Security Blog

Bankeiya Botnet Detection and Cleanup in Hong Kong

Release Date: 29 / 05 / 2014
Last Update: 30 / 05 / 2014

HKCERT estimated that about 600 computers in Hong Kong were infected by the Bankeiya botnet. To stop your computer from being used as a tool by the attackers, use the steps below to check whether it is infected and to clean it up.


1. HKCERT operation on Bankeiya botnet infection

In May 2014, HKCERT received a report from Symantec Security Response [1] about computers in Hong Kong infected with the Bankeiya botnet. About 600 Hong Kong IP addresses were reported to have connected to a sinkhole detection system set up by security researchers. These computers may have been infected by the Bankeiya malware, becoming part of the Bankeiya botnet and making those call-home connections. Upon receiving the report, HKCERT notified the ISPs that administer those IP addresses so that they could alert their customers about the potential infection.
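As an added illustration of the workflow in this section (not HKCERT's or Symantec's own code): a script that takes a sinkhole report of call-home source IPs and groups them by the ISP administering each address block, so that each ISP receives only its own list. The report layout, the ISP names and the address ranges are constructed placeholders.

```python
# Added example (not HKCERT's or Symantec's tooling): group sinkhole
# call-home hits by the ISP that administers each source IP. The report
# layout, prefix table and all addresses are constructed (RFC 5737 ranges).
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed: which ISP administers which address block.
ISP_PREFIXES = {
    "isp-a.example": [ipaddress.ip_network("192.0.2.0/25")],
    "isp-b.example": [ipaddress.ip_network("192.0.2.128/25"),
                      ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed sinkhole report: one row per call-home connection observed.
SINKHOLE_REPORT = """timestamp,src_ip
2014-05-20T01:02:03Z,192.0.2.10
2014-05-20T01:05:44Z,192.0.2.10
2014-05-20T02:11:09Z,192.0.2.200
2014-05-20T03:00:00Z,198.51.100.7
2014-05-20T03:30:00Z,203.0.113.9
2014-05-20T03:31:00Z,not-an-ip
"""


def isp_for(ip):
    """Return the ISP whose prefix contains ip, or None if none matches."""
    for isp, nets in ISP_PREFIXES.items():
        if any(ip in net for net in nets):
            return isp
    return None


def group_hits_by_isp(report_text):
    """Map each ISP to the sorted list of its IPs seen calling home.

    Repeated hits from one host collapse to a single IP; malformed rows and
    IPs outside every known prefix stay visible under "unassigned".
    """
    groups = defaultdict(set)
    for row in csv.DictReader(io.StringIO(report_text)):
        try:
            ip = ipaddress.ip_address(row["src_ip"])
        except ValueError:  # keep bad rows visible rather than dropping them
            groups["unassigned"].add(row["src_ip"])
            continue
        groups[isp_for(ip) or "unassigned"].add(str(ip))
    return {isp: sorted(ips) for isp, ips in groups.items()}
```

Calling `group_hits_by_isp(SINKHOLE_REPORT)` on the constructed report yields one list per ISP plus an "unassigned" bucket for the address outside every known prefix and the malformed row.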


2. Impact of Bankeiya botnet

Bankeiya is a banking malware botnet with about 20,000 infected computers worldwide. Japan is the most affected country, accounting for 50%, and Hong Kong is second, accounting for 3%.


Fig 1: Distribution of infected countries (Image source: Symantec)


Bankeiya is malware targeting the Windows operating system and was first discovered in February 2014. It spreads through compromised websites that embed exploit code for various vulnerabilities (Microsoft Internet Explorer, Oracle Java, etc.). In one case, a well-known forum website in Hong Kong was compromised to host exploit code for the Internet Explorer vulnerability CVE-2014-0322, which infected visitors’ computers.


The main purpose of the malware is to steal banking credentials from infected computers. When a victim logs in to a targeted Japanese bank website [2], the malware displays a fake pop-up window to trick the victim into entering banking credentials. It may also cause the infected computer to download a malicious bitcoin miner called “jhProtominer”, which abuses the victim’s computer resources to mine the virtual currency.


3. How to detect and remove Bankeiya malware

If you suspect that your computer is infected by the Bankeiya malware, follow the steps below to perform a full system scan.