Chinese Government office involved in Malware distribution

Finjan conducted a study prompted by the increased volume of attacks coming from China.

The study maps how users PCs are being infected by Trojans distributed from China that then steal data from organizations and details some of the sites that are involved in the process.

Finjan's Malicious Code Research Center (MCRC) have detected malicious activity by groups that distribute their content using obfuscated code and a network of websites to bypass traditional information security technology.

Finjan investigated a very sophisticated attack that used zero-day exploits (malware for which there is no security patch) as well as other new hacking techniques and discovered a centralized group of activity based from China, one of the websites in the group belongs to a Chinese governmental office.

Finjan researchers found that some sites in the network lead to Trojan sites that exploit the users' browser and then download the Trojan and install it on the users desktop.

Once the users PC has been infected the Trojan starts to send data to other websites in the network which are hard to detect.

Additional sites in the network monitor and control the attack using statistics about how many users visit the site and how many got infected.

The Trojans also collect data from the user, including which operating system is used, the applications that are running, their personal information such as user names and passwords, and what security systems are installed, AV, Spam, firewalls, etc.

The information collected by the Trojan network is then fed into other sites which refine the attack.

A snapshot picture showing the names of the websites and how they interlink is available here

The names of some of the websites have been partially obscured as the sites are still active and highly malicious.

More ever, this snap shot focused on just one specific Trojan sample, while inspecting the hacker activity it was discovered that many more Trojan networks exist that use the same infection and control process.

"This development is disturbing for governments, enterprises and individuals alike." Finjan CTO Yuval Ben-Itzhak, continued, "Signature-based technologies like Anti-virus and URL Filtering are limited, against this type of attack, the number of vectors and sophisticated structure of the network of websites has been designed to by-pass traditional information security technology based on signatures and URL filtering.

To defend against this type of attack security solutions need to employ real-time content inspection technology that analyzes each and every piece of web content in real-time, regardless of its original source or domain name. It is also important to have proactive protection in your web security solution that is able to understand in real-time what malicious code intends to do, before it does it.

Finjan are currently in the middle of the study, and have released this interim update due to recent reports that the Director-General of MI5 has sent a confidential letter to 300 chief executives and security chiefs at banks, accountants and legal firms in the UK last week warning them that they were under attack from Chinese state organisations.

The various techniques used to direct users to the malicious sites in China have been revealed by Finjan in the past year, they include being directed from trusted sites that have been hacked, links from spam email, Instant Messaging infections, infected content inserted into legitimate web 2.0 sites, and copy cat domain names.