Tom Sanders in California
16 Mar 2007
Security researchers are noticing an increase in malware originating
from China, which is adding to the challenge of investigating online
"The last 3-4 months there has been a slow increase in Chinese malware.
It used to be the odd file every now and then. Now it's almost every
day," Chris Boyd, director of malware research with security vendor
Facetime Communications told vnunet.com.
The region of Southeast Asia traditionally has been a hotbed of password
stealers that go after login names and passwords for online games such
as World of Warcraft. Criminals in those cases are after virtual
currencies and goods that they then sell on auction websites.
The increase that Boyd is witnessing signals a larger trend where
Chinese criminals are developing their own file downloaders and
rootkits. Such pests can be used to control botnets, install adware and
evade detection by security software. Just like in other parts of the
world, money is the big driver behind this.
"They are starting to realize that you can make silly amounts of money
from installing malware," said Boyd.
Roger Thompson, chief technology officer with Exploit Prevention Labs,
shared Boyd's observations. He saw Chinese malware activities increase
last January, when what is believed to be group of Chinese attackers
hacked into the Superbowl website. The same group has been linked to a
series of other online attacks.
Most of the recent zero-day vulnerabilities in Word and Excel that have
emerged over the past months too are linked to Chinese hackers, Thompson
"I always thought that the face of the new generation of hackers would
be Chinese. There is just so many of them, and they are an emerging
technology power." Thompson told vnunet.com.
Chinese malware writers use essentially the same principles as their
colleagues in other parts of the world. They copy exploits that other
attackers have found. And in the constant battle against security
software, malware code is encrypted and downloaders constantly switch
the malware files that they fetch.
"It is old technology," commented Shane Coursen, a senior technical
consultant with Kaspersky Labs. "The password stealers are basically a
But Boyd is seeing more advanced malware coming out if China as well.
Earlier this month he dissected a Trojan dubbed Symfly. In addition to
downloading multiple adware applications, it installed the Alexa
toolbar. The tool is a legitimate application from web retailer Amazon
that measures the popularity of websites. Next, the Trojan builders
would open a series of websites in an apparent attempt to boost the
Alexa ranking of those sites.
Local programmers also have developed rootkit technology that hides
software from security software. Some of these can't be detected with
current rootkit removal tools, and generally can be "completely
horrendous", Boyd said in reference to the rootkit that ships with the
Chinese malware furthermore can be more difficult to dissect. Chinese
websites for instance sometimes use seemingly random domain names which
letter and number combinations are believed to have a symbolic
Online gangs in the West often user random domain names to host
malware-spreading websites. The malware is typically hidden behind
seemingly legitimate content. The random domain names make it harder to
determine if a legitimate website has been hacked to host malware, or is
actually operated by criminals.
Most Chinese websites also forge registration information to evade local
censors even if they don't publish any controversial materials. This
again makes it harder to notify the owner of a hacked website and have
the malware removed.
Visit the InfoSec News Security Bookstore