Feeds

China: Online predator or hapless host?

Reg man asks if all the China-bashing is justified

High performance access to file storage

In order to flourish, this kind of “Crime-as-a-Service” also requires so-called bulletproof hosting firms where hackers can run C&C servers and register malicious domains safe from the prying eyes of law enforcement. “These places provide a safe haven. Two or three different actors in China come to mind, accepting domain registrations which ultimately lead to attack campaigns – it’s a black hole,” said Manky.

“Interestingly China has done something. It had a problem with fraudulent registrations so the government acted to [tighten registration], but … there are still loopholes in the system – not just China but everywhere.”

The latest CNCERT stats reveal 140 malicious domains, just over a third located in mainland China, which could have been hosted in this way by attackers outside of the country.

FireEye EMEA product manager Jason Steer told El Reg that China was number three in the firm’s recent report for hosting C&C systems, below the US and South Korea, but agreed with Manky that this in no way signifies that actors inside the country are attacking global targets in huge numbers.

“Actually, I'd argue something different: attacks coming from within your country indicate that C&C servers are set up in-country to dupe defenders. Attackers are less easy to spot and find with traffic staying in country first and then being moved on,” he said.

“Given the size of China and the size of its PC population, it's an obvious place to attack from – with high speed internet and the same insecure computers running Windows there as they do across the world. As it rolls out high speed internet, clearly it’s a good place to locate systems without questions being asked.”

Home-grown problems

For the record, China's internet population at the end of 2012 stood at 564 million, around 50m more than a year previously. That's still only 42 per cent penetration but still a lot of users to target, meaning China is likely to remain an attractive location for global crime gangs to launch attacks from for some time to come. The vulnerabilities in the nation's address space are also being exploited by home-grown attackers, of course, as a report on China’s Online Underground Economy released last August shows. It claimed that nearly a quarter of the country’s internet users and 1.1m web sites were affected in 2011, at a cost of over 5bn yuan (£526m).

Trend Micro VP of cyber security Tom Kellermann told The Reg that there are over 90,000 members of the Chinese shadow economy.

“Over the past two years there has been an explosive growth in criminal hacking within China targeting Chinese corporations,” he added. “The great firewall of China has numerous vulnerabilities and as the nation becomes global economic hegemon the king of the mountain is beginning to experience the dark side of globalisation.”

China’s challenge is to promote greater levels of information security awareness among its vast populace, especially as more and more users come online for the first time, and tighten up the loopholes which have allowed bulletproof hosters to flourish. Such steps will make it less attractive for criminals – reducing the number of attacks launched by operators outside the country using compromised Chinese IP addresses, as well as cutting its domestic cyber crime problems.

It’s difficult to feel much sympathy with Beijing given the apparent volume and persistence of state-sanctioned attacks originating from within the Great Firewall. But it’s also worth remembering that activity of this kind is certainly being carried out to a lesser or greater extent by all major global powers.

In a notable report from last September, Trend Micro’s Kellermann even concluded that “hackers from the former Soviet bloc are a more sophisticated and clandestine threat than their more well-known East Asian counterparts”. China’s problem is that it’s currently the noisiest out there. Perhaps if it wants the damaging headlines to go away it needs to get its own house in order and get caught less frequently. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.