Skip to main content

Hong Kong Security Watch Report (Q4 2016)

Release Date: 27 Jan 2017 3208 Views

HKCERT is pleased to bring to you the "Hong Kong Security Watch Report" for the fourth quarter of 2016.


Nowadays, a lot of “invisible” compromised computers are controlled by attackers with the owner being unaware. The data on these computers may be mined and exposed every day and the computers may be utilized in different kinds of abuse and criminal activities.


The Hong Kong Security Watch Report aims to provide the public a better "visibility" of the situation of the compromised computers in Hong Kong so that they can make better decision in protecting their information security.


The report provides data about the activities of compromised computers in Hong Kong which suffer from, or participate in various forms of cyber attacks, including web defacement, phishing, malware hosting, botnet command and control centres (C&C) and bots. Computers in Hong Kong is defined as those whose network geolocation is Hong Kong, or the top level domain of their host name is “.hk” or “.香港”. 


Highlight of Report

This report is for Quarter 4 of 2016.


In 2016 Q4, there were 13,681 unique security events related to Hong Kong used for analysis in this report. The information is collected with IFAS1 from 19 sources of information2. They are not from the incident reports received by HKCERT.


Figure 1 –Trend of security events



The total number of security events in 2016 Q4 increased significantly by 102% or 6,907 events. The huge increase was due to the unusually small base last quarter, which was caused by the temporary absence of one of our major data sources, CleanMX. Actually the number this quarter was lower than the average number of the previous four quarters.




Server related security events


Server related security events include malware hosting, phishing and defacement. Their trends and distributions are summarized below:


 Figure 2 –Trend and distribution of server related security events


The number of server related security events increased from 4,139 to 9,025(increased by 118%) this quarter.


The domain that hosted the largest number of malware was It hosted 543 or 11% of all malware hosting events. At first sight, this domain looked like a malicious domain: the domain name was composed by seemingly random characters; the administrator email address, [email protected] is used by hundreds of domains. However, WHOIS history showed that a year ago the domain was owned by an organization called “Bao Tou Shi Jiu Yuan Qu Ke Xue Ji Shu Ju” which is the Chinese pinyin roughly translated to The Science and Technology Bureau of Jiu Yuen District, Bao Tou City (a city in inner Mongolia, China), which is a unit in the Chinese Government. btjykjj was the short form of the pinyin name. The domain was not renewed after its expiry a year ago. And then it was registered by its current owner [email protected].


We further discovered that the IP address resolved by this domain was responsible for six more malware hosting events. Among which, at least two of them were suspected to be expired legitimate domains. They were, which is the short form of “Guang An Yue Lai Zhen”, Chinese pinyin translated to Yue Lai Town of Guang An City (a city in Sichuan Province, China) and, which is the short form of “He Fei Jiu Gong Ge”, a decoration company in Anhui Province, China.


These cases showed that cyber crooks are looking for expired legitimate domains for malicious use. These domains can gain trust from the victims easier, due to their seemingly legitimate appearances, especially to the victims who know the legitimate organizations behind. Internet users shouldn’t trust a URL solely based on its domain name. When in doubt, always do further checking before accessing the URL.  



 HKCERT urges system and application administrators to protect the servers.

  • provide strong authentication, eg. two factor authentication, at administrative control interface
  • acquire information security knowledge to prevent social engineering
  • verify any suspicious URLs before visiting



Botnet related security events


Botnet related security events can be classified into two categories:

  • Botnet Command and Control Centres (C&C) security events – involving small number of powerful computers, mostly servers, which give commands to bots
  • Bots security events – involving large number of computers, mostly home computers, which receive commands from C&C.


Botnet Command and Control Servers

The trend of botnet C&C security events is summarized below:


 Figure 3 –Trend of Botnet (C&Cs) related security events


The number of botnet Command and Control Servers decreased this quarter.


The number of botnet Command and Control Servers decreased this quarter. There was one C&C servers reported in this quarter, which was identified as IRC bot C&C server.


Botnet Bots

The trend of botnet (bots) security events is summarized below:


 Figure 4 - Trend of Botnet (Bots) security events


Number of Botnet (bots) in Hong Kong network increased significantly by 77%. Two new botnets, Mirai and Avalanche contributed almost half of all botnet events.




This quarter, the long term dominance of Conficker ended. Conficker has always been on the top of the chart since our first report, leading others by a far distance. However, it was outranked by a new comer, Mirai.


Mirai is a botnet targeting Internet of Things (IoT) devices. IoT devices are Internet-connected devices such as webcams, routers and smart-TVs, etc. They are usually easy targets as most of them are poorly secured and operated by ordinary people who lack security expertises.

Mirai spreads by using telnet with default passwords to attempt to take control of victim devices. It has a built-in username-password list that contains over 60 default credentials. 5 With this, Mirai easily infected hundreds of thousands of devices over the world. If a user connects an IoT device to the internet without changing the default password, there is a high chance the device will be infected in a short time. 

In September, the botnet launched a massive DDoS attack to the website of cybersecurity blogger Brian Krebs. The website was hit by a scary 620+ Gbps traffic. Shortly after that, a French hosting company, OVH suffered the largest DDoS attack known today – with peak traffic close to 1Tbps. Then, in less than a month, the botnet launched another DDoS attack to a DNS provider DYN. The attack brought down DYN’s service as well as a few websites that rely on DYN’s service.

In November, 0.9 million routers from a German ISP Deutsche Telekom were forced offline by the Mirai botnet. Researchers found that this variant of Mirai botnet used a new way to spread. In addition to the traditional way of using factory default credentials, it can exploit a vulnerability in specific routers made by Zyxel and Speedport. Then it can remotely infect vulnerable devices through TR-069, which is a remote management protocol.

Cleanup of the malware is difficult. Mirai would disable the port used by TR-069 and telnet so as to cripple the ISP’s ability to remotely patch the devices. Users need to power off the routers in order to clear the malware from the memory. However, if the devices are not patched immediately, they may be infected again in minutes as Mirai is active scanning vulnerable internet devices.
In foreseeable future, Mirai will remain a major threat to the internet.



 HKCERT urges users to protect computers so as not to become part of the botnets.

  • change the default passwords of IoT devices immediately
  • set strong password to avoid credential based attack
  • do not expose the devices to the internet, unless necessary.
  • do not use Windows and software that have no security updates
  • if you suspect your device is infected, unplug it from the network immediately




Avalanche, set up in 2009, is a hosting platform made up of around 600 servers worldwide, which was mainly used by cybercriminals to deploy financial crimeware (e.g. Zeus, SpyEye), issue commands to infected devices (e.g. to send out fraudulent emails, conduct money laundering activities). In order to hide the server actual locations, it made use of proxy server and also “double fast flux” techniques, i.e. changing both DNS and IP address of a malicious domain every 5 minutes, for infected devices to connect to the platform.


A joint operation to take down the “Avalanche” cybercrime hosting platform was led by Europol, and conducted with law enforcement, judiciaries, and security researchers from more than 30 countries. In this operation, 5 individuals were arrested, and 39 servers were seized, and 221 servers were put offline by the hosting providers. Over 830,000 website domains were seized, blocked or “sinkholed”.


Around 350 Hong Kong IP addresses were affected. HKCERT has notified the corresponding ISP to contact their affected clients.



 HKCERT urges users to protect computers so as not to become part of the botnets.

  • patch the computers
  • install a working copy of security software and scan for malware on their machines
  • set strong password to avoid credential based attack
  • do not open files from unreliable sources


HKCERT has been following up the security events received and proactively engaged local ISPs for the botnet clean up since June 2013. Currently, botnet cleanup operations against major botnet family - Pushdo, Citadel, ZeroAcces, GameOver Zeus and Ramnit are still in action.


HKCERT urges general users to join the cleanup acts. Ensure your computers are not being infected and controlled by malicious software.


Protect yourself and keep the cyberspace clean.



 Users can use the HKCERT guideline to detect and clean up botnets



Download Report


< Please click to download Hong Kong Security Watch Report >


1 IFAS  Information Feed Analysis System is a HKCERT developed system that collects global security intelligence relating to Hong Kong for analysis.

2 Refer to Appendix 1 for the Sources of Information