Current situation of cyber crime in China


The development of the Internet
Slide illustration, a lost-property notice: “A cow was lost on Jan 14th 2003. If you know where it is, please contact me. My QQ number is 87881405.”
QQ is one of the most popular IM programs in China.
Number of cases
[Chart: number of cases per year, 2000 through 2004; y-axis 0 to 16000; values plotted: 2700, 4545, 6633, 11614, 13650]
Age of the offenders
[Pie chart; legend entries in order: 18 and under, 18-25, over 26; values shown in the same order: 4%, 51%, 45%]
Computer crime vs computer-facilitated crime
[Two pie charts, 2003 and 2004, splitting cases into computer crime and computer-related crime; the splits shown are 27% / 73% and 20% / 80%]
Major categories of cyber-facilitated crime
[Bar chart, scale 0 to 30; categories: Fraud, Distributing obscene information, Identity stealing, Contraband selling, Online predator (murder case), Extortion & defamation, Online gambling, IPR infringement, Phishing, Other]
Hacking case: HOW?
Major categories of intrusion technology used by hackers in the cases we investigated
[Bar chart, scale 0 to 70; categories: Vulnerability of client software, SQL injection, Vulnerability of server (buffer overflow, format string, weak password...), Social engineering, XSS, DDOS]
Hacking case: HOW?
• The following intrusion methods increased rapidly in recent years and became some of the major intrusion technologies:
  - Large-scale intrusion by exploiting vulnerabilities in client software
  - Large-scale intrusion by decoying users into installing malicious code through P2P, IM and email networks
Case example
• A virus on QQ (one of the most popular IMs) was created to spread malware in order to build an IRC botnet: 60,000 hosts were infected.
[Screenshot: QQ message reading “Please visit wi.ourmidi.com” (site labelled Wi.ourmid.com)]
How did the criminals (“hackers”) take over the victim hosts?
[Bar chart, scale 0 to 80; categories: Buy (download) exploit code and malicious code from others, Buy victim hosts from others, Master intrusion technology themselves, Physical access]
• Those who don't know much about technology make profit by damaging network security directly.
• Those who know technology make profit by selling technology.
“Hacking” without knowledge of technology
Case example: Netbank account stealing
• Case outline:
  - In August, malicious code was widely distributed and more than 300 Netbank accounts were stolen.
  - The suspect intruded into a website and put malicious code on its main web page.
  - When users browsed the website, the malicious code was installed automatically onto the users' hosts.
  - The malicious code stole all kinds of Netbank accounts and posted them to another website hacked by the suspect.
• However:
  - The suspect knew nothing about hacking technology.
  - The suspect bought the malicious code and the victim websites entirely from other hackers.
  - The suspect only worked step by step according to the manual provided by the other hackers.
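The tampering in this case (a legitimate page edited so that every visitor's browser silently loads attacker code) can be caught on the site side. The following is an added example, not code from the presentation or from any investigation it describes: it hashes the page as served against a recorded baseline, and scans the HTML for zero-size or hidden iframes and for scripts loaded from hosts other than the site's own. The page contents and the hostnames bank.example and attacker.invalid are constructed for the example.

```python
"""Two cheap checks against the kind of main-page tampering in the Netbank case:
  1. integrity: hash the page served now and compare with a known-good hash;
  2. heuristic: flag zero-size/hidden iframes and scripts loaded from hosts
     the site does not own, the usual shape of an injected drive-by loader.
All HTML below is constructed for the example; the hostnames are placeholders.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def page_changed(baseline_hash: str, current_html: str) -> bool:
    """True if the page no longer matches the hash recorded at the last review."""
    return sha256_hex(current_html.encode("utf-8")) != baseline_hash


class _LoaderScanner(HTMLParser):
    """Collects (tag, src) for iframes/scripts that look like injected loaders."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []

    def _foreign(self, url: str) -> bool:
        # relative URLs have no host and are treated as the site's own
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and host not in self.trusted

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            tiny = (a.get("width", "").strip() in ("0", "0px")
                    or a.get("height", "").strip() in ("0", "0px"))
            hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
            if tiny or hidden or self._foreign(a.get("src", "")):
                self.findings.append(("iframe", a.get("src", "")))
        elif tag == "script" and self._foreign(a.get("src", "")):
            self.findings.append(("script", a.get("src", "")))


def find_injected_loaders(html: str, trusted_hosts) -> list:
    scanner = _LoaderScanner(trusted_hosts)
    scanner.feed(html)
    return scanner.findings


# Constructed sample: the page as reviewed, and the same page after tampering.
CLEAN_PAGE = """<html><head><title>Bank portal</title>
<script src="/js/app.js"></script></head>
<body><h1>Welcome</h1></body></html>"""
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://attacker.invalid/x.htm" width="0" height="0"></iframe>\n'
    '<script src="http://attacker.invalid/s.js"></script></body>')
BASELINE = sha256_hex(CLEAN_PAGE.encode("utf-8"))

if __name__ == "__main__":
    print("page changed:", page_changed(BASELINE, TAMPERED_PAGE))
    for kind, src in find_injected_loaders(TAMPERED_PAGE, ["bank.example"]):
        print(f"suspicious {kind}: {src}")
```

The integrity check catches any edit, including ones the heuristic would miss; the heuristic is what tells an operator which edit matters when the baseline is stale. Neither replaces fixing the intrusion that let the page be edited in the first place.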
Hacking cases: WHY?
[Bar chart, scale 0 to 50; motives: Identity theft (online game, netbank, stock); Making profit by extortion, stealing files, free international phone calls, etc.; Online demonstration; For fun, for name; Other]
Hacking cases: WHERE?
How did they connect to the Internet?
[Bar chart for 2004 and 2005, scale 0 to 70; connection types: DDN or ADSL, Net café, Wireless connection]
Mobile/wireless crime increased at the same time.
Hacking cases: TARGET?
[Bar chart, scale 0 to 80; target types: Personal, Public, Commercial, Educational, Governmental, Other]
• Personal computers have become the major part of the victims in computer crime in recent years.
“Preference” of hackers
[2×2 chart: damage to Internet security against profit]
• Small damage, less profit: newbie
• Severe damage, less profit: exploit buyer
• Small damage, more profit: experienced hacker
• Severe damage, more profit: almost none
Why did they become criminals?
• They think:
  - It's not a crime, it's just a game.
  - A lot of people do it on the Internet, so I can do it.
  - I know it's a crime, but I need money.
  - I can hide myself very well.
  - No one will investigate it.
What we learn from these data
• Computer crime and traditional crime are intermingled with each other.
  - XSS vulnerability with phishing
  - DDOS/IRC botnet with extortion
  - …
• Current protection technology has not successfully protected against the following attacks yet:
  - SQL injection
  - XSS
  - Distributing malware over P2P/IM networks
  - Social engineering
  - …
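SQL injection heads that list. As an added example (not from the slides), here is a login lookup against an in-memory SQLite table written two ways: first by splicing the input into the SQL string, then with bound parameters so the input can never change the statement. The table, the user rows and the payload are constructed for the example.

```python
"""SQL injection: the vulnerable query beside its hardened form.
Constructed example; the users and passwords are sample data only.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    # constructed sample rows (plaintext passwords only to keep the demo short;
    # a real table stores password hashes)
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name: str, password: str) -> list:
    """String concatenation: the input becomes part of the SQL grammar."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_hardened(conn, name: str, password: str) -> list:
    """Parameter binding: the driver sends values separately from the statement,
    so quotes and comment markers in the input are just characters."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


# Classic payload in the password field: closes the string literal, adds an
# always-true condition, and comments out the trailing quote.
PAYLOAD = "' OR '1'='1' --"

if __name__ == "__main__":
    conn = setup_db()
    # vulnerable: WHERE name='alice' AND password='' OR '1'='1' --'  -> every user
    print("vulnerable:", login_vulnerable(conn, "alice", PAYLOAD))
    # hardened: looks for a password literally equal to the payload -> nobody
    print("hardened:  ", login_hardened(conn, "alice", PAYLOAD))
```

The hardened version needs no input filtering to be safe; filtering is what the vulnerable version relies on, and it is what attackers work around.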
What we learn from these data
• Those who don't know much about technology cause most of the damage to the Internet directly.
• Their major aim is to make profit by stealing identities: Netbank accounts, online stock accounts, online game accounts, etc.
• Most of them don't realize that their activity causes severe damage to Internet security.
What we learn from these data
• Exploit/malicious code sellers are one of the biggest threats to cyber security.
• Investigation of exploit and malicious code should be emphasized by cyber police.
• Personal computers are becoming the major target of computer crime.
• Antivirus software will play a more important role in cyber protection.
How can the anti-virus industry help cyber police?
• Report to the police authority before publishing detailed information about the malcode/virus.
  - We have investigated the source of several viruses this year.
  - However, the detailed information about the viruses was published and the suspect never accessed the related network resources again.
  - If you report to us beforehand, the source of most identity-stealing malicious code can be revealed.
How can the anti-virus industry help cyber police?
• Save the trail of the virus.
  - When we tried to investigate a botnet in 2003, we tried to trace the source of the malicious code.
  - However, the malicious code on a lot of victim hosts had been killed by the anti-virus software.
  - For example, save the following information: time stamp, hash value, etc.
How can the anti-virus industry help cyber police?
• Compare the characteristics of different kinds of virus in order to find the viruses produced by the same author.
  - A criminal is not grown up in one day.
  - They always create more than one kind of virus.
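One concrete form of that comparison, as an added example that is not the presenter's or any vendor's code: extract the printable strings from each sample (the way the strings tool does), score how many strings each pair shares with the Jaccard index, and group the samples that score above a threshold. The three byte blobs are constructed to look like two variants of one toolkit plus an unrelated program; they are not real malware, and the threshold is an assumption to be tuned on a real corpus.

```python
"""Group samples that may share an author by the strings they have in common.
Constructed example: extracted strings -> Jaccard similarity -> union-find clustering.
"""
import re
from itertools import combinations

STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")  # printable ASCII runs of 6+ bytes


def extract_features(blob: bytes) -> set:
    """Distinct printable strings; they survive recompilation better than raw bytes."""
    return {m.group().decode("ascii") for m in STRING_RE.finditer(blob)}


def jaccard(a: set, b: set) -> float:
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def cluster(samples: dict, threshold: float) -> list:
    """Union-find over pairs whose similarity >= threshold; returns sorted groups."""
    feats = {name: extract_features(blob) for name, blob in samples.items()}
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for x, y in combinations(samples, 2):
        if jaccard(feats[x], feats[y]) >= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())


# Constructed samples (not real malware): a shared "toolkit" part plus variant text.
_TOOLKIT = (b"\x00\x01SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
            b"qq_stealer_v1\x00irc.example.invalid\x00NICK bot%d\x00"
            b"JOIN #control\x00PRIVMSG\x00C:\\WINDOWS\\system32\\svch0st.exe\x00")
SAMPLES = {
    "variant_a": _TOOLKIT + b"post.php?acct=%s\x00\xff\xfe",
    "variant_b": _TOOLKIT + b"upload.asp?u=%s&p=%s\x00\x12\x34",
    "unrelated": b"\x7fELF\x00notepad clone\x00Hello World!\x00about dialog\x00",
}

if __name__ == "__main__":
    feats = {name: extract_features(blob) for name, blob in SAMPLES.items()}
    for x, y in combinations(SAMPLES, 2):
        print(f"{x:10s} {y:10s} {jaccard(feats[x], feats[y]):.2f}")
    print(cluster(SAMPLES, threshold=0.5))
```

String overlap is only one feature family; in practice it is combined with others (imports, code n-grams, C2 infrastructure, the time stamps and hashes from the previous slide) and packed samples have to be unpacked first, or the features measure the packer rather than the author.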
How can the anti-virus industry help cyber police?
• Integrate basic forensic analysis functions into antivirus software.
  - For example, extract the list of automatically running programs, with their time stamps and hash values.
  - When a user reports an incident to the anti-virus company, you will have a better chance of collecting the malicious code.
• Integrate antivirus technology into popular P2P, IM, email and web servers.
  - Just killing the malicious code on personal computers fails to throttle its spread.
  - Malicious code distributed through P2P, IM, email and web servers can hardly be monitored and throttled.
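What such a forensic function would record, serving both the "save the trail of the virus" request (time stamp, hash value) and the autostart-list suggestion above. Added example, not from the presentation: it takes a list of autostart entries, records each one's path, size, modification time and SHA-256, keeps entries whose file is already gone (a dangling entry is evidence too), and writes the records as JSON. Enumerating real autostart locations (registry Run keys, startup folders, cron) is OS-specific and is left out; the demo builds a temporary folder with a constructed file instead.

```python
"""Record what an autostart entry pointed at before the file is deleted or
quarantined, so investigators can still match it against samples later.
Constructed example; the 'binary' written below is not a real program.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

SAMPLE_BYTES = b"MZ\x90\x00constructed sample, not a real binary\x00"


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(paths) -> list:
    """One record per autostart entry; missing files are recorded, not skipped."""
    records = []
    for p in paths:
        rec = {"path": p, "present": os.path.exists(p)}
        if rec["present"]:
            st = os.stat(p)
            rec["size"] = st.st_size
            rec["mtime_utc"] = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
            rec["sha256"] = sha256_file(p)
        records.append(rec)
    return records


def write_report(records, out_path: str) -> str:
    """Serialise the inventory; returns the SHA-256 of the report itself so the
    report can be referenced, and its integrity checked, later."""
    data = json.dumps(records, indent=2, sort_keys=True).encode("utf-8")
    with open(out_path, "wb") as f:
        f.write(data)
    return hashlib.sha256(data).hexdigest()


def demo_inventory(workdir=None) -> list:
    """Build a constructed startup folder (one file present, one entry dangling)
    and inventory it. Returns the records."""
    workdir = workdir or tempfile.mkdtemp(prefix="autostart_demo_")
    present = os.path.join(workdir, "updater.exe")
    with open(present, "wb") as f:
        f.write(SAMPLE_BYTES)
    dangling = os.path.join(workdir, "removed_by_av.exe")  # deliberately absent
    records = inventory([present, dangling])
    write_report(records, os.path.join(workdir, "autostart_inventory.json"))
    return records


if __name__ == "__main__":
    for rec in demo_inventory():
        print(json.dumps(rec, sort_keys=True))
```

Hash and time stamp have to be captured before the scanner acts on the file: once the file is quarantined with its metadata rewritten, or deleted, the record is the only thing left to correlate across victim hosts.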
Game Over
Bye bye!