User:Artyom Mikhailovich Kirilenko/sandbox

= Panda Burning Incense =

Panda Burning Incense is a computer worm that broke out in China between 2006 and 2007. The virus spread in various ways, including USB drives, HTML pages and the LAN (local area network). Because users lacked online security knowledge and most anti-virus software was ineffective against it, ‘Panda Burning Incense’ infected a total of 10 million computers at a pace of 300,000 per day. The worm switches file icons to a panda holding three incense sticks, causes fatal system errors, corrupts data and disables computer functionality. It also steals social media and online game credentials from the infected computer. Around a thousand large Chinese corporations reported infections in their company intranets and suspended business as a result. Victims of the worm included internet cafes, IT companies, newspaper offices and police departments. The infection peaked on January 9, 2007, reaching beyond 100,000 computers. The virus was frequently updated to evade antivirus detection; by Jan 26, 2007, the number of variants of the worm had increased to 416.

The Chinese police found traces in the virus code and located the suspects. On Feb 3, 2017, 25-year-old Lijun, creator of the worm, was arrested. Investigators collected data evidence from his computer using digital forensics, and Lijun was sentenced to 4 years in prison. His associates who helped him spread, update and sell the worm were also tried.

== Influences ==

Once infected, icons of files on the computer are replaced with a cartoon image of a panda holding three incense sticks. The various propagation techniques implemented make the infected machine spread the worm to more computers through e-mail, USB drives, the LAN, web pages, etc. The worm installs trojan horses that steal online credentials from victims and send them to a preset e-mail address, so that the virtual assets can be accessed and sold. It also corrupted documents and caused system errors, blue screens and random reboots. Apart from individual users, many corporations also suffered losses from business paralyzed by disabled computers and lost data, especially companies in cities like Shanghai and Beijing where computers are concentrated.

== Infection ==

1. Firewalls and most contemporary Chinese domestic anti-virus software could not stop the worm from copying itself to the system directory and infecting all executable files on the hard drive. Because of the autorun program, once a machine is infected the virus cannot be removed completely unless the disk is formatted or all .exe files are deleted. Note that the worm still exists after reinstalling the system.

2. The worm adds itself as a boot entry. Once it starts, the worm downloads files from a preset address every 10 minutes.

3. When the worm spreads to a Windows NT system, it activates its trojans. On other operating systems it infects PE files.

4. If a USB drive is plugged in, the worm copies itself to the drive and remains hidden.

5. The worm can infect web pages, including HTM, HTML, ASP, PHP, JSP, ASPX and other files.

6. The worm spreads through P2P file sharing, QQ, e-mail, MP3 files and web advertisements.

7. The author can update and maintain the worm remotely.
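The fixed 10-minute download in step 2 is a beaconing pattern that shows up in proxy or firewall logs as requests recurring at a near-constant interval. The Python detector below is added here as an illustration and is not code from the original page; the log format, host names and URLs are constructed for the example.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed proxy log lines (not from the page): "epoch_seconds src_host dest_url".
# ws-17 fetches the same URL about every 600 s; ws-22 browses irregularly.
SAMPLE_LOG = """\
1168300000 ws-17 http://update.example.test/list.txt
1168300600 ws-17 http://update.example.test/list.txt
1168301200 ws-17 http://update.example.test/list.txt
1168301805 ws-17 http://update.example.test/list.txt
1168302400 ws-17 http://update.example.test/list.txt
1168300050 ws-17 http://news.example.test/index.htm
1168300300 ws-22 http://news.example.test/index.htm
1168300900 ws-22 http://news.example.test/sports.htm
1168303100 ws-22 http://news.example.test/index.htm
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Group request timestamps by (source host, destination URL)."""
    series = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, host, url = m.groups()
        series[(host, url)].append(int(ts))
    return series


def find_beacons(text, period=600, tolerance=0.05, min_hits=4):
    """Return (host, url, request_count, mean_gap) for every series whose
    consecutive request gaps all fall within tolerance*period of period.
    min_hits avoids flagging a host that merely reloaded a page twice."""
    hits = []
    for (host, url), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if all(abs(g - period) <= tolerance * period for g in gaps):
            hits.append((host, url, len(times), mean(gaps)))
    return hits
```

Real proxy logs need the timestamp and URL columns mapped to this shape first; the 5% tolerance absorbs the small scheduling jitter seen in the constructed series.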

== Message in code ==

‘The author left the messages in the code for those who read the code of the virus, primarily anti-virus programmers; normal users would not see the messages,’ said Mopery, community manager of a computer security community and an antivirus expert who fought against Panda Burning Incense. He discovered the string ‘whboy’ in the code of the virus; it referred to a password-stealing virus from 2004. ‘Panda Burning Virus doesn’t have the latest technology but was well modified for spreading... The first worm was not disruptive, but the variants are hard to deal with,’ said Mopery.

In January 2007, the author put a new message in a variant of the worm: ‘Special thanks to Mopery’s concern about this trojan.’ As the virus and the antivirus software received more updates, the author kept adding names to the acknowledgements. One of the worm variants updated on January 16 was named ‘Emma’ because this name appeared 22 times in the message. The final version of Panda Burning Incense was published on January 19, and the author left this final message: ‘My apologies to the webmasters who were infected by the trojan. Well done! I’d really like to share something with Mopery, but unfortunately, for some reasons, forget about it.’

== Investigations ==

Hubei Police identified the creator of the virus by reverse-engineering the virus binary. On February 12, 2007, the police announced that 25-year-old Lijun, the main creator and spreader of the virus, had been arrested along with three associates. The police seized the computers from the suspects’ residences for computer forensics. After cloning the original hard disks, the investigation team started collecting evidence on a list of questions:

1. Whether the storage device contains an environment capable of creating and testing computer viruses

2. Whether the suspect has the ability and interest to create computer viruses

3. Whether the suspect has a motive

4. Whether the device holds the source code and a finished build of the virus

5. Whether the suspect profited from the virus

After examining the hard disk, a range of programs capable of making and testing viruses was found, including Delphi 7 (an integrated development environment) for software development, the platform virtualization tool VMware, and a program icon customizer. These findings indicate that the suspect’s computer was capable of virus making and testing.

Internet browser bookmarks contained various websites, including hacker forums and sites on trojan and virus-related technologies. In addition, investigators found programs such as remote control software, nc.exe, Sniffer, DDOS.EXE, Web3389.exe, a log cleaner, etc. Electronic book copies and videos on making trojans and cyber-attacks were found on the disk, and evidence showed that the suspect had accessed these files multiple times. A number of viruses and trojans were found with various functions: a multi-threaded port scanner, PHP injection, file bundling, hidden running programs, QQ credential stealing, an IE password scanner, etc. Under the document directory, investigators retrieved text files storing IP addresses and game credentials. Recovered social media chat history showed that the suspect had attempted to sell the stolen game credentials for profit. Another document named ‘Billing’ showed 400,000 RMB of unidentified income.

The investigation report and evidence were presented to the court, and the suspects were found guilty.

== Public Reactions ==

Jan 9, 2007: an internet cafe in Heilongjiang was out of business because all 40 of its computers had been disabled by Panda Burning Incense. At the beginning there had been only one infection.

Jan 9, 2007: an IT company in Beijing had almost all of its 30 computers infected. Data on the computers was deleted, as were the backups. Software under development was destroyed.

Jan 9, 2007: editors of a newspaper office in Beijing were unable to work due to malfunctioning computers.

Jan 10, 2007: a Taiwan-invested company in Shanghai was paralyzed by a Panda Burning Incense infection.

== Computer users ==

With its many propagation methods, the worm was able to expand exponentially once a sufficient number of infections had been reached. Besides the nature of the worm, computer users’ lack of online security knowledge was one of the reasons the virus spread so quickly. Users did not pay enough attention to installing the latest system patches and misunderstood what anti-virus software can do: they assumed installing it would protect their computers from viruses, but a new virus cannot be stopped immediately. Computer security experts first need to update the virus signature library, which in turn requires users to update the software promptly. Users also lacked the experience and knowledge to avoid clicking suspicious links and to recognize phishing websites.

== Behind the worm ==

Behind the Panda Burning Incense incident is a computer virus value chain consisting of malware development, selling and purchasing, spreading the virus and planting trojans, stealing credentials for virtual assets, disposal, and distribution of the spoils. In addition, the infected machines could be hijacked to send junk mail, blackmail website owners or attack other websites, which was another source of money for the worm. The complete system made it possible to generate income by writing viruses.

== Social impact ==

Apart from ordinary users, victims of the virus also included companies. The virus destroyed data and infected local area networks. Without data, computers and networks, digital business was completely disabled. This not only created monetary losses but also affected socioeconomic status.

== Unemployment ==

Lijun, who had only a secondary-level education, created the disruptive Panda Burning Incense worm. After graduation, Li had worked as an internet cafe administrator and started teaching himself IT. He showed great interest in computer security companies and looked for opportunities in major cities including Beijing and Guangzhou, but was rejected by most companies. ‘Li didn’t go to college. His education background might be the primary reason for the rejections,’ said Li’s brother. ‘Most companies value applicants based on their education background.’ Perceptions of education might be the reason why Li started creating viruses.

== Increasing number of computer viruses ==

Rising Antivirus published the 2006 Computer Security Report of Chinese Mainland. The report concluded that the Panda Burning Incense writers profited by writing a virus to infect users and stealing their information for sale. In 2006, the total number of newly discovered viruses was 234,211, with 90% of them designed for financial gain. Virus-encryption technology made automatically generated viruses possible, reaching 230 thousand. Among these viruses, 167,387 were password stealers, which is 71.47% of the total. In June 2006, the first ransomware appeared in Mainland China.