Safeguarding China Operation (Part 1): Analysis and Response to Major Worm and Botnet Events

The original report is in Chinese, and this version is an AI-translated edition.

On the occasion of the 75th anniversary of National Day, Antiy CERT has gathered and sorted out its historical work in security event handling, major event analysis, advanced threat analysis and related areas, in order to summarize experience, distill rules, and correct deficiencies, so that our subsequent analysis and response work can more effectively support the national security struggle.

Threat analysis and response is an important capability spectrum of Antiy. Antiy conducts a series of work such as threat perception, capture, analysis, disposal, tracing, reporting, and exposure for attack activities, attack equipment, and threat actors, continuously promotes iterative improvements in core engines and product and service capabilities, and effectively supports public security governance and national security struggles.

In 2004, Antiy established the Antiy Computer Emergency Response Team on the basis of its virus analysis group; it was later renamed the Antiy Security Research and Emergency Response Center, namely Antiy CERT. A working mechanism was established according to the working principle of “starting at the first moment, responding to multiple threats at the same time, linkage of three systems, and coordination of four operation planes”, and an overall combat-readiness mobilization mechanism was formed for the response to and disposal of major security events and advanced threats. Antiy has been elected as a national (class A) support unit of the National Internet Emergency Center for eight consecutive terms (sixteen years).

Today we bring you the first part of the track record of Antiy’s emergency response and threat analysis work: responding to and handling major worm propagation and botnet infection events.

With the popularization of the Internet, there have been many large-scale worm outbreaks, including Code Red, Blaster, and Sasser. These worms spread rapidly, seriously disrupting the operation of Internet infrastructure and quickly infecting, and even taking control of, a large number of host nodes. In the process of responding to and handling these worms, Antiy gradually formed a set of analysis processes covering analysis of whether a vulnerability can be used for propagation, capture of worm infections, sample analysis, writing of free immunization and disposal tools, and publication of analysis reports. It also enabled Antiy’s earliest entrepreneurs to complete the transformation from traditional virus analysis engineers and development programmers into network security engineers. This formed the emergency-awareness foundation of Antiy’s “start at the first moment” principle, and the accumulated capabilities also laid a good working foundation for Antiy’s subsequent analysis of more complex attack activities such as APT attacks and targeted ransomware attacks.

1. Antiy’s Historical Response to and Handling of Major Worms and Botnet Infections

August 2001

Event: “Code Red II” worm
Contribution: First capture, analysis report, special detection tool, standard detection tool

Figure 1-1 “Code Red II” worm special detection tool
For more information: “IIS Worm Red Code” (published in Antiy Technical Articles Compilation (Volume 3))

January 2003

Event: SQL Slammer
Contribution: First capture, propagation mechanism analysis, rapid repair tools

Figure 1-2 Slammer worm patch check tool

March 2003

Event: Dvldr
Contribution: First capture, in-depth analysis report, full-network survey support, geographic traceability

Figure 1-3 Dvldr worm detection tool

Figure 1-4 Security patch batch distribution tool provided by Antiy for colleges and universities
For more information, see:
Emergency Worm.Dvldr Situation Analysis Report
“Report on Correlation Analysis of Worm Families Based on Password Cracking Mechanism”
(all published in Antiy Technical Articles Compilation (Volume 3))

July 2003

Event: Blaster
Contribution: Capture warning, in-depth analysis report, special detection tool, immunization tool

Figure 1-5 Blaster special detection and immunization tool (co-produced by Harbin Institute of Technology and Antiy)

Figure 1-6 MSBlast immunization procedure

August 2003

Event: WelChia
Contribution: Capture warning, analysis report, immunization tool, network management batch disposal tool

Figure 1-7 AV Lecah’s popular worm special detection tool adds protection against the WelChia worm

May 2004

Event: Sasser
Contribution: Capture warning, analysis report, special detection tool, network sky homology analysis and source location determination

Figure 1-8 AV Lecah’s popular worm special detection tool adds protection against the Sasser worm
For more information, see: “Virus Homology Analysis Based on Typical Development Methods and Coding Psychology” (published in Antiy Technical Articles Compilation (I))

January 2005

Event: RBOT and SDBOT botnets
Contribution: Capture warning, analysis report, special detection tool, clues provided for the capture of the author

Figure 1-9 AV Lecah’s popular worm special detection tool adds protection against the RBOT and SDBOT botnets

August 2006

Event: Mocbot
Contribution: Special detection tools, monitoring and analysis, large-scale containment solutions

Figure 1-10 AVL PK Ultimate Special Detection Tool detects and kills the popular worms and Trojans of the time

December 2006

Event: Fujacks
Contribution: Capture warning, analysis report, special detection tool

Figure 1-11 “Fujacks” virus special detection tool

May 2017

Event: WannaCry
Contribution: First release of a complete analysis, special detection tool, immunization tool, memory key extraction (recovery) tool, and traceability support

Figure 1-12 WannaCry special detection tool

Figure 1-13 WannaCry immunization tool

Figure 1-14 WannaCry file decryption tool
For more information:
Antiy’s in-depth analysis report on the ransomware worm “WannaCry”
Antiy’s protection manual for dealing with the ransomware “WannaCry”
Antiy analyzes the payment and decryption process of the ransomware worm WannaCry
Antiy worm-like ransomware WannaCry immunization tool FAQ
In response to the ransomware “WannaCry”, Antiy released a boot guide

June 2017

Event: Dark Cloud III
Contribution: Analysis report, special detection tool

Figure 1-15 Dark Cloud III special detection tool
For more information: Antiy’s sample analysis and solutions for “Dark Cloud III”

January 2018

Event: Gafgyt
Contribution: Infection status, jointly released with Telecom Cloud
For more information: Uncovering the story behind the IoT botnet Gafgyt family and the NetCore 53413 backdoor

August 2019

Event: Mykings
Contribution: Release of analysis reports and infection status
For more information: Analysis report on the recent activities of the Mykings botnet

April 2020

Event: Tsunami
Contribution: Release of analysis report and global infection situation
For more information: Analysis of the precise deployment of the Tsunami botnet and the “Magic Shovel” mining trojan

September 2022

Event: Lilith
Contribution: Publication of analysis reports and traceability background
For more information: Follow-up analysis of the Lilith botnet and the Jester hacker group behind it

November 2022 – March 2023

Event: Mining
Contribution: Release of analysis reports and a mining topic series
For more information:
Analysis of Typical Mining Families Part 4: LemonDuck Mining Botnet
Analysis of Typical Mining Families Part 3: Sysrv-hello Mining Worm
Analysis of Typical Mining Families Part 2: TeamTNT Mining Organization
Analysis of Typical Mining Families Part 1: Outlaw Mining Botnet

December 2023

Event: Mirai
Contribution: Analysis reports, new variants
For more information: Analysis of the Mirai botnet variant “Aquabot” and the Yayaya Miner mining trojan

Appendix: About Antiy

Antiy is committed to enhancing the network security defense capabilities of its customers and effectively responding to security threats. Through more than 20 years of independent research and development, Antiy has developed technological leadership in areas such as threat detection engines, advanced threat countermeasures, and large-scale threat automation analysis.

Antiy has developed the IEP (Intelligent Endpoint Protection System) security product family for PCs, servers and other system environments, as well as the UWP (Unified Workload Protect) security products for cloud hosts, containers and other system environments, providing system security capabilities including endpoint antivirus, endpoint protection (EPP), endpoint detection and response (EDR), and Cloud Workload Protection Platform (CWPP). Antiy has established a closed-loop product system of threat countermeasures based on its threat intelligence and threat detection capabilities, achieving perception, retardation, blocking and presentation of advanced threats through products such as the Persistent Threat Detection System (PTD), Persistent Threat Analysis System (PTA), Attack Capture System (ACS), and TDS. For web and business security scenarios, Antiy has launched the PTF Next-generation Web Application and API Protection System (WAAP) and the SCS Code Security Detection System to help customers shift their security capabilities left in the DevOps process. At the same time, it has developed four major kinds of security services: network attack and defense logic deduction, in-depth threat hunting, security threat inspection, and regular security operations. Through the Threat Confrontation Operation Platform (XDR), multiple security products and services are integrated to effectively support the upgrade of comprehensive threat confrontation capabilities.

Antiy provides comprehensive security solutions for clients with high security requirements, including network and information authorities, military forces, ministries, confidential industries, and critical information infrastructure. Antiy has participated in the security work of major national political and social events since 2005 and has won honors such as the Outstanding Contribution Award and Advanced Security Group. Since 2015, Antiy’s products and services have provided security support for major spaceflight missions including manned spaceflight, lunar exploration, and space station docking, as well as significant missions such as the maiden flight of large aircraft, escort of main force ships, and Antarctic scientific research. We have received several thank-you letters from relevant departments.

Antiy is a core enabler of the global fundamental security supply chain. Nearly a hundred of the world’s leading security and IT enterprises have chosen Antiy as their partner of detection capability. At present, Antiy’s threat detection engine provides security detection capabilities for over 1.3 million network devices and over 3 billion smart terminal devices worldwide, which has become a “national-level” engine. As of now, Antiy has filed 1,877 patents in the field of cybersecurity and obtained 936 patents. It has been awarded the title of National Intellectual Property Advantage Enterprise and the 17th (2015) China Patent Excellence Award.

Antiy is an important enterprise node in China’s emergency response system and has provided early warning and comprehensive emergency response during major security threats and virus outbreaks such as “Code Red”, “Dvldr”, “Heartbleed”, “Bash Shellshock” and “WannaCry”. Antiy conducts continuous monitoring and in-depth analysis of dozens of advanced cyberspace threat actors (APT groups) such as “Equation”, “White Elephant”, “Lotus” and “Greenspot” and their attack activities, assisting customers in forming effective protection based on an accurate assessment of the adversary situation.