China’s Internet Growth: The Bad News

Posted on July 30, 2007
Filed Under China Internet, Malware, Security

China has experienced growth in its internet population that exceeds even its overall economic growth. According to Internet World Stats, China’s internet population has grown 620% since 2000. With an internet population of 162 million, China is surpassed only by the United States at 211 million, again according to Internet World Stats.

The SANS (SysAdmin, Audit, Network, Security) Institute is the leading organization for internet security training and provides extensive free resources to help users and organizations use technology in a secure manner.

An important service they provide the worldwide internet community is the Internet Storm Center. Based on firewall logs provided by participating sites, they track suspicious activity across the internet. While not everything they track is sure to be something malicious, they have volunteer “handlers” always on duty to do spot analyses.

The results for China show some disturbing numbers.

The figure to the right compares Internet Storm Center (ISC) data for China and America (China source here, America source here).

I’ve highlighted the two interesting numbers in the comparison: average reports from targets (these are reports from participants who pass their firewall logs to ISC) and persistence (the average time in days between first and last reports). Not only do a significantly larger number of reports come from China, they come twice as often.

Furthermore, looking at the other data in the table, China has far fewer sources for possible attacks, but an almost equal number of possible attacks reported.

What all this means is that fewer computers in China are producing a very large number of potential attacks, and the potential attacks are frequently initiated. And this is only the data they collect voluntarily. It’s sure to be only a small percentage of what’s really out there. ISC reckons they only “see” 1 to 10% of affected computers. This is not to say that a large percentage of Chinese internet users are hackers; quite the opposite. These potential attacks indicate that a large percentage of Chinese computers are victims of malware.

Malware is software that damages your computer or steals information that is in or passes through your computer. It’s a broad term, but includes viruses that may irreparably ruin your computer’s configuration, key-stroke loggers that capture what you’re typing (passwords as a target), self-propagating viruses, bots that infect computers and attack targets on the hacker’s behalf, spamming software, and so on.

Symantec’s Internet Security Threat Report for March of 2007 ranks China as number two overall as a source for malicious activity (code, spam, bots, etc.). It describes the increase in bots here:

China had the highest number of bot-infected computers during the second half of 2006, accounting for 26 percent of the worldwide total (figure 5). This is an increase of six percentage points over the previous six months. This increase was driven by a rise in the number of bots in the country rather than a decrease in other countries. This coincides with and illustrates a trend that Symantec first discussed in 2005, in which bot activity in China appeared to be increasing.

Where it begins to get interesting (and this is a great report) is here:

Although China had the most bot-infected computers worldwide, it had only the fourth highest number of known command-and-control servers worldwide (table 4). This discrepancy likely indicates that the majority of bot-infected computers in China are being controlled from servers in other countries. While it is simple to trace a command-and-control server to its location, the server may not reside in the same location as the person who controls it. For example, an attacker in the United States could control a command-and-control server in the United Kingdom to administer bot-infected computers all over the world.

Get the report here, highly recommended.

This is an interesting, and I believe accurate, explanation for the activity seen by the Internet Storm Center. China is a target-rich environment for hackers, and not just for bots.

China Tech News has a story published today that quotes a report from Rising, a Chinese anti-virus company. It leads with:

News from Chinese anti-virus company Rising is that the Chinese mainland has become one of the most serious computer virus-stricken regions in the world with over 35 million computers attacked by viruses in the first half of this year.

(full story here - little of interest other than the paragraph above)

Sophos, another anti-virus vendor, has a report with even more bad news. 30% of the websites that have malware installed on them (as seen by Sophos Labs) are in China. 15% of the spam they observed originated in China, making China number two in their “dirty dozen” list of spam sources (America retains top position by a sizable margin). See here

Spam, viruses, what’s next? Chris Boyd of FaceTime Communications (www.facetime.com) is quoted in IT Week here:

“The past three to four months have seen a slow increase in Chinese malware. It used to be the odd file every now and then, but it is now almost every day…

They are starting to realise that you can make silly amounts of money from installing malware,”

He blogs at spywareguide.com where he provides a detailed breakdown of what happens when a user is infected with malware here

Symantec has a quick article describing means and targets to make money.

So if it’s really a jungle out there, what’s causing it? If you review Chris’ post about a malware infection, you’ll see it all begins with a user’s click.

It could be in an email message that slips past a spam filter or it could be in a message on MSN or Yahoo Messenger.

Or it could just be a known vulnerability in MSN or Yahoo Messenger (of which there are plenty). This leads to the second likely attack vector: unpatched or poorly configured software.

You can be sure that the first vulnerability a hacker will look for is the easiest one. If your operating system (Windows or otherwise) has a known vulnerability that hasn’t been patched or re-configured, it’s a vector to attack your computer.

A common problem in China is systems administration, by users or by IT staff. In the Windows world in China, not many people seem to take updates very seriously. No updates mean missing patches, missing patches mean unresolved vulnerabilities, unresolved vulnerabilities mean easy pickings for an attacker.

Part of what drives this problem is the ubiquity of unlicensed Windows software in China. With the introduction of Microsoft’s Windows Genuine Advantage tool, some updates are only available to registered copies of Windows. That leaves those with pirated Windows PCs at risk.

I’ll be looking at the security implications of this in my next post. In the meantime individual users can:

1) Make sure your computer is updated
2) Use a third-party software solution for PC security
3) Double-check with the sender of an attachment. If you don’t know them, don’t bother
4) Check Computerworld here for a list of freebie computer security programs for PCs

Further Reading:

An excellent site that tracks new malware found in China is the Chinese Internet Security Response Team. I’m not sure who sponsors it, but it’s pretty good.

The China Computer Emergency Response Team is the Chinese CERT organization. It is part of the Ministry of Information Industry. The important content is in Chinese, but the English page does provide an incident reporting link.
