Review: China in Symantec’s Internet Security Threat Report

Posted on September 24, 2007
Filed Under China Hackers, China Internet, China Online Games, Malware, Security

IT security vendors generate a lot of research on threats to secure computing. While it can be self-serving (fear is a potent sales tool), the reports generally provide a reasonable insight into security on the internet. Many (if not most) people and organizations are often unaware of security breaches, and when they do find out they certainly don’t like to admit it.

So we’re left with studies from independent organizations, law enforcement, and vendors. None should be taken individually at face value; each report is based on its publisher’s own research, observed traffic, incident reports from customers, and so on. Which brings us to Symantec, known for their Norton line of anti-virus products. They released their semi-annual Internet Security Threat Report this month. The purpose is to track “current trends and impending threats” as well as make recommendations for “protection against and mitigation of these concerns”.

The report is long, fairly detailed, and of interest to anyone who wants to get an understanding of the current security environment on the internet. It should be used as a guide to an overall understanding of the state of internet security, rather than as a compendium of quantitative data.

Symantec developed the chart below based on data from their software, Bugtraq, a vulnerability mailing list they sponsor, their own vulnerability database, and their own research network.

[Chart from the Symantec report: malicious activity by country]

It provides a useful starting point to look at what’s happening with internet security in China.

#2 Overall

China had the second highest amount of malicious activity during the first six months of 2007, accounting for 10 percent of malicious activity detected worldwide, the same rank and percentage as in the previous reporting period. China has the second highest number of Internet users in the world, surpassed only by the United States. However, users in China spend more time online, on average, than those in the United States.

The overall ranking is the most compelling (#2!) and perhaps the most misleading. “Malicious activity” for a country includes both the initiator and the quarry. Symantec tried to further analyze the results by dividing the number of malicious activities by the number of internet users in the countries covered. China didn’t make it into the top ten (no result was given). Israel was first, followed by Canada, followed by the US. That users in Canada and Israel spend a lot of time online, thereby exposing themselves to attack for a longer period, is cited as a reason. Then, as their quote above prompts, why didn’t China make the top ten?

While I don’t necessarily disagree (especially when I look at the key metric of attack rank), Symantec’s reasoning is a little sloppy here.

#2 in Malicious Code
Symantec uses malicious code to describe trojans, viruses, worms, and back doors. While rating China as #2 is roughly consistent with reports from other vendors and researchers, no actual country data is provided. Only a single chart breaks it down regionally, with the Asia-Pacific-Japan (APJ) region coming in:

What is interesting is the section titled Malicious code targeting online gaming:

…In 2007, the online gaming market in China, where there were 30 million Internet gamers by the end of 2006, is expected to grow by 35 percent…

…The total annual wealth created within virtual worlds has been placed at approximately 10 billion USD…

…In the first half of 2007, the most common malicious code sample targeting online games was the Gampass Trojan (table 10). This Trojan is notable because the attacker can use it to target one of several online games, including the Lineage, Ragnarok Online, Rohan, and Rexue Jianghue games. These games are more popular in the APJ region than the rest of the world. As a result, 84 percent of worldwide potential infections by Gampass during this period originated in that region…

…Another indication of the growing appeal of targeting online gaming is that both Gampass and Lineage were also two of the most downloaded components of multistaged downloaders this period. This indicates that attackers see value in targeting online gamers since many of the other top downloaded components are used for more common types of identity theft such as stealing online banking account credentials.

In the executive summary Symantec suggests that virtual worlds may become a highly effective place to launder money. Online gaming is helping to push internet adoption in China, and because it involves virtual-to-real money it’s a ripe target. What the report lacks in China-specific data for malicious code, it makes up for by underlining this emerging trend.

And just on a general note: the biggest threat from malicious code is not a virus infection. Trojans, small programs designed to run independently on a computer and contact their controller to pass data (usually keystrokes), account for 54% of malicious code. Viruses’ days as a serious internet threat are over: who cares about screwing up someone’s computer when you can steal some valuable data instead?

#3 in Zombie Spam
A result of being infected by malicious code is that your computer may become part of a zombie spam network. With anti-spam legislation proliferating internationally, spammers have figured out that using other people’s PCs is a much less risky form of making money.

Worms (self-propagating malicious code) and trojans are delivered via email and links that exploit known browser and operating system vulnerabilities. They are the most likely means of turning a PC into a spam zombie. Zombies are given data and instructions by the hacker and execute them autonomously.

Sophos had China at #2 last year, with a decline in the first quarter of this year. #2 or #3 makes little difference; it’s just an indication of poor computer management by users, administrators, and ISPs.

#5 in Command and Control Servers
Command and control servers control computers that have been infected by bots. China comes in at #5 with the US as #1. As the report says:

China also ranked only fifth for bot command-and-control servers, despite the fact that it ranked number one for bot-infected computers. This discrepancy in numbers may indicate that bot-infected computers in China are being controlled by command-and-control servers outside of China. Since the United States has the highest number of command-and-control servers by a large margin, it is likely that bot-network owners in that country are using bot-infected computers in China to conduct attack activity. Thus, some malicious activity attributed to China may not be the result of attackers located there, although the same caveat would also apply to malicious activity originating in other countries as well.

I’ve read in blogs and forums in the hacking community about Chinese targets. Not for cyberespionage, mind you, just as easy pickings. While there’s a great deal of technical knowledge in China about using computers, there’s very little effort put into administering them. The wide use of pirated software contributes to this: even if someone bothered to automatically update their Windows operating system, only “critical” updates are installed on pirate versions. That leaves plenty of opportunities to exploit.

Bots (and the networks they are part of) can be considered distinct from zombies as they can relay information back to the controller.

The report goes on to mention that bots are now moving away from a centralized command-and-control model to a more distributed framework using DNS (fast-flux DNS). Instead of communicating (via the Internet Relay Chat protocol) with a single, specific host, the bot resolves a domain whose IP address changes within minutes, connecting it to a different server in the same bot network. Very tricky and very effective.
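The defender’s side of that trick is that fast-flux domains leave a recognizable footprint in resolver logs: many distinct addresses, spread across many unrelated networks, with short TTLs. The script below is an added example (not code from the Symantec report or from this post) that scores domains on those three traits over a handful of constructed log lines. The log format, the domain names and the thresholds are all assumptions made for the illustration; the prefix check is there because a content delivery network also rotates many addresses with low TTLs, but usually within a few prefixes of its own.

```python
"""Fast-flux heuristic over constructed DNS resolver log lines.

Each domain is scored on three traits associated with fast-flux hosting:
many distinct resolved IPs, those IPs spread across many /16 prefixes, and
a low TTL.  Thresholds and the log format are hypothetical choices for
this example.
"""
from dataclasses import dataclass, field
import ipaddress

# Constructed sample lines: "<epoch> <domain> <ttl> <ip,ip,...>"
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
1190000000 flux.example 300 198.51.100.4,203.0.113.77
1190000200 flux.example 240 192.0.2.19,198.51.100.90
1190000400 flux.example 180 203.0.113.8,192.0.2.200
1190000600 flux.example 300 198.51.100.130,203.0.113.150
1190000000 static.example 86400 192.0.2.10
1190000600 static.example 86400 192.0.2.10
1190000000 cdn.example 60 192.0.2.50,192.0.2.51
1190000300 cdn.example 60 192.0.2.52,192.0.2.53
"""


@dataclass
class DomainStats:
    """Aggregate of everything a domain resolved to in the log window."""
    ips: set = field(default_factory=set)
    prefixes: set = field(default_factory=set)
    min_ttl: int = 2**31
    lookups: int = 0


def parse_log(text):
    """Fold the log lines into one DomainStats per domain."""
    stats = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, domain, ttl, ips = line.split()
        s = stats.setdefault(domain, DomainStats())
        s.lookups += 1
        s.min_ttl = min(s.min_ttl, int(ttl))
        for ip in ips.split(","):
            addr = ipaddress.ip_address(ip)
            s.ips.add(addr)
            # /16 is a crude stand-in for "different network / different ASN".
            s.prefixes.add(ipaddress.ip_network(f"{addr}/16", strict=False))
    return stats


def flux_score(s, ip_threshold=5, prefix_threshold=3, ttl_threshold=600):
    """One point per fast-flux trait present; 3 is the strongest signal."""
    score = 0
    if len(s.ips) >= ip_threshold:
        score += 1
    if len(s.prefixes) >= prefix_threshold:
        score += 1
    if s.min_ttl <= ttl_threshold:
        score += 1
    return score


def classify(text):
    """Map every domain in the log to its flux score."""
    return {domain: flux_score(s) for domain, s in parse_log(text).items()}


def flagged(text, min_score=3):
    """Domains that hit every trait, sorted for stable output."""
    return sorted(d for d, score in classify(text).items() if score >= min_score)


if __name__ == "__main__":
    for domain, score in classify(SAMPLE_LOG).items():
        print(f"{domain:16} score={score}")
    print("flagged:", flagged(SAMPLE_LOG))
```

In the sample, the rotating domain hits all three traits, the single-address domain hits none, and the CDN-style domain scores only on TTL because its addresses all sit in one prefix. On real resolver logs the /16 proxy should be replaced with an ASN lookup, and the thresholds tuned against the site’s own baseline.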

#18 in Phishing Sites
This finding is consistent with other vendors and researchers. However, I’m not convinced. Given all the rest of what happens on the internet in China, I’m surprised that this rating is so low. I have no data of my own (other than my own experience), but it doesn’t make sense that this effective trick wouldn’t be used by China’s hacking community.

Symantec bases its numbers on their two million dummy email accounts that “attract email messages from 20 different countries around the world”. Maybe their Symantec Probe Network, like me, can’t read Chinese.

#1 in Bots

China had 29 percent of the world’s bot-infected computers, more than any other country. China had the highest number of bot-infected computers during the first half of 2007, accounting for 29 percent of the worldwide total (figure 3), up from 26 percent in the second half of 2006. This continues a trend that was first discussed in the first half of 2005, which saw an increase in bot activity in China during that period…

Symantec has observed that bots usually infect computers that are connected to high-speed broadband Internet through large Internet service providers (ISPs) and that the expansion of broadband connectivity often facilitates the spread of bots. China’s Internet infrastructure is currently expanding rapidly. However, it is worth noting that China’s increase in bot-infected computers appears to be slowing. This may be a sign that the security infrastructure as well as awareness is beginning to catch up with Internet user growth…

Beijing was the city with the most bot-infected computers, accounting for seven percent of the worldwide total.

China leads the world in bots, but Symantec sees the infection rate leveling off:

However, it is worth noting that China’s increase in bot-infected computers seems to be slowing. In the first half of 2006, the percentage of worldwide bot-infected computers situated in China increased from nine percent to 20 percent. In the second half of 2006, the rate of increase slowed to six percentage points, from 20 percent to 26 percent. In the first half of 2007, it went up only three percentage points. This may be a sign that security awareness, practices and infrastructure are beginning to catch up with the rapid growth of Internet usage in China.

I don’t think so. Symantec “observes” bot activity, either at its data center or from reports derived from its software deployments world-wide. While I believe this is useful for identifying a trend, it can’t encompass the entire internet in China. I’m guided more by their assertion that as more users in China connect via broadband, more computers will become infected. As long as people, in China or elsewhere, treat their computers as appliances that “just work” rather than machines that need maintenance this number will only increase.

#2 as a Source of Attacks
The well-respected Internet Storm Center tracks the source of probable internet based attacks and China has been a consistent #2 (behind the US) for a number of years. Symantec only confirms this. It is quite possible that these attacks have been orchestrated elsewhere and China is only providing an easily exploitable platform for attacks. Nevertheless, China’s rise in the ranks as a source of internet security threats matches its equally fast adoption of internet technology.

What’s the Takeaway?
Symantec knows a good business opportunity when it sees one. If there was ever a market that needed IT security it’s China.

The report can be found here. Recommended not so much for China content, but just as a good overview of where threats are heading on the internet.
