HKCERT is pleased to bring to you the "Hong Kong Security Watch Report" for the third quarter of 2014.

Nowadays, a lot of “invisible” compromised computers are controlled by attackers with the owner being unaware. The data on these computers may be mined and exposed every day and the computers may be utilized in different kinds of abuse and criminal activities.

The Hong Kong Security Watch Report aims to provide the public a better “visibility” of the situation of the compromised computers in Hong Kong so that they can make better decision in protecting their information security.

The report provides data about the activities of compromised computers in Hong Kong which suffer from, or participate in various forms of cyber attacks, including web defacement, phishing, malware hosting, botnet command and control centres (C&C) and bots. Computers in Hong Kong is defined as those whose network geolocation is Hong Kong, or the top level domain of their host name is “.hk” or “.香港”. 

Highlight of Report

This report is for Quarter 3 of 2014.

In 2014 Q3, there were 18,087 unique security events related to Hong Kong used for analysis in this report. The information is collected with IFAS¹  from 19 sources of information².  They are not from the incident reports received by HKCERT.

Figure 1 –Trend of security events³

Server related security events

Server related security events include malware hosting, phishing and defacement. Their trend and distribution is summarized below:

Figure 2 –Trend and distribution of server related security events⁴

The number of server related security events significantly increased by 36% in Q3 2014.

In this quarter, the numbers of defacement events decreased by 35% while the number of phishing events and malware hosting events increased by 19% and 269% respectively.

The sharp increase of malware hosting events was due to a few mass compromise cases. It can be revealed from the IP/URL ratio, which increased from 4.45 to 14.12. The most serious case contributed 2110 malware hosting URLs. After investigations, a large number of the URLs were hosted in servers that used out-of-dated software, which may be the causes of the compromises. HKCERT cannot emphasize more on the importance of applying security patches. Websites and server administrators should pay attention to the vulnerabilities of the software and patch them in time.

This quarter, we discovered a phishing campaign targeting Alipay, which is a popular online payment system. Among the 3048 phishing URLs, around half of them got a similar pattern of [a/b][1-4].asp, e.g. “a1.asp” or “b3.asp”. An optional parameter, “?bank=[bankname]”, which specifies the bank logo to be used in the phishing page, can also be added, such as “a1.asp?bank=ccb”. All those URLs were linking to fake Alipay login pages. Careless users who enter their Alipay login credentials will give out that sensitive information to the cyber criminals and may incur financial loss. According to our data, this pattern was first discovered in March, and then the number started to increase in the following months. We have passed this case to the related parties to follow up and will keep monitoring such phishing URL patterns.

Botnet related security events

Botnet related security events can be classified into two categories:

• Botnet Command and Control Centres (C&C) security events – involving small number of powerful computers, mostly servers, which give commands to bots
• Bots security events – involving large number of computers, mostly home computers, which receive commands from C&C.

Botnet Command and Control Servers

The trend of botnet C&C security events is summarized below:

Figure 3 –Trend of Botnet (C&Cs) related security events

The number of botnet Command and Control Servers increased this quarter.

There were 5 C&C servers reported in this quarter. Three of the reported servers were identified as Zeus C&C servers, while the other two were IRC bot C&C servers.

Botnet Bots

The trend of botnet (bots) security events is summarized below:

Figure 4 - Trend of Botnet (Bots) security events⁵

Number of Botnet (bots) on Hong Kong network decreased in this quarter.

In Q3 2014, the number of botnet infections in Hong Kong decreased by 20%, 9 of the top 10 botnets have their numbers decreased or roughly unchanged.

Conficker, Zeus and ZeroAccess have constantly been the top three botnets since we started collecting data in Q2 2013. Among them, the number of ZeroAccess events recorded the largest drop last year. Its number dropped from 2802 as of Q3 2013 to 1062 as of Q3 2014. It’s a drop of 37.9% or 1740 events. Its number was dropping steadily at a rate of 300-500 events every quarter. If the rate persists, the number of ZeroAccess events will drop below 1000 at the end of this year.

HKCERT has been following up the security events received and proactively engaged local ISPs for the botnet clean up since June 2013. Currently, botnet cleanup operations against major botnet family - Pushdo, Citadel, ZeroAccess and GameOver Zeus are still in action.

HKCERT urges general users to join the cleanup acts. Ensure your computers are not being infected and controlled by malicious software.

Protect yourself and keep the cyberspace clean.

Download Report

< Please click to download Hong Kong Security Watch Report >

¹ IFAS  Information Feed Analysis System is a HKCERT developed system that collects global security intelligence relating to Hong Kong for analysis.

2 Refer to Appendix 1 for the Sources of Information

³ The numbers were adjusted to exclude the unconfirmed defacement events

⁴ The numbers were adjusted to exclude the unconfirmed defacement events

⁵ The number botnet(bots) security events in Q4 2013 was adjusted due to the update of numbers of the Zeus botnet.