
Chinese hackers wake up to malware

Criminal switch from copycats into malware authors

Tom Sanders in California, vnunet.com 16 Mar 2007

Security researchers are noticing an increase in malware originating from China, which is adding to the challenge of investigating online threats.

"The past three to four months have seen a slow increase in Chinese malware. It used to be the odd file every now and then, but it is now almost every day," Chris Boyd, director of malware research at FaceTime Communications, told vnunet.com.

China has traditionally been a hotbed of password stealers who go after log-in names and passwords for online games such as World of Warcraft. The criminals are after virtual currencies and goods which can be sold on auction websites.

But FaceTime is reporting a new trend of Chinese criminals developing their own file downloaders and rootkits.

This malware can be used to control botnets, install adware and evade detection by security software. Just like in other parts of the world, money is the big driver.

"They are starting to realise that you can make silly amounts of money from installing malware," said Boyd.

Roger Thompson, chief technology officer at Exploit Prevention Labs, agreed with Boyd's observations. 

The company reported an increase in Chinese malware activity in January, when a group of Chinese attackers hacked into the Superbowl website. The same group has been linked to a series of other online attacks.

Most of the zero-day vulnerabilities in Word and Excel that have emerged over the past months are also linked to Chinese hackers, according to Thompson.  

"I always thought that the face of the new generation of hackers would be Chinese. There are just so many of them, and they are an emerging technology power," he told vnunet.com.

Chinese malware writers use essentially the same techniques as their colleagues in other parts of the world, copying exploits that other attackers have found.

In an attempt to evade security software, the malware code is encrypted and downloaders constantly switch the malware files that they fetch.

"It is old technology," said Shane Coursen, a senior technical consultant at Kaspersky Labs. "The password stealers are basically glorified key-loggers."

But Boyd is seeing more advanced malware coming out of China. Earlier this month he dissected a Trojan dubbed Symfly. In addition to downloading multiple adware applications, the malware installed the Alexa Toolbar.

The tool is a legitimate application from web retailer Amazon that measures the popularity of websites. The Trojan creators open a series of websites in an apparent attempt to boost the 'Alexa' ranking of those sites.

Local Chinese programmers have also developed rootkit technology that hides software from security applications.

Some of these cannot be detected with current rootkit removal tools, and can be "completely horrendous", Boyd said in reference to the rootkit that ships with the Agent.bgg Trojan.

Chinese malware can also be more difficult to dissect. Local websites sometimes use seemingly random domain names with letter and number combinations that are believed to have a symbolic significance.

Online gangs in the West often use random domain names to host malware-spreading websites. The malware is typically hidden behind seemingly legitimate content.

The random domain names make it harder to determine whether a legitimate website has been hacked to host malware, or is actually operated by criminals.
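A small triage heuristic for the problem just described, added here as an example that is not part of the article and not code from FaceTime or any other company quoted: it scores the registrable label of each host name for the letter-and-digit jumble pattern so an analyst can decide which sites to look at first. The host names, the tiny public-suffix list and the thresholds are all constructed for the demonstration.

```python
"""Heuristic triage of host names whose registrable label looks machine-generated.

Added example: it only ranks hosts for an analyst to examine; a high score is a
prompt to check ownership and registration data, not a verdict on its own.
"""

# Constructed sample host names for the demonstration; none are taken from the article.
SAMPLE_HOSTS = [
    "www.example.co.uk",        # ordinary dictionary word
    "support.microsoft.com",    # ordinary, letters only
    "3m.com",                   # short legitimate label containing a digit
    "a8f3k2q9x.cn",             # letter/digit jumble
    "x1y2z3w4.net",             # strictly alternating letters and digits
    "qz7hk39dm.com",            # consonant/digit jumble, no vowels
]

# Tiny, constructed public-suffix list; a real deployment would use the full list.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.cn", "net.cn"}

VOWELS = set("aeiou")
MIN_LABEL_LEN = 6   # assumption: shorter labels give too little signal to judge


def registrable_label(host: str) -> str:
    """Return the label just left of the public suffix ("example" for www.example.co.uk)."""
    parts = host.lower().strip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LABEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def randomness_score(label: str) -> int:
    """Count how many 'looks generated' features the label shows (0..3)."""
    if len(label) < MIN_LABEL_LEN:
        return 0
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    # how often the string switches between a digit and a non-digit
    transitions = sum(a.isdigit() != b.isdigit() for a, b in zip(label, label[1:]))
    transition_ratio = transitions / (len(label) - 1)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0

    score = 0
    if digit_ratio > 0.2:               # plenty of digits mixed in
        score += 1
    if transition_ratio > 0.3:          # digits and letters keep alternating
        score += 1
    if letters and vowel_ratio < 0.2:   # pronounceable names have vowels
        score += 1
    return score


def looks_random(label: str, threshold: int = 2) -> bool:
    """True when the label trips at least `threshold` of the three features."""
    return randomness_score(label) >= threshold


def triage(hosts):
    """Return (host, label, score, flagged) rows, highest score first."""
    rows = []
    for host in hosts:
        label = registrable_label(host)
        score = randomness_score(label)
        rows.append((host, label, score, score >= 2))
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for host, label, score, flagged in triage(SAMPLE_HOSTS):
        mark = "FLAG" if flagged else "    "
        print(f"{mark} {host:26s} label={label:12s} score={score}")
```

The minimum-length guard exists because short brand-style labels such as "3m" would otherwise trip every feature; the thresholds are assumptions and should be tuned against known-good traffic before use. A random-looking name by itself still does not settle whether a site is compromised or criminal; it only says which hosts deserve a registration and ownership check first.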

Most Chinese websites also forge registration information to evade local censors, even if they do not publish any controversial material. This again makes it harder to notify the owner of a hacked website to have the malware removed.

www.activehome.co.uk/2185650
This article was printed from the Active Home web site
© Incisive Media Ltd. 2008