Qihoo 360 Fakes A Microsoft Security Patch


Qihoo 360 Technology Co. Ltd (NYSE:QIHU) has been in the news. Let's just dive right into the latest Qihoo scandal in China. News title:

"Qihoo 360 falsely reports loopholes in the Windows system to force the installation of their 360 browser."

(The above was professionally translated and will be cited throughout this article as "Qihoo 360 Falsely Reports." Originals are here; you can read them in the Google translator, for example here. 8/1/2012)

Here's what happened:

"There have been users who have posted screenshots online which show the 360 Security Defender wrongly detecting holes in the Windows system and thereby recommending users to install an upgrade patch."

"After the upgrading is completed, only then do they realise the 'patch' is the 360 browser. It is understood that the user patch from the 360 Security Defender, allegedly supposed to fix loopholes in the Windows system, immediately transforms itself into the 360 browser upon installation of the patch." (Qihoo 360 Falsely Reports)

Now, here's a screenshot that accompanied one of the many articles (I added the Google translator and the orange lines to highlight the key points. By the way, of the screenshots I found, this was the one with the best resolution: you can find it here, click the image to enlarge it.)

Qihoo Security Guards fake Hotfix

I've experienced the proof firsthand. Upon reading online blogs and articles, I found URLs to the patch(es) and was able to download them from Qihoo's official site. As of this writing I am still able to download them. I introduce them here, with the warning that the company has been accused of malware in the past. Here are the links.

It is possible that the files will be removed and/or the access blocked upon the publication of this article. Again, I'm not recommending the files. I only present them as evidence of the counterfeiting.

Take a quick look. Which files are from Microsoft Corp. (NASDAQ:MSFT) and which are from Qihoo 360?

5 Qihoo Downloads

All of them were downloaded from Qihoo's 360safe.com, AKA, 360.cn ‒ and all of them were made by Qihoo 360.

SystemExplorer page and properties tool

(To see this System Explorer page click here.)

In the image below, you can see that the icon on the left is a short-cut to Qihoo's browser; the icon in the middle is a short-cut to Microsoft's browser; and the last icon is Qihoo's counterfeit Microsoft "security patch." Note how there is much more similarity to Microsoft's icon than to Qihoo's.

Three icons, qihoo

Besides using Microsoft's icon and color, Qihoo's fake patch also takes advantage of Microsoft's file naming convention.

"According to evidence from the users, the 360 browser upon downloading as a patch changes its name to 'Windows-KB360018-v7-x86.exe,' which is markedly similar to actual Microsoft patches in name." (Qihoo 360 Falsely Reports)

Here's what they mean. Of the two filenames below the first is Qihoo's and the second is Microsoft's (found here):

DOS window with two filenames

"Windows" of course refers to Microsoft's most famous product and "KB" stands for "Knowledge Base." A user is supposed to be able to go to Microsoft's Knowledge Base, access the reference number, and get more information.

I invite the reader to try to find Windows KB360018. Now, if there is no KB360018 entry in Microsoft's knowledge base, then Qihoo 360 has no other reason for referencing "Windows" in the filename other than to further a user's natural expectation that the software comes from the trusted source, Microsoft.
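A defender's check for the naming trick described above, as an added PowerShell example that is not part of the original article: it lists executables whose names imitate the KB convention and reports whether each one carries a valid Authenticode signature from Microsoft. The folder path and the name pattern are assumptions.

```powershell
# Added example, not from the original article.
# Assumption: $Path is a folder of downloaded installers to review.
param([string]$Path = "$env:USERPROFILE\Downloads")

# Assumption: any "KB" followed by digits in the name counts as imitating
# the update naming convention (e.g. Windows-KB360018-v7-x86.exe).
$kbPattern = 'KB\d+'

Get-ChildItem -Path $Path -Filter *.exe -File -Recurse |
    Where-Object { $_.Name -match $kbPattern } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = ''
        if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }

        # Trust the signature, not the name or icon: the chain must validate
        # and the signer's organization must be Microsoft (a heuristic match
        # on the certificate subject).
        $signedByMicrosoft = ($sig.Status -eq 'Valid') -and
                             ($subject -match 'O=Microsoft Corporation')

        [pscustomobject]@{
            File              = $_.Name
            CompanyName       = $_.VersionInfo.CompanyName
            SignatureStatus   = $sig.Status
            Signer            = $subject
            SignedByMicrosoft = $signedByMicrosoft
        }
    } |
    Sort-Object SignedByMicrosoft |
    Format-Table -AutoSize -Wrap
```

Rows with `SignedByMicrosoft` set to `False` are files that borrow the update-style name but are signed by someone else, or not signed at all.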

Let's go back to the Qihoo Security Guards screenshot. You may have noticed that there were other hotfixes listed. One had a KB reference number, 2728973. You can actually go to Microsoft's website and look that KB reference number up.

I did just that. Now, either somebody on Qihoo's team has a great sense of humor or Qihoo's listed hotfixes have an ironic coincidence. The KB2728973 reference for the patch next to the fake one reads: "Microsoft Security Advisory: Unauthorized digital certificates could allow spoofing." A Microsoft warning about "spoofing" next to a fake Microsoft hotfix!

See illustration, or click here to go to Microsoft's Knowledge Base #2728973.

MSFT warning about spoofing next to spoofed hotfix

OK then, with common sense certainty we know that Qihoo faked a Microsoft patch. And understandably, some users were confused. Here's a comment found on the official Qihoo 360 BBS, run through the translator.

360 official blog, confused about patch

(Original, here.)

Qihoo's tactics were exposed and spread through the blogosphere.

"Recently, Qihoo 360 has once again been exposed for malicious and deceptive fraud against users, and this has sparked widespread backlash in the blogging scene." (Qihoo 360 Falsely Reports)

This next piece was found on Weibo's ultra-popular micro-blogging site (run through Google's translator):

Confused on Weibo

These sorts of blogs are abundant; see some of them here. As you can see in the above Weibo "micro-blog," and in others, screenshots were popular. See a very popular series of screenshots, here. Many were also widely distributed in the press.

Someone even made a video of the "hotfix" installation process: here.

same browser icons

I wonder how many novice users thought they not only installed a Microsoft patch but actually thought they also had a new upgraded Microsoft browser?!

(Internet Explorer and Qihoo Browser Icons.)

What does Microsoft think about all this? News reports in China said that Microsoft was investigating the matter, but did not have any comments at this time. (Originals, here; Google Translator, here) Here's a community response on answers.microsoft.com. The original was in Chinese, I had it professionally translated.

"As you may have already heard from the news, the recently released update for the "360 Browser" has fraudulently been released in Microsoft's name by 360, and is not actually a patch from Microsoft. This matter is currently under investigation." (Original is here.)

Or perhaps there is a special arrangement between Qihoo and Microsoft for the transition from IE6?

There is an interview online where someone named Huan Ren, said to be a Qihoo 360 employee, was quoted as saying:

"… in particular Qihoo 360 has a partnership with Microsoft that upgrades the default browser on Windows XP from IE6 to IE8." (Already translated, here)

But if so, why wouldn't the file properties and digital signature involve Microsoft's name alongside Qihoo's? And why would the icon look like a cheap screenshot?

low resolution screen short next to real icon

The point we need to make here is this: if a hacker wanted to borrow the credibility of Microsoft to get users to convert from IE6 to his own browser, why not 1) copy the Microsoft icon and 2) copy the filename conventions (complete with Knowledge Base reference), and then take another important step: 3) scare the users? Tell them that they're in a high-risk situation.

Here's an excerpt from an article published on Zdnet.com.cn. This one is translated by Google:

"360 security guards to remind the user's computer a 'high-risk vulnerabilities need to install a named KB360018' IE6 kernel upgrade patch 'Special Note' Do not stop to repair. Users follow the prompts to upgrade, it will force the installation of the 360's security browser. " (Original, here; Google Translated, here.)

A novice user wouldn't know the difference either way and a knowledgeable user would expect a Microsoft "patch" to contrast with Qihoo's look and feel ‒ which this one did. (Of course, reports tell us that this wasn't a patch at all but a conversion from Microsoft's to Qihoo's browser).

This next micro-blog appeared just before the scandal entered the mainstream media:

kb fake, hooligans

(Google translated.)

"Hooligan?" I think US investors are the last to learn. This kind of association with Qihoo is nothing new to the Chinese reader.

"Previously, incidents where users were forced to install software which subsequently modified the registry such that it cannot be deleted were fairly common. A classic example would be Qihoo 360's predecessor, 3721, for which Mr Zhou Hong Yi has thereby been called the 'Father of rogue software'." (Qihoo 360 Falsely Reports)

In fact if you just do a raw search for "The father of rogue software" (That is, don't even mention Qihoo or the CEO) you come up with … the CEO of Qihoo. Search here. ("The father of rogue software" = "流氓软件之父". Check the translation here.)

Hackers fake security updates

But faking a patch is nothing new to US readers either.


As Microsoft warns us,

"Rogue security software might also attempt to spoof the Microsoft security update process." (here)

Here's an article with another KB-fake:

"Have you received an email seemingly from Microsoft's security team telling you to "Update your Windows"? Have you been sent a file called KB453396-ENU.zip and told to run it on your Windows computer?" ~ Fake Microsoft security update spreads Autorun worm

As for forcing out rivals,

"Previously installed browsers are rendered inactive instantly and the default browser is locked as the 360 browser, with the homepage fixed as hao.360.cn." (Qihoo 360 Falsely Reports)

Of course, this was a little over the top. But in general this is the way it is… not just in China but in the browser business at large: bigger players trying to limit their smaller rivals with "innovation" and "security." As a consequence, I don't think Qihoo's number one revenue driver ‒ the advertisement-laden default page of the browser ‒ will survive the next technology cycle.

It's the law of the jungle over there. Over here too. Here's Apple locking out major browsers with impunity, because, well, everybody likes 'em … that, and, oh yeah, they're really big.

Now that Microsoft, with its Office Suite, is set to enter this arena with its new tablets, the future of third-party browsers is being debated. Will Microsoft create so much friction for rival browsers that users just follow the path of least resistance … resulting in Microsoft's inevitable retrieval of browser market share? If they can copy Apple's strategy, you can bet they will. And I do believe that Qihoo will not be spared.

Here's what everyone is saying about the next browser war:

Why Is Microsoft Trying to Hobble Firefox on Windows 8 Tablets - and Why Does It Matter?

"Microsoft is getting cut a lot of slack for its anticompetitive stance, because it is casting the anti-features for developers in the name of "protecting users from malware." It's OK if Microsoft cuts off competing applications at the knees, because it's trying to prevent malware."

Whether one agrees with Microsoft here or not, one has to admit that Qihoo did not help the counter-argument with recent "events."

So, it is a jungle out there, but the problem with the law of the jungle is that you have to be the Gorilla to win it. That would be Microsoft, not Qihoo.

Disclosure: I am short QIHU.

Additional disclosure: I am long MSFT
