Here's a little contribution to all of those who live in China and/or use their personal computers there. Seeing how tremendously much most of you guys have contributed for all the newcomers, me included, I figured it was the least I could do in return.
I will be updating accordingly. If anyone has any questions or needs help, just PM me or add me on MSN or QQ.
I received an inquiry earlier today from one of the members here, and I have seen many questions related to security and safety when using your own personal computer in China, as well as VPN and/or proxy related programs.
I just read in a thread that Lain experienced a DNS spoof attack at a hotel. So, to start off somewhere and give a picture of how much more your computer is under constant threat compared to at home, I will give some input on his experience.
Lain: There is a reason why your security software detected DNS poisoning in China, or, as it is more commonly known, an ARP poisoning attack. If you understand how it works, then you will see it's a quite simple but effective way to do two things:
1. Redirect you elsewhere: when you type www.youtube.com you might end up at www.china.gov instead.
2. Intercept all traffic to and from your computer that is sent in CLEAR TEXT, and most traffic is, even login forms etc. Only SSL or HTTPS sites send your information encrypted.
At the hotel there are two scenarios. Either the hotel runs constant ARP poisoning for a simple reason: it makes your VPN or proxy server useless, because your traffic is redirected before it reaches the proxy or VPN gateway. I know for a fact that this simple but very effective technique is used widely in China to make simple proxying or tunneling useless. If you have ever experienced that your proxy or VPN works great at site A but won't at site B, it means they run ARP poisoning as a protective measure.
How does it work? Ingeniously. And anyone can do it, even my mum. This is a stone-old technique still used for a lot of hacking purposes. You take your computer and go to, say, Starbucks. You hook up. You get a dynamic IP, DNS and gateway. Now, the gateway is the same for every computer in that same network, and it is just what it says: a gateway to the internet. It routes the packets to and from the internet and delivers them accordingly to the client computers. Once you're hooked up, an ARP poisoning attack can be performed in the local network; it just needs specific software and minimal understanding, nothing high-tech. Specific clients in the network can be targeted, or all of them. The more clients that get poisoned, the heavier the load on the attacker's machine. When the poisoning starts, the attacker's computer intercepts all traffic and acts as a hub between the clients and the gateway.
For what reason? For a cybercriminal there are tons of possibilities. For example, the route for any IP or DNS entry can be altered. So when everyone tries to surf to www.hotmail.com, the attacker's computer reroutes that to the gateway and changes the destination to, say, www.cia.gov, but there's no point in that really, other than causing confusion. A cybercriminal would have a web server running with an anonymous host, probably in Russia. This homepage looks exactly like hotmail.com, but it's actually just a fake login form that will catch your username and password. You won't notice anything, because after it's been snatched it will redirect you to the real hotmail.com and send the login form, so everything will appear normal. But you were just raped in the b, and there was no lube used in the process. The cybercriminal most likely has zero interest in your Hotmail account, but in the many other accounts where you most likely use the same email as username and the same password. Say Facebook. This summer an infamous little hacker in Russia had 1.5 million Facebook logins that he sold openly. Yes, the Russian underground hacking scene isn't that hard to find, nor is the Chinese one. But even though both foreign governments and security companies know perfectly well who and what, there's not much they can do. They are protected by laws in their countries that don't classify their actions as a crime until they actually use the data for a criminal purpose. But they never do; they announce that they sell the information. The buyers we will never know, but it's they who will use it for criminal purposes. This little dude sold 1.5 million Facebook accounts in less than a day at 30 cents a piece, if I recall. That's quite some money for a kid in Russia. Most people have no idea how much money there is in this business. Facebook announced he was bluffing, yet several security companies assured it was not, Facebook knowing full well that last summer the same kid sold around 500k FB accounts the same way.
Instead of redirecting the user's traffic, the attacker can also "sniff" all the data packets and log them. 90% of what the computer sends and receives is unencrypted, in plain text form. He can then afterwards do the tedious work of reading all your chats, mails, logins etc. from these logged packets.
Anyone can do this; all he/she needs is a computer and easy-to-come-by software.
The ARP poisoning attack actually can't gain access to your computer directly, and your security program actually can't do much to prevent it. It can detect an ongoing poisoning attack and refuse to respond to it, but your traffic is still intercepted before it hits the internet.
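As an added example, not part of the original post, here is the kind of check a security program does when it "detects an ongoing poisoning attack": a small Python watcher that tracks which MAC answers for which IP and raises an alert when the gateway suddenly answers from a new MAC, or when one MAC claims to be several IPs at once. The ARP replies, addresses and MACs below are constructed sample data.

```python
# Added example, not from the original post: watch a stream of ARP replies and
# flag the symptoms of the poisoning attack described above (constructed sample).
from collections import defaultdict

class ArpWatcher:
    """Tracks IP->MAC bindings seen in ARP replies and reports suspicious changes."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.ip_to_mac = {}                 # last MAC seen for each IP
        self.mac_to_ips = defaultdict(set)  # every IP each MAC has claimed

    def observe(self, ts, ip, mac):
        """Process one ARP reply; return the alerts it triggered (may be empty)."""
        alerts = []
        mac = mac.lower()
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            # A known IP now answers from another MAC. For the gateway this is
            # the classic sign that someone sits between you and the router.
            level = "CRITICAL" if ip == self.gateway_ip else "WARNING"
            alerts.append(f"{ts} {level}: {ip} moved from {old} to {mac}")
        self.ip_to_mac[ip] = mac
        if ip not in self.mac_to_ips[mac]:
            self.mac_to_ips[mac].add(ip)
            if len(self.mac_to_ips[mac]) > 1:
                # One NIC claiming several addresses: the attacker poses as the
                # gateway to the clients and as the clients to the gateway.
                claimed = ", ".join(sorted(self.mac_to_ips[mac]))
                alerts.append(f"{ts} WARNING: {mac} now claims {claimed}")
        return alerts

def detect_arp_poisoning(replies, gateway_ip):
    """Run (timestamp, ip, mac) replies through a watcher and collect all alerts."""
    watcher = ArpWatcher(gateway_ip)
    alerts = []
    for ts, ip, mac in replies:
        alerts.extend(watcher.observe(ts, ip, mac))
    return alerts

# Constructed sample: a hotel network where a third device (de:ad:be:ef:00:99)
# starts answering for both the gateway and another guest's laptop.
SAMPLE_REPLIES = [
    ("10:00:01", "192.168.1.1", "aa:bb:cc:00:00:01"),   # real gateway
    ("10:00:02", "192.168.1.20", "aa:bb:cc:00:00:20"),  # another guest
    ("10:00:05", "192.168.1.1", "DE:AD:BE:EF:00:99"),   # gateway "moves"
    ("10:00:05", "192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC claims guest
]
```

On a real PC the replies would come from a packet capture or from polling the ARP cache; the watcher only tells you something is wrong, it cannot stop the interception, which is exactly the limitation described above.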
A poisoning attack will usually degrade the performance of a network if there are many clients connected, and it might feel like you're back to surfing at 14.4bps. Most people have no clue how vulnerable they are.
If you are in China, you are at the very center of the source of 80% of all malicious source code. There is a reason why Ukraine, Russia and China have the best hackers in the world: their laws allow them to. It is not illegal to write malicious source code; it is illegal when you use it for a criminal purpose. The writers never do. They write highly sophisticated trojans (and much else) that are then sold on underground forums to private buyers, who then use these trojans, in many cases, to make BIG $. The infamous banking bot (trojan) Zeus sells for about 4000 US$ with all add-ons. Sounds ridiculous? Yes... yet there are thousands of buyers paying that.
Your commercial security software will be more or less completely defenseless against these threats, due to a simple fact: 90% of all antivirus/anti-malware products rely on an ancient technique. They identify the threat by finding a unique signature. Just like every individual has a unique DNA strand, every file/process has a unique signature. That means first the threat has to be identified, then analyzed, and only then can they issue a definitions update for your security software. If you are in China you are the first potential target, before it even gets spread outside Asia. What makes it even more difficult is that these hackers are pretty damn good at what they do. Many have circumvented the possibility of capturing a digital signature of their program. There are numerous techniques like polymorphism, which actually has the program act as a continuous chameleon, and virtualization techniques that make the code overwrite and scramble itself over and over. Yes, one could say that the makers of these sophisticated threats are way ahead of the security companies.
My advice if you're in China, hehe: remember this. These sophisticated programs do not act like the traditional viruses. In most cases, once a computer is infected they will make close to no noise and you won't notice they're there. But behind the curtains they can log and monitor everything you do, everything you type and so on. However, that is seldom the purpose. The purpose is to make your computer a tool that they will use to carry out other tasks in a combined network of all infected computers. That can be 10, 100, several thousand, or yes... several million. And no one has a clue. Well, not amongst the users of said systems. The analysts know, because we can see from the patterns in the traffic on the internet that something's going on. There is actually a splendid site hosted in China that tracks all control centers for the Zeus bot at www.abuse.ch (ignore the security warning, it's safe).
It is close to impossible today to have bulletproof protection on your computer. Not even I can, and I've worked with this long enough to puke on it sometimes, hehe.
Some security companies have dared to step out of the stone age, though, and have developed *smart* detectors that actually judge the files or processes in your computer by their actual behaviour, in real time. These are mostly called behavioural blockers. Another new technology is cloud scanning and cloud communities, which is where future development is leaning. The idea is pretty ingenious; it does, however, require that you are online or it won't work. How it works, in short, is that all computers running this security software hook up with each other. When an anomaly occurs it gets detected almost instantly, and all connected clients are aware within seconds. That's why it's called 0-Zec, meaning real-time protection from unknown threats or outbreaks. The power of cloud communities relies on the number of connected machines. Chinese security developer Rising has the largest cloud community in Asia, and for a security product the largest in the world, with its 250 million users.
The safest bet when in China is to rely on the Chinese or Korean security products. They will be the first that will even be able to protect you. These products are actually very good when compared to the major commercial names. Don't rely on the Russian products (Kaspersky, Dr.Web, Agnitum etc.). They are fine software, but they are lagging behind. Don't believe all the fluff you see in reviews and magazines; it's hilarious BS at best. And what is best now may very well not be in 6 months.
I would strongly discourage the use of either free (limited) versions or cracked/pirated versions when it comes to your protection. It's not much money in the end, the developers NEED it, and it may very well save you from a complete disaster, either privately or economically.
If you live in China now, I would recommend that you remove your probably western-developed product and replace it with any of the following 3; they are ranked in preferred order.
Rising
(straightforward, biggest suite recommended) http://www.rising-global.com (the Chinese main site offers newer and more stuff, but only in Chinese) http://www.rising.ch

Jiangmin
Don't get fooled by the silly UI. This is a very powerful and effective program. Again, Chinese versions are usually a bit newer and offer more functionality. The protection modules are the same, though. http://www.jiangmin.com

Kingsoft
Didn't impress much a year ago, but has rapidly grown into one of the better solutions in the region. They also offer a free, 100% cloud-based antivirus that uses almost no computer resources at all. They also have an M$ Office clone which is pretty impressive, offering all the functionality of the Microsoft Office core components (not Outlook), and it is even smaller than OpenOffice, at a fraction of the price. Can recommend. www.kingsoftresearch.com

Ahnlabs inc
South Korean protection suite. An alternative, but falls a little behind the other 3. www.ahnlabs.com

All the above solutions are, despite the seemingly huge number of integrated modules, very light on computer resources. No, these are not Norton products that install 1.5GB worth of slow bloatware on your computer.
Advanced users
For those feeling pretty well at home with a computer and wanting the optimal security, there are some alternative protection programs that will coexist with your security package but are specialized in protecting you against the more unusual types of threats your normal solution won't pick up on. If anyone needs help regarding their functionality or installation etc., just PM me.

Behaviour Blocker: (still the #1 B-Blocker by far)
Emsisoft Mamutu http://www.emsisoft.com

Advanced rootkit protection:
Unhackme http://www.regrun.com

IP Blocker (extremely powerful protection if you fully understand how to use it):
Beethink IP Blocker http://www.beethink.com

Will update further tomorrow..