RESEARCHBRIEF. Beyond Online Gaming Cybercrime: Revisiting the Chinese Underground Market

Transcription

1 RESEARCHBRIEF Beyond Online Gaming Cybercrime: Revisiting the Chinese Underground Market Lion Gu After taking a grand tour of the Chinese underground market last year, let s revisit it and see what has changed since then.1 In the past, we noted that Chinese cybercriminals adapted well to their environment, trailing their sights on online gamers and mobile users, the majority of the Internet users in the country. They continue to adapt well, as the market has now reached a similar level of maturity as the rest of the global cybercriminal underground. 1 The Chinese underground market is hidden to the public but is not very difficult to find. Cybercriminals frequent forums and QQ chat groups. Though forums remain the most popular cybercrime platform in many countries, China is unique in that QQ chat groups were also frequently used. Each cybercrime group has a unique ID. Would-be customers can simply search for a certain group of interest in QQ to gain access to its service and product offerings.

2 Chinese Underground Offerings: What s in Store for Cybercriminals? Every local underground market is unique. The Chinese underground market is a lot like any Chinese market though. It offers many kinds of goods for which interested buyers can bargain. Sellers normally post ads with pretty pictures and descriptions to entice buyers. Everything you can possibly need is readily available. The Chinese underground market is now rife with a variety of service and product offerings that any threat actor would love to get his hands on. Service Offerings Like underground markets in other countries, notably Russia, offerings like distributed denial-of-service (DDoS), antivirus, phishing, webshell creation, and blackhat search engine optimization (SEO) services abound in the Chinese underground market. 2 The following are just some of the services available to cybercriminals: Figure 1: Gh0st DDoS Kit console DDoS attack: Cybercriminals carry out DDoS attacks by sending too many requests to a target site, causing what s known as a flooding that renders a site inaccessible for a given amount of time. Antivirus/Detection evasion: Since many potential attack targets may employ some kind of antivirus protection, evasion services have become a staple underground offering. These allow cybercriminals to test their malware against known antivirus solutions before actual use, increasing their chances of launching a successful attack. Figure 2: A no-detection demo from an antivirus service provider Because malware sometimes evade antivirus detection with the help of fake certificate signatures, malware-signing services are also offered underground. 2 white-papers/wp-russian-underground-101.pdf 2

3 CHINESE UNDERGROUND SERVICE OFFERINGS SERVICE PRICE DDoS attack SYN packet attack Sell Challenge Collapsar (CC) packet attack Darkshell DDoS Kit rental Dedicated 1Gbps Internet connection, 8G memory, and Xeon E7 CPU server rental Dedicated Atom 330 (1.60GHz)/2G/250G server rental Dedicated E5200 (2.5GHz)/2G/320G server rental Dedicated E5400 (2.7GHz)/2G/320G server RMB 1,000 (US$ or )for 10G/day RMB 450 (US$73.22 or 54.27) for 1G/day RMB 500 (US$81.35 or 60.30)/month RMB 2,100 (US$ or )/month RMB 599 (US$97.46 or 72.24)/month RMB 699 (US$ or 84.30)/month RMB 799 (US$130 or 96.36)/month Antivirus/Detection evasion Undetected by Chinese antivirus solutions Undetected by global, especially South Korean, antivirus solutions (e.g., ALYac, AhnLab, AVG, Kaspersky, Avira, Virus Chaser, Avast, and ESET products) RAT bundle undetected by local antivirus solutions (e.g., Qihu 360, Kingsoft, and Guanjia products) Malware signing RMB 1,500 (US$ or )/month RMB 500 (US$81.35 or 60.30)/month RMB 400 (US$65.08 or 48.24)/month RMB 400 (US$65.08 or 48.24)/week Product Offerings Going it alone is also an option for those who wish to do so. Cybercriminals who wish to launch their own attacks and control every step of the process have the option instead to buy various products from their peers such as: Compromised hosts: Cybercriminals also sell compromised hosts to peers to serve as malware download sites and DDoS attack or computation task executors (i.e., used to mine Bitcoins because the process requires a lot of processing power). Remote access tool (RAT): A RAT allows user to remotely access and control computers. But RATs can be used for malicious purposes, too. We call these malicious counterparts usually sold underground remote access Trojans. Figure 3: A TYT RAT ad Phishing kit: Because a lot of money can be gained by compromising users personal accounts, phishing kits abound in the Chinese underground, too. 3

4 Webshell: This refers to a script that is usually left on a compromised site to maintain control of it. It is also used for blackhat SEO attacks since compromised sites are normally used to increase a malicious site s ranking to gain as many visitors as possible. Figure 4: Phishing page demo Those who do not want to go through the trouble of creating phishing pages and/or sites but wish to collect stolen credentials for various purposes can opt to buy these instead. Stolen credentials like addresses or user-name and password combinations are often used to instigate targeted attacks. Bank account credentials, meanwhile, are normally used for identity spoofing and other fraudulent financial activities. Stolen online gaming account credentials are also especially sold in the Chinese underground, most likely due to the country s huge online gaming community. Figure 5: Stolen account checker kit 4

5 CHINESE UNDERGROUND PRODUCT OFFERINGS PRODUCT PRICE Compromised hosts Windows 2003 Windows XP Registered in South Korea and Japan Camera connected RMB 3 (US$0.49 or 0.36)/host RMB 0.20 (US$0.03 or 0.02)/host RMB 1 (US$0.16 or 0.12)/host RMB 100 (US$16.27 or 12.06)/500 hosts RAT Gh0st 3.75 with 1 month antivirus service Terminator with 1 month antivirus service Chicken Farm with 1 month antivirus service Average price without antivirus service RMB 400 (US$65.08 or 48.24) RMB 400 (US$65.08 or 48.24) RMB 600 (US$97.62 or 72.36) RMB 30 (US$4.88 or 3.62) Phishing kit RMB 1,000 (US$ or ) Stolen credentials Local accounts for sites like mail.cn.yahoo.com, and 1,300 new U.S. and European accounts for sites like com, and 100,000 38M South Korean and Japanese accounts New DNF, an online game, accounts RMB 1,000 (US$ or ) RMB 2,000 (US$ or ) RMB 1,000 10,000 (US$ ,627 or ,206) RMB 0.30 (US$0.05 or 0.04)/account ID Webshell packages for blackhat SEO purposes 270 Baidu rank 1 3 sites/month 270 Baidu rank 2 4 sites/month 270 Baidu rank 3 5 sites/month 270 Baidu rank 4 6 sites/month 270 Google rank 1 3 sites/month 270 Google rank 2 4 sites/month 270 Google rank 3 5 sites/month 270 Google rank 4 6 sites/month Google rank 1 Japanese sites Google rank 2 Japanese sites Google rank 3 Japanese sites Google rank 4 Japanese sites Google rank 5 Japanese sites Google rank 6 Japanese sites RMB 300 (US$48.81 or 36.18) RMB 580 (US$94.37 or 69.95) RMB 720 (US$ or 86.84) RMB 999 (US$ or ) RMB 220 (US$35.79 or 26.53) RMB 340 (US$55.32 or 41.01) RMB 400 (US$65.08 or 48.24) RMB 520 (US$84.60 or 62.71) RMB 15 (US$2.44 or 1.81)/site RMB 25 (US$4.07 or 3.02)/site RMB 45 (US$7.32 or 5.43)/site RMB 90 (US$14.64 or 10.85)/site RMB 180 (US$29.29 or 21.71)/site RMB 360 (US$58.57 or 43.42)/site 5

6 The Thriving Chinese Underground: What Does It Mean for Users? The Chinese underground market, like others, continues to thrive. It now offers a wider variety of services and products that any cybercriminal would love to get his hands on. The service and product offerings in this report are just some of those available to enterprising cybercriminals. Only the most popular offerings have been included here. Even so, however, it is not difficult to see that user data and popular sites are favorite cybercriminal targets. Because cybercriminals find a great deal of value from stealing and buying stolen personal credentials, users should make sure they practice safe computing habits. Visiting only trusted sites; making sure their computers, devices, software, and apps are always updated with the latest patches; and steering clear of dubious s are strongly advised. Those who have their own sites, users and businesses alike, should also make sure that these are secure and do not reveal sensitive and confidential data. Staying abreast of the latest underground developments and protecting assets in line with improvements in cybercrime and attack tactics and tools is also a must. TREND MICRO LEGAL DISCLAIMER The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice. Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an as is condition. Trend Micro Incorporated, a global leader in security software, strives to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses and governments provide layered content security to protect information on mobile devices, endpoints, gateways, servers and the cloud. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro Smart Protection Network, and are supported by over 1,200 threat experts around the globe. For more information, visit by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners N. De Anza Blvd. Cupertino, CA U.S. toll free: Phone: Fax: