MAC or IP hijacking rather then just a simple virus like a worm. Web application security is the new "buffer overflow" of the security world.If you think only MS products are affected by this , have a good time getting pwned...