
Hong Kong Security Watch Report (Q1 2016)

Release Date: 29 Apr 2016

HKCERT is pleased to bring to you the "Hong Kong Security Watch Report" for the first quarter of 2016.


Nowadays, many “invisible” compromised computers are controlled by attackers without their owners being aware. The data on these computers may be mined and exposed every day, and the computers may be used in different kinds of abuse and criminal activities.


The Hong Kong Security Watch Report aims to give the public better "visibility" of the situation of compromised computers in Hong Kong so that they can make better decisions in protecting their information security.


The report provides data about the activities of compromised computers in Hong Kong which suffer from, or participate in, various forms of cyber attacks, including web defacement, phishing, malware hosting, botnet command and control centres (C&C) and bots. Computers in Hong Kong are defined as those whose network geolocation is Hong Kong, or whose host name has the top level domain “.hk” or “.香港”.


Highlight of Report

This report is for Quarter 1 of 2016.


In 2016 Q1, there were 35,100 unique security events related to Hong Kong used for analysis in this report. The information is collected with IFAS [1] from 19 sources of information [2]. They are not from the incident reports received by HKCERT.


Figure 1 – Trend of security events [3]


The total number of security events in Q1 2016 increased sharply by 117% or 18,956 events. The increase was mainly due to malware hosting events.




Server related security events


Server related security events include malware hosting, phishing and defacement. Their trends and distributions are summarized below:



Figure 2 – Trend and distribution of server related security events [4]


The number of server related security events increased from 10,514 to 31,269 (increased by 197%) in Q1 2016.


This quarter, the number of defacement events and phishing events increased by 34% and 4.7% respectively, while malware hosting events increased more than threefold, reaching a record-breaking 26,630 events. This number alone is higher than the total number of events in any previous quarter.


This extraordinary number was due to mass compromises of a few legitimate websites. The top four malware hosting domains were all hosting legitimate mainland websites. They alone hosted around 9,000 malware hosting URLs, accounting for about 1/3 of all malware hosting events. Three of them were using outdated software, which was likely to be the source of compromise. HKCERT always emphasises the importance of patching, which can prevent attacks via known vulnerabilities.



HKCERT urges system and application administrators to protect their servers:

  • keep servers patched and up to date to prevent known vulnerabilities from being exploited
  • update web applications and plugins to the latest version
  • follow best practice on user account and password management
  • implement validation checks for user input and system output
  • provide strong authentication, e.g. two factor authentication, at administrative control interfaces
  • acquire information security knowledge to prevent social engineering



Botnet related security events


Botnet related security events can be classified into two categories:

  • Botnet Command and Control Centres (C&C) security events – involving a small number of powerful computers, mostly servers, which give commands to bots
  • Bots security events – involving a large number of computers, mostly home computers, which receive commands from C&C


Botnet Command and Control Servers

The trend of botnet C&C security events is summarized below:



Figure 3 – Trend of Botnet (C&Cs) related security events


The number of botnet Command and Control Servers dropped this quarter.


There were 3 C&C servers reported in this quarter. All were identified as IRC bot C&C servers.


Botnet Bots

The trend of botnet (bots) security events is summarized below:



Figure 4 - Trend of Botnet (Bots) security events




The number of botnet (bots) events on the Hong Kong network decreased significantly this quarter. Bamital, the second largest botnet last quarter, disappeared from the Hong Kong network, causing the significant drop in event number. However, the eighth botnet, Bedep, continued to grow.

Researchers found that there were strong connections between Bedep and the infamous Angler Exploit Kit.
An exploit kit is a software system designed to upload and execute malicious code on victims' computers. When a victim’s browser is directed to a malicious website that hosts an exploit kit, the kit exploits security holes, known as vulnerabilities, in order to infect the user with malware. The entire process can occur completely invisibly, requiring no user action.

Angler was one of the most popular exploit kits. It first appeared in late 2013, and since then has significantly grown in popularity in the cyber underworld.
Researchers found that two thirds of Angler’s payloads were some variations of ransomware and noted one of the other major payloads was Bedep.

Exploit kits rely on existing vulnerabilities to attack. To avoid falling victim to exploit kits, users should ensure that their software, such as browsers, and their operating system are up to date. Doing so can greatly reduce the risk from attacks by exploit kits. Users should also install security software such as antivirus or intrusion prevention systems, which can block certain attack patterns.


HKCERT urges users to protect their computers so as not to become part of the botnets:

  • patch the computers
  • install a working copy of security software and scan for malware on their machines
  • set strong passwords to avoid credential based attacks
  • do not use Windows, media files and software that have no proper licenses
  • do not use Windows and software that have no security updates


HKCERT has been following up on the security events received and has proactively engaged local ISPs for botnet cleanup since June 2013. Currently, botnet cleanup operations against the major botnet families Pushdo, Citadel, ZeroAccess, GameOver Zeus and Ramnit are still in action.


HKCERT urges general users to join the cleanup effort. Ensure your computers are not infected and controlled by malicious software.


Protect yourself and keep the cyberspace clean.



 Users can use the HKCERT guideline to detect and clean up botnets



Download Report


< Please click to download Hong Kong Security Watch Report >


1 IFAS (Information Feed Analysis System) is a system developed by HKCERT that collects global security intelligence relating to Hong Kong for analysis.

2 Refer to Appendix 1 for the Sources of Information


3 The numbers were adjusted to exclude the unconfirmed defacement events


4 The numbers were adjusted to exclude the unconfirmed defacement events