Measuring malware infections in the Chinese Internet

Guest editorial by Oliver Day

In June 2008, StopBadware published a report with statistics (.pdf) based on our sample of infected website data from Google. In those statistics we noted that over half of the infections came from addresses originating in China. We've received some attention for these statistics and I'd like to delve a little further into this. This blog post should provide some insight into those numbers, provide some clarifications on common misconceptions and possibly open up new questions.

The percent of infections claiming to be from China are not an absolute measure and it is safe to assume that there are not only registrations originating from China claiming to be from other countries but also registrations from outside the country claiming to be Chinese. One of the general assumptions I've operated under is that the majority of the infections we see are not operated by those who profit from the infections. Those who do play in the underground economy of identity theft, botnets, etc are the ones who will generally spend the time to fake registration data. Another assumption is that those false registrations are relatively few compared to the bulk of accurate registrations.

In the paper, the authors suggest that many of the infections are from illicit material or from webmasters who cash out their existing web traffic by inserting the iframes themselves. In either case the numbers of infections are measurably high and finding out why is complicated by serveral factors. A staggering growth in online population, both a low per capita Internet Protocol address (IPV4), high relative IPV4 growth and majority of users without sufficient education add unaccounted for variables. With this background in place we can look at some measures of the Internet in China to try and inform our discussion.

The majority of my sources are from the Chinese Internet Network Information Center (CNNIC). They have published remarkably detailed statistics and histories of the Internet in China. One factor that seems relevant is the search market in China. According to a 2007 report issued by CNNIC a majority of Chinese users searching with Baidu instead of Google.

While these two engines matched evenly in the competition for the "high end market," their 2007 report shows a very small amount of this classification of user on the Internet. 71.5% of Chinese internet users fall outside of this range. One of the points we made in a paper I published at WEIS was that the availability of malicious links in trusted gatekeepers, such as Baidu, increases the number of infections globally. Search engines have become manipulated to a degree and links from a credible gatekeeper are leading to Drive By Downloads. The Safe Browsing program virtually quarantines sites from users of Google's search services. While Google isn't able to prevent anyone from literally connecting to a website by typing the URL into their location bar the warnings contained in their interstitial seem to deter a majority of users. Anecdotally we at StopBadware have heard numbers as high as 80% reductions in traffic due to the interstitial program but are still creating a system to measure the true effectiveness on web traffic.

Another factor that complicates our understanding is the way China has setup their Autonomous System (AS) names. In the US AS names generally lead to either a hosting provider or a colocation service. In China however the top infected AS Names are huge backbone providers. When we group our data and find that 60,000 infections are coming from a backbone provider that doesn't give us much to go on. In some US cases involving colocation services, we were able to use rwhois services to get a better idea of who to contact; however, in China there seems to be relatively few rwhois servers on the reported networks. Part of this could be due to the ownership of backbones in China or perhaps due to explosive growth. As shown below by statistics gathered by bgpexpert, the growth of IPv4 addresses in China in the last year exceeds 60%.

This post just scratches the surface for those who are interested in the Internet in China. There are still so many different questions left unanswered when it comes to infections in China and I am still learning how to derive answers. Currently I have been studying some published network maps to get an idea of the ISP landscape in China. I hope to combine this with maps I create using tools like scapy to produce some more answers to the questions I have raised.

* Oliver Day is a security researcher at StopBadware.org, a project of the Berkman Center for Internet and Society at Harvard University.  He has over ten years experience in web and network security, working for companies including @stake, eEye, and Rapid7. He has presented on network security to dozens of Fortune 500 companies and educational institutions and is a staunch advocate of the disclosure process and providing shielding for security researchers. Oliver can be contacted at oday [-at-] cyber.law.harvard.edu.