The online underground in China: Part 2

August 27, 2012

Posted in: Network Security Trends

Last time we looked at how members of the Chinese online underground manipulate and steal real assets and virtual assets: the virtual cash and gear that sell for real dollars on the open market. Today we'll look at the other two value chains: the abuse of Internet resources and services, and the Blackhat services, the engine that in effect makes the whole thing go, together with the tools and training that fuel it.

The abuse of Internet resources has developed in the absence of coordinated governance and regulation, so it is still something of a hodge-podge. The resources in question are computing capacity, storage, bandwidth, IP addresses, network traffic and sensitive data. Botnets are the standard means of abusing them. In China, most bots are installed through malicious email or instant messages, exploitation of vulnerabilities, and Trojans dropped by drive-by downloads.

Botnets can be used in a variety of ways, and often they are multi-purposed. They can install banking Trojans to steal real-world assets or gaming Trojans to steal virtual assets. They can be used for spamming, DDoS attacks or extortion, click fraud and theft of private information.

Web servers are particularly coveted, since page views are valuable to Blackhats. Blackhats either compromise them with their own hacking techniques or buy what they need on the underground market. Business servers and the sensitive data they hold are also highly prized.

Another source is the large number of computers that are not compromised at all, but whose owners allow software to be installed for a small fee. Multi-level marketing is one legal use of spare computing or even networking resources. These machines are used in much the same way as bots, sometimes by Trojans installed on the systems, and all of it has murky legal implications.

More recently, particularly in China where smart phones are immensely popular (more than 356 million subscribers), a wide variety of malicious code targets them. Phones need special consideration, since they hold private information that is directly linked to credit cards. Malicious bundled applications, email and text messages are the primary infection avenues. Crimes include unauthorized charging, SMS and MMS spamming, click fraud, PPI (pay-per-install) fraud, rank/credit/vote cheating services and theft of private information.

Even non-tradable resources and services can be subject to extortion (nice website, shame if something were to happen to it).

The Blackhat services and products are the engine that makes the online underground go. They discover vulnerabilities, and develop Trojans and other attack tools and sell them to the miscreants in the other three value chains. In addition, they will hire out their services to launch attacks on behalf of their employers. They provide training services to new entrants, providing new blood for the cause.

One of the more celebrated cases was the "blandness" Trojan gang, which accounted for about half the Trojan market share at the time. Up to their arrest, the culprits had developed 28 different models of the "bland" Trojan to exploit various online games and had stolen 5.3 million credentials.

Unlike the West, which uses IRC chats, the Chinese online underground uses web forums and QQ chat groups. By studying these groups and decoding their evasive lingo, the report pieces together a rough estimate of the size of the damage.

So, here are the rough stats:

  • Real asset theft: threatened population, 38.8 million; damages, $339 million
  • Virtual asset theft: threatened population, 38.4 million; damages, $225 million
  • Abuse of Internet resources and services: threatened population, 33.6 million; damages, $228 million
  • Hacked websites: 1.1 million websites; damages, $70 million
