160 likes | 168 Views
This research paper explores the underground economy and malicious websites on the Chinese web, including the modeling of individual actors and market interaction. A case study on the Panda Worm is also included. The measurements and results of the underground black market and public virtual assets marketplace are discussed, leading to a conclusion about the findings.
E N D
Studying Malicious Websites and the Underground Economy on the Chinese Web Presented to Prof. Dr. Eduard Heindl Presented by Ramesh Babu Vadde Manjula BCM SS 2012 Based on Research Work of Jianwei Zhuge et al. (Jinawei Zhuge et al. 2009)
Agenda • Introduction • Underground Economy Model • Modeling the Individual Actors • Market Interaction • Case Study: Panda Worm • Measurements and Results • Measurements on the Underground Black Market • Measurements on the Public Virtual Assets Marketplace • Conclusion
Introduction • The World Wide Web is popularizing very • quickly • Up to the end of December 2011, there were • 2.30 million websites • The Well-Known websites are categorized • into four: • search engines, navigation sites, • online-business platforms, and online • entertainment • Besides these, are online-games sites • 324 million online games users, accounting • to 63.2% of the total Chinese Internet Users Fig 1 Scale and popularizing rate of Chinese internet users1 1 China Internet Network Information Center (CNNIC). The 29th Statistical Reports on the Internet Development in China, January 2012. http://www1.cnnic.cn/uploadfiles/pdf/2012/2/27/112543.pdf.
Figure 3: QQ IM and AA Coins 3 Figure 2: Online Games and Virtual Goods in China 2 2,3, First, Improving Security Together. Minghua Wang, Malicious Websites on the Chinese Web Overview and Case Study. http://www.first.org/conference/2008/papers/wang-minghua-slides.pdf
Underground Economy Model • Malicious Website - redirects the visitor to an exploit host, which then attacks the • victim and causes malware infection, this kind of attack is also called drive-by- • download attack. • Web-based Trojan - is a kind of malware performing client-side attack, which is • typically implemented in web script languages such as JavaScript, and exploits • certain system- or application-level vulnerabilities to obtain complete control of • the client system once the vulnerable client visits the host web page of the web- • based Trojan. • Stealer Trojan - is a kind of Trojan horse malware with the purpose of stealing • valuable information or assets from the victims, such as pairs of account and • password • Web-based Trojan Netwotk - is a network constructed and operated by the • blackhats to make profit by exploiting the vulnerable client systems and stealing • of the virtual assets, it contains the surface malicious websites, and the behind • Web-based and Stealer Trojans
Underground Economy Model Modeling the Individual Actors Malware Writer - Driven by economic profits and sell their tools, malware, and evasion service for making money. They are able to find vulnerabilities or use recently public disclosed vulnerabilities and the corresponding exploits. Furthermore, these actors have the technical skills to develop their own exploits, or Trojans based on the original vulnerability reports and available exploit codes. Website Masters/Crackers Website Master - Attract visitors with the help of free goodies, e.g., free movies, music, software, or tools. Sell the traffic (i.e., website visits) of their websites to Envelopes Stealers by hosting the web-based Trojans. Website Crackers - Hack into well-known, but unsafe websites. Redirect the traffic for this website to another malicious machine
Underground Economy Model - Modeling the Individual Actors Envelopes Stealers Envelopes - Jargon word used in the underground market. Means the stolen pair of account and password. Envelopes Stealers - Have very limited technical knowledge. Buy Trojans, malware generators and website traffic. Create a web-based Trojan network from which they can harvest envelopes. Sell the harvested envelopes to Virtual Asset Stealers. Virtual Asset Stealers - Do not have any technical knowledge about hacking and programming. - Have a rather good understanding of the underground market. - Buy envelopes from the Envelopes Stealers, log-in to the online games or QQ accounts to steal valuable virtual assets like game equipments or QQ coins.
Underground Economy Model - Modeling the Individual Actors Virtual Asset Sellers - Setting up virtual shops Taobao, PaiPai, eBay. Sell virtual asset to Players on the public marketplaces. For example, they typically buy QQ coins on bulletin boards and then sell the coins for 0.5 – 0.8 RMB on Taobao, making a certain profit with each transaction. Players - Enthusiastic online games players or QQ users - Spending large amounts of money on the virtual assets - Commonly male teenagers who dispense their Parents - Foundation of the whole underground market since they stimulate demand for all virtual goods and drive the market.
Underground Economy Model Market Intraction Figure 4: Interaction of the individual Actors within the Underground Market on the Chinese Web4 4 Jianwei Zhuge et al. (Jinawei Zhuge et al. Studying Malicious Websites and the underground economy on the Chinese Web, 2009)
Underground Economy Model • Case Study • Case study done by Jianwei Zhuge et al. (Jinawei Zhuge et al. 2009) • famous security incident on the Chinese World Wide Web in 2007 • Li Jun (Virus Writer), Wang Lei (a Website Master) and Zhang Sun (an • Envelopes Stealer) are the key actors • Li Jun implemented the Panda Worm based on his experience from • implementing several other kinds of malware • Li Jun made an estimated profit of about 150, 000 RMB, and Wang Lei • and Zhang Sun made 80,000 and 12,000 RMB profits respectively • - were arrested and put in Jail in 2007
Measurements and Results Measurements on the Underground Black Market Figure 5: Posters per Month from January 2006 to September 20075 5Jianwei Zhuge et al. (Jinawei Zhuge et al. Studying Malicious Websites and the underground economy on the Chinese Web, 2009)
Measurements and Results - Measurements on the Underground Black Market Figure 6: Posts and Replies per Month from January 2006 to September 20076 Measurements on the Public Virtual Assets Marketplace There were total 42,561 online shops with 34,450 active deals. Total numbers of successful deals in 2007 were found to be 8,907,568 virtual assets . The estimated value of total virtual assets on Taobao platform was 223 Million RMB. 6Jianwei Zhuge et al. (Jinawei Zhuge et al. Studying Malicious Websites and the underground economy on the Chinese Web, 2009)
Conclusion • Malicious websites have become a major threat to the normal Internet users in China • Web-based Trojan network driven by the economic profits, and launched by the experienced and well organized black hats • Hundred of malicious hosts distributed at different locations within China, and even abroad
Bibliography Alexa, The Web Information Company. Global Top 500 Sites, June 2012. http://www.alexa.com/topsites/global. Chengyu Song, Jianwei Zhuge, Jinpeng Guo, Thorsten Holz, Wei Zou, and Xinhui Han. “Studying Malicious Websites and the Underground Economy on the Chinese Web”, 2009. China Internet Network Information Center (CNNIC). The 29th Statistical Reports on the Internet Development in China, January 2012. http://www1.cnnic.cn/uploadfiles/pdf/2012/2/27/112543.pdf. First, Improving Security Together. Minghua Wang, Malicious Websites on the Chinese Web Overview and Case Study. http://www.first.org/conference/2008/papers/wang-minghua-slides.pdf Internet World Stats, Usage and Population Statistics. Asia Stats, December 2011. http://www.internetworldstats.com/stats3.htm. Jianwei Zhuge, Jinpeng Guo, Minghua Wang, Yonglin Zhou, Yuejin Du, Weimin Sun, and Xulu Jiao. “Malicious Websites on the Chinese Web: Overview and Case Study”, 2009.