The Policy of Information Security and Anti-Virus Activities in China Zhang Jian National Computer...

The Policy of Information Security and Anti-Virus Activities in China
Zhang Jian
National Computer Virus Emergency Response Center
Anti-Virus Products Testing and Certification Center
86-22-66211487
Http://www.antivirus-China.org.cn
[email protected]

Transcript of The Policy of Information Security and Anti-Virus Activities in China Zhang Jian National Computer...

Page 1: The Policy of Information Security and Anti-Virus Activities in China Zhang Jian National Computer Virus Emergency Response Center Anti-Virus Products.

The Policy of Information Security and Anti-Virus Activities in China

Zhang Jian

National Computer Virus Emergency Response Center

Anti-Virus Products Testing and Certification Center

86-22-66211487

Http://www.antivirus-China.org.cn

[email protected]

Page 2:

Agenda

- The policy of information security in China
- Antivirus laws in China
- Responsibility of National Computer Virus Emergency Response Center (CVERC)
- Process of CVERC
- Introduction of China computer virus survey
- The actual state and trend of CVERC
- Punish crime that writes or distributes computer virus
- Problems faced by us now

Page 3:

Policy and regulator

- In June 2003, the State Information Leadership Group reviewed and passed “the comments regarding the strengthening of information security safeguard works” in the group’s third meeting
- The National Network and Information Security Coordination Team is responsible for the comprehensive coordination works of national information security safeguard

Page 4:

Strategic Guidelines of National Information Security Safeguard

- Proactive Defense
- Comprehensive Precaution

Page 5:

Proactive defense

Solve information security problems with the thinking of development, security amid development, and development based on security

Implement the information security safeguard, on the basis of grading, classification and phase-in

Strengthen early warning and emergency response, on the basis of secure defense

Strengthen investigation and crack-down on illegal crimes

Realize secure control of network and information system with necessary capabilities and means

Page 6:

Comprehensive Precaution

The information security comprehensive precaution system is composed of protection, detection, response and early warning

Various technologies and management measures are to be adopted in the areas of prevention, detection, emergency response and crack-down on crimes and the aspects of law, management, operation, technology, talent, etc.

Improve the overall capability of defending information security through the joint efforts of the whole society

Page 7:

Antivirus laws in China

- Promulgation of “Computer Information System Security Protection Ordinance of People’s Republic of China” in 1994
- Promulgation of new “Criminal Law of People’s Republic of China” in 1997
- Promulgation of “Rules of Computer Virus Protection and Disinfections Management” by PSM of PRC in 2000

Page 8:

Definition of Computer Virus in China

A set of codes programmed or inserted into computer programs, which is able to self-duplicate, harm the computer function, destruct data and affect the proper use of computer

- Article 28 “Computer Information System Security Protection Ordinance of PRC”

Page 9:

“Deliberately program and distribute malicious codes like computer virus etc., with the result of affecting the proper running of computer system, leads to destructive consequence” will be punished.

- “Criminal Law of People’s Republic of China”

Page 10:

- Promulgated according to “Computer Information System Security Protection Ordinance”
- No entity or individual is allowed to publish false computer virus prevalence information
- Anti-Virus products testing and certification institutions should conduct timely analysis and confirmation of the submitted virus samples and report the result to Public Network Information Security Supervision Bureau
- Provide education and training to the computer information system operating personnel of each entity
- Use those computer virus protection products which obtained computer information security system product sales license

- “Rules of Computer Virus Protection and Disinfections Management”

Page 11:

Antivirus organization in China

- National Information Work Leading Committee is in charge of information security work in China
- Public Security Ministry and its branches are in charge of antivirus cases in China
- CNCERT/CC is responsible for the coordination of activities among all Computer Emergency Response Teams within China concerning incidents in national public telecommunications infrastructure networks like the Internet.
- National Computer Virus Emergency Response Center, which belongs to CNCERT, is in charge of virus emergency response work in China
- Anti-Virus Products Testing and Certification Center is in charge of the certification work of anti-virus products

Page 12:

Responsibility of National Computer Virus Emergency Response

- Set up the national computer virus monitoring network in China
- Detect and deal with computer virus events, and submit the virus infection report to CNCERT and the department in charge of antivirus
- Provide solutions to computer viruses for users in China, and instruct users to establish and implement antivirus countermeasures
- Provide technical support to the related departments for implementing the policies of treating computer viruses in China
- Provide rescue services for computer users attacked by computer viruses in China
- According to the terms of law, coordinate with the Public Security Department to punish criminal activities using computer viruses
- Implement a technical collaboration and information exchange mechanism with local and international antivirus research organizations
- Train antivirus technical and management practitioners in China
- Hold the computer virus prevalence situation survey
- Announce computer virus predictions

Page 13:

How to deal with new virus found by CVERC in China

- Virus Emergency Response Center will forward the virus sample to all anti-virus companies when detecting new viruses;
- Anti-virus companies should provide analysis report and virus samples after finding new viruses;
- Virus Emergency Response Center will provide the analysis report to CNCERT and, according to the risk level, suggest whether or not to issue a virus outbreak announcement;
- Monitoring the new virus and, if information about the virus writer is found, informing the police of the detection;
- Upgrading of software by each of the anti-virus companies;

Page 14:

Introduction of China computer virus survey

- From 2001 to 2004, held the nationwide prevalence situation survey in China four times
- Held the antivirus conference two times; antivirus experts from USA, Japan, Korea, UK, Spain, Russia, Singapore, Philippines and Hong Kong attended the conference for technical communion.

Page 15:

[Chart: Computer Virus Infection Rate. Years on axis: 2001, 2002, 2003, 2004. Data labels: 73%, 83.98%, 85.57%, 87.93%.]

Page 16:

[Chart: Frequency of Computer Virus Infection. Categories: 1 time, 2 times, Over 3 times. Series: 2001, 2002, 2003, 2004.]

Page 17:

[Chart: Virus Infection Rate in Different Period. Months on axis: May through Apr. Series: 2001-2002, 2002-2003, 2003-2004.]

Page 18:

[Chart: Virus damage rate. Years on axis: 2001, 2002, 2003, 2004. Data labels: 43%, 64.05%, 63.57%, 49.38%.]

Page 19:

[Chart: Main channels of virus dissemination. Categories: download or browse, E-mail, Local network, CD-ROM or floppy disk. Series: 2001, 2002, 2003, 2004.]

Page 20:

The top 10 viruses in China

No. | (2001, 5) | (2002, 5) | (2003, 5) | (2004, 5)
1 | CIH | Exploit | Redlof | Netsky
2 | Funlove | Nimda | Spage | Redlof
3 | Binghe | Binghe | Nimda | Homepage
4 | W97M.marker | JS.Seeker | Trojan.QQKiller6.8.ser | Unknown mail
5 | MTX | Happytime | Klez | Lovegate
6 | Troj.erase | Funlove | Funlove | Funlove
7 | BO | Klez | JS.AppletAcx | htadropper
8 | YAI | CIH | Mail.virus | Webimport
9 | wyx | Gop | Script.exploit.htm.page | activeXComponent
10 | Troj.gdoor | Troj.netthief | Hack.crack.foxmail | wyx

Page 21:

The actual state and trend of CVERC

Set up computer virus monitor network
- Local and international antivirus vendors become members of the computer virus emergency response team.
- Computer users actively submit computer virus prevalence situation.

Detect and solve computer virus incidents
- More than 3400 rescue emails and 3000 rescue phone calls processed in 2004
- For the 22 most urgent virus outbreaks, such as “Mydoom”, “Netsky” and “Sasser”, collaborated with the computer virus emergency response team to provide virus analysis, monitoring and solutions to computer users in China.

Build up special emergency response teams for important events and holiday periods
- Organize local and international antivirus vendors to set up “Computer virus emergency response team for both the NPC and CPPCC sessions”
- Monitor computer virus activities during the period of holding the National conference to ensure computer security.

Page 22:

The actual state and trend of CVERC (Continued)

Announce computer virus pre-caution
- Released 50 issues of the computer virus monitoring weekly newspaper in 2004
- Released 52 computer virus forecasts in 2004

Establish antivirus publicity area
- Collaborate with CCTV for computer virus forecast program
- Collaborate with Xinhuanet for computer virus forecast
- Hold webcast program with Xinhuanet

Page 23:

Computer virus forecast on xinhuanet

Page 24:

Webcast of xinhuanet

Page 25:

The Headline News of Xinhuanet

Page 26:

Enhance the technical communion

Page 27:

CEO of Microsoft Great China Area

Page 28:

Technical communion with TrendMicro

Page 29:

For its contribution to the development of AVAR in 2003, the National Computer Virus Emergency Response Center was awarded the best membership of AVAR 2003.

Page 30:

Best membership of AVAR 2003

Page 31:

Cooperate with Trend Micro Incorporated and set up TrendLab China for tracing international computer virus development trends.

Page 32:

Trend Lab China

Page 33:

- Detect virus PE_MINCER.A
- Detect virus “Hedong”
- Detect virus “WORM_MYBA.A”
- Discover and detect “WORM_MUMU.A”

Page 34:

The problems facing us now

- New users continuously increase while lacking appropriate security knowledge and techniques;
- Lack of a fully effective computer virus protection and disinfection training course
- Young people lack legal knowledge regarding computer security
- Lack of a national-level computer monitoring and pre-caution system

Page 35:

Our Goal

Page 36:

- Effective punishment
- Insuring Recovery
- Celerity reaction
- Active Prevention
- Timely Find

Page 37:

Thanks

National Computer Virus Emergency Response Center
Anti-Virus Products Testing and Certification Center

Http://www.antivirus-China.org.cn
[email protected]