The development of Internet A cow was lost in Jan 14th 2003. If you know where it is, please contact...


Page 1: The development of Internet A cow was lost in Jan 14th 2003. If you know where it is, please contact with me. My QQ number is 87881405. QQ is one of the.
Page 2:

The development of Internet

A cow was lost in Jan 14th 2003. If you know where it is, please contact with me. My QQ number is 87881405.

QQ is one of the most popular IM services in China.

Page 3:

Number of cases

[Bar chart: number of cases by year, 2000 to 2004. Data labels: 2700, 4545, 6633, 11614, 13650.]

Page 4:

Age of the offenders

[Pie chart. Categories: 18 and under, 18-25, over 26. Data labels: 4%, 45%, 51%.]

Page 5:

Computer Crime Vs Computer facilitated crime

[Chart comparing 2003 and 2004. Series: Computer Crime, Computer Related Crime. Data labels: 27%, 73%, 20%, 80%.]

Page 6:

Major categories of cyber facilitated crime

[Bar chart, axis 0 to 30. Categories:]
• Other
• Phishing
• IPR Infringement
• Online Gambling
• Extortion & Defamation
• Online predator (murder case)
• Contraband selling
• Identity Stealing
• Distributing obscene information
• Fraud

Page 7:

Hacking case: HOW?

Major categories of intrusion technology used by hackers in the cases we investigated

[Bar chart, axis 0 to 70. Categories:]
• Vulnerability of Client Software
• SQL injection
• Vulnerability of Server (Buffer overflow, Format String, Weak password...)
• Social Engineer
• XSS
• DDOS

Page 8:

Hacking case: HOW?

The following intrusion methods increased rapidly in recent years and became major intrusion technologies:
• Large-scale intrusion by exploiting vulnerabilities of client software
• Large-scale intrusion by decoying users into installing malicious code through P2P, IM and email networks

Page 9:

Case example: A virus on QQ (a most popular IM) was created to spread malware in order to create an IRC botnet: 60,000 hosts were infected.

“Please visit wi.ourmidi.com”

Wi.ourmid.com

Page 10:

How did the criminals (“hackers”) occupy the victim hosts?

[Bar chart, axis 0 to 80. Categories:]
• Buy (download) exploit code and malicious code from others
• Buy victim hosts from others
• Master intrusion technology by themselves
• Physical access

Those who don’t know a lot about technology make profit by damaging network security directly. Those who know technology make profit by selling technology.

Page 11:

“Hacking” without knowledge of technology

Case example: Netbank account stealing

Case outline:
• In August, malicious code was widely distributed and more than 300 Netbank accounts were stolen.
• The suspect intruded into a website and put malicious code on the main webpage.
• When users browse the website, the malicious code is installed automatically onto the users’ hosts.
• The malicious code steals all kinds of Netbank accounts and posts them to another website hacked by the suspect.

However:
• The suspect knew nothing about hacking technology.
• The suspect bought the malicious code and the victim websites entirely from other hackers.
• The suspect only worked step by step according to the manual provided by other hackers.

Page 12:

Hacking cases: WHY?

[Bar chart, axis 0 to 50. Categories:]
• Identity theft (online game, netbank, stock)
• Making profit by extortion, stealing files, free international phone calls, etc.
• Online demonstration
• For fun, for name
• Other

Page 13:

Hacking cases: WHERE?

How did they connect to the Internet?

[Bar chart, axis 0 to 70, comparing 2004 and 2005. Categories:]
• DDN or ADSL
• Net café
• Wireless connection

Mobile/Wireless crime increased at the same time.

Page 14:

Hacking cases: TARGET?

[Bar chart, axis 0 to 80. Categories: Personal, Public, Commercial, Educational, Governmental, Other.]

• Personal computers have become the major share of victims in computer crime in recent years.

Page 15:

“Preference” of hackers

[Quadrant diagram. Axes: Damage to Internet Security, Profit.]
• Small damage, less profit (Newbie)
• Severe damage, less profit (Exploit buyer)
• Small damage, more profit (Experienced hacker)
• Severe damage, more profit (Almost none)

Page 16:

Why did they become criminal?

They think:
• It’s not a crime, it’s just a game.
• A lot of people do it on Internet, so I can do it.
• I know it’s a crime, but I need money.
• I can hide myself very well.
• No one will investigate it.

Page 17:

What we learn from these data

Computer crime and traditional crime are intermingled with each other.
• XSS vulnerability with phishing
• DDOS/IRC botnet with extortion
• …

Current protection technology has not yet successfully protected against the following attacks.
• SQL injection
• XSS
• Distributing malware over P2P/IM networks
• Social engineering
• …

Page 18:

What we learn from these data

Those who don’t know a lot about technology cause most of the damage to the Internet directly.
• Their major aim is to make profit by stealing identities, Netbank accounts, online stock accounts, online game accounts, etc.
• Most of them don’t realize that their activity causes severe damage to Internet security.

Page 19:

What we learn from these data

Exploit/malicious code sellers are one of the biggest threats to cyber security.
• Investigation of exploit and malicious code should be emphasized by cyber police.

Personal computers are becoming the major target of computer crime.
• Antivirus software will play a more important role in cyber protection.

Page 20:

How can anti-virus industry help cyber police?

Report to the police authority before publishing detailed information about the malcode/virus.
• We have investigated the source of several viruses this year.
• However, the detailed information about the viruses was published and the suspects never accessed the related network resources anymore.
• If you report to us beforehand, the source of most identity-stealing malicious code can be revealed.

Page 21:

How can anti-virus industry help cyber police?

Save the trail of the virus.
• When we tried to investigate a botnet in 2003, we tried to trace the source of the malicious code.
• However, the malicious code on a lot of victim hosts had been killed by the anti-virus software.

For example, save the following information:
• Time stamp
• Hash value
• Etc.

Page 22:

How can anti-virus industry help cyber police?

Compare the characteristics of different kinds of viruses in order to find the viruses produced by the same author.
• A criminal does not grow up in one day.
• They always create more than one kind of virus.

Page 23:

How can anti-virus industry help cyber police?

Integrate basic forensic analysis functions into antivirus software.
• For example, extract the list of automatically running programs, with their time stamps and hash values.
• When the user reports an incident to the anti-virus company, you will get more chances to collect the malicious code.

Integrate antivirus technology into popular P2P, IM, email and web servers.
• Just killing the malicious code on personal computers fails to throttle the spread of malicious code.
• The malicious code distributed through P2P, IM, email and web servers can hardly be monitored and throttled.
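One way an antivirus product could keep the trail asked for on pages 21 and 23: record the hash value and time stamps of a detected file before neutralising it, and move it to quarantine instead of deleting it. This is an added example, not code from the presentation; the function names, the manifest format and the sample file are assumptions.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

def _iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

def evidence_record(path):
    """Hash and time-stamp a file without modifying it."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {
        "original_path": os.path.abspath(path),
        "size": st.st_size,
        "sha256": digest.hexdigest(),
        "modified_utc": _iso(st.st_mtime),
        # st_ctime is inode change time on Unix, creation time on Windows
        "changed_utc": _iso(st.st_ctime),
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
    }

def quarantine(path, quarantine_dir, manifest_name="manifest.jsonl"):
    """Record evidence first, then move (never delete) the detected file."""
    os.makedirs(quarantine_dir, exist_ok=True)
    rec = evidence_record(path)
    dest = os.path.join(quarantine_dir, rec["sha256"] + ".quarantined")
    shutil.move(path, dest)
    os.chmod(dest, 0o400)  # read-only, not executable
    rec["quarantine_path"] = dest
    manifest = os.path.join(quarantine_dir, manifest_name)
    with open(manifest, "a", encoding="utf-8") as m:
        m.write(json.dumps(rec) + "\n")  # one JSON record per detection
    return rec

def demo():
    """Constructed sample: a harmless stand-in file, not real malware."""
    work = tempfile.mkdtemp()
    sample = os.path.join(work, "autorun_entry.bin")
    with open(sample, "wb") as f:
        f.write(b"constructed sample payload")
    rec = quarantine(sample, os.path.join(work, "quarantine"))
    return rec, os.path.exists(sample)
```

The same `evidence_record` call can be run over each path in an automatically running program list to produce the time stamp and hash inventory described above.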

Page 24:

Game Over

Bye bye!