Feb 24 2009
According to Kingsoft Anti-Virus, the “Crab Group” is one of China’s top-5 virus dissemination families and responsible for the recent infection of around 30 million computers.
Kingsoft’s 2008 Year-End report reveals that within hacker circles, the majority of money is earned by establishing viral dissemination chains. While a virus author may earn a salary of one million yuan a year (approx USD 150,000), it was possible for a viral dissemination group to earn ten million yuan (approx USD 1.5 million) yearly.
The Crab Group had gained access to an unidentified trusted server in Guangdong, uploading viruses and trojans to popular websites. The group had been using the “Cat Ringworm” virus, a.k.a. Charging Bull, as their primary dissemination tool and infected around 30 million computers.
For background on the Chinese hacker virus industry chain read here, here, and here.
Feb 15 2009

What does the Charging Bull have in common with the Chinese Vampire? According to Dr. Shi Xiaohong, who performed extensive analysis on the two viruses, they were written by the same author.
Sina Tech News has been reporting on the rapid spread of a relatively new virus called “Charging Bull.” It probably got the name from appearing around the same time as the Chinese New Year, the Year of the Ox. Let’s face it, “Charging Ox” does not sound cool.
In June 2008, we told you about Chinese Vampire and the following month about the big controversy surrounding the original author.
Feb 14 2009

Jiangmin Anti-Virus is warning that the E-Rose Virus is making the rounds this Valentine’s Day. In 2006, China had the largest number of computers infected from the spread of this malware.
Feb 12 2009
Sometimes it doesn’t really matter how many layers of security your bank has if your personal computer is infected. A victim of Chinese hackers who banked with the Korean bank Hana may…or may not have learned this lesson:
According to investigators at Seoul’s Gangnam Police Station, the hackers breached the online account of the victim, identified only as Seok, on Jan. 5, and moved money from the account three times, 7 million won at a time, despite Seok having been tipped off by Kookmin Bank earlier that day that her online bank account had been accessed by a user from a suspicious Internet protocol (IP) address based in China that had been used in another hacking attempt in August last year.
Feb 09 2009
The most loyal TDV readers may remember a post from a while back showing some Google searches that turned up more than one hundred Chinese .gov sites with malicious links or defacements. It appears that there are a few more to add to the list as of late. One of the Chinese malware blogs that I follow posted a string of blog posts indicating that .gov sites were getting compromised and having malware embedded in them.

www.sxfc.gov.cn, www.lfzs.gov.cn and a few non-.gov sites had very similar malware links embedded in them. At the time of this writing, many of the links embedded in the sites are broken but some of the malware is still there for the wget’ing.
After a few redirects, we get to a1.css, which is an FSG packed PE file. It is well detected by antivirus (38/39 on virustotal.com). Nothing too interesting.
The Chinese malware that I have come across is either not packed at all or uses well-known packers like UPX and FSG. What have you TDV readers come across? Any custom packers?
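As an added illustration of the packer question above (my own example, not code from the post or from any of the sites mentioned), here is a stdlib-only Python triage check that walks a PE file’s section table, flags UPX-style section names, and reports per-section entropy, which is the heuristic that catches packers like FSG that leave no telltale name. The sample PE it builds is constructed for the test and is not a loadable executable.

```python
import math
import struct
from collections import Counter

# UPX is easy to spot by section name; FSG leaves no such telltale, so the
# entropy check is what would flag a sample like the a1.css PE file above.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
HIGH_ENTROPY = 7.0  # bits/byte; compressed or encrypted data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or uniform data)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(blob: bytes):
    """Yield (name, raw_bytes) for each section header; stdlib-only PE walk."""
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]            # e_lfanew
    if blob[:2] != b"MZ" or blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", blob, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                               # section table
    for i in range(num_sections):
        hdr = blob[table + 40 * i:table + 40 * (i + 1)]
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)
        yield hdr[:8].rstrip(b"\0"), blob[raw_ptr:raw_ptr + raw_size]

def packer_verdict(blob: bytes) -> dict:
    """Per-section entropy plus the reasons (if any) the file looks packed."""
    report = {"sections": [], "reasons": []}
    for name, data in pe_sections(blob):
        ent = round(shannon_entropy(data), 2)
        report["sections"].append((name.decode("latin-1"), ent))
        if name in PACKER_SECTION_NAMES:
            report["reasons"].append(f"packer section name {name!r}")
        if ent > HIGH_ENTROPY:
            report["reasons"].append(f"entropy {ent} in section {name!r}")
    report["packed"] = bool(report["reasons"])
    return report

def build_sample_pe() -> bytes:
    """Constructed, non-loadable PE skeleton with UPX-style sections (test input)."""
    low, high = bytes(4096), bytes(range(256)) * 16   # entropy 0.0 and 8.0
    data = 64 + 4 + 20 + 2 * 40        # DOS hdr + signature + COFF + 2 section hdrs
    head = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0"
    head += struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0)    # no optional header
    for name, raw, ptr in ((b"UPX0", low, data), (b"UPX1", high, data + len(low))):
        head += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(raw), 0x1000, len(raw), ptr, 0, 0, 0, 0, 0)
    return head + low + high
```

Run `packer_verdict(open("sample.exe", "rb").read())` on a real sample; a high-entropy section with no known packer name is the signature of a custom or less common packer worth a closer look.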
Feb 06 2009
Yesterday, Jiangmin released their 2008 Computer Virus Epidemic report showing the top 10 viruses for 2008. The report further noted that online organized crime elements were forming underground industrial chains to manufacture and disseminate viruses.
In 2008, there were 1.09 million viruses intercepted, representing an increase of over 200% from 2007. The report also stated that over 28 million computers had been infected by viruses and this reflected a drop of 18.39% from 2007 due to enhanced security awareness.
Trojans accounted for 78% of all viruses intercepted, backdoor programs 10%, malicious advertisements 4%, worms 6%, and all others 2%. Trojans and backdoors remain the biggest problem, increasing 10% when compared to 2007 statistics.
China’s Top 10 Viruses for 2008
- Trojan/PSW.OnLineGames
- Trojan/PSW.GamesPass
- Trojan/Agent
- Checker/Autorun
- Backdoor/Huigezi
- Trojan/PSW.QQPass
- Exploit.CVE-2007-0071
- Trojan/StartPage
- Trojan/DogArp
- Win32/Infectrpcss
Feb 01 2009
While C and VB are a bit more popular, the Chinese programming language “Easy” is coming into fashion.
Chinese hackers used Easy to compile “Worm.Win32.AutoRun.kkr.” According to Micropoint Anti-Virus, the worm’s icon is “” (some of you computer smart guys may need to patch this section up a bit) and, once installed, it keeps hidden files from being shown and conceals known file extensions.
Feb 01 2009

Via: Fergdawg
In 2007, the official website of Dolphin Stadium was compromised with malicious code linked to a JavaScript file inserted into the header of the front page. The redirect ended up at a domain registered in China.
Just sayin’…
Jan 25 2009

From: 022net.com
Do you send text messages to your friends, colleagues and customers wishing them well or a Happy New Year? The answer for the majority of people is, definitely. Recently, I’ve received many text messages, all in regards to wishing me well and Happy New Year.
With the New Year approaching, the cell phone virus has entered a period of “extreme danger,” so remind your friends to be on the lookout for spam text messages.
Fortunately, all you have to do with spam text messages is delete them, but they are no joke. A viral outbreak can cause the cell phone to stop working, data loss, spread junk mail and dial out to other phones. It can also destroy hardware such as the SIM card and chip.
(In here how to defend against viral text messages, not translated. Skipped to more interesting portion of the article)
Capital media reports that cell phone user Mr. Zhang received a pornographic text message from an unknown number; after opening the text, his cell phone continuously sent messages to people stored in his contact list. The text message harmed the reputation of over 700 people. Victims sent their cell phones to the service center in order to remove the virus, costing over 200 yuan. A security expert said the virus contained a website address and transmitter virus. After the virus is installed, there is no immediate abnormal behavior, but after 30 minutes the virus links to the net and transmits text messages every 10 seconds. Sending out text messages at this high rate can run up user fees. It is possible the virus is also able to subscribe users to certain unwanted services, driving up charges.
According to China Mobile, the company blocked over 4 billion pieces of junk mail in the first half of 2008.
Jan 22 2009

On the 21st, Rising Anti-Virus issued a security alert to web users that hackers had installed a trojan on the popular ticketing website piaocn.com. The virus was located on the http://####.706sese.Cn server. Users visiting the website to book tickets could have the malicious software downloaded onto their computer and lose online game, online banking or QQ account numbers.
The http://####.706sese.Cn website was ranked the number one offender for spreading malware. In the last week, it had attacked 1.44 million people.
The Rising malicious website monitoring network showed that there had been a recent increase in the number of trojan infected and phishing websites. On the 20th, Rising’s “cloud security” system had intercepted 6.83 million web users visiting infected websites. It was highly likely that these people had downloaded trojans and online game stealing trojans.
A Rising security expert said that presently, ticket sales and movie download sites are the primary targets of hackers to install malicious software and that they contained over 80% of all trojans.
Rising reminded users that hackers were especially active during holidays such as New Year, Chinese New Year, Christmas, etc., when people are getting tickets home, shopping, and downloading movies.