"The last 3-4 months there has been a slow increase in Chinese malware. It used to be the odd file every now and then. Now it's almost every day," Chris Boyd, director of malware research with security vendor Facetime Communications said.
The region of Southeast Asia traditionally has been a hotbed of password stealers that go after login names and passwords for online games such as World of Warcraft. Criminals in those cases are after virtual currencies and goods that they then sell on auction websites.
The increase that Boyd is witnessing signals a larger trend where Chinese criminals are developing their own file downloaders and rootkits. Such pests can be used to control botnets, install adware and evade detection by security software. Just like in other parts of the world, money is the big driver behind this.
"They are starting to realise that you can make silly amounts of money from installing malware," said Boyd.
Roger Thompson, chief technology officer with Exploit Prevention Labs, shared Boyd's observations. He saw Chinese malware activities increase last January, when what is believed to be group of Chinese attackers hacked into the Superbowl website. The same group has been linked to a series of other online attacks.
"I always thought that the face of the new generation of hackers would be Chinese. There is just so many of them, and they are an emerging technology power." Thompson said.
Chinese malware writers use essentially the same principles as their colleagues in other parts of the world. They copy exploits that other attackers have found. And in the constant battle against security software, malware code is encrypted and downloaders constantly switch the malware files that they fetch.
"It is old technology," commented Shane Coursen, a senior technical consultant with Kaspersky Labs. "The password stealers are basically a glorified keylogger."
But Boyd is seeing more advanced malware coming out if China as well. Earlier this month he dissected a Trojan dubbed Symfly.
In addition to downloading multiple adware applications, it installed the Alexa toolbar. The tool is a legitimate application from web retailer Amazon that measures the popularity of websites. Next, the Trojan builders would open a series of websites in an apparent attempt to boost the Alexa ranking of those sites.
Local programmers also have developed rootkit technology that hides software from security software. Some of these can't be detected with current rootkit removal tools, and generally can be "completely horrendous", Boyd said in reference to the rootkit that ships with the Agent.bgg Trojan.
Chinese malware furthermore can be more difficult to dissect. Chinese websites for instance sometimes use seemingly random domain names which letter and number combinations are believed to have a symbolic significance.
Online gangs in the West often user random domain names to host malware-spreading websites. The malware is typically hidden behind seemingly legitimate content. The random domain names make it harder to determine if a legitimate website has been hacked to host malware, or is actually operated by criminals.
Most Chinese websites also forge registration information to evade local censors – even if they don't publish any controversial materials. This again makes it harder to notify the owner of a hacked website and have the malware removed.
.jpg&h=140&w=231&c=1&s=0)
iTnews State of Security Breakfast
iTnews State of Data & AI Breakfast
The 2026 iAwards
.jpg&w=120&c=1&s=0)
Integrate 2026
Security Exhibition & Conference
_(1).jpg&h=140&w=231&c=1&s=0)
