Posts by nart

Crime or Espionage?

ZeuS is a well known crimeware tool kit that is readily available online. The tool allows even the most unskilled to operate a botnet. Typically, Zeus has been associated with banking fraud. Recently, there have been a series of attacks using the Zeus malware that appear to be less motivated by bank fraud and more focused on acquiring data from compromised computers. The themes in the emails — often sent out to .mil and .gov email addresses — focus on intelligence and government issues. After the user receives such an email, and downloads the file referenced in the email, his or her computer will likely (due to the low AV coverage) become compromised by the ZeuS malware used by the attackers and will begin communicating with a command and control server. It will then download an additional piece of malware, an “infostealer”, which will begin uploading documents from the compromised computer to a drop zone under the control of the attackers. Are these series of attacks connected? Are these events indicating a blurring of the boundaries between online crime and espionage? Or are government and military personnel just another target for online criminal activity?

This post was inspired by a recent post at What appears to be a one-off attack using Zeus, I believe, is actually another round of a series of Zeus attacks. These attacks appear to be aimed at those interested in intelligence issues and those in the government and military, although the targeting appears to be general rather than targeted.

Round 1

On February 6th, 2010, Brian Krebs reported that attackers using the Zeus trojan targeted a variety of .gov and .mil email addresses in a spear phishing attack that appeared to be from the National Security Agency and enticed users to download a report called the “2020 Project.” The command and control server used in the attacks was

Round 2

Following the publication of the article by Brian Krebs, attackers took portions of his article and used them as lure in further spear phishing attacks. Sophos Labs analyzed the sample that used Kreb’s post. A post on by Jeff Carr regarding the spear phishing attack was also used in another attack. I documented these attacks in “The ‘Kneber’ Botnet, Spear Phishing Attacks and Crimeware“. The key command and control server in this case was also

Round 3

In early March 2010, more emails began circulating, one of which encouraged users to download malware from ( This malware used ( as a command and control server. In addition to sharing an IP address, both domain were registered by The attack continued using the domain names,, and ( which were hosted on The domain names used in these attacks were variations of domain names owned by Jeff Carr who has aptly characterized these attacks as a “Poisoning The Well” attack.

Round 4

In June 2010 another campaign began. The lure of the attack emphasizes Jeff Carr’s book “Inside Cyber Warfare: Mapping the Cyber Underworld” with the text copied from The command and control server in this case was

Round 5

Mila Parkour recently posted details of an interesting attack on The email used in the attack appeared to be from “” with the subject “Intelligence Fusion Centre” and contained links to a report EuropeanUnion_MilitaryOperations_EN.pdf that exploits CVE-2010-1240 in order to drop a ZeuS binary.

File name: EuropeanUnion_MilitaryOperations_EN.pdf
MD5: 8b3a3c4386e4d59c6665762f53e6ec8e
VT: 11/41 (26.8%)

File name: exe.exe
MD5: 5fb94eef8bd57fe8e20ccc56e33570c5
VT: 3/41 (7.3%)

File name: ntos.exe
MD5: 28c4648f05f46a3ec37d664cee0d84a8
VT: 4/39 (10.3%)

First, the ZeuS malware connects to ( to receive the Zeus config file. Second, the malware connects to ( to download an infostealer. Finally, the infostealer connects to (

MD5: 4f47b495caae1db79987b34afc971eaa
VT: 3/ 42 (7.1%)

The domain name was registered by “Maria Laguer” with the email address, which was also used to register (the name is also associated with other ZeuS domain, see MDL). The decrypted ZeuS config file from contains two additional domain names: and The domain names were used as part of a previous ZeuS campaign that used as a command and control server. IN addition the location of the malware,, was also used in a previous campaign that had as the command and control server.

One of the email addresses ( that was used to propagate the malware associated with also delivered the emails containing malware hosted on, which was registered by the infamous and used in attacks in May. The domain was hosted on along with which was used as a command and control server.

The boundaries between the online crime and espionage appear to be blurring making issues of attribution increasingly more complex. Are online criminals simply targeting those interested in intelligence issues as well as members of the government and military for fraud? Have they determined that they can exploit such persons for fraud in addition to selling and sensitive data acquired to those who would be in the market for such information? Or is the campaign more specifically oriented toward espionage using ZeuS and the malware ecosystem as convenient cover? While these questions are unlikely to be ever definitively answered, we can begin to assess qualitative changes in attacks by tracking them overtime and carefully linking together seemingly disparate peices of data. This post was made possible by a wide variety of sources that each posted components of these attacks. While there is a need to protect certain sources as well as operation security so that the “bad guys” are not tipped off and continued research into their malicious activities remains possible, information sharing remains a key component malware research.

Dynamic Malware Binaries

I recently found the distribution point for a malware affiliate that dynamically generates a new binary (but the same malware) every time it is queried. The malware distributers periodically query the affiliates distribution point to receive a new binary. However, any queries to the distribution location results in a binary with a different hash value. I generated a sample of 10 binaries and uploaded each of them to to find out if the changes being made to the binary disrupted the ability of anti-virus software (AV) to detect the malware. While just under 40% of the AV products that VT uses detected the software, the ones that did detect the malware continued to detect it despite the changes to each individual binary that caused the hash value to change.

Here are the results:

Sample 1
2010-08-24 19:51:04
16/42 38.1%

Sample 2
2010-08-24 19:51:14
15/41 36.6%

Sample 3
2010-08-24 19:51:26
15/41 36.6%

Sample 4
2010-08-24 19:51:39
14/40 35.0%

Sample 5
2010-08-24 19:51:52
15/40 37.5%

Sample 6
2010-08-24 19:52:06
16/42 38.1%

Sample 7
2010-08-24 19:52:19
16/42 38.1%

Sample 8
2010-08-24 19:52:37
14/39 35.9%

Sample 9
2010-08-24 19:52:50
16/42 38.1%

Sample 10
2010-08-24 19:53:03
16/42 38.1%

AV 01 02 03 04 05 06 07 08 09 10
CAT-QuickHeal x x x x x x x x x x
McAfee x x x x x x x x x x
VirusBuster n
F-Prot x x x x x x x x x x
BitDefender x x x x x x x x x x
Sophos x x x x x x x x x x
Comodo x x x x x x x x x x
F-Secure x x x x x x x x x x
DrWeb n
McAfee-GW-Edition x n n n n x x x x x
Emsisoft x x x n x x x n x x
eTrust-Vet x x x x x x x x x x
Authentium x x x x x x x x x x
GData x x x x x x x x x x
VBA32 x x x x x x x x x x
Sunbelt x x x x x x x x x x
Ikarus x x x x x x x x x x
Panda x x x x x x x n x x

x = detected
– = not detected
n = not tested

Black Hat SEO, PPC & RogueAV

Search Engine Optimization (SEO) is a term that refers to efforts to increase the rankings of a website so that it appears in the top results when searching for particular key words in a search engine. Black Hat SEO refers to “unscrupulous” SEO techniques often used to promote Rogue/Fake security software and pay-per-click (PPC) advertisement schemes. (See “Poisoned search results” by Sophos for details. See Trend Micro’s posts Making a Million, Part One—Criminal Gangs, the Rogue Traffic Broker, and Stolen Clicks and Making a Million, Part Two—The Scale of the Threat for an understanding of PPI/PPC relationships as well as RogueAV/FAKEAV). Using Black Hat SEO malicious actors are able to have their content displayed in search engines when users search for particular, usually popular, keywords. When users click on these links, they are taken to either PPC websites or RogueAv websites. The malicious actors are paid for this traffic by their PPC and RogueAV affiliates.

Dancho Danchev recently profiled a campaign using compromised .nl and .ch websites to push PPC and RogueAV installations. This post provides some additional details on the campaign.

The actors behind the campaign are using, among other techniques, compromised FTP accounts to upload malicious files to web servers around the world. Compromised FTP credentials are readily available for purchase in the malware ecosystem and are often used to propagate malware. Malicious files are uploaded to compromised websites with snippets of text based on particular search phrases. This files are designed so that when users search for certain key words in search engines, these malicious sites are high ranked in the results. While the search engines see this content, when users click on links they are redirected to the malicious server and on the PPI affiliates or RogueAV landing pages.

The servers used by the malicious actors to receive incomping requests from the compromised web servers are using numerous domain names that resolve to several IP addresses (see and Despite the multiple IP addresses and domain names, they all really point to the same server. Based on “referer” logs generated by the malicious server used in the campaign, I’ve compiled statics on the amount of traffic generated by the campaign to the “/liq/?st=” page between 2010-03-15 and 2010-08-18.

A total of 5,054,990 unique IP addresses generated a total of 9,003,188 page views between 2010-03-15 and 2010-08-18. Most of the traffic (45.99%) originated from the USA. Significant traffic was also generated from the United Kingdom, Canada, Australia and India.

Country Pageviews
US 4141181
N/A 2120320
GB 584884
CA 426338
AU 192713
IN 145287
NL 94310
DE 75934
PH 72625
FR 47163

The traffic to the malicious server is primarily generated from search engine results. was the most prominent referrer with 52.18% of all the traffic. While Yahoo! was also a source of a significant amount of referrals, Bing only accounted for 631 referrals.

Referer Pageviews 4698249 610156 532038 479531 241546 174538 99944 92154 87652
N/A 77259

The following table shows the keywords that appeared most frequently in the queries users entered into search engines. The queries ultimate brought the user to the malicious actors’ server and on to their PPC and/or RogueAV affiliates landing pages.

Keyword Pageviews
free 621148
printable 574588
powered 251541
letter 193575
phpbb 171689
template 168488
kids 133337
worksheets 129167
with 129162
sale 115484
pictures 110804
sample 108331
grade 105488
coloring 98791
weather 85056

In total, 81.89% of all the pageviews were from computers running Windows (XP, Vista, 7) with 49.82% from XP systems. Most of these systems were probably redirected to RogueAV landing pages (I have not seen RogueAV targeting any platform other than Windows). Realizing that income can be generated from non-Windows traffic as well, the malicious actors redirected traffic to a PPC affiliate.

Operating System Pageviews
Windows NT 5.1 4485923
Windows NT 6.0 1855129
Windows NT 6.1 1032128
Linux i686 297166
Intel Mac OS X 10_5_8 203142
Intel Mac OS X 10.5 86777
Intel Mac OS X 10_6_3 85120
Intel Mac OS X 10_6_4 73613
Intel Mac OS X 10.6 68535
CPU iPhone OS 3_1_3 50709
Intel Mac OS X 10_4_11 50346

Microsoft’s Internet Explorer accounted for 58.92% of the total pageviews, followed by Firefox. Mobile phones (iPhone, Blackerry, Android) accounted for 172,674 pageviews.

Browser Pageviews
IE 8.0 2420222
IE 7.0 1852866
IE 6.0 1026844
Firefox 3.6.3 585996
Firefox 3.5.5 268225
Chrome 5.0.375 222611
Firefox 3.6.8 214800
Safari 4.0.5 199939
Firefox 3.6.6 177534
Chrome 4.1.249 169083

How does it work?

Malicious files are uploaded to the compromised sites that contain links and text based upon lists of search queries. The snippets of text and links are used to boost the ranking of these sites in search engines. As a result, when users query search engines, the compromised websites appear in the results. When users visit these sites they are redirected to a server under the control of malicious actors.

These pages sometimes redirect users to RogueAV landing pages, and, other times display the content of the SEO pages that are generated to improve the search engine ranking for the malicious actors.

When users click the links in the search results, they are redirected to the malicious actor’s server and on through to wither their PPC affiliate’s or their RogueAV affiliate’s landing pages. In the case of RogueAV, these landing pages display a “scare page” that prompts the user to install the RogueAV software. redirects to which redirects to which redirects to which redirects to which then redirects to the RogueAV affiliates which redirects to[redacted] which redirects to[redacted] to download the executable packupdate9_289.exe.

File name: packupdate9_289.exe
MD5: ec28207e2e63f62e6c6d71cbabeaa151
VT: Result:6/ 40 (15.0%)

The domains of the RogueAV affiliate change frequently. In addition, the RogueAV binaries also change frequently. These changes make it more difficult for security products to protect users. For example, in this case only 6 of 40 AV products on VirusTotal detected the RogueAV binary.

On some occasions, users are redirected to a PPC affiliate. This allows the malicious actors to earn income for the traffic being pushed to the PPC affiliates search engine. redirects to redirects to redirects to

After passing through a variety of redirects through the malicious actor’s server ( and the user ends up at the PPC affiliate page.

Some visitors are directed to download a malware binary posing as Adobe Flash Player.

MD5: 658bb224c030542de22a9997e65f27e5
VT: 14/ 42 (33.3%)
Anubis Report

Traffic from over 5 million IP addresses totaling over 9 million page views in the last five months (2010-03-15 and 2010-08-18) passed through a malicious server and on to either PPC affiliates or RogueAV landing pages. This case is a good example of the profit-driven malware ecosystem. The malicious actors behind the campaign acquired (possibly from a third party) compromised FTP credentials for legitimate websites and used Black Hat SEO techniques to poison search engine results. They then redirected a significant amount of traffic through their own malicious infrastructure through to their PPC and Rogue AV affiliates. The malicious actors behind this campaign did not need a high degree of technical proficiency, the ability to program deceptive viruses and trojans or 0day exploits (or any exploits at all). All they did was leverage resources within the malware ecosystem in order to act as a “traffic broker” and redirect traffic to others within the malware ecosystem in order to generate income.

Traffic Direction Systems

Traffic Direction Systems (TDS) are used as landing pages that direct traffic to malicious content based on a variety of criteria such as operating system, browser version and geographic location. There are a variety of TDS systems available including Sutra TDS ( Finjan posted an interesting analysis of one campaign (it no longer appears to be available) in which they tracked the use of the TDS through from the use of a malicious iframe embedded in a compromised website to an exploit pack that attempts to compromised the user based on the types of (vulnerable) software the user has installed.

The statistics pages of some of sites using SUTRA TDS (, and were retrieved from the Google cache. ( ( (

I found it interesting that the highest percentage of traffic to and was from Russia. The top referrers were generally porn sites and pay-per-click sites. Pay-per-click sites are an important part of converting botnet traffic into income. In a great two-part post (Making a Million, Part One—Criminal Gangs, the Rogue Traffic Broker, and Stolen Clicks and Making a Million, Part Two—The Scale of the Threat) Trend Micro explores the relationship between these pay-per-click traffic brokers, click fraud and botnets.

Two of the top referrers to and were pay-per-click brokers and

Now, its not entirely clear what activities, and are engaged in, but some additional searches revealed connections with malicious activity.

For example, the email address used to register ( was also used to register which Malware URL has linked to the distribution of RogueAV/FAKEAV software. The email address used to register and ( has been linked to several trojans by

While there are malicious activities associated with common IP addresses and email addresses it is important to note that the details of linkages between all the activities remain unclear. Domain names registered with one email address maybe sold to or used by someone else. Moreover, many malicious sites may be hosted on a single IP address especially when one can purchase crimeware-friendly hosting. So, while the activity can be located within concentrations of malicious activity, and it makes sense to cluster this activity, it is important to remember that there are complex linkages between criminal actors in the malware ecosystem.

The Ambler Botnet

[UPDATED to include and]

In the past, the operators of large botnets sought to expand the size of their operations and cared little for the details of any individual compromised computer — one bot was as good, for the most part, as any other. Any one of the thousands of computers under their control could be used to send spam or participate in a denial of service attack. But now not all compromised computers are of equal value to botnet operators. As the focus of botnet activity becomes increasingly extractive — with an emphasis on stolen credit card numbers, credentials and private information — the geographic location of compromised computers has become an important factor for botnet operators. The geographic origin or stolen credit cards, or “dumps”, for example, is an important factor in pricing.

Geographic location is also important when botnet operators attempt to monetize their operations. The various compensation rates for pay-per-click and pay-per-install schemes — especially RogueAV/FAKEAV — are specific to the geographical location of the victim. Some of these schemes even restrict propagation in certain countries. There are botnets with victims that are highly concentrated by geographic location as well as targeted efforts to propagate botnets within specific regions.

This development may also be an effort by botnet operators to improve their operational security in response to the efforts by security researchers. As the risk of “take down” increases, botnet operators may be partitioning their operations to minimize the damage. As Dancho Danchev explains, this may also obscure the work of a single group by making it appear as if these disparate operations are the work of many unaffiliated groups.

The Ambler botnet is based on a trojan, Win32/Ambler, that has been actively spreading since at least October 2008. There are a variety of Win32/Ambler variants and many command and control servers. Win32/Ambler itself is a keylogger — malware that captures the keystrokes entered on a compromised computer — but also specifically targets those that use the online banking services of Bank of America. Win32/Ambler is also often found bundled with other malware.

The following post is the result of an investigation of six command and control servers –,,, and and – associated with Win32/Ambler. From these servers 1.8 gigabytes of data was collected. This data contains sensitive and private information from 11,251 compromised computers (38,920 unique IP addresses). It is not clear to me if the operators of these command and control servers are connected to each other, or if they are four separate botnets that happen to be using Win32/Ambler. Three of the C&C’s are hosted in China, and three are hosted in the US.

Geographic focus
These six control servers appear to be very focused with the vast majority of compromises in Italy, Russia and the United Kingdom, with one C&C focusing on the US. The majority of the compromised computers checking in with’s two Ambler installations are from Italy (and the ones detected as EU may be Italian as well.) Those checking in with and are almost entirely Russian. The compromised computers checking in with are mostly from the US. Finally, those checking in with and are primarily from the United Kingdom. There appears to be an effort to segment compromised computers at the country level among these command and control servers.

IP’s vs. Hosts
Estimating botnet size is not simply counting IP addresses. When looking at IP addresses, 38,920 unique IP addresses were found. But when counting the unique identifiers the malware assigns to each machine, the actual size of the botnet is 11,251 compromised machines. And even that number contains all machines that “checked in” with the C&C. It may include machines that are no longer compromised or no longer exist. The timestamps associated with the capture of information range from 04/16/2010 to 08/08/2010.

Captured data
The keylogger captured the keystrokes typed by the user as well as the location of the resource into which the the users entered the information. As a result broad range of content was captured including logins and passwords to email accounts, ftp accounts social networking sites and corporate and government web portals. The text of what users were searching for in search engines as well as chat conversations were also captured.

Two malware samples were found on the command and control servers:

The malware connects to the command and control server and a text file is created for each individual compromised computer. Captured information, primarily keystrokes, is uploaded and stored in these text files. There are some specific tags that delineate types of data. For example, “****BOAEMAIL****” and “****BOAQUES****” are used to identify the email address and answers to security questions for Bank of America (BOA) online banking clients. It also retrieves any stored information in protected storage, such as passwords, and marks it with “*******PROTECTED STORAGE*******” in order to identify it. the files also contain a listing of file paths for specified directories “****GETFILE PATHS****” as well as a list of the volumes available “****VOLUMES LIST****”. This allows the botnet operators to target specific files and directories for extraction.

The details for each command and control server are displayed below. (
( had two instances of the Ambler command and control backend at different directory locations). has address
inetnum: –
netname: DIGILAND
descr: Beijing Digiland media technology Co. Ltd
descr: Apt2 No5 Jinyuanzhuang AVE shijingshan district Beijing
country: CN ( has address
NetRange: –
OriginAS: AS32475
Country: US ( has address
inetnum: –
netname: SUNINFO-MDC
descr: Beijing Sun Rise Technology CO.LTD
descr: Tedatimes Center, Suite 1908, Tower4, No.15 Guanghua Road,
descr: Chaoyang District, Beijing, 100026, PRC
country: CN ( has address
inetnum: –
netname: SUNINFO-MDC
descr: Beijing Sun Rise Technology CO.LTD
descr: Tedatimes Center, Suite 1908, Tower4, No.15 Guanghua Road,
descr: Chaoyang District, Beijing, 100026, PRC
country: CN ( has address
OrgName: Layered Technologies, Inc.
Address: 5085 W Park Blvd
Address: Suite 700
City: Plano
StateProv: TX
PostalCode: 75093
Country: US ( has address
OrgName: Layered Technologies, Inc.
Address: 5085 W Park Blvd
Address: Suite 700
City: Plano
StateProv: TX
PostalCode: 75093
Country: US

In order to get a sense of the crimeware neighbourhood in which these control servers reside, is a great resource that can be used to identify other malicious domain names registered with the same email address and other domain names hosted on the same IP address.

The email addresses and used to register and were also used to register a variety of domain names that are hosting ZeuS elements as well as the Eleonore, Phoenix and Nuclear exploit kits. The IP addresses, and are also hosting a variety of malware including ZeuS, Russkill and YES exploit kit.

This does not mean that all of these activities are directly connected, but rather, that these activities are taking place within a malware ecosystem designed to maintain and monetize the operations of botnets. Botnets often rely on crimeware friendly hosting services, so it is not uncommon to see malicious activity concentrate around particular servers or networks. However, it does indicate that the botnet operators are connected with the malware ecosystem and leveraging the services offered within it to sustain and monetize their operations.

Human Rights and Malware Attacks

Human Rights and Malware Attacks

by Nart Villeneuve

On March 18, 2010, unknown attackers sent a spear phishing email that appeared to be from Sharon Hom, the Executive Director of Human Rights in China (HRIC), to a variety of organizations and individuals. Leveraging the trust and recognition of HRIC, the attackers’ email encouraged recipients to visit a compromised website that contained malicious code designed to allow the attackers to ultimately take full control of the visitor’s computer. These targeted malware attacks are now becoming commonplace, further extending the threat faced by civil society organizations.


One of the domains used in this attack,, has been used in a variety of attacks and has been documented by Mila at


Internet censorship is but one component of “a matrix of control” that acts to restrict and control information flow in China. The combination of censorship along with surveillance aims to influence behavior toward self-censorship so that most will not actively seek out banned information, let alone the means to bypass these controls. Those engaged in political activities and those who vocally oppose repressive policies such as censorship may be subjected to a complex set of threats—not simply censorship.

A 2008 report titled Breaching Trust: An Analysis of Surveillance and Security Practices on China’s TOM-Skype Platform uncovered that Skype and its Chinese partner Tom Online operated a surveillance network which insecurely captured millions of records including contact details for any text chat and/or voice calls and the full text of sensitive chat messages. A large portion of these captured messages concerned a political campaign that urged Chinese citizens to quit the Communist Party.

There have been an increasing number of targeted malware attacks against civil society organizations, human rights groups, media organizations, and Tibetan supporters. Typically, the targeted user receives an email, possibly appearing to be from someone they know who is a real person within his or her organization, with some text—sometimes specific, sometimes generic—that urges the user to open an attachment (or visit a web site), usually a PDF or Microsoft Office document .

If the user opens the attachment with a vulnerable version of Adobe Reader or Microsoft Office (other types of software are also being exploited) and no other mitigations are in place, their computer will likely be compromised. A clean version of the document is typically embedded in the malicious file and is opened upon successful exploitation so as not to arouse suspicion of the recipient.

Then the user’s computer checks in with a command and control server. At this point, the attacker has full control of the user’s system. The attacker can steal documents, email and send other data, or force the compromised computer to download additional malware and possibly use the infected computer as a mechanism to exploit the victim’s contacts or other computers on the target network.

In the last year, the Information Warfare Monitor has uncovered two cyber-espionage networks, investigated numerous targeted malware attacks, and published two reports: Tracking GhostNet: Investigating a Cyber Espionage Network and Shadows in the Cloud: An Investigation into Cyber Espionage 2.0.

The first, GhostNet, was a network of over 1200 compromised computers spread across 103 countries, 30 percent of which we identified and determined to be “high-value” targets, including ministries of foreign affairs, embassies, international organizations, news organizations, and a computer located at NATO headquarters. While we were able to determine that these entities had been compromised, we were only able to theorize about what type of data the attackers were able to acquire.

Our follow-up investigation uncovered the Shadow Network, and unlike GhostNet we were able to acquire the data stolen by the attackers. We were able to access just one portion of the Shadow Network that was primarily focused on extracting sensitive information from India. We recovered a wide variety of documents, including one document that appeared to be encrypted diplomatic correspondence, two documents marked “SECRET,” six as “RESTRICTED,” and five as “CONFIDENTIAL” which appear to belong to Indian government entities including the National Security Council Secretariat (NSCS) of India, the Embassy of India, Kabul, the Embassy of India, Moscow, the Consulate General of India, Dubai, and the High Commission of India in Abuja, Nigeria. We also recovered documents including 1,500 letters sent from the Dalai Lama’s office between January and November 2009.

The nature of the compromised entities and the data stolen by the attackers do indicate correlations with the strategic interests of the People’s Republic of China, but, we were unable to determine any direct connection between these attackers and elements of the Chinese state.



On March 18, 2010, attackers sent a “spear phishing” email that appeared to originate from Sharon Hom’s email account to several different organizations and individuals. The subject of the email was “Microsoft, Stool Pigeon for the Cops and FBI” and the email contained a JPG attachment. However, the attackers’ objective was for the targets to visit the link contained in the email. The link,, redirected to which was compromised by the attackers and in which they had inserted code that caused visitors to the website to open a malicious PDF from This PDF exploited Adobe Reader and compromised the visitors computer. Compromised computers then connected to a website under the attackers’ control,, and downloaded additional malware before ultimately connecting to a command and control server, 360liveupdate. com, in China.

Spoofed Email

From: Sharon Hom <>
Sent: Thursday, March 18, 2010 9:46 AM
: Microsoft, Stool Pigeon for the Cops and FBI


I’ve got my hands on a copy of the leaked, confidential Microsoft “Global Criminal Compliance Handbook,” which details for police and intelligence services exactly what information Microsoft collects about users of its online services, and how they can be accessed. What is gathered and available about you is quite comprehensive, including your emails, detailed information about when you sign in and use the services, credit card information, and so on. Attachments are scanned copies of documents.

For the whole documents, please visit

Email Headers

Although the email appeared to be from HRIC it was actually sent from the following location:

Sender: <>
: from ( [])
X-mailer: Foxmail 5.0 [cn]


The email headers reveal that the attackers actually sent the email from the following IP address:
OrgName: DCS Pacific Star, LLC
: 5050 El Camino Real, #238
City: Los Altos
StateProv: CA
: 94022
Country: US

The email encouraged recipients to visit, the website of an organization called the Coalition for Citizen’s Rights. This organization is a vocal opponent of the Chinese government.

The attackers compromised the website and inserted malicious code that caused vulnerable visitors to silently load a malicious PDF document that infected the users computer with malware.

Image 1 Compromised site: ->

Image 2 js_men.asp

The malicious PDF was hosted on (, a website located in Taiwan. This malicious file has very low antivirus coverage. Only eight out of forty-two anti-virus products detected the file as malware.

Item 3

Filename readme.pdf
Filetype PDF
MD5 72bdca7dd12ed04b21dfa60c5c2ab6c4

Virustotal: 8/42 (19.05%)

The malware dropped by the malicious PDF issued another connection, this time to ( This is a server under the control of the attackers. The malware made a request for another executable, which appeared to be encrypted and which no antivirus products detected as malicious.

Item 4

GET /fun.exe HTTP/1.1

Filename fun.exe
Filetype EXE
MD5 ec16143a14c091100e7af30de03fce1f

Virustotal: 0/42 (0%)

Interestingly, the IP address of ( is assigned to the same company, DCS Pacific Star, LLC, as the IP address used to send the malicious email (

The new malware downloaded from ( began encrypted communications with a command and control server located in China at

Image 5

The command and control server is located in Jiangsu Province, China:
: –
descr: CHINANET jiangsu province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
: Beijing 100088
: CN


The nexus of censorship, surveillance, and malware attacks enable strict information control policies in China that extend beyond China’s boundaries to affect civil society organizations around the world. An increasing number of targeted malware attacks against civil society organizations are being reported. In many cases, the attacks can be traced back to command and control infrastructure located in China. These attacks leverage trust among members of social and political networks using human rights themes and spoofed identities to encourage targeted users to execute malicious code. From that point, unknown attackers have full control over the users’ computers and can conduct surveillance, exfiltrate sensitive information, and use the computer as a staging ground for future attacks.

The original version of this article is available here and in Chinese here.

A Random Walk Through the Malware Ecosystem

The forum at is a location where buyers and sellers of stolen credit card information conduct exchanges. There are many forums like this that are part of the thriving market that sustain the “botnet ecosystem.” The servers that host these types of forums are typically involved in a variety of nefarious activities. This one hosts a variety of malicious software:

www.sokam .info /admnew2/Dr.exe (VT: 33/40 (82.50%)
infoshok .info /exe.php?606717496665bcba (VT: 20/40 (50.00%))
superhomelawn .com /per4d/load/load.exe (VT: 5/41 (12.20%))
senders2010 .com /sites/up.bin (zbot/zeus)
keroholek .net /tt/stat/index.php (zbot/zeus)
newdaypeace .org /npd2e/bb.php?… (oficla/sasfis)

The sites are hosted on – SUNINFO-MDC which is located in China.

One “trusted” seller (meaning that the forum administrator had vouched for him/her) known as mrdump caught my attention. mrdump’s minimum order is now $1000 USD. In addition to advertising his/her services on the forum, mrdump included his/her website,

The site is hosted on – SUNINFO-MDC in China and, as usual, these a fair amount of nasty stuff, mostly zeus/zbot (,, hosted on the same server. Another zeus/zbot command and control server found on the same server is:

There is also a BlackEnergy command and control server hosted on the same server: It was a fairly small botnet (total bot’s: 171, bot’s per hour: 213, bot’s per day:437, bot’s for all time:1816) and was issuing the following command “flood http” — instructing the bots to DDoS Recently, the command has been changed to “die”.

One interesting find pertains to the rivalry between Zeus and SpyEye. The same server hosts which is a known zeus/zbot command and control server. Well it turns out that it is also a Spy Eye command and control server: (27/41 (65.85%)) (VT: 10/41 (24.4%)) (VT: 35/41 (85.37%)) (VT: 35/40 (87.5%)) (VT: 8/40 (20%))

I recall someone (I am pretty sure it was Dancho Danchev — UPDATE: and it was here and here (thx @danchodanchev)) — reacting to this rivalry by saying that the criminals don’t really care, they’ll use any malware kit that works.

Or something like that.

Sometimes, we get sidetracked by the tools, but it’s the crime that pays.

Thanks for the malware

I checked inbox today and found an interesting email:
More… »

Blurring the Boundaries Between Cybercrime and Politically Motivated Attacks

An emerging area of inquiry in security research is the blurring boundaries between cybercrime and other, more targeted forms of attack, and more specifically attacks that appear to be politically motivated. These attacks often take the form of targeted malware attacks that act as a form of surveillance in which sensitive documents and communications are captured from the targeted organizations and individuals or politically motivated Denial of Service attacks that aim to punish, disrupt and/or censor the ability of the targets to communicate to the world.

One of the themes that informed the “Shadows in the Cloud” report was the (potential) relationship between crimeware networks and cyber-espionage. The boundaries between the two appear to be blurring making issues of attribution increasingly more complex. It may also indicate that there is an emerging market for sensitive information and/or politically motivated attacks as crimeware networks seek to monetize such information and capabilities.

I explored this theme in a report on a case related to Kneber botnet documented by NetWitness in which a known ZeuS-based botnet, typically used to steal banking information and other credentials, was specifically targeting .mil and .gov email addresses with spearphishing attacks and then dropping a second piece of malware, an infostealer, on the compromised systems that uploaded sensitive documents to a drop zones in Belarus and Russia. This botnet was engaged in all sorts of other malicious activity associated with cybercrime.

When it comes to DDoS attacks a similar pattern is observed. Jose Nazario of Arbor Networks wrote a very interesting paper that analyzed politically motivated DDoS attacks (and is basically the inspiration for this blog post). The numerous DDoS attacks described in this paper are very interesting, some are punitive attacks others appear to be an effort to censor political speech (something I worked on at ONI in the past with Kyrgyzstan in 2005 and Belarus in 2006). In the paper Nazario dicusses the role that well known BlackEnergy-based botnets played in the DDoS attacks on Georgian websites during the Russia-Georgia conflict in 2008. In a really amazing presentation Jose Nazario and Andre DiMino of Shadowserver document the attacks on Georgia. But what is most interesting, in this context, are the other unrelated targets that the same botnets also attacked. The RU-GE case is a great example of the blurring boundaries between crimeware networks, politically motivated attacks a censorship.

On a much smaller scale, I observed some recent attacks in which a BlackEnergy-based botnet attacked a variety of unrelated targets but eventually attacked political websites. The botnet was discovered while analyzing data captured from the computer of a Tibetan political figure. Due to the character of the network Greg Walton and I concluded that the attack was not targeted and was not related to the Tibet or to the political activities of the individual who was compromised. However, I continued to monitor the botnet.

The botnet had two command and control domain names and both hosted on the same IP address (, China Netcom). The command and control interface was not password protected and I was able to access it and determine the size of the botnet. According to the statistics in the interface, had 2044 active bots, an average of 2418 per hour and 8105 per day. In total the recorded 64346 infections. According to the statistics in the interface, ( had 3623 active bots, an average of 4869 per hour and 12749 per day. In total the recorded 51813 infections. This is not a particularly large botnet at all, but the attackers could access at least 6000 bots at any given time.

This botnet attacked a variety of websites, however, four of them caught my attention.


2009-12-15 05:00:01
flood http

The attackers began flooding on 2009-12-15. The attacks appear to relate to Ukrainian news stories (here, here, here and here) which broke around the same time as the attacks started involving a judge named Oleg Bachun and two competing websites and While the former was supportive of the judge the latter implicated him in illegal activities. Since I am relying on Google Translate it would be great of some Russia and Ukrainian speakers could provide a more in-depth assessment of what happened in the case as well as to the domain names involved as it appears from the reports that was transfered to the owner of


2010-01-16 18:00:01 – 2010-01-20 06:00:02
flood http

Rights in Russia reported that “a website run by an opposition group in Ingushetia,, suffered a DDoS attack after publishing comments critical of the region’s authorities.” Ingushetia is located near Chechnya and is a politically sensitive area. reported the DDoS on their livejournal site and the broader implications in this article. This is not the first time there have DDoS attacks related to this region. Jeff Carr reported on another DDoS attack and implicated the RBN in the attack.


2010-01-22 12:00:01 – 2010-01-26 15:00:02
flood http

This website,, is also related to Ingushetia and reported DDoS attacks (here too) earlier this year. Several other related sites were also reported to be inacessible. The timing of the inaccessibility of the sites and the DDoS attacks on and also correlate with reports of an explosion of a gas pipeline in Ingushetia.


2010-01-25 08:00:02 – 2010-01-27 02:00:01
flood http

The website was a satirical website claiming that the Russian-backed Chechen leader Ramzan Kadyrov was going to run in for president in Russia’s elections. Reuters reported the story on January 24 which correlate with the timing of the DDoS attacks.

These attacks are fairly small when compared with others and fly under the radar screen of most. They show that small scale attacks designed to censor opposing views occur with frequency against key websites and during critical time periods. It is clear that those engaged in political activities and those who vocally oppose repressive policies such as censorship may be subjected to a complex set of threats from targeted malware through to DDoS and not simply censorship in the form of Internet filtering. Finally, these attacks demonstrate that botnets involved with criminal activity are being used to conduct both political and apolitical DDoS attacks

Sites DDoS’d by this botnet:

flood http
flood http
flood http
flood http
flood http
flood http
flood http
flood http
flood http
flood http
flood http
flood http
flood http
flood http index.php
flood http personal subscribe subscr_edit.php
flood http
flood http
flood http index.php
flood http index.php?f=stat&act=online&server=0
flood http
flood http
flood http
flood http
flood http
flood http
flood http
flood http index.php
flood http,
flood http
flood http showgroups.php
flood http
flood http
flood http,,,
flood http
flood http
flood http,
flood http index.php
flood http
flood http
flood http index
flood http
flood http
flood http
flood http
flood http
flood http
flood http
flood http
flood http
flood http
flood http
flood http index.php
flood http
flood http
flood http
flood http
flood http
flood http
flood http
flood http index.php
flood http
flood http 111 XXX_DETKA
flood http 157 xxx
flood http
flood http
flood http index.php
flood http
flood http index.php
flood http index.php
flood http
flood http
flood http
flood http
flood http
flood http forum
flood http
flood http
flood icmp
flood syn 80

Shadows in the Cloud

Last year, at just about this time, the InfoWar Monitor (IWM) released the “Tracking GhostNet” report which detailed our investigation into a cyber-espionage network that has compromised 1200+ computer systems spread across 103 countries, including ministries of foreign affairs, embassies, international organizations, news organizations, and even a computer located at NATO headquarters.

I remember when I stumbled upon the GhostNet attacker’s command and control interface by Googling a string of text from the network traffic obtained during our field investigation from a compromised computer at the Dalai Lama’s office in Dharamsala , India. To my surprise Google returned several results, which I clicked, and was suddenly looking at an interface that allowed the attackers to fully control a network of compromised computer system. When the report came out and I realized the significance of the find I thought that there was no way it would happen again. I was wrong.

Today the IWM and the Shadowserver Foundation have released a report “Shadows in the Cloud: An investigation into cyber espionage 2.0” (mirror) in which we document another targeted malware network. (NYT coverage here). We started by exploring one of the malware networks described in the GhostNet report but was an entirely separate malware network that had also compromised computers at the Dalai Lama’s office. I cannot stress just how important the trust, collaboration and information sharing across all those involved in this report from the Citizen Lab, SecDev , and Shadowserver, along with the Dalai Lama’s Office were to the success of the project.

As a result we were able to document another network of compromised government, business, and academic computer systems in India, the Office of the Dalai Lama, and the United Nations as well as numerous other institutions, including the Embassy of Pakistan in the United States.

In the report we enumerated a complex and tiered command and control infrastructure. The attackers misused a variety of services including Twitter, Google Groups, Blogspot, Baidu Blogs, and Yahoo! Mail in order to maintain persistent control over the compromised computers. This top layer directed compromised computers to accounts on free web hosting services, and as the free hosting servers were disabled, to a stable core of command and control servers located in China.

This time, unlike GhostNet, we were able to recover data, some of which are highly sensitive, from a drop zone used by the attackers. One day, while exploring open directories on one of the command and control servers I noticed that there were files in a directory that was normally empty. It turned out that the attackers were directing compromised computers to upload data to this directory; the attackers subsequently moved the data off to another location and deleted the files at fairly rapid, but intermittent time intervals.

We recovered a wide variety of documents including one document that appears to be encrypted diplomatic correspondence, two documents marked “SECRET”, six as “RESTRICTED” and five as “CONFIDENTIAL” which appear to belong to the Indian government. We also recovered documents including 1,500 letters sent from the Dalai Lama’s office between January and November 2009.

Based on the character of the documents (and not IP addresses) we assessed that we recovered documents from the National Security Council Secretariat (NSCS) of India, the Embassy of India, Kabul, the Embassy of India, Moscow, the Consulate General of India, Dubai, and the High Commission of India in Abuja, Nigeria. In addition, we recovered documents from India’s Military Engineer Services (MES) and other military personnel as well as the Army Institute of Technology in Pune, Maharashtra and the Military College of Electronics and Mechanical Engineering in Secunderabad, Andhra Pradesh. Documents from a variety of other entities including the Institute for Defence Studies and Analyses as well as India Strategic defence magazine and FORCE magazine were compromised.

Questions regarding those who are ultimately responsible for this cyber-espionage network remain unanswered. We were, however, able to benefit from a great investigation by The Dark Visitor who tracked down lost33, the person who registered some of the Shadow network’s domain names that we published in the GhostNet report and his connections ot the underground hacking community in China. Based on the IP and email addresses used by the attackers we were able to link the attackers to several posts on apartment rental sites in Chengdu.

This, of course, does not reveal the role of these specific individuals nor the motivation behind the attacks. However, the connection that The Dark Visitor drew between lost33 and the underground hacking community in China does indicate that motivations such as patriotic hacking and cybercrime may have played a role. Finally, the nature of the data stolen by the attackers does indicate correlations with the strategic interests
of the Chinese state. But, we were unable to determine any direct connection between these attackers and elements of the Chinese state. However, it would not be implausible to suggest that the stolen data may have ended up in the possession of some entity of the Chinese government.

Now having reported this incident to the China CERT — which handles security incidents in China — I look forward to working with them to shut down this malware network.

This is an investigation in progress. There are many threads in this investigation that have still to be fully explored. I hope that this report provides enough detail to allow others with different specializations to continue to explore aspects of the Shadow network enriching our collective understanding of this incident and the broader implications regarding both cyber-crime and cyber-espionage.

Vietnam & Aurora

[UPDATE: See “Vecebot Trojan Analysis” by SecureWorks.]

A while back I wrote a post about “Aurora Mess” in which I tried, unsuccessfully, to make sense of the different assessments of the attacks on Google and at least 20 other companies within the security community. I was trying to grapple with the way in which Google and McAfee were characterizing the attacks as sophisticated while Damballa labeled them amateurish and connected them to some common cybercrime activities. Well, it turns out that it was a confusing for a reason. (And is still confusing, check out Damballa’s reaction to “Aurora Lite“)

Some of the domain names included as part of Aurora turned out to be not part of Aurora. McAfee explains:

While originally some of these domains and files had been reported to be associated with Operation Aurora, we have since come to believe that this malware is unrelated to Aurora and uses a different set of Command & Control servers.

Turns out that these domain names (, once included as part of Aurora – an attack traced to China — were now traced Vietnam. It looks the domains were erroneously included as part of Aurora because they were discovered during the Aurora investigation:

We suspect the effort to create the botnet started in late 2009, coinciding by chance with the Operation Aurora attacks. While McAfee Labs identified the malware during our investigation into Operation Aurora, we believe the attacks are not related.

Neel Mehta of Google noted that there may be a political dimension to the attacks:

The malware infected the computers of potentially tens of thousands of users who downloaded Vietnamese keyboard language software and possibly other legitimate software that was altered to infect users. While the malware itself was not especially sophisticated, it has nonetheless been used for damaging purposes. These infected machines have been used both to spy on their owners as well as participate in distributed denial of service (DDoS) attacks against blogs containing messages of political dissent. Specifically, these attacks have tried to squelch opposition to bauxite mining efforts in Vietnam, an important and emotionally charged issue in the country.

In terms of the attack vector, McAfee’s Kurtz stated:

We believe the attackers first compromised, the Web site of the Vietnamese Professionals Society (VPS), and replaced the legitimate keyboard driver with a Trojan horse. The attackers then sent an e-mail to targeted individuals which pointed them back to the VPS Web site, where they downloaded the Trojan instead.

To Summarize, from Google and McAfee, we have:

  • Command and control servers are
  • The botnet started in late 2009, coinciding with the Aurora attacks, which would make the date mid-December
  • There were targeted attacks that encouraged the download of malicious software from which had already been compromise and was hosting the malware
  • The malware, W32/VulcanBot, was disguised as a Vietnamese keyboard driver
  • This botnet DDoSed sites that opposed a bauxite mine in Vietnam

The website that may have been DDoS’d in connection with the bauxite mine may have been

The AP’s Ben Stocking reports that:

Last fall, the government detained several bloggers who criticized the bauxite mine, and in December, a Web site called, which had drawn millions of visitors opposed to the mine, was hacked.

Stocking also reported:

Vietnam has hired a Chinese company to build the plant to process bauxite taken from the mines and hundreds of Chinese are reportedly working there.

Vietnam has some of the world’s largest reserves of bauxite, the primary ingredient in aluminum. The government has argued that the mine would bring economic benefits to the impoverished Central Highlands.

Opponents say the project would cause major environmental problems and have raised the specter of Chinese workers flooding into the strategically sensitive region.

OK, so maybe there is a China connection. Or maybe not.

McAfee points out that:

The command and control servers were predominantly being accessed from IP addresses in Vietnam.

Ok, back to the Aurora mess. Damballa found a sample on 2009-08-19 which they classified as Fake AV / Scareware masquerading as Microsoft Antispyware Services. This malware used several of the same command and control servers as noted by McAfee ( along with more,, and

8 April 2009 – bb2aa6bf91388242dcff552eb476c545
16 April 2009 – 4488dea2071f0818d3b6269a061c2df6
3 December 2009 – 69baf3c6d3a8d41b789526ba72c79c2d
20 January 2010 – 7ee6628b8caeef57607e5426261b8c0c

McAfee has the date for W32/Vulcanbot as 01/23/2010 nine months after a sample was submitted to a ThreatExpert with common command and control servers. Is this really a new botnet? What are the apparently politically motivated attacks doing with rogue AV and typical crimeware junk? Without detailed information about the Vietnamese case its very difficult to make an accurate assessment.

GoDaddy, .CN, Malware & Freedom of Expression

The domain registrar GoDaddy testified before the U.S. Congressional-Executive Commission on China and stated that they would “discontinue offering new .CN domain names” citing concerns over an “increase in China’s surveillance and monitoring of the Internet activities of its citizens” and the “chilling effect” that the retroactive application of new requirements on .CN domain names would have.

CNNIC, which regulates the .CN ccTLD, introduced new requirements in December 2009 on registrations which many in the security community welcomed. .CN domain names are often used for malicious purposes. McAfee has listed .CN as one of the riskiest ccTLD’s. and (two amazing malware/security resources) have collected numerous .CN domain names used to distribute malware. The AV company Kaspersky noted:

Over the last 3–4 years, China has become the leading source of malware. Chinese cybercriminals have shown themselves to be capable of creating such huge volumes of malware that over the last two years, antivirus companies have, without exception, put most of their effort into combating Chinese malware.

However, a lot of the malware activity coming from China is because Eastern European criminal networks moved and are now abusing Chinese infrastructure, .CN domains as well as IP addresses.

Sophos noted that the regulations were having an effect. There was a decrease in spam and Sophos attributed this to the new CNNIC regulations. Symantec noted that .CN registrations used for spam were down and .RU registrations had taken their place.

Others were unsure. StopBadWare noted that since there was a 5 day grace period that would be enough time for the malicious use of .CN domain names. Many, including Isaac Mao, also raised privacy and freedom expression issues arguing that this was a crackdown on freedom of expression.

GoDaddy is now framing their decision to “discontinue offering new .CN domain names” as a freedom of expression issue. Back in 2004 I wrote about GoDaddy’s practice of denying access to its services form certain countries. Others have also had issues with GoDaddy regarding freedom of expression. In other cases, GoDaddy (among other registrars) have been criticized for being too slow to act.

So in trying to get an understanding of what’s going on, I found portions of GoDaddy’s testimony quite interesting. In particular, I’m interested in the emphasis on “Chinese nationals.”

On February 3, 2010, CNNIC announced that it would reopen .CN domain name registrations to overseas registrars. However, the stringent new identification and documentation procedures would remain in effect. CNNIC also announced an audit of all .CN domain name registrations currently held by Chinese nationals. Domain name registrars, including Go Daddy, were then instructed to obtain photo identification, business identification, and physical signed registration forms from all existing .CN domain name registrants who are Chinese nationals, and to provide copies of those documents to CNNIC. We were advised that domain names of registrants who did not register as required would no longer resolve. In other words, their domain names would no longer work.

Now, what I am unclear on is how the requirements affects non-Chinese national who a registering malware domains, pushing rogue antivirus, sending spam and all sorts ofnasty things. These regulation seems to largely target Chinese nationals — not the nationals of other countries who may be using .CN domains for malicious purposes. GoDaddy concluded:

The intent of the new procedures appeared, to us, to be based on a desire by the Chinese authorities to exercise increased control over the subject matter of domain name registrations by Chinese nationals.

We believe that many of the current abuses of the Internet originating in China are due to a lack of enforcement against criminal activities by the Chinese government. Our experience has been that China is focused on using the Internet to monitor and control the legitimate activities of its citizens, rather than penalizing those who commit Internet-related crimes.

I’m having trouble evaluating GoDaddy’s new found (to me anyway) commitment to freedom of expression. I do welcome it and I hope they are serious about it and demonstrate their commitment by joining the Global Network Initiative. But I’m hoping that they don’t confine their interest in freedom of expression solely to China but rather evaluate and assess freedom of expression and privacy across their business operations.


WP: In response to new rules, GoDaddy to stop registering domain names in China
Dancho Danchev: “With CN/RU requirement for scanned IDs in order to register a domain,underground services are already monetizing the Photoshop-ing process.”

Rogue AV, ZeuS and Spear Phishing

Brian Krebs just posted a great article about, an affiliate program for malware distributors, who get $1 per install. But they don’t just spread rogue (fake) anti-virus software, they also spread ZeuS:

Distributors or “affiliates” who sign up with, for example, are given access to an installer program that downloads not only rogue anti-virus but also ZeuS, a stealthy piece of malware that specializes in mining online banking credentials from infected PCs.

There are some very interesting things about this development:
1. The email address used to register is
2. is the email address used to register, the domain used in targeted spear phishing attacks
3. The binary that the malware distributors were given to spread (baba913304d400802be62e815579c41a) is the same as the binary used in a targeted spear phishing attack
4. The website that hosted the malware in the spear phishing attack was the same as the one used in another spear phishing attack that used portions of Brian Krebs’ article as lure.
5. The command and control for a number of these attacks was

Krebs lays out an impressive analysis of the broader ecosystem of these criminal networks. It is even more interesting when we factor in the attacks against .mil & .gov email addresses and the extraction of sensitive documents — as opposed the banking credentials usually targeted by ZeuS — and the sensitive nature of the entities from whom these documents were ex-filtrated.

All for $1 a piece. ->

Yesterday Google began redirecting requests for to effectively ending its years of self-censorship in China. To be clear, Google has not ended censorship in China — Google has ended its own self-censorship.

While searches within the .hk google are not censored by Google, they will still be affected by China’s keyword filtering. This means that queries for certain terms will not get through to search engine and the end user in China will not get any results.

Even if a user in China uses search queries that are not filtered by China and retrieves results from google’s .hk version, they will still be affected by China’s filtering if they click on the link and try and view those results directly.

What’s the difference? Users in China will be affected by China’s filtering, not Google’s. The difference is in the user’s experience — instead of retrieving results and carrying on as if censorship did not exist (disclaimer aside), the user now experiences the censorship first hand.

It is true that the user will not get any results from Google for queries that are filtered by China. this may results in quantitatively less information, but necessarily qualitatively (see here and here). Even if a controversial site slipped through the self-censorship, it would be picked up by China’s filtering if the user tried to access it directly.

The move removes Google from an ethically challenged situation and has raised awareness globally regarding China’s censorship practices.

Remember: Microsoft and Yahoo! are still censoring their China facing search engines.

Google, Yahoo, Microsoft Still Censoring In China

Today MSNBC reported that Google “appears” to have stopped censoring its search engine in China,

This is not true.

In Search Monitor Project: Toward a Measure of Transparency I tried to carefully document the different censorship practices among Google, Yahoo, Microsoft and Baidu. (Here are some more posts on this issue.) In short, it is difficult to determine the relationship between queries and censorship, so I focused on domains.

NBC assumed that the censorship was keyword driven (there are some key word driven elements) but a lot of it is based on de-listing (or not indexing) web sites.

For what it is worth, I noticed that a lot of the content I found to be blocked in 2008 was available BEFORE the Google announcement in January. For example, around the Olympics in Beijing a lot of previously blocked content was accessible (although the search engines were still censoring more than China was at that time).

But anyway, a closer look at the current search engine censorship reveals some interesting issues. Here’s a search for Tiananmen, notice the “tankman” picture is there, twice.

But look closely, what is Google indexing? Why those domains are “” and “”. Baidu and 163, both very popular domestic Chinese sites. The images are not hosted on thoese sites, but are linked from them. So both Baidu and 163 are displaying page that have the image too!

What about Yahoo ( and Microsoft’s Bing (with region set to PRC)? Yep, these images are there too!

Although Google has consistently performed better (as in less censorship) in my tests over the years, Google’s censorship behaviour is not all that different than the rest.