Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    November 2014
    S M T W T F S
    « Oct    
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Lion Gu (Senior Threat Researcher)

    The Chinese underground has continued to grow since we last looked at it. It is still highly profitable, the cost of connectivity and hardware continues to fall, and there are more and more users with poor security precautions in place.

    In short, it is a good time to be a cybercriminal in China. So long as there is money to be made, more people may be tempted to become online crooks themselves.

    How can we measure the growth of the Chinese underground economy? We can look at the volume of their communications traffic. Many Chinese cybercriminals talk via groups on the popular Chinese instant messaging application QQ.

    We have been keeping an eye on these groups since March 2012. By the end of 2013, we had obtained 1.4 million publicly available messages from these groups.  The data we gathered helped us determine certain characteristics and developing trends in the Chinese underground economy.

    First, the number of messages showed that the amount of underground activity in China doubled in the last 10 months of 2013 compared with the same period in 2012. Based on the ID of the senders, we also believe that the number of participants has also doubled in the same period.

    Figure 1. Number of underground-related messages identified on QQ per month

    Figure 1. Number of underground-related messages identified on QQ per month

    Cybercriminals are also going where the users are. Many of the malicious goods being sold in the underground economy are targeted at mobile users, as opposed to PC users. A mobile underground economy is emerging in China (something we noted earlier this year), and this part of the underground economy appears to be more attractive and lucrative than other portions.

    Our latest paper in the Cybercrime Underground Economy Series titled The Chinese Underground In 2013 contains the details of these findings related to QQ, as well as other updates dealing with the Chinese underground.

    Posted in Mobile |

    The availability of affordable mobile Internet access has changed the computing landscape everywhere. More and more people are using mobile devices both for work and for entertainment. China is no exception. According to a report published by the China Internet Network Information Center (CNNIC), 81% of Chinese Internet users went online using their mobile phone in 2013. The CNNIC also reported that China ended 2013 with 618 million Internet users and 500 million mobile Internet users.

    This change in user behavior is affecting the cybercriminal underground. Cybercriminals are now more likely to target mobile users, with some “businesses” in the cybercrime underground economy that are specifically aimed at mobile users. One particular business that has found success inside China is sending SMS spam.

    Just as email has been abused by spammers for many years, mobile users are now receiving large amounts of SMS spam as well. Like their email counterparts, SMS spam is used to advertise various products as well as lead users to malicious sites. Sending these messages is cheap, too: sending 100,000 messages can cost only about $450.

    One way SMS spam is sent to these users is using a GSM modem. These modems are devices which, when attached via USB to a PC, can send out text messages to multiple users in a very small amount of time. The device is controlled using an application on the PC. Basic devices will have only one SIM card, but more advanced versions (also known as a GSM modem pool) will use multiple antennas and SIM slots to send SMS messages more quickly. A 16-slot GSM modem pool (like the device below) can send up to 9,600 text messages per hour. They are available for approximately $425 each.

    Figure 1. A GSM modem with 16 SIM card slots

    Other tools that can be used Internet short message gateways. These are devices provided by mobile carriers to allow service providers to send large numbers of text messages. Alternately, a “SMS server” can also be used; These use a software-defined radio (SDR) to impersonate a cellular base station; when phones connect to this “base station” they instead all receive SMS spam.

    Sending spam is only the tip of the iceberg when it comes to these threats. My paper titled The Mobile Cybercriminal Underground Market in China examines similar products, as well as other items for sale in the Chinese cybercriminal underground. The paper offers an overview of some of the basic underground activities in the China mobile space, as well as some of the available products, services, and their respective prices.

    Posted in Bad Sites | Comments Off

    The Chinese underground has played host to many cybercriminals over the years. In the research brief titled Beyond Online Gaming Cybercrime: Revisiting the Chinese Underground Market, we provide some details of the current state of the Chinese underground economy. Last year, we looked into this underground sector, and this brief is a continuation of those efforts.

    Gathering knowledge about the Chinese underground economy is not particularly difficult, but does pose some challenges. The sites and markets that make up this underground economy are not visible to the public, but are hidden in forums and QQ chat groups. While many underground economies are organized via underground forums, the use of QQ chat groups is unique to China. These sites use their own jargon to name and describe their groups, but cybercriminals familiar with their jargon can easily find what they want.

    In some ways, the Chinese underground is similar to other legitimate economies: it offers a wide variety of products and services at a variety of price points. The services offered include:

    • Distributed Denial of Service (DDoS) kits and servers
    • Remote Access Tools (RATs)
    • Detection evasion services
    • Compromised webhosts
    • Phishing kits
    • Stolen user information
    • Webshells

    In all of these cases, a robust and healthy ecosystem exists, with cybercriminals being able to purchase their chosen product at a variety of price points.

    For example, for denial of service attacks, cybercriminals can choose to rent dedicated servers to mount more large-scale attacks. A modest Atom-based server can cost 599 RMB (US$98.50) a month; a more powerful Xeon server with a 1Gb/s connection can cost 2100 RMB (US$345) a month.

    The variety of prices is most evident in the sale of webshells, scripts that allow an attacker to maintain control over a compromised site. Sites with low page rankings on Baidu and Google can cost around 220-300 RMB (US$36-49) for a bundle of 270 sites; sites with higher page ranks can go for as much as 999 RMB (US$164).

    We hope that this paper will help readers understand the Chinese underground, in order to understand the kind of threats that users are likely to face from these threat actors and prepare the necessary defenses accordingly.

    Posted in Malware | Comments Off

    With Android’s steady growth in the US market and other parts of the world, it’s no surprise that the Android OS is also becoming more and more popular in China. Many users choose to use Android-based devices because of their powerful functions, various phone types, reasonable prices, and plenty of applications. A consequence of this wide-spread usage is that the Android OS is now the second-largest smartphone OS in China.

    This growth of Android users in China, however, seems to do little for the rocky relationship between Google and the Chinese government. It has been reported that access to the Google Android Market has been intermittent since 2009 (Access to the Android Market was last reported blocked in October, but was unblocked again three days after).

    Read the rest of this entry »


    Trend Micro uncovered how cybercriminals may profit from NICKISPY variants. A Chinese website offers mobile phone monitoring tools and services to customers who are given access to the site’s backend to retrieve information. However, such services are not cheap and can cost from US$300–540.

    We’ve been reporting about several NICKISPY variantsAndroid malware that can monitor a mobile phone user’s activities and whereabouts like SMS, phone calls, and location—here on the Malware Blog and we’ve been curious as to how cybercriminals use private information and earn money from stealing it.

    Now, we have a clear example. We found a Chinese website that offers a mobile phone monitoring service. Once a customer decides to employ the service, he/she gets an account to log in to a backend server of the service, from which information gathered from a target device can be viewed.

    The backend service can be accessed through a portal where the user must first send an MMS that includes malware as an attachment to a victim’s mobile phone number. The malware, once installed on the victim’s mobile phone, will be used to monitor information related to SMS, phone calls, device location, and email messages. Reports are then sent back to the backend service, which can then be accessed by the customer through the portal.

    Here is the configuration page of the backend server’s portal:

    Click for larger view

    The Remote Receiver Phone Number filed is the phone number that will receive the reports sent by the service, which contains new activity information from the monitored phone. Note that the customer may choose which number will be displayed as the sender of the MMS. Using a number that the victim is familiar with may convince him/her that he/she is receiving a normal MMS and be completely unaware that a malware was already installed in his/her device.

    Read the rest of this entry »



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice