That doesn't mean that it's actually Chinese users doing anything though. China has a lot of software piracy in their culture, and where piracy is, malware and botnets are rife.
I find that debatable; they are still guilty to some extent because of their inaction to do anything (effective) against these botnets, whether 'action' would refer to users installing a decent anti-virus, or an ips blocking and isolating obviously infected hosts.
Of course, this is a whole different level of culpability than if they were actually condoning large scale attacks on other countries' infrastructure.
The fact remains that if I were to plot the number of IPs that come knocking at my non-production server, you'd see over 50% coming from China.
17.18% of all desktop OSes connected to the internet are Windows XP, the version for which Microsoft doesn't publish updates. Most of these computers are in China. Also "in 2009, approximately 80% of software sold in China was pirated."
The average weekly income of a Chinese worker is around 100 USD. He is not going to buy new software even if it costs the same as in the US. It typically costs even more.
Don't be surprised bots have easier targets there.
I find it very hard to believe myself, because when you can obtain it for free, why not go for the latest, shiniest version? But the reality is, most Chinese computers are still stuck with XP, whatever the reason is.
XP was made for much weaker machines, older hardware. When you earn 100 USD per week you don't upgrade hardware as long as you can. Just as an example from another part of the world, I live in Europe and I've used a Sony notebook from 2002 until last year, when the hardware started to fail. I guarantee you that Windows 7 can't be installed on it. Even the newer Ubuntu versions weren't installable from one point on.
Ever heard of PPStream or PPTV? Well, the good news is that both pieces of software open some sort of transparent HTTP proxy listening on 0.0.0.0; obviously it's for helping the P2P.
tail -n 50 /var/log/auth.log
Nov 12 15:33:28 VPS-3167 sshd[11950]: Connection closed by 122.225.97.110 [preauth] [SNIP]
Nov 12 20:12:51 VPS-3167 sshd[12016]: Connection closed by 61.174.50.164 [preauth] [SNIP]
Nov 12 20:40:44 VPS-3167 sshd[12031]: Connection closed by 122.225.97.72 [preauth]
The list goes on and on, and the IPs in the last fifty lines were all Chinese or Russian; still, they could also have been hacked themselves.
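
An added example, not part of any comment in the thread: tallying the pre-auth disconnects in an auth.log like the one quoted above, per source address and per /24 network. The regex also accepts the newer OpenSSH line format that includes a user and port; the function names and the sample lines beyond the three quoted ones are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Matches sshd pre-authentication disconnects, in the older form quoted in the
# thread and the newer OpenSSH form that adds a user and/or "port N".
PREAUTH = re.compile(
    r"sshd\[\d+\]: Connection closed by "
    r"(?:(?:authenticating|invalid) user \S+ )?"
    r"(?P<ip>[0-9a-fA-F:.]+)(?: port \d+)? \[preauth\]"
)

# The first three lines are the ones quoted in the comment; the rest are
# constructed (documentation address ranges) to exercise the other branches.
SAMPLE_LOG = """\
Nov 12 15:33:28 VPS-3167 sshd[11950]: Connection closed by 122.225.97.110 [preauth] [SNIP]
Nov 12 20:12:51 VPS-3167 sshd[12016]: Connection closed by 61.174.50.164 [preauth] [SNIP]
Nov 12 20:40:44 VPS-3167 sshd[12031]: Connection closed by 122.225.97.72 [preauth]
Nov 12 20:41:02 VPS-3167 sshd[12040]: Connection closed by invalid user admin 198.51.100.7 port 40122 [preauth]
Nov 12 20:45:10 VPS-3167 sshd[12051]: Accepted publickey for deploy from 192.0.2.10 port 51234 ssh2
Nov 12 20:50:00 VPS-3167 sshd[12060]: Connection closed by 122.225.97.110 [preauth]
"""

def preauth_sources(lines):
    """Yield the source address of every pre-auth disconnect, skipping other lines."""
    for line in lines:
        m = PREAUTH.search(line)
        if not m:
            continue
        try:
            yield ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address field: ignore rather than crash

def summarize(lines, v4_prefix=24, v6_prefix=64):
    """Count pre-auth disconnects per address and per enclosing network."""
    per_ip, per_net = Counter(), Counter()
    for addr in preauth_sources(lines):
        prefix = v4_prefix if addr.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        per_ip[str(addr)] += 1
        per_net[str(net)] += 1
    return per_ip, per_net

if __name__ == "__main__":
    per_ip, per_net = summarize(SAMPLE_LOG.splitlines())
    for net, n in per_net.most_common():
        print(f"{n:4d}  {net}")
```

Grouping by /24 shows that two of the three quoted addresses sit in the same network, which a per-address count alone would hide.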