Making Money in China Through Malware 

Mar 16, 2007 03:00 AM

One of the principles behind malware is that it follows technology and mainstream culture. If ninety percent of the world were using the EricOS, the vast majority of threats would be designed to run on the EricOS, because otherwise the threat would have nothing to infect.

In China, online computer usage patterns affect the types of malware Symantec sees there. In particular, if you walk into an Internet cafe in China, you rarely see people using search engines like Google or Web sites like MySpace. Instead, the vast majority of people have headphones on and are playing online games such as Lineage or World of Warcraft.

Thus, Symantec sees a lot of Infostealers that attempt to steal credentials for these types of online games. Once credentials are stolen, the hacker logs into the account, steals the virtual items, and then attempts to sell them for real money through various boards outside the virtual gaming world.

An example of this threat is Lingling (Lingling means zero-zero in English). Lingling was spread by hackers using SQL injection to place a small HTML IFRAME within hacked Web sites. These IFRAMEs would cause the browser to load JavaScript that contained a variety of Internet Explorer exploits that eventually downloaded and executed Lingling. The hackers behind Lingling appear to be the same as those who placed an IFRAME in the Dolphins Stadium Web site in the Super Bowl infection to download a similar executable. Once Lingling is installed, it waits for you to play World of Warcraft, then scans memory for your credentials and sends them off to the hacker.
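A check a site owner could run for the kind of injected IFRAME described above, as an added example that is not from the original post: it flags frames that load from another host and are hidden or near zero-sized. The sample page, the host names and the 2-pixel threshold are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; hosts and markup are illustrative, not from the incident.
SAMPLE_PAGE = """
<html><body>
<iframe src="https://video.example.org/embed/1" width="640" height="360"></iframe>
<p>Game schedule</p>
<iframe src="http://injected.example.net/x.htm" width="0" height="0"></iframe>
<iframe src="/local/widget.html" style="display:none"></iframe>
<IFRAME SRC="//injected.example.net/y.htm" style="width:1px; height:1px"></IFRAME>
</body></html>
"""
MAX_PX = 2  # assumption: a frame this small is not meant to be seen

def is_tiny_or_hidden(attrs):
    """True if the frame is hidden by CSS or sized at MAX_PX or less."""
    style = (attrs.get("style") or "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    dims = [attrs.get("width"), attrs.get("height")]
    dims += re.findall(r"(?<![\w-])(?:width|height):(\d+)", style)
    sizes = [int(m.group()) for m in (re.match(r"\d+", d or "") for d in dims) if m]
    return any(s <= MAX_PX for s in sizes)

class IframeAudit(HTMLParser):
    """Collects (line, src) for off-site iframes that are tiny or hidden."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser lowercases tag and attribute names
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # Relative URLs have no hostname and count as the site's own host.
        host = (urlparse(src).hostname or self.site_host).lower()
        if host != self.site_host and is_tiny_or_hidden(a):
            self.findings.append((self.getpos()[0], src))

def audit(html, site_host):
    parser = IframeAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Running `audit` over rendered pages or over text columns exported from the database shows where the injected markup sits, which is the content to clean once the injection flaw itself is fixed.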

We've been tracking how these hackers work, including sending down shutdown notices for their executable distribution sites and attempting to notify Web sites that were hacked. In addition, we've put together a video describing how the threat works for our Chinese readers. Watch the video of Robert Wang describing Lingling below.
