Anti-virus engineers named it Nimaya. It also has a more popular name: "Panda Burning Incense". It quickly grew into hundreds of variants, invading personal computers, infecting portal websites and destroying enterprise data systems ... Its spread called into question the public safety of the network and set off a contest between "the Tao" and "the demon" in the virtual world, one in which anti-virus engineers and amateur anti-virus experts alike took part.
On January 19, a new variant of the "Panda Burning Incense" virus appeared. The virus author claimed that this would be the last update of "Panda Burning Incense".
Is this contest, which lasted more than two months, over?
Virus found in the "honeypot"
November 2006, the 14th floor of Rising Company's headquarters in Zhongguancun.
A group of anti-virus engineers surrounded a computer disconnected from the network. With a click of the mouse, hundreds of panda icons appeared on the screen. This was the virus the engineers captured that day, named "Nimaya".
Shi Jun is an anti-virus engineer in the virus group of Rising's R&D department. His daily job, together with dozens of colleagues, is to catch the viruses circulating on the Internet, "dissect" them, study their internal structure and update Rising's virus database.
That afternoon, a user submitted a virus sample to them. Later, they found the same virus in the virus group's "honeypot".
A "honeypot" is a weak server that the virus group sets up on the Internet. Engineers deliberately leave various vulnerabilities on the server to lure viruses into attacking it. "It's like a trap full of honey that a hunter sets to attract prey."
After extracting the virus from the honeypot, Shi Jun and his colleagues moved it to a computer on the company's 14th floor that is isolated from the network, the virus "dissection table".
"After the virus ran, all the icons in the system turned into pandas." Rows of panda patterns appeared on the screen in front of Shi Jun: a panda holding three sticks of incense, bowing with its paws folded.
Analysis showed that beneath its cartoon appearance the virus has huge infection potential, and that its infection mode and the method for removing it are very similar to those of the widespread "Weijin" virus. Rising immediately issued a virus warning.
The virus has spread all over the country.
"The original Nimaya was not very powerful." Shi Jun said that as the virus author kept updating it, its destructive power and infectivity increased as well.
At the end of November 2006, there were fewer than ten variants of Nimaya. From December on, however, the author updated the virus day after day, and the number of variants doubled. By this time, the name "Panda Burning Incense" had replaced "Nimaya".
From mid-December, "Panda Burning Incense" entered a period of rapid mutation. After several large-scale outbreaks, "Panda Burning Incense" became a phrase on many computer users' lips.
After Christmas, the number of "Panda Burning Incense" versions had reached nearly one hundred.
Shi Jun said that in late December last year, nearly a thousand large domestic enterprises were infected with "Panda Burning Incense" and asked Rising for help. "Once the number of variants and of infected users exceeds a certain level, the virus spreads geometrically."
On December 26, the Kingsoft Internet Security Global Anti-virus Monitoring Center issued a virus warning: "Panda Burning Incense" was running rampant.
On the 27th, Jiangmin Science and Technology issued an emergency virus alert about "Panda Burning Incense".
On January 7, 2007, the National Computer Virus Emergency Response Center issued an emergency warning: "Internet monitoring has found that a worm disguised as 'Panda Burning Incense' is spreading, and many enterprise LANs have been infected by it."
On January 9, "Panda Burning Incense" continued to spread and began reaching computer users all over the country.
On this day, "Panda Burning Incense" saw a nationwide large-scale outbreak, and the number of its variants stood at 306.
Users infected everywhere.
Xiao Jiang is the network manager of an Internet cafe in Heilongjiang Province. From January 9 to January 10, his Internet cafe was empty, with no customers. When he turned on the more than 40 computers in the cafe, every screen was full of "Panda Burning Incense" icons, and the systems had crashed and could not run.
"The virus hit on the morning of the 9th. It started on one machine. While I was cleaning it, the other machines on the LAN were hit one after another," Xiao Jiang said.
That same morning, Mr. Liu, who works at an IT company in Beijing, found that nearly 30 computers in the company were all infected with "Panda Burning Incense". The virus destroyed program files on the computers and deleted the backups, and semi-finished software under development was destroyed.
Mr. Liu was angry but helpless. In his annual summary report he deliberately added: "In the future, important programs must be backed up to guard against rogue viruses such as 'Panda Burning Incense'."
That same night, at a newspaper in Beijing, technicians were running back and forth while dozens of editors and reporters waited for them to clear "Panda Burning Incense" from their computers.
On January 10, Mr. Zhang, an employee of a Taiwan-funded company in Shanghai, turned on his computer and was greeted by rows of incense-burning pandas. Looking around, he found the same surprised expression on all his colleagues' faces. The company's business was paralysed for the whole day.
……
According to the data on users seeking help with the "Panda Burning Incense" virus provided by Rising, the number of users asking Rising for help has reached 10 16, and on January 9 it was 1 1002. Because only some users ask for help, and help is limited to genuine users of Rising antivirus software, this figure is only the tip of the iceberg.
It is understood that on January 9 alone, hundreds of thousands of computer users were infected. Beijing, Shanghai and other cities with concentrations of computer users became the "hardest hit areas".
"Panda" did not stop there. It went on burning incense everywhere. As the number of variants grew, the wave of infections spread endlessly and grew more and more serious.
To date, the "Panda Burning Incense" virus has 416 variants and has infected millions of computer users.
On January 22, the National Computer Virus Emergency Response Center issued another alarm, a nationwide "wanted" notice for "Panda Burning Incense".
Portal websites infected.
On January 24, the Beijing Municipal Government Information Office opened a special section on the "Panda Burning Incense" virus on its official website. In it, the author wrote: "A virus disguised as the 'Panda Burning Incense' pattern is running rampant ... At present, many enterprise LANs and websites have been hit hard, and most netizens have also suffered greatly."
Why is "Panda Burning Incense" so hard to beat back?
"'Panda Burning Incense' is different from previous viruses; it uses new means of transmission." Shi Jun said that traditional worms spread from an infected computer to other computers on the LAN, whereas "Panda Burning Incense", besides combining every available propagation loophole, can also spread through websites.
A computer infected with "Panda Burning Incense" will attach the virus to all web files on its hard disk. "If the computers of a website's editors and journalists are infected, 'Panda Burning Incense' may be attached to every page of the website through the poisoned pages." Shi Jun said that when netizens visit such a poisoned website, they are infected with the "Panda Burning Incense" virus.
From traditional point-to-point spread to today's one-to-many spread, "Panda Burning Incense" has spread rapidly on the back of the staggering visitor numbers of the poisoned websites.
According to the anti-virus engineers, they have detected that "Panda Burning Incense" infected Tianya Community, Silicon Valley Power, pconline and other portals, and that traces of "Panda Burning Incense" were found in the download links of well-known software such as Storm Video. At the same time, "Panda Burning Incense" can also spread with the help of search engines.
"Via LANs, via portal websites and via USB flash drives, a single spark can start a prairie fire." Shi Jun said that these three main modes of transmission are the main reason "Panda Burning Incense" is so hard to beat back.
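The website path described above (pages altered on an infected editor's workstation and then published) is one a site operator can catch before publishing by checking the web root against a hash manifest taken from a known-good copy. This is an added example, not code from the article or from any company it names; the sample site, the appended iframe fragment, its placeholder URL and the file names are all constructed.

```python
"""Integrity check for a web root: catch pages altered on an infected editor's
workstation before they reach the live site (added example, constructed data)."""
import hashlib
import os
import re
import tempfile

# Constructed clean site, as an editor would keep it locally.
CLEAN_PAGES = {
    "index.html": "<html><body><h1>News</h1></body></html>\n",
    "about.html": "<html><body><p>About us</p></body></html>\n",
}
# Constructed stand-in for content appended to every page by an infected
# machine; the URL is a placeholder, the article gives no real one.
INJECTED_TAIL = ('<iframe src="http://malware.example.invalid/x.htm" '
                 'width="0" height="0"></iframe>\n')
# A script or iframe pulling an external resource that the baseline did not
# contain is the strongest sign that a page was injected rather than edited.
SUSPICIOUS = re.compile(r"<(?:iframe|script)\b[^>]*\bsrc\s*=\s*[\"']?https?://", re.I)


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def build_manifest(root):
    """Hash every file under root: the known-good baseline."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def check_site(root, manifest):
    """Compare root against the baseline; return sorted (path, finding) pairs."""
    findings = []
    for rel, digest in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            findings.append((rel, "missing"))
        elif sha256_file(full) != digest:
            with open(full, encoding="utf-8", errors="replace") as fh:
                body = fh.read()
            injected = SUSPICIOUS.search(body) is not None
            findings.append((rel, "modified: external iframe/script injected"
                             if injected else "modified"))
    for rel in build_manifest(root):
        if rel not in manifest:
            findings.append((rel, "unexpected new file"))
    return sorted(findings)


def demo():
    """Write the clean site, baseline it, simulate the tampering, re-check."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in CLEAN_PAGES.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        manifest = build_manifest(root)
        # Tampering as it would look after the editor's machine was infected:
        # the fragment is appended to a page and a new file is dropped.
        with open(os.path.join(root, "index.html"), "a", encoding="utf-8") as fh:
            fh.write(INJECTED_TAIL)
        with open(os.path.join(root, "dropped.htm"), "w", encoding="utf-8") as fh:
            fh.write(INJECTED_TAIL)
        return check_site(root, manifest)
```

Calling demo() runs the constructed scenario and returns one finding for the page with the appended iframe and one for the dropped file, while the untouched page produces nothing.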
Anti-virus people fight the virus.
Shi Jun said that Rising's virus team has been working overtime since last Christmas. Whenever a new variant of "Panda Burning Incense" is released, the engineers immediately collect samples, dissect the virus and upgrade the corresponding removal tool. "During this time I have pulled four all-nighters."
"The technology of 'Panda Burning Incense' is not superb; it mainly relies on the author's constant, frantic updates. Whenever he updates, we update the removal tool." Shi Jun said that "Panda Burning Incense" is good at exploiting new loopholes. For example, the January 8 variant takes advantage of the latest security vulnerabilities in QQ.
Since "Panda Burning Incense" was born, the virus has been revised more than 400 times, and the removal tool developed by Shi Jun and his colleagues has been upgraded 10 times.
Besides the anti-virus software companies, "anti-virus experts" scattered among netizens have also played an important role in the fight against "Panda Burning Incense".
In the anti-virus forum of the Kaka online community there are many computer experts, mostly amateur programmers, who often study anti-virus technology together. As soon as "Panda Burning Incense" appeared, it caught their attention.
At the end of October 2006, the programmer "Farmer" had already obtained samples of the virus and written a special removal tool, before Rising captured the virus. Since then, whenever "Panda Burning Incense" has released a variant, anti-virus forum users such as mopery and Emma have written a detailed variant analysis report, pointing out the danger and the new features of the virus.
"In fact, there are many anti-virus experts among ordinary people," said Shi Jun, who used to be one of these folk experts himself. He has loved studying viruses since high school and was recruited by an antivirus software company after graduating from college. He still often browses some well-known technical forums, and if the folk experts have good ideas, the virus group learns from them.
Shi Jun said that he has a "trump card": "unknown virus killing". He said this anti-virus method can judge the "family characteristics" of a virus. As long as a variant matches a series of characteristics, the removal tool can kill it effectively.
Xuan Shi explained the working principle of this new removal tool, but asked reporters to keep the details out of their reporting. "It would be very troublesome if the virus author knew. This is our secret weapon."
Unfinished war
On January 19, "Panda Burning Incense" released a new variant, and the virus author claimed that this would be the last update of "Panda Burning Incense".
When the news reached the Kaka community, netizens who had been tormented by "Panda Burning Incense" were overjoyed. Once the joy passed, they began to reflect on the gains and losses.
In the anti-virus forum, netizen tom2000 published a post entitled "Panda Apocalypse: Reflection after the Storm", which read: "How many new viruses and Trojans will learn from the panda's experience in the future? Everything has only just begun!"
Industry experts believe that China's Internet is still in its infancy and that most netizens lack the most basic network security knowledge and good online habits. Weak security awareness has given the virus the opportunity to spread over a wide area. At the same time, as computers become common in every industry, the harm caused by viruses will grow more and more serious.
On the afternoon of January 24, anti-virus engineers discovered a new virus very similar to "Panda Burning Incense". The engineers suspect that the new virus was made by the author of "Panda Burning Incense".
The virus replaces all the icons on an infected user's computer with a human head that has two light bulbs where the eyes should be.
Anti-virus engineers are worried about whether "Light Bulb Man" will become the successor of "Panda Burning Incense".
"This is an invisible war. For us, the war is still going on," Wei Shi said.
Who wrote "Panda Burning Incense"? What does he want? While "Panda Burning Incense" was raging, all kinds of speculation about the author's identity circulated online. In Baidu's "Panda Burning Incense" Post Bar, hundreds of netizens who had suffered from "Panda Burning Incense" posted "wanted" notices for the virus maker, and some netizens claimed to offer a reward of 10,000 US dollars.
Yesterday, the anti-virus engineer revealed to reporters that the author of "Panda Burning Incense" did not vanish without a trace. While dissecting the virus, they found some mysterious information left inside it. In these messages, the author of "Panda Burning Incense" calls himself WHBOY, "Wuhan Boy".
Information hidden in the body of the "Panda".
Mopery is a moderator and anti-virus expert of the Kaka community anti-virus forum.
In mid-October 2006, mopery received a request for help from a netizen. While helping to fix the computer, he obtained a virus sample: the original version of "Panda Burning Incense".
After "dissecting" the virus, among the intricate program code mopery saw a piece of information unrelated to the program, including a line of letters: "whboy".
The name "whboy" has special meaning for virus researchers. In 2004, whboy released his virus "Wuhan Boy", an account-stealing Trojan that spread through QQ. A year later, because of its aggressiveness and wide spread, the Jiangmin Anti-virus Center listed it among the top ten viruses of 2005.
After that, whboy posted on some virus and hacker forums claiming to offer a QQ account-theft service, but soon disappeared, until "Panda" appeared.
Mopery made a detailed analysis of "Panda Burning Incense". He found that the virus does not have the most powerful technology, but it does have the most mature means of transmission.
Mopery became interested in "Panda Burning Incense". He contacted Farmer, another anti-virus expert. On October 25, 2006, the first removal tool, "Nimaya Worm Killing", was released.
"The first panda had no power, but the later variants were very powerful." Mopery said that within a month after the first edition of "Panda Burning Incense" was discovered, its variants numbered more than a dozen.
In these variants, every so often the author deliberately left the word whboy in the virus. "He mainly shows it to us, the people who analyse viruses; ordinary users can't see the code."
As the variants multiplied, the anti-virus people began to look forward to more news while dissecting the virus.
The virus lists its "acknowledgements"
In early December, the mutation of "Panda Burning Incense" accelerated. Besides the word whboy, a line of Chinese characters appeared in the code: "Wuhan Boy infected downloader." As the variants multiplied, more and more information was attached to the code.
By this time, mopery and Emma had joined the campaign against "Panda Burning Incense". They analysed each new panda variant and released a detailed virus analysis report on the Kaka community anti-virus forum.
Their actions caught the attention of the virus author "Wuhan Boy". In a variant released at the beginning of January, the mysterious message was updated again.
"Thanks to mopery for paying attention to this Trojan horse." This new sentence in the message left mopery not knowing whether to laugh or cry. Subsequently, Wuhan Boy seemed to become infatuated with the format of an "acknowledgements list" inside the virus. Emma's name was added to the thank-you list in the virus message of January 5. On January 9, the name "Haiyue" was added to the list of anti-virus experts thanked, and the sentence "I am convinced ... Emma ..." was added at the end of the message.
From then on, Wuhan Boy frequently "communicated" with his opponents in this way.
On January 15, Wuhan Boy greeted Taylor77 in a message: "Taylor77, I wonder what you want to see me about?" and joked: "The virus I made has burned all the national treasures in the city."
Online world masters spar for one month.
On January 16, Wuhan Boy released a new variant, which anti-virus hobbyists called the "Emma" version, because in its message Emma's name was written 22 times.
On the evening of January 19, "Panda Burning Incense" released its last update. This version has the most comprehensive infection capabilities.
In the last version of "Panda Burning Incense", Wuhan Boy wrote a farewell message: "I am deeply sorry to the netizens and network administrators who have heard of this Trojan horse! Sorry, you have worked hard! mopery, I really want to talk to you! For some reason, I think I'd better forget it!"
Faced with the news that "Panda Burning Incense" had stopped updating, anti-virus engineer Shi Jun seemed very calm: "We hope the panda storm ends here, but Wuhan Boy has gone back on his word before. In short, as long as he keeps updating, we will see it through to the end."
To this Wuhan Boy, who has been fighting for more than a month but whose hiding place nobody knows, mopery's message is: "I hope he can use his technology to serve the majority of netizens, instead of bringing them pain."
Three versions of the identity of "Wuhan boy"
Although Wuhan Boy said he would not update "Panda Burning Incense" again, the aftermath of this virus frenzy sweeping the country is hard to calm. Netizens have speculated about the true identity of Wuhan Boy.
Within the industry there are three speculations about the identity of Wuhan Boy. First, that Wuhan Boy is a 15-year-old teenager from Wuhan; the evidence is a QQ conversation between him and the anti-virus expert Farmer that circulated online. Second, that Wuhan Boy is the vice president of a software company in Guilin who once wrote rogue software; this version originated in an anti-virus forum. Third, that Wuhan Boy is an employee of a domestic anti-virus software company, deliberately writing viruses to promote the corresponding anti-virus products.
To verify these rumours, the reporter interviewed mopery and Shi Jun, an anti-virus engineer at Rising.
Mopery said that after checking with Farmer, it was confirmed that the protagonist of the circulated QQ chat excerpt was the author of another virus, not Wuhan Boy. As for the company vice president, that is even more unfounded.
As an employee of an anti-virus software company, Shi Jun said that every time a big virus spreads there are rumours against the anti-virus software companies, but programmers in the anti-virus industry will not write viruses and disrupt the network. He asked, "Is the flu virus made by doctors?"
Mopery and Shi Jun both said that, judging from the message content and the program code, Wuhan Boy is a veteran with rich experience of writing viruses. He often browses the Kaka community anti-virus forum and keeps an eye on the virus analyses of mopery and others. The Kaka community has more than 590,000 members, and Wuhan Boy is certainly among them, but it is hard to narrow the range. "Wuhan Boy is proficient in network and intrusion technology, and it is difficult to trace his true identity through his online traces," mopery said.
"Panda Burning Incense" has a commercial purpose.
Shi Jun said that after analysis they believe "Panda Burning Incense" has a strong commercial purpose. "After a user is infected, the virus clicks on foreign websites in the background. Some variants carry account-stealing Trojans, from which the virus author can profit."
"Today's virus writers are different from those of the 1990s. They no longer aim to show off technology but have a clear business purpose. The boundary between viruses and rogue software is becoming increasingly blurred," Wei Shi said.
Yesterday afternoon, Rising staff said that the relevant evidence and the virus characteristics pointing to the author had been submitted to the National Computer Virus Emergency Response Center. Staff at the Center said that the relevant data on the "Panda Burning Incense" virus storm, including the number of computers affected and the economic losses caused, are being compiled and will be published on its homepage in the near future.
Asked whether the case would be reported to the public security organs, the staff member said it was not convenient to disclose this at present.
"I believe that one day I will see the true face of Wuhan Boy," mopery said.
■ Link
Regulations on the Security Protection of Computer Information Systems
Article 23: Whoever intentionally introduces computer viruses or other harmful data and endangers the security of computer information systems, or sells special computer information system security products without permission, shall be given a warning by the public security organ or fined up to 5,000 yuan for individuals and up to 15,000 yuan for units; if there is illegal income, in addition to confiscation, a fine of 0 to 3 times the illegal income may be imposed.
Article 24: Whoever violates the provisions of these Regulations in a way that constitutes a violation of public security administration shall be punished in accordance with the relevant provisions of the Regulations of the People's Republic of China on Administrative Penalties for Public Security; if a crime is constituted, criminal responsibility shall be investigated according to law.