How we work as a national CERT in China
ZHOU Yonglin
CNCERT/CC, China
Geneva, 6-7 December 2010
Addressing security challenges on a global scale
Internet Development in China
Source: MIIT and CNNIC
By the end of June 2010:
• The number of Internet users was about 420 million, accounting for 31.8% of the total population.
• Broadband users numbered nearly 364 million.
• Mobile Internet users numbered nearly 277 million.
• Commercial applications showed a remarkable increase.
• The users of online shopping, online payment and online banking numbered 142 million, 128 million and 122 million, accounting for 33.8%, 30.5% and 29.1% of total Internet users.
• Online video users numbered about 265 million.
• Benefiting from mobile phone development, online-reading users reached 188 million.
Internet Security Situation in China:
Malicious code activity
• In the first half of 2010, CNCERT monitored:
  – Trojan activity:
    • control servers, counted by IP: 247,235
    • compromised hosts, counted by IP: 3,966,329
  – IRC-Bot activity:
    • control servers, counted by IP: 6,451
    • compromised hosts, counted by IP: 3,148,046
• In the whole year of 2009, about 28 million Conficker worm infected computers were in China.
[Figures: two pie charts, captioned "The statistic of control servers counting by country or region, Jan to June 2010" and "The statistic of control servers counting by nation or region, Jan to June 2010"]
Internet Security Situation in China:
Website defacement
• In the first half of 2010, CNCERT monitored:
  – Number of all defaced websites: 14,907, a decrease of 21.75% from the same period of 2009.
  – Defaced government websites: 2,574, an increase of 222.56% over the same period of 2009.
[Figures: two charts, captioned "The monthly number of defaced website, Jan to June 2010" and "The number of defaced website, First half of 2010 and 2009". Legend entries: January to June; first half of 2009, first half of 2010; government websites, non-government websites; Chinese mainland, Hong Kong (China), Taiwan (China)]
Internet Security Situation in China: More…
• DDOS attacks
• Phishing
• Smart Phone malware
  – ‘DuMusicPlay’ infection: nearly 1 million in first week of Sep.
  – ‘Mobile Skull’ infection: nearly 560 thousand in same week.
About CNCERT
• Full name: National Computer network Emergency technical Response Team Coordination Center of China
• CNCERT/CC is a national-level CERT organization, which is responsible for the coordination of activities among all Computer Emergency Response Teams within China concerning incidents on national public networks.
• It provides computer network security services and technology support in the handling of security incidents for national public networks, important national application systems and key organizations, involving detection, prediction, response and prevention.
• It collects, verifies, accumulates and publishes authoritative information on Internet security issues. It is also responsible for the exchange of information and coordination of action with international security organizations.
About CNCERT
• CNCERT has 31 branches around the nation, located in each provincial capital.
• CNCERT is a leading organization in the cyber security industry. It also takes the role of the network and information security committee of the Internet Society of China.
• CNCERT is a full member of FIRST and APCERT.
Connections and working mechanism
• Supporting government
  – Ministry of Industry and Information Technology, which is in charge of Internet and telecommunication infrastructure security and of coordinating the safeguarding of online government information systems and social critical information systems
    • CNCERT: collecting security information from the ICT field and issuing advisories, coordinating ISPs and DNRs to clean malware control servers, monitoring attacks on government online systems, etc.
  – Other government bodies
    • CNCERT: following the cross-department working mechanism, provides technical support such as vulnerability evaluation, incident handling, etc.
• Uniting Industries and initiatives Industrial Self-discipline
  – CNVD – China National Vulnerability Database
  – ANVA – Anti Network Virus Association
CNCERT played a key role in the cyber safeguarding of national events:
• 2008 Beijing Olympics
• Nation Leaders’ Online Talks
• Shanghai EXPO 2010
• 2010 Guangzhou Asian Games
• Actively joining international cooperation
  – Join FIRST and APCERT and relevant events.
  – Sign MOUs with CERTs in other countries or regions that have a common interest in incident handling and information sharing.
  – Carry out joint activity during critical periods or incidents.
    • Give notice of potential conflicts on the Internet during hot foreign affairs.
    • Waledac botnet handling: Microsoft initiated the Waledac campaign in the US. In Feb 2010, at MS’s request, CNCERT quickly stopped 16 malicious domain names registered in China.
ACKNOWLEDGEMENT
Many thanks to ITU-T secretariat, workshop chairman and coordinators for your kind invitation and help.
Many thanks to the development of Internet and telecommunication technology by which I can join you remotely. Yes, that is what our cyber security guys are fighting for!
CONTACT
zyl AT cert DOTorg DOTcn
+86 10 8299 0355
www.cert.org.cn