The Chinese Underground, Part 4: Internet Resources And Services Abuse
This is part of a series of blog posts discussing the Chinese underground. The previous parts may be found here:
The full paper can be found here.
The third value chain – Internet resources and services abuse – has a somewhat unique role, in that it facilitates all the other value chains. Without malicious servers and bots at their disposal, the theft of both real money and virtual assets would be more difficult.
The architecture of this value chain can be seen here:
Broadly speaking, this value chain shares many similarities with other underground economies, although some aspects are unique to the Chinese underground. In particular, the concept of “hanging on” software is unknown outside of China. “Hanging on” software allows people, in effect, to voluntarily lend their systems to botnets in exchange for promised payment.
Similarly, some monetization schemes are common in China but unusual elsewhere. The sale of fake professional certifications in China is commonplace; the arrests of a single gang engaged in this behavior netted 165 people. Other profit methods, such as DDoS attacks, spam, malware selling, click fraud, and PPI (pay-per-install) affiliates, are already known from other underground communities.
Terminology and Example
An example of these sorts of schemes and attacks was demonstrated in 2009. Two defendants were arrested for carrying out DDoS attacks against an unidentified online game. Through extortion they obtained 500 million units of in-game currency, which they sold in the underground for 18,750 renminbi (approximately 3000 US dollars).
The DDoS – referred to as a “swordsman stress test” (剑客压力测试) – was carried out using software purchased in the underground market. The software cost 788 renminbi (approximately 125 US dollars) and came with 500 compromised machines for carrying out DDoS attacks. The suspects then bought more compromised machines (which they referred to as “chickens”) to add to the power of their DDoS attack.
Post from: TrendLabs | Malware Blog – by Trend Micro