Skip to main content

Hong Kong Security Watch Report (Q3 2015)

Release Date: 26 Oct 2015 2452 Views

HKCERT is pleased to bring to you the "Hong Kong Security Watch Report" for the third quarter of 2015.


Nowadays, a lot of “invisible” compromised computers are controlled by attackers with the owner being unaware. The data on these computers may be mined and exposed every day and the computers may be utilized in different kinds of abuse and criminal activities.


The Hong Kong Security Watch Report aims to provide the public a better "visibility" of the situation of the compromised computers in Hong Kong so that they can make better decision in protecting their information security.


The report provides data about the activities of compromised computers in Hong Kong which suffer from, or participate in various forms of cyber attacks, including web defacement, phishing, malware hosting, botnet command and control centres (C&C) and bots. Computers in Hong Kong is defined as those whose network geolocation is Hong Kong, or the top level domain of their host name is “.hk” or “.香港”. 


Highlight of Report

This report is for Quarter 3 of 2015.


In 2015 Q3, there were 17,299 unique security events related to Hong Kong used for analysis in this report. The information is collected with IFAS1 from 19 sources of information2. They are not from the incident reports received by HKCERT.


Figure 1 –Trend of security events3



The total number of security events in Q3 2015 decreased by 21% or 4,488 events. But the number is still much higher than that two quarters before.




Server related security events


Server related security events include malware hosting, phishing and defacement. Their trends and distributions are summarized below:



Figure 2 –Trend and distribution of server related security events4


The number of server related security events decreased dramatically from 16,338 to 11,352 (decreased by 31%) in Q3 2015. The decrease in number was due to the significant drop of phishing events. However, the number of malware hosting events increased by 23%. As a result, the number of server related security events is still much higher than that of Q4 2014 and Q1 2015.


In the report for Q2 2015, we have reported that around 41% of the malware hosting events were related to the Ramnit botnet. In this quarter, the situation continued, the top two most hosted malware can be used to spread Ramnit. Among them, HTML/Drop.Agent.AB is a Trojan that can download additional malware to the infected PC. Though its number was 22% lower than the previous quarter, its related security events still accounted for 28% of all malware hosting events. The other related malware, VBS_RAMNIT.SMC, is a Visual Basic script virus which has the capability to infect certain files such as HTML and JavaScript files. The infected scripts can then install other malware. It accounted for 16% of all malware hosting events. These two malware together contributed to 44% of all malware hosting events.

Other than the Ramnit related malwares, the third largest malware, HTML_DOWN.A also contributed a significant amount of 1239 events, which equal 15% of all malware hosting events. This malware was from a drive-by download campaign called PTDark3. When a user visits an infected site, the malicious code would try to find an exploit that works on the user’s computer. And then it would download the payload and infect the victim. Most of the malware hosting servers were legitimate sites that were compromised.




 HKCERT urges system and application administrators to protect the servers.

  • patch server up-to-date to avoid the known vulnerabilities being exploited.
  • update web application and plugins to the latest version
  • follow best practice on user account and password management

  • implement validation check for user input and system output
  • provide strong authentication, eg. two factor authentication, at administrative control interface
  • acquire information security knowledge to prevent social engineering



Botnet related security events


Botnet related security events can be classified into two categories:

  • Botnet Command and Control Centres (C&C) security events – involving small number of powerful computers, mostly servers, which give commands to bots
  • Bots security events – involving large number of computers, mostly home computers, which receive commands from C&C.


Botnet Command and Control Servers

The trend of botnet C&C security events is summarized below:



Figure 3 –Trend of Botnet (C&Cs) related security events


The number of botnet Command and Control Servers dropped this quarter.


There were 3 C&C servers reported in this quarter. All were identified as IRC bot C&C servers.


Botnet Bots

The trend of botnet (bots) security events is summarized below:



Figure 4 - Trend of Botnet (Bots) security events


Number of Botnet (bots) on Hong Kong network slightly increased this quarter. Among the top 10 botnets, 6 of them got a double digit decrease in percentages. However, there were two new botnets, Bamital and Nymaim, the former was the second largest botnet this quarter. 


In Q3 2015, the Bamital botnet entered top 10 for the first time. It appeared in Hong Kong network in early September and its number burst in late September. It contributed 1623 events and became the second largest botnet this quarter.
Bamital is a click-fraud botnet. When a user click a legitimate search results from certain search engines, Bamital will redirect them to potentially malicious websites. The cybercriminals can generate profits by redirecting the victims to online advertisements.

In February 2013, Microsoft and Symantec joined force to take down the infrastructures of the Bamital botnet and seized the web servers. Instead of shutting down the botnet, they redirected the users to a warning page that told the victim about the infection and instructions for clean up. This operation was expected to clear most of the infected computers.
Bamital spread by drive-by download and P2P network.



Nymaim is a Ramsonware that locks the victim’s computer and shows a “lock screen” that demands the victims to pay money in order to to get access to the PC again.
Nymaim spread by malicious websites or scam mails.

 yre spreads through spam emails.



 HKCERT urges users to protect computers so as not to become part of the botnets.

  • patch the computers
  • install a working copy of security software and scan for malware on their machines
  • set strong password to avoid credential based attack
  • do not use Windows, media files and software that have no proper licenses
  • do not use Windows and software that have no security updates


HKCERT has been following up the security events received and proactively engaged local ISPs for the botnet clean up since June 2013. Currently, botnet cleanup operations against major botnet family - Pushdo, Citadel, ZeroAccess and GameOver Zeus are still in action.


HKCERT urges general users to join the cleanup acts. Ensure your computers are not being infected and controlled by malicious software.


Protect yourself and keep the cyberspace clean.



 Users can use the HKCERT guideline to detect and clean up botnets



Download Report


< Please click to download Hong Kong Security Watch Report >


1 IFAS  Information Feed Analysis System is a HKCERT developed system that collects global security intelligence relating to Hong Kong for analysis.

2 Refer to Appendix 1 for the Sources of Information


3 The numbers were adjusted to exclude the unconfirmed defacement events


4 The numbers were adjusted to exclude the unconfirmed defacement events