This is part of a series of blog posts discussing the Chinese underground. The previous parts may be found here:
- Part 1: Introduction
- Part 2: The Four Value Chains
- Part 3: Virtual Assets Theft
- Part 4: Internet Resources And Services Abuse
The full paper can be found here.
The fourth and final value chain is focused on the creation of tools and the training of would-be hackers. Without tools and trained personnel, any underground community is bound to collapse sooner rather than later.
The basic structure can be seen below:
There are three basic parts of this particular value chain. Some blackhats focus on looking for software vulnerabilities and creating exploits for these vulnerabilities. These are then sold in online marketplaces, where other blackhats can use these for their own purposes.
Other blackhats focus on creating and developing attack tools and malware. In addition to writing the tools, some blackhats work to ensure that these tools cannot be detected by antivirus software. The end products – Trojan horses, attack tools, and other malware – are similarly traded in online marketplaces, and sold to other cybercriminals to be used for purposes, such as those outlined in the earlier blog entries.
The Chinese underground possesses clear mechanisms for training new members of the community. In many cases, there is even a clear master-apprentice methodology in training inexperienced members, who then gain further experience (and profit) by taking part in other cybercrime schemes. Alternately, training materials for self-study are also created and sold.
Broadly speaking, blackhat activities are called “hackers’ jobs” (heike renwu, 黑客任务), with the cybercriminals referring to themselves as “hackers” (heike, 黑客). Experienced members interested in teaching their knowledge will post ads saying they are “seeking an apprentice” (shoutu, 收徒). Conversely, new members looking for a coach will post ads saying they are “seeking for master” (baishi, 拜师).
Trojan horses (muma, 木马) are frequently shortened to just “horse” (ma, 马) in the underground. Trojan writers are called muma zuozhe (木马作者). AV software evasion is known miansha (免杀).
The case of the “blandness” Trojan gang, arrested in 2009, highlights the importance of this particular aspect of the Chinese underground – as well as its scale.
The malware in this case was created by two of those arrested, who go by the names Lu and Zeng, both residents of Shenzhen. From June 2007 to August 2008, the pair wrote Trojans that stole the login credentials from more than 40 online games. At the same time, Zeng was looking for a partner who could help sell these tools to other individuals. In February 2008, he found a partner: a certain Yan, who named the Trojans the “blandness horse” (温柔马) series.
By the time Lu and Zeng were arrested, they had developed 28 different variants that stole a total of 5.3 million login credentials. Each pocketed 645,000 renminbi, or more than 100,000 US dollars. Yan took in 310,000 renminbi, or slightly under 50,000 dollars. The three ringleaders, along with 11 other defendants, were eventually sentenced to three years in prison, with an additional six months in probation.