
Studying Malicious Websites and the Underground Economy on the Chinese Web

Presented to Prof. Dr. Eduard Heindl
Presented by Ramesh Babu Vadde Manjula
BCM SS 2012

Based on Research Work of Jianwei Zhuge et al. (Jianwei Zhuge et al. 2009)


Agenda
• Introduction
• Underground Economy Model
  • Modeling the Individual Actors
  • Market Interaction
  • Case Study: Panda Worm
• Measurements and Results
  • Measurements on the Underground Black Market
  • Measurements on the Public Virtual Assets Marketplace
• Conclusion


Introduction
• The World Wide Web is growing in popularity very quickly
• Up to the end of December 2011, there were 2.30 million websites
• Well-known websites fall into four categories: search engines, navigation sites, online-business platforms, and online entertainment
• Besides these, there are online-games sites
• 324 million online games users, accounting for 63.2% of the total Chinese Internet users

Figure 1: Scale and popularizing rate of Chinese Internet users 1

1 China Internet Network Information Center (CNNIC). The 29th Statistical Reports on the Internet Development in China, January 2012. http://www1.cnnic.cn/uploadfiles/pdf/2012/2/27/112543.pdf.


Figure 2: Online Games and Virtual Goods in China 2

Figure 3: QQ IM and AA Coins 3

2, 3 First, Improving Security Together. Minghua Wang, Malicious Websites on the Chinese Web Overview and Case Study. http://www.first.org/conference/2008/papers/wang-minghua-slides.pdf


Underground Economy Model
• Malicious Website - redirects the visitor to an exploit host, which then attacks the victim and causes a malware infection. This kind of attack is also called a drive-by-download attack.
• Web-based Trojan - a kind of malware that performs a client-side attack. It is typically implemented in web script languages such as JavaScript and exploits certain system- or application-level vulnerabilities to obtain complete control of the client system once the vulnerable client visits the web page hosting the web-based Trojan.
• Stealer Trojan - a kind of Trojan horse malware whose purpose is to steal valuable information or assets from the victims, such as account and password pairs.
• Web-based Trojan Network - a network constructed and operated by blackhats to make a profit by exploiting vulnerable client systems and stealing virtual assets. It consists of the malicious websites on the surface and the Web-based and Stealer Trojans behind them.


Underground Economy Model
Modeling the Individual Actors
Malware Writer - Driven by economic profit, they sell their tools, malware, and evasion services to make money. They are able to find vulnerabilities or use recently publicly disclosed vulnerabilities and the corresponding exploits. Furthermore, these actors have the technical skills to develop their own exploits or Trojans based on the original vulnerability reports and available exploit code.
Website Masters/Crackers
Website Master - Attracts visitors with the help of free goodies, e.g., free movies, music, software, or tools. Sells the traffic (i.e., website visits) of their websites to Envelopes Stealers by hosting the web-based Trojans.
Website Crackers - Hack into well-known but unsafe websites and redirect the traffic for the website to another malicious machine.


Envelopes Stealers
Envelopes - Jargon word used in the underground market. It means a stolen pair of account and password.
Envelopes Stealers - Have very limited technical knowledge. Buy Trojans, malware generators and website traffic. Create a web-based Trojan network from which they can harvest envelopes. Sell the harvested envelopes to Virtual Asset Stealers.
Virtual Asset Stealers
- Do not have any technical knowledge about hacking and programming.
- Have a rather good understanding of the underground market.
- Buy envelopes from the Envelopes Stealers and log in to the online games or QQ accounts to steal valuable virtual assets like game equipment or QQ coins.


Virtual Asset Sellers - Set up virtual shops on Taobao, PaiPai, and eBay. Sell virtual assets to Players on the public marketplaces. For example, they typically buy QQ coins on bulletin boards and then sell the coins for 0.5 – 0.8 RMB on Taobao, making a certain profit with each transaction.

Players
- Enthusiastic online games players or QQ users
- Spend large amounts of money on virtual assets
- Commonly male teenagers who spend their parents' money
- Foundation of the whole underground market, since they stimulate demand for all virtual goods and drive the market.


Underground Economy Model
Market Interaction

Figure 4: Interaction of the individual Actors within the Underground Market on the Chinese Web 4

4 Jianwei Zhuge et al., Studying Malicious Websites and the Underground Economy on the Chinese Web, 2009


Underground Economy Model
Case Study
- Case study done by Jianwei Zhuge et al. (Jianwei Zhuge et al. 2009)
- A famous security incident on the Chinese World Wide Web in 2007
- Li Jun (Virus Writer), Wang Lei (a Website Master) and Zhang Sun (an Envelopes Stealer) are the key actors
- Li Jun implemented the Panda Worm based on his experience from implementing several other kinds of malware
- Li Jun made an estimated profit of about 150,000 RMB, and Wang Lei and Zhang Sun made 80,000 and 12,000 RMB profits respectively
- They were arrested and put in jail in 2007


Measurements and Results
Measurements on the Underground Black Market

Figure 5: Posters per Month from January 2006 to September 2007 5

5 Jianwei Zhuge et al., Studying Malicious Websites and the Underground Economy on the Chinese Web, 2009


Figure 6: Posts and Replies per Month from January 2006 to September 2007 6

6 Jianwei Zhuge et al., Studying Malicious Websites and the Underground Economy on the Chinese Web, 2009


Measurements on the Public Virtual Assets Marketplace
There were a total of 42,561 online shops with 34,450 active deals. The total number of successful deals in 2007 was found to be 8,907,568 virtual assets. The estimated value of the total virtual assets on the Taobao platform was 223 million RMB.


Conclusion
• Malicious websites have become a major threat to normal Internet users in China
• Web-based Trojan networks are driven by economic profit and launched by experienced and well-organized blackhats
• Hundreds of malicious hosts are distributed at different locations within China, and even abroad


Bibliography
Alexa, The Web Information Company. Global Top 500 Sites, June 2012. http://www.alexa.com/topsites/global.
Chengyu Song, Jianwei Zhuge, Jinpeng Guo, Thorsten Holz, Wei Zou, and Xinhui Han. “Studying Malicious Websites and the Underground Economy on the Chinese Web”, 2009.
China Internet Network Information Center (CNNIC). The 29th Statistical Reports on the Internet Development in China, January 2012. http://www1.cnnic.cn/uploadfiles/pdf/2012/2/27/112543.pdf.
First, Improving Security Together. Minghua Wang, Malicious Websites on the Chinese Web Overview and Case Study. http://www.first.org/conference/2008/papers/wang-minghua-slides.pdf
Internet World Stats, Usage and Population Statistics. Asia Stats, December 2011. http://www.internetworldstats.com/stats3.htm.
Jianwei Zhuge, Jinpeng Guo, Minghua Wang, Yonglin Zhou, Yuejin Du, Weimin Sun, and Xulu Jiao. “Malicious Websites on the Chinese Web: Overview and Case Study”, 2009.