1/25/2010 4:20:00 PM

Top 10 Chinese cyber attacks

by Oren Medini

Malicious activity originating from Chinese servers has been known for a long time. In many cases we see Chinese servers used by bots that are spread across the web. Most of these bots are propagated in order to steal identities and information, install backdoors, and so on.

But beyond the bots that are operated by hackers, there is also other activity: a cyber-war.

We know that countries use hacking techniques to conduct espionage against other countries, that security organizations employ hackers to penetrate other countries' servers, and from the Google incident in China we now know for certain what was already clear to everybody: Big Brother is watching you.

The “Foreign Policy” web site (http://www.foreignpolicy.com/) published a very interesting article that reviews the top 10 Chinese cyber attacks (that we know of) against US government sites:

http://thecable.foreignpolicy.com/posts/2010/01/22/the_top_10_chinese_cyber_attacks_that_we_know_of


Tags: Malweb | Hackers | Web-based Trojans | eCrime

1/18/2010 12:45:00 PM

Google vs. China - Round 1

by Oren Medini


The Google-China relationship has been the subject of many recent articles and debates in the media. Across the globe, thousands have protested against Google, claiming that the renowned web browser is lending a hand to the trampling of human rights in China by allowing the Chinese government to filter search results.

Last Tuesday Google announced that it was considering exiting the Chinese market as the result of a sophisticated online attack targeted at Google systems – especially Gmail – in order to penetrate the accounts of pro-democracy activists in China.

In the beginning, the assumption was that the hackers (reported by some as being funded by the Chinese government) used a zero-day Adobe Acrobat Reader vulnerability. However, according to McAfee, there is evidence that they used a new IE zero-day vulnerability instead.
More information about the IE zero-day vulnerability can be found here:
http://www.microsoft.com/technet/security/advisory/979352.mspx

Link to the Adobe blog post referring to the attack:
http://blogs.adobe.com/conversations/2010/01/adobe_investigates_corporate_n.html

It will be interesting to see if Google will carry out its threat to leave the Chinese market. My bet is that it won’t.

In the meantime, it is important to note that eSafe customers are protected against both exploits – the Adobe Acrobat exploit and the new IE zero-day exploit.



Tags: Hackers | Vulnerabilities | Online Fraud | eCrime

12/27/2009 4:39:00 PM

Hacking TLS

by Avri Schneider

Researchers have uncovered a flaw in the Transport Layer Security (TLS) protocol, allowing attackers to inject arbitrary text into an encrypted session. In some cases, this attack enables an attacker to completely compromise the secured connection by either performing an arbitrary action on behalf of the user, or stealing their credentials for later use.

Organizations, banks and governments count on TLS/SSL to securely authenticate their users, clients and citizens. A flaw such as this puts the whole world at risk. TLS/SSL being susceptible to a man-in-the-middle attack is serious business. Its whole point was to enable two parties to exchange messages without an intercepting third party being able to see or manipulate any of the traffic, while also authenticating each message as originating from the claimed sender. There is currently no patch or hot-fix that will not potentially break existing configurations, and nothing short of upgrading the technology everyone uses today will protect governments, organizations and users from this attack.

More information can be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555


Tags: Vulnerabilities | eCrime

5/14/2009 10:49:00 AM

How a popular nightlife website ruined its visitors' weekend

by Mahran Amona

Once again, eCriminals took advantage of a legitimate and popular website as an attack vector for the purpose of propagating Malweb. Layla.co.il, a popular nightlife website in Israel, was compromised by eCriminals and is serving up a malicious bot to its visitors.


Image 1: Entries in our AID (Attack Intelligence Datacenter) indicating that layla.co.il contains MalWeb.

A hidden IFrame tag has been injected into all pages under the “campaign” directory. The IFrame loads a malicious page which attempts to download and execute a Trojan using one of the following exploits:
1. Microsoft Access Snapshot Viewer ActiveX Control Exploit
2. SWF Exploit
3. PDF Exploit
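A site owner checking whether their own pages carry an injected frame like the one described above can look for the two tell-tale properties: the IFrame is hidden from the visitor (zero size or hidden via CSS) and it points off-site. The scanner below is an added example written for this post, not code from the original article or from the compromised site; the page sample and the host names in it are constructed.

```python
"""Flag hidden, off-site IFrames in HTML, the pattern used in the injection above."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Matches "0", "00", "1", "0px", "1px": a frame too small to be seen.
_TINY = re.compile(r"\s*(0+|0*1)(px)?\s*")


class HiddenIframeFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):
            if dim in a and _TINY.fullmatch(a[dim]):
                reasons.append(f"{dim}={a[dim]!r}")
        style = re.sub(r"\s+", "", a.get("style", "").lower())
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if re.search(r"(width|height):(0+|0*1)(px)?(;|$)", style):
            reasons.append("zero-size via CSS")
        # A frame that is hidden AND loads another domain is the injection signature.
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            reasons.append(f"off-site src {host}")
        if reasons:
            self.findings.append((src, reasons))


def find_hidden_iframes(html, site_host):
    """Return (src, reasons) for every suspicious IFrame in the page."""
    parser = HiddenIframeFinder(site_host)
    parser.feed(html)
    return parser.findings


# Constructed sample: one legitimate embed and one injected frame (hypothetical hosts).
SAMPLE_PAGE = """<html><body><h1>This week's parties</h1>
<iframe src="http://nightlife.example/embed/calendar" width="600" height="400"></iframe>
<iframe src="http://malicious-host.invalid/in.php" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_PAGE, "nightlife.example"):
        print(src, "->", ", ".join(why))
```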

The downloaded malware executable is a bot instructed to download a rootkit which will function as a sort of keeper for it. The rootkit installs itself as a service named: “DCOM Server Process Launcher DcomLaunchMessenger”.

To evade detection, this Trojan prevents a long list of Antivirus and security applications from running.

Once the bot is launched, it sends some information to its C&C (Command and Control) system hosted on a Ukrainian server.

More than 200,000 machines worldwide have been infected by this attack so far; each infected machine joins an army of botnet zombie machines ready to be controlled by eCriminals to launch cyber attacks. The following map shows the distribution of infected machines.


Image 2: A distribution map showing the locations of machines infected by the attack.


Tags: Malweb | eCrime

4/22/2009 11:28:00 AM

Credit cards on a clearance sale and your internet security

by Iftach Ian Amit

You may already be familiar with how eCrime works from our past research and field presence, but here is one more great example of this fascinating business: this article at the Washington Post covers the drop in prices of stolen credit cards. It talks about how a surge of “fresh merchandise” has hit the market and commoditized these credit cards to a level where you’d get change from a single dollar… It’s a great example of how eCrime works just like any other business in an economic ecosystem, and adapts to supply and demand.

Just to complement the article, another contributing factor to the surge in availability is the surge in the availability of FTP credentials for legitimate sites. How do these two connect? Simple: FTP sites storing web content get accessed by eCriminals (through an automated process, of course), and the content associated with the website is modified to deliver a MalWeb attack that yields additional Trojan/Botnet infections. This leads to more credentials (both for FTP and for financial services), which get to the market, get sold, and so on… This vicious cycle feeds itself with more credentials, more access to financial resources and more infected systems, all in order to increase the revenues of the eCrime business.

Simply put, the whole picture is what counts, rather than specific incidents. Protection, on the other hand, is regarded as “I have an AV”… leaving virtually millions of systems in the hands of MalWeb and other web threats that have proven to be more effective than thou.

Case in point – get better protection. For the sake of all of us… make sure that you can get protection from as far as your ISP, to as close as your home router, and of course your PC. For enterprises it’s been easy, with SWG (Secure Web Gateway) products providing that much needed layered protection, but for consumers we have usually smirked and had to dodge the question of “so what do I do?”. Start looking for ISPs that can provide that protection – beyond the “I’ll throw in an AntiVirus and an inkjet printer if you sign a 2 year contract”.


Tags: Online Fraud | Security Predictions | eCrime