What is the current state of the
Chinese IT Underground? Are its participants copycats who just
localize successful malware kits, and
port open source malware to web applications in between adding more features within? For the past several years, and more recently with the
anti CNN attacking campaigns courtesy of Chinese hacktivists and the average Internet users, the Chinese IT Underground has demonstrated its self-mobilization capabilities and mindset, which when combined with
basic principles of unrestricted warfare has the potential to outpace any other country's current cyber warfare capabilities - like it is for the time being from a realistic perspective.
In people's information warfare self-mobilization happens consciously, and the anti CNN campaigns perfectly demonstrate this, with an emphasis on how even the non-technical, but Internet bandwidth empowered Chinese user can consciously become a
part of a PuppetNet. And while it may also seem logical that the attacking crowds would already be using a well known set of DoS tools, the most recent case demonstrates their capabilities to code and release such DoS tools on demand. For instance, excluding a
popular in China DIY malware with
custom DDoS capabilities, the rest of the tools were released for this particular campaign.
Furthermore, in between the
average password stealers, and
DIY malware droppers, there are releases going beyond the average tools, which demonstrate a certain degree of creativity - like this one.
Key features :- the GUI C&C's objective is to make it easier to control a large number of infected hosts with an interesting option to measure the bandwidth in order to properly allocate it for DDoS attacks
- has a built-in dropping capability for backdooring the already infected hosts through a web shell
- has a built-in dropping capability of several exploits onto the infected hosts in order to use the infected hosts as infection vectors, a malicious infrastructure on demand
- intranet and Internet port scanning
Scanners result : 13/31 (41.94%)
Trojan.Flystudio.AI
File size: 660659 bytes
MD5...: d3bfb06d992b1274a69a479348f39c60
SHA1..: bc474a8bea0b4a2a4ad446abf6e3b978e1fa79c8
Using a DIY malware kit as a dropper of exploits onto infected hosts, who would later on be used as infection vectors to increase the botnet's population is a new approach applied by the Chinese underground. In comparrison, following an underground's lifecycle, the Chinese one is still more features-centered compared to the Russian one for instance, where once features become a commodity, more emphasis is put into quality assurance and extending the lifecycle of the malware by ensuring it remains undetected for as long as possible - the product concept vs the rootkit stage.
The rise of pro-kosovo web site defacement groups was marked in April, 2008, with a massive web site defacement spreading pro-kosovo propaganda. The ongoing monitoring of pro-kosovo hacktivists indicates an ongoing cyberwar between pro-serbian supporting hacktivists successfully defacing Albanian sites, and building up capabilities by releasing a list of vulnerable Albanian sites (remote SQL injections for remote file inclusion, defacements or installing web shells/backdoors) to assist supports into importing the list within their do-it-yourself web site defacement tools.
