Seeking Alpha

Matt Berry's  Instablog

Matt Berry
Send Message
Follow me on Twitter: I'll be publishing on my blog from now on. I usually send my reports through a newsletter first. Join the mailing list at Interests: -- reading up on bounded rationality, behaviorism, and philosophy -- writing... More
My blog:
3 Foot Crowbar
My book:
The Mechanics of Virtue: A cynic's guide to righteous behavior
View Matt Berry's Instablogs on:
  • Qihoo 360 Accused Of Faking A Microsoft Patch

    [To go back to the main article, see "Table of Contents"]


    After spending two weeks on this, I have concluded that Qihoo did indeed counterfeit Microsoft's security patch. Below you can see some of the evidence during the "gathering process."

    If you are new to this page, please skip down to the August 1 entry to begin.


    I got ahold of Windows-KB360018-v4-x86.exe and re-analyzed it at Same SHA256. The filename has now updated to Windows-KB360018-v4-x86.exe. The filename -- WindowsXP-KB999999-x86.exe -- shows up in "more details" as the original filename.


    Thanks to Richard X Roe for pointing me in this direction and giving me an education on SHA256. (Any mistakes here are mine. Please correct me in the comment section if any of my information/assumptions are off.)

    As I understand it, each executable program will/can have a unique encrypted ID generated. For Qihoo and its recent scandal, we are referring to the SHA256 ID (Secure Hash Algorithm 256 bits).

    The SHA256 ID for the Microsoft Update which is said to be FAKE is the same on both systemexplorer and virustotal. However the names were different.

    (I will shorten the names for convenient reading.) What on is kb360 was kb999 on virustotal. The date is 2012.

    What on system explorer is kb999 does not have the same SHA256 ID as the original kb999 on virus total. The date is 2011.

    Before I updated the filename by re-analyzing it, this is how the two appeared in

    (click to enlarge source material)Change the Name, SAME SHA256

    Go to ...

    kb360: here

    kb999: here

    Click on the button "MD5" to connect with Virus Total. Click "more details" to see the former filename.

    1. Was Qihoo covering its tracks and/or avoiding being labeled a threat on Virus Total?
    2. Users on systemexplorer are flagging Qihoo's software as a "Threat." If they are correct, should the same software on VirusTotal be flagged as well?


    Video claiming to capture installation process: here.


    As if the issue were not confusing enough, articles today emerge accusing Kingsoft of virtually the same abuse, and using almost identical language as found in the charges leveled against Qihoo. Click here. [updated 08/04/2012]

    [Back to Qihoo 360]


    Here's a screenshot widely published in China, to which I have added some detail:

    (click to enlarge)Qihoo fake patch kb360018

    The red circle and red text were not mine. I added the call-outs framed in orange and using orange arrows.

    You can see the translation in the Google translator at the top or click here for a "live" translation.

    You can also see in the lower call-out that "" assigns the patch to Qihoo 360 and not to Microsoft. Click Here.

    I have been unable to confirm a response from Microsoft, although several blogs have reported that there has been response: IE, that its not Microsoft's patch. See below.

    [See end of blog for claim that Qihoo had a partnership with Microsoft to update the IE browser.]

    Articles for August 2, 2012 through Google Translator:

    "360 counterfeit Microsoft released a Patch With the latest progress,Microsoft official responded that "(KB360018) is certainly not Microsoft's products" incident in an interview. For how Microsoft will deal with this event, Microsoft officials without further response. Microsoft said that the relevant treatment temporarily can not be revealed to the media."

    "Up to now, Microsoft's official response, 360 did not further respond, but the events of the "patch" incident further expansion of the trend, the outside world has shown great interest in how Microsoft will deal with this event."

    August 1, 20012:

    [All excerpts below were professionally translated, except where noted otherwise.]

    News appeared today accusing Qihoo 360 of faking a Microsoft patch in order to fool users into installing its own browser, locking them into Qihoo's default home page, leaving them unable to install it, and turning rival browsers into "Zombies."

    First, let me take the devil's advocate.

    I looked but could not find a mention of this by Microsoft, and one should expect one to follow at some point if this story is true.

    I found a blog which translated through Google which appeared to suggest the same: he found no mention (at this time) by Microsoft.

    I myself had installed the Qihoo 360 Safe browser this last weekend and had no trouble with the uninstall procedure. I did not install the patch however (as far as I know). (I did however install the antivirus, but after I had already installed the browser.) Also the problem involved IE6, and I was unable to get Microsoft to uninstall below IE7. So I was unable to give it a full test.

    On the other side of the argument,

    Mr Fu Sheng, the CEO of Kingsoft Internet Security, directly accuses Mr Zhou Hong Yi in a microblog,

    "The browser from 360 masquerades itself as a legitimate Microsoft update patch to trick users to install it, isn't this a problem? How are you going to remedy it? Mr Zhou?""

    The incident appeared in today's news (August 1, 2012), in an article that I ordered a translation for. Here are some excerpts and some screen shots that accompanied the article.

    Published through several news organizations, one of which was

    See it in the Google Translator, here; in the original Chinese, here. See all articles of the same title, here.

    Title: Qihoo 360 falsely reports loopholes in the Windows system to force the installation of their 360 browser.

    "Recently, Qihoo 360 has once again been exposed for malicious and deceptive fraud against users, and this has sparked widespread backlash in the blogging scene. There have been users who have posted screenshots online which show the 360 Security Defender wrongly detecting holes in the Windows system and thereby recommending users to install an upgrade patch. After the upgrading is completed, only then do they realise the "patch" is the 360 browser."

    The "patch" disables rival browsers:

    " Previously installed browsers are rendered inactive instantly and the default browser is locked as the 360 browser, with the homepage fixed as".

    QIHU accused of Fake MSFT patch

    [For a larger sample of screenshots -- apparently in sequential order -- here]

    A bit more technical information was provided:

    "According to evidence from the users, the 360 browser upon downloading as a patch changes its name to "Windows-KB360018-v7-x86.exe", which is markedly similar to actual Microsoft patches in name. "

    And then the past of the Qihoo CEO was resurrected:

    "Previously, incidents where users were forced to install software which subsequently modified the registry such that it cannot be deleted were fairly common. A classic example would be Qihoo 360's predecessor, 3721, for which Mr Zhou Hong Yi has thereby been called the 'Father of rogue software'."

    (For more on 3721, click here.)

    • Qihoo claims partnership with MSFT to upgrade browser?

    Huan Ren was said to Claim that Microsoft and Qihoo have a "partnership" with the Browser (emphasis mine):

    "Huan (Qihoo 360): The situation was much worse 2 years ago. Since then, IE6 market share has dropped from 60% to 20% thanks to a collective effort from all these browser vendors, but in particular Qihoo 360 has a partnership with Microsoft that upgrades the default browser on Windows XP from IE6 to IE8. In addition, even for those users who choose not to upgrade browsers, the Qihoo 360 browser brings an IE8 rendering engine to them. That turns out to be a big factor in phasing out IE6."

    This interview had been translated into English and was said to be "filed" in June 2012. See "Interview: Huawei, Maxthon, Qihoo 360, UC Web, and the Chinese Browser Perspective"

    Compare with recent allegations of the current scandal,

    (Google translated) IE6 kernel upgrade patch? 360 by counterfeit Microsoft patch strong push to the browser

    • Another article touching on the topic of IE6 updates and Qihoo360:

    Qihoo 360 Chairman Zhou domestic IE6 browser still occupies such a large market share, the relationship is not piracy. IE6 user's habits difficult to change, many ordinary users in this respect there is a lot of inert, they adapt to the IE6 style, do not want to and back to the top of the other browser. "Microsoft has stopped on IE6 technology support, and calls for global users to abandon IE6, using the new version of the browser. Unchanged to maintain the user's habits, to provide users with IE6 style browser, but using the updated kernel, you can better solve this problem, Zhou said.

    Allegedly, launched last month 360 security browser 5.0 has been adopted IE8.0 kernel.Interface, maintained consistent with the old version of IE6 browser, and user migration to the new version, no need to change the browsing habits. Technology research, this browser can not uninstall IE6 browser under the protection of user security. Did not uninstall the old version of the browser, users within the network does not support the new version of the browser can also use the older version of IE6 for office.

    Eliminate IE6 browser does not cooperate with their peers

    Internet security issues will always need to be addressed. 360 initiative 'to eliminate IE6' action to the original intention is to protect the user's security. Destroy the old version of the browser 360 one alone can not be done. 360 need everyone to work together to promote a new browser the update process. "Zhou said on Sohu IT, despite the eradication of IE6 this initiative requires the support of various industries, but 360 will not do browser counterparts to promote this action. Zhou's explanation is that the browser 360 in the domestic market share is the largest browser except IE series, if the 360 ​​can not move, other browsers will not do.

    "360 initiatives to eliminate IE6 browser Zhou said the cooperation with their peers" Link is to original Chinese page, since the whole page was truncated in the Google Translator link.

    • Not the first time users have been confused over Microsoft - Qihoo patches:

    Topic on Microsoft here, last post provides link to "Kafan" board.

    [Back to main article, "Table of Contents"]

    (Please feel free to correct me in the comment section.) From how I understand it, each executable program will have a unique encrypted code named for it. One such encrypted code name is SHA256 (Security Hash Algorithm 256 bits).

    The SHA256 for the file accused of being a fake Microsoft patch has one name on and another name on VirusTotal. For convenience, I will shorten the names to KB360 and KB999. It is listed on VirusTotal in June 2012.

    The filename KB999 on Systemexplorer has a completely different name on VirusTotal. It was listed in VirusTotal in January 2011.

    This means that the filename on VirusTotal is not the same as the filename in the recent scandal (although the SHA256 ID is the same).



    Disclosure: I am short QIHU.

    Aug 14 2:28 PM | Link | 11 Comments
  • More Dust Kicked Up In Kingsoft And Qihoo Fake Microsoft Patch Accusations

    [Note: This blog is an offshoot of a larger story: Qihoo 360 Accused of Faking a Microsoft Patch. ]

    A Disinformation war between Kingsoft and Qihoo 360?

    08/05/2012 (see 08/04/2012 update at end of blog)

    CEO of Kingsoft responding to what I'm calling "cloned smears" (See 08/03/2012 entry below):

    "The face of this "Gold Mountain defender patch" incident, Fu Sheng, CEO of Kingsoft Internet microblogging statement said: "In fact, Microsoft does have an IE6 upgrade IE8 plans, including 360 invited, Jinshan, including the number of partners to participate. only Jinshan honestly help Microsoft to upgrade to ie6 ie8, 360 but by the opportunity to trick users to install the browser 360. 360 things brought to light after the crazy dirty water splashed to Jinshan. "


    As if the issue were not confusing enough, articles today emerge accusing Kingsoft of virtually the same abuse, and using pretty much the same language as found in the charges leveled against Qihoo. (The link I had placed here no longer points to the same article.)

    It is almost comical how identical the accusations are. Search for ""补丁门"又有最新进展,或许是迫于舆论指责和微软的压力" and both Qihoo and Kingsoft accusations emerge next to each other. Just change the name and the patch code and its a "story"!

    (click to enlarge)Kingsoft and Qihoo identical accusations

    You can see the above here in a Google search. For a google translation try it in this Baidu search, here.

    So far a news search of the above string ( ""补丁门"又有最新进展,或许是迫于舆论指责和微软的压力" ) in Google will yield the accusation against Kingsoft, but news searches in Baidu only yield those accusations laid against Qihoo.

    General searches (outside of the news) on both engines yielded results for both.

    Here is the text comparing two articles, one accusing Kingsoft and the other accusing Qihoo (run through the Google translator).

    Cloned articles accusing both Qihoo and Kingsoft
    Article accusing KingsoftArticle accusing Qihoo 360
    Google Translator, hereGoogle Translator, here
    Forced by the accused of public opinion and pressure on Microsoft? The Jinshan emergency under the frame of the counterfeit patches

    Forced by Microsoft's pressure? 360 Emergency shelf counterfeit patches

    Jinshan counterfeit Microsoft patch door "but also the latest developments, perhaps forced by the pressure of opinion accusations and Microsoft Jinshan official emergency shelf fake Microsoft patch" KB660002, KB660001 ", and changed his tune called" Jinshan official patch.360 security guards "patch door" and the latest progress, perhaps forced by the pressure of opinion accusations and Microsoft have been 360 official emergency shelf of counterfeit Microsoft patch KB360018, and corrected himself and called 360 official patch.

    Previously review:

    Previous users microblogging broke Jinshan naming rules in accordance with Microsoft security patches, concocted a counterfeit Microsoft patch KB660002, KB660001, mislead consumers bundle to install the upgrade Kingsoft.

    Previously review:

    Previous users microblogging broke the 360 ​​naming rules in accordance with Microsoft security patches, concocted counterfeit Microsoft patch KB360018 "mislead consumers bundled installation of 360 browser.
    Subsequently, Microsoft appeared to stand, saying "It (KB660002, KB660001) is certainly not Microsoft's products". Follow-up processing for Microsoft, Microsoft officials were not done further response. Microsoft also said that the processing method temporarily to the media.Subsequently, Microsoft appeared to stand, saying "(KB360018) is certainly not Microsoft's products". Follow-up processing for Microsoft, Microsoft officials were not done further response. Microsoft also said that the processing method temporarily to the media.
    Jinshan official also made a formal response, said KB660002, KB660001 does not Microsoft's official patch, but by Jinshan self-published "false patch" the original intention of the software upgrade program. "360 official also made a formal response to recognition of KB360018 does not Microsoft's official patch, but from 360 self-published "false patch", the intention is "to provide the the IE6 kernel upgrade program.

    Latest developments:

    Microsoft officially released to hardware manufacturers Windows8RTM version with the appearance of the world's attention Win8 application store. Regrettably, the old domestic soft kill Duba did not get the opportunity into the Win8 application store.

    Latest developments:

    360 "360 018 360 official patch" claimed on its official forum, also announced that this patch has been off the assembly line.

    Here's another "cloned smear." I got this through the search "色收入占九成", which google translates as "black income accounted for 90% of the):

    (click to enlarge)Another cloned smear featuring Qihoo and Kingsoft


    Didn't get very far on this one, but a blogger in China made a nice observation, which I looked into and upon which I will elaborate:

    1.The fake patch attributed to Kingsoft had a 2009 date next to it. Qihoo's has 2012.

    2. The patch attributed to Qihoo took on a unique code. The one attributed to Kingsoft was identical to a patch independently attributed to Microsoft (see link below).

    3. Bloggers and the CEO of Kingssoft have said that Qihoo's patch installed its own browser, while Kingsoft's patch really did update the Internet Explorer.

    4. The official KB660001 patch was available before either Kingsoft's security guards existed or the new browser existed. As you can see a patch with the same code/name was offered independently in 2010, with a 2009 date next to the download:here. The URL found on that page still However, I was not able to find KB660001 on Microsoft's official site.

    This is not a slam-dunk, of course. The accusers can still say that it's possible that Kingsoft put malware under the guise of a 2009 IE8 SP Pack ... but why do that when, for example, they could have used a later update, such as the one available for Internet Explorer dated 2010? The pitch was, "your computer is in a high state of vulnerability" ... and then you want to fool them by offering a 3 year-old patch? If you're going to tell a lie, you are not limited to what's available. You can make up anything you want. In contrast, the patch attributed to Qihoo had a July 2012 date next to it.

    Although not conclusive, here's some source material:

    (click to enlarge)Kingsoft patch source material

    Disclosure: I am short QIHU.

    Aug 07 2:38 PM | Link | Comment!
  • Qihoo Reported To Have Lost Smartphone Partner Due To Recent Bad Press

    [back to "Table of Contents"]

    Qihoo Reported To Have Lost Smartphone Partner Due To Recent Bad Press

    First I should introduce two articles which suggest that the breakup might not be true and that the deal is ongoing:

    All translations here are through Google: The first article is here and the second, here.

    First article Title: "Huawei shining ship in August by the Ministry of certification"

    Relevant Text:

    "Phone Home Information Center, August 1, once came Huawei and Qihoo 360 both to the breakdown of news, but for the first 360 special machine "shine" or come to the reporters in the website of the Ministry of have seen this machine, Model Huawei U8836D, according to the official version, the machine will be listed in August shipment."

    The fact that the Ministry of Certification document is provided may suggest an attempt to debunk the articles such as the one that appeared yesterday. The rest of the article appears to be promotional material and goes on to detail the specs and shows some images of the phone.

    This article was one of the main reasons why I decided not to pursue this accusation any further and also stopped with professional translations at this point (below translations had already been performed). However, I'll keep this story on the watch list.

    Second Article Title: "Test the water commerce Huawei false start to the Internet" (Here)

    Both positive and negative suggestions in this article. Here is the sentence that leads one to believe that the deal is still in play:

    "In fact, Huawei shines special for the machine with 360 co-operation is still underway, but Huawei for 360 low-key approach, the fundamental reason is that, Huawei began the road of self-built Internet brand."

    Pro: Articles appeared in the press with supposedly inside staff members declaring the deal to be off.

    First, in the immediately preceding article ‒ "Test the water commerce Huawei false start to the Internet" (Here) ‒ we find suggestion of a rift:

    "Cooperation Initially, Yu Chengdong the excitement overflow in microblogging, but also on many occasions mentioned the 360. But more than a month later, Huawei 360 cooperation "cold treatment", the official voice no longer speak.

    "The fundamental reason is that, Huawei has its own idea, e-commerce specifications, Huawei's new thinking on the development of the Internet strategy. "

    The first part adds a little weight to the argument that a rift has taken place, if you believe that the second is merely how each party can save face.

    The excerpts from the next article were professionally translated. This article appeared before the above mentioned articles, otherwise I probably would not have gone through with paying for it. Oh well. Here it is:

    Titled: "Huawei's internal management confirms that it is cancelling its partnership with Qihoo 360: Exclusive behind the scenes news of the farce"

    This particular copy was pulled from China National Radio Network: Google Translation, here; the original, here.

    The article opens,

    "Recently, internal employees of Huawei have leaked out the news that Huawei's management has decided to cancel the partnership with Qihoo 360, although the exact reasons are unknown. But information from an internal meeting shows that Qihoo 360's own internal problems were a key factor in the termination of the partnership. Previously, the two machines specially provided by Qihoo 360 failed disastrously."

    Information on the "disaster" with the other two machines will be covered in this same series, in other blogs. Please refer to the "table of contents." This break up had been rumored to have taken place for over a month, and so just when I thought it had been finalized, and after paying for the translation, the other two articles (above) appeared and put on the brakes for further research. We'll just have to wait and see what happens. Time will tell.

    "According to the source, Huawei is a company that places great importance on the brand, and could not tolerate mobile phones with malicious software that causes chargebacks and delibrate leakage of user data. Before this, industry experts have analysed that the only hope of the continued partnership between Huawei and Qihoo 360 was if Qihoo 360's software was not packaged with the phones for sale, but such a move would not benefit Zhou Hong Yi at all."

    The next few sections of the article deal with the immediately preceding "disaster" where Qihoo 360 was blamed for the leakage of use data. This I will cover in the other blogs related to this one. See the "Table of contents."

    This particle article ends with a hard hit, and keeps up the suspicion that this might just be a smear:

    "A famous media 'Mobile Information' wrote: 'After 3 rounds of wrangling, it is time for answers from Qihoo 360. Right now, the outlooks seems poor, whether it is for consuming the bottom line to salvage the last vestiges of hope, or a quick and painless execution. The 360 Special Phones has breathed its last'"

    As mentioned earlier, the rumor of a breakup between these two is not new. It has persisted since the first announcement of the "cooperation" a little over a month ago. It is however a bolder declaration of the breakup. But it is contradicted by other articles, as mentioned above.

    The breakup itself would not seem t affect Qihoo's ongoing revenue story. What it would do however is shed light on the other more serious incidents detailed in the other blogs and which apparently would be a factor in any such breakup.

    [Return to "Table of Contents"

    Disclosure: I am short QIHU.

    Aug 01 10:46 PM | Link | Comment!
Full index of posts »
Latest Followers


More »

Latest Comments

Posts by Themes
Instablogs are Seeking Alpha's free blogging platform customized for finance, with instant set up and exposure to millions of readers interested in the financial markets. Publish your own instablog in minutes.