HKCERT is pleased to bring to you the "Hong Kong Security Watch Report" for the forth quarter of 2015.

Nowadays, a lot of “invisible” compromised computers are controlled by attackers with the owner being unaware. The data on these computers may be mined and exposed every day and the computers may be utilized in different kinds of abuse and criminal activities.

The Hong Kong Security Watch Report aims to provide the public a better "visibility" of the situation of the compromised computers in Hong Kong so that they can make better decision in protecting their information security.

The report provides data about the activities of compromised computers in Hong Kong which suffer from, or participate in various forms of cyber attacks, including web defacement, phishing, malware hosting, botnet command and control centres (C&C) and bots. Computers in Hong Kong is defined as those whose network geolocation is Hong Kong, or the top level domain of their host name is “.hk” or “.香港”. 

Highlight of Report

This report is for Quarter 4 of 2015.

In 2015 Q4, there were 16,144 unique security events related to Hong Kong used for analysis in this report. The information is collected with IFAS¹ from 19 sources of information². They are not from the incident reports received by HKCERT.

Figure 1 –Trend of security events³

The total number of security events in Q4 2015 decreased by 7% or 1,155 events.

Server related security events

Server related security events include malware hosting, phishing and defacement. Their trends and distributions are summarized below:

Figure 2 –Trend and distribution of server related security events⁴

The number of server related security events decreased from 11,348 to 10,514 (decreased by 7%) in Q4 2015.

This quarter, the number of defacement events and malware hosting events decreased significantly by 34% and 24% respectively. However, the number of phishing events almost doubled.

Out of the 3332 phishing URLs, a legitimate domain hitsem.com contributed the most phishing URLs. 1085 URLs or 32.6% of all URLs were from it. The domain hitsem.com was owned by a Chinese company selling integrated circuits and semiconductors. This website was believed to be compromised for phishing.

Botnet related security events

Botnet related security events can be classified into two categories:

• Botnet Command and Control Centres (C&C) security events – involving small number of powerful computers, mostly servers, which give commands to bots
• Bots security events – involving large number of computers, mostly home computers, which receive commands from C&C.

Botnet Command and Control Servers

The trend of botnet C&C security events is summarized below:

Figure 3 –Trend of Botnet (C&Cs) related security events

The number of botnet Command and Control Servers dropped this quarter.

There were 4 C&C servers reported in this quarter. All were identified as IRC bot C&C servers.

Botnet Bots

The trend of botnet (bots) security events is summarized below:

Figure 4 - Trend of Botnet (Bots) security events

Number of Botnet (bots) on Hong Kong network was steady in last three quarters. The number of the second largest botnet last quarter, Bamital, remains high this quarter. And the eighth botnet, Bedep, which entered top 10 for the first time, got a significant increase of 162%.

Bamital

In Q3 2015, the Bamital botnet entered top 10 for the first time. It appeared in the Hong Kong network in early September and its number burst in late September. Its number remains high in early October. However, it suddenly disappeared afterwards. Only a very low number of events were detected since mid October.

HKCERT hasn’t received any news about the sudden burst and drop in the number of Bamital events. We will keep monitoring this botnet.

Bedep

The Bedep botnet entered top 10 for the first time. This botnet was first discovered in Hong Kong network in September 2015.

Bedep is a Trojan that performs click fraud and visits unwanted websites without the user’s knowledge. After infecting a victim, Bedep would secretly create a hidden virtual desktop that hosts the Internet Explorer COM window invisibly. The malware then can perform different malicious actions in the hidden window.

Firstly, it would generate click fraud traffic to generate revenue. The bot would secretly visit advertisements in the sites hosted by the cybercriminal. Some of the sites were even optimized for ads so that it could show as many ads as possible, in order to maximize the revenue. It also generates click fraud traffic to video clips so as to promote the popularity of them. Some video sharing sites rank videos according to the number of visits. The fraud traffic could help the target video clips to obtain higher ranking. These clips include political clips.

Secondly, it would visit websites serving exploit kits, which could possibly infect the victim computer with even more malwares.
Bedep spreads through malvertising with exploit kits.
 

HKCERT has been following up the security events received and proactively engaged local ISPs for the botnet clean up since June 2013. Currently, botnet cleanup operations against major botnet family - Pushdo, Citadel, ZeroAccess and GameOver Zeus are still in action.

HKCERT urges general users to join the cleanup acts. Ensure your computers are not being infected and controlled by malicious software.

Protect yourself and keep the cyberspace clean.

Download Report

< Please click to download Hong Kong Security Watch Report >

¹ IFAS  Information Feed Analysis System is a HKCERT developed system that collects global security intelligence relating to Hong Kong for analysis.

2 Refer to Appendix 1 for the Sources of Information

³ The numbers were adjusted to exclude the unconfirmed defacement events

⁴ The numbers were adjusted to exclude the unconfirmed defacement events