Front Line Report Fighting Against Malware in China ZhaoWei KnownSec

Page 1: Front Line Report Fighting Against Malware in China ZhaoWei KnownSec

Front Line Report: Fighting Against Malware in China

ZhaoWei KnownSec

Page 2

Who am I? Who are we?

Page 3

About This Presentation

1. Part One: China hacker culture
2. Part Two: Underground industry
3. Part Three: How we fight back?

Page 4

Where are they from? Where are they headed?

Page 5

Blackhats and Whitehats: Where did we start?

Where did we learn?
• Coolfire 1996
• Isbase 1997
• Xfocus 1999
• Hack.co.ca
• Packetstorm
• Core Security
• w00w00
• Bugtraq
• Phrack
• EFNET
• TESO
• The Hacker's Choice
• Daily Dave
• FD
• ……

Timeline:
• Unix Hacking
• Stack overflow
• Format string
• Heap overflow
• Int overflow
• SQL injection
• Backdoor
• Kernel Rootkit
• Worm (Code Red…)
• Mass Injection
• XSS and worm
• Web 2.0

Page 6

Blackhats and Whitehats: 4 waves

1. Server Side Wave 1998-2003
1) IIS, Serv-U, Apache, Samba, Jabberd etc.

2. Client Side Trend 2002-2007
1) Image formats: ANI, JPG, BMP etc.
2) Windows Office: doc, ppt etc.
3) IE: ActiveX, HTML parser, XML parser

3. 3rd party application attacks 2006-NOW, this one is only for profit

Page 7

Blackhats and Whitehats: What are they doing now?

• What are they doing now?
  o WhiteHat: MOST of them are working for security companies (M, K, S, V, N, T).
  o Security research
  o Anti-(virus, rootkit, exploit)
  o Developing scanners and IDS etc.
  o Finding 0days: Windows, Linux, Unix
  o Developing exploits
  o Boring? So sometimes they get leaked: ZDI, underground market

Page 8

Blackhats and Whitehats: What are they doing now?

• BlackHat: They have their own industry!
  o Developing worms, rootkits, 0days
  o DDoS on websites for profit and fun (China has the best anti-DDoS devices)
  o Stealing all the cool things they like
  o All kinds of games, WoW! They control the virtual economy
  o QQ, 支付宝 (Alipay, Taobao), everything related to money
  o Even some private porn.

• Competition on developing exploits? No, on who can pay more money.

Page 9

Blackhats and Whitehats: Famous Cases

Page 10

Blackhats and Whitehats: Trend

1. Age: Younger! (maybe not), talented and rich
2. Area: Most are not from the big cities
  o Why? Economy related?
  o More fired engineers, more hackers?
3. Blackhat Culture: Baidu Zhidao forum, QQ
4. Underground Industry: Everyone has a role.
5. Where: More public forums or QQ, they don't use IRC anymore
6. International? Not yet!

Page 11

Underground Malware Industry

Page 12

Underground Malware Industry: Now

China is not only the world's factory, but also the world's malware factory.

They totally changed our life:
1. My parents' computer!
2. Changed how people are using the network/internet
3. Users are pushed to learn security

Page 13

Underground Malware Industry: Terms

• 挂马 (GuaMa), Hanging Horse: Inject malcode into websites
• 网马 (WangMa), Net Horse: Exploits for IE
• 木马 (MuMa), Wood Horse: Backdoor, rootkit, downloader etc.
• 箱子 (XiangZi), Box: A web service that stores stolen information
• 信封 (XinFeng), Envelope: Data containing stolen information
• 免杀 (MianSha), Kill Evasion: Bypass the anti-virus…

Page 14

Underground Malware Industry: Map

[Diagram of the underground malware industry. Technical Area: Security Researcher, Virus Developer, Plugin Vendor, Website Cracker, Traffic Vendor (latest hacking tech, latest virus and malware, PAY). Cracker Area: Crack/Steal Box, Inject Mal-Code, Mal Hosting, Website/Pages, Owned Website/Traffic, Controlled Traffic. Internet Users surf the Internet and become victims (victim controlled/privacy leak). E-Property Trading: Gaming Team, E-Dealer, G-Dealer, Sub-dealer, re-sellers, E-Property Buyer (SALES, PAY, $$). Org or Individual: selling all kinds of information (PAY).]

Page 15

Underground Malware Industry: Trend

1. From 06-07 they started using 3rd party vulns. Why?
1) Very big local market and a huge amount of users
2) Users know more about security now (patch the system, use anti-virus etc.)
3) Some local security vendors supply a patch service to pirated Windows users (they all love it)
4) Windows 0days are really expensive now
5) Local application vendors are totally lame (sell them Fortify!)

2. They use 0days in massive attacks. I never saw this before 2006; this is definitely a phenomenon.

3. More 0days?
1) RealPlayer
2) Flash
3) XunLei*
4) UUSee
5) Sina

Page 16

Underground Malware Industry: Technique Trend

1. They like exploiting logic bugs
1) Baidu Toolbar
2) Snapshot

2. Anti Anti-Virus: detect if an anti-virus exists

3. Bypass anti-virus, they charge money to make your malware bypass:
1) Kaspersky
2) Nod32
3) Rising
4) Kingsoft

Page 17

Underground Malware Industry: 0day Market Underground

1. They love client-side vulnerabilities.
1) Maybe they are easier to find
2) They love local application bugs, cheaper and useful

2. The price is more exciting than ZDI
1) Researchers like ZDI
2) Blackhats don't, they just use it

3. Sometimes 0days are leaked to the market
1) Security researchers
2) Professional whitehats.

Page 18

Underground Malware Industry: Real Case

It's the most powerful malware hosting box in China. Massive injection worm!

Page 19

Underground Malware Industry: Real Case

Page 20

Underground Malware Industry: Real Case

Page 21

Underground Malware Industry: Real Case

Page 22

Underground Malware Industry: Next?

• Web 2.0? SNS worm
• Interactive web malware
• Interact with the user to make anti anti-virus
• Authentication
• Flash AS
• Silverlight?

Page 23

How we fight BACK!

Page 24

How We Fight BACK!

• Law: sue them!
• Tech: China web reputation system

Page 25

How We Fight BACK! Rogue Software

• We started the China Anti-Malware Alliance in 2006
• We collected evidence and we sued them
  o Yahoo China
  o Ebay China
• We won only 1 of 9 cases: the Shanghai case
• Some of them are really powerful in their local area

Page 26

How We Fight BACK! Rogue Software

• Definition of rogue software now. We win!

A call for input from the general public was made on November 8, when the ISC published its draft proposal and wanted to find out how Chinese web surfers felt about the problem.

Spyware/Adware must also meet at least one of the following additional criteria, as set out in Chinese sources:

• Be installed without notification or approval
• Not offer an uninstall service, or remain after removal
• Make changes to the user's browser or any other settings without permission, disabling access to the Internet or forcing visits to certain websites
• Trigger pop-ups
• Collect user data without notification or permission
• Mislead users into uninstalling non-malicious software
• Be bundled with other known malware
• Have any other issues that infringe the user's "right to know" and "right to choose."

Page 27

How We Fight BACK! Malware

• The true problem:
  o 80-90% of victims got infected from the web
  o Vulnerabilities in Internet Explorer and 3rd party vulnerabilities
  o 0day world! Using 0days to attack people
• What can we do for users?
  o Make a safer IE?
  o Make a clean/trustworthy web?

Page 28

How We Fight BACK! Malware

• An IE security enhancement:
  o Security plugin our company made: 365menshen (365门神)
  o Anti Phishing, HIPS
  o Mark out malware URLs
  o Supply some web services for customers
• There are other services:
  o SiteAdvisor, Finjan, MyWOT
• Also IE8 is much better than previous versions

Page 29

How We Fight BACK! 365menshen

Page 30

How We Fight BACK! Web

• Make a cleaner web
  o We need to find all the bad web sites in China
  o We need signatures, a sandbox and a crawler
• Make a more trustworthy web
  o We need anti phishing
  o Maybe Phishtank
  o Need a trusted source

Page 31

How We Fight BACK! Crawler and Sandbox

• We are not Google
  o Lacking enough bandwidth
  o Not enough servers (just mist/water vapor rather than a cloud)
  o So these make our sandbox different
• The main idea is to not get infected
  o Lightweight, faster
  o Behavior based (APIs)
  o Suitable for China
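As an added example (not KnownSec's ScanW code), the Python below sketches the behavior-based verdict such a sandbox can derive from hooked API calls recorded during one browser visit, turning the 挂马/网马/木马 chain from the terms slide into detection rules. The event layout, API names, rule set and both traces are this example's own assumptions, constructed for illustration.

```python
from collections import namedtuple

# One hooked API call recorded while the sandboxed browser loads a URL.
# Field layout and API names are assumptions of this example, not ScanW's format.
Event = namedtuple("Event", "pid ppid image api arg")
BROWSER = "iexplore.exe"
EXEC_EXT = (".exe", ".dll", ".scr", ".com")
AUTORUN_KEY = r"\software\microsoft\windows\currentversion\run"

def analyze(trace):
    """Reasons a visit looks like a drive-by infection; [] means clean.
    Benign: the browser renders pages and writes only its cache. The
    挂马/网马 chain: the browser drops an executable (the 木马 payload),
    runs it, and makes it persist."""
    browser_pids = {e.pid for e in trace if e.image.lower() == BROWSER}
    dropped, reasons = set(), []
    for e in trace:
        arg = e.arg.lower()
        if e.api == "WriteFile" and e.pid in browser_pids and arg.endswith(EXEC_EXT):
            dropped.add(arg)
            reasons.append(f"browser wrote executable {arg}")
        elif e.api == "CreateProcess":
            if e.pid in browser_pids:
                reasons.append(f"browser spawned process {arg}")
            if arg in dropped:
                reasons.append(f"dropped file executed: {arg}")
        elif e.api == "RegSetValue" and AUTORUN_KEY in arg:
            reasons.append(f"autorun persistence: {arg}")
    return reasons

def verdict(trace):
    """'malicious' if any rule fired, else 'clean'; feeds the URL reputation list."""
    return "malicious" if analyze(trace) else "clean"

# Constructed sample traces: a clean page load and a drive-by download.
CLEAN_VISIT = [
    Event(100, 1, "iexplore.exe", "CreateFile", r"C:\Temp\IE\index[1].htm"),
    Event(100, 1, "iexplore.exe", "WriteFile", r"C:\Temp\IE\index[1].htm"),
]
DRIVE_BY = [
    Event(100, 1, "iexplore.exe", "CreateFile", r"C:\Temp\IE\index[1].htm"),
    Event(100, 1, "iexplore.exe", "WriteFile", r"C:\Temp\svch0st.exe"),
    Event(100, 1, "iexplore.exe", "CreateProcess", r"C:\Temp\svch0st.exe"),
    Event(200, 100, "svch0st.exe", "RegSetValue",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svch0st"),
]

if __name__ == "__main__":
    for name, trace in (("clean", CLEAN_VISIT), ("drive-by", DRIVE_BY)):
        print(name, verdict(trace), analyze(trace))
```

Because the verdict depends only on observed behavior, not on a file signature, a repacked (免杀) payload that still drops and persists is caught by the same rules.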

Page 32

How We Fight BACK! Crawler and Sandbox: ScanW

• We started in 2006
• We learned from:
  o Google Safe Browsing
  o Microsoft HoneyMonkey
  o McAfee SiteAdvisor
• We are based on:
  o VMware Server 2.0
  o Python 2.5
  o Django 1.0
  o C
• We are trying to move these things to:
  o Google App Engine (GFW?)
  o Or using Hadoop (Java)?

Page 33

Demo

Page 34

China Marketing

1. Ecosystem plus free anti-virus software
2. Pushing SDL to software vendors
3. Web server side ecosystem?

Page 35

Q/A

Thank You!

[email protected]