Matt Berry's  Instablog

[To go back to the main article, see "Table of Contents"]

08/14/2012

After spending two weeks on this, I have concluded that Qihoo did indeed counterfeit Microsoft's security patch. Below you can see some of the evidence during the "gathering process."

If you are new to this page, please skip down to the August 1 entry to begin.

08/08/2012

I got ahold of Windows-KB360018-v4-x86.exe and re-analyzed it at VirusTotal.com. Same SHA256. The filename has now updated to Windows-KB360018-v4-x86.exe. The filename -- WindowsXP-KB999999-x86.exe -- shows up in "more details" as the original filename.

08/07/2012

Thanks to Richard X Roe for pointing me in this direction and giving me an education on SHA256. (Any mistakes here are mine. Please correct me in the comment section if any of my information/assumptions are off.)

As I understand it, each executable program will/can have a unique encrypted ID generated. For Qihoo and its recent scandal, we are referring to the SHA256 ID (Secure Hash Algorithm 256 bits).

The SHA256 ID for the Microsoft Update which is said to be FAKE is the same on both systemexplorer and virustotal. However the names were different.

(I will shorten the names for convenient reading.) What on systemexplorer.net is kb360 was kb999 on virustotal. The date is 2012.

What on system explorer is kb999 does not have the same SHA256 ID as the original kb999 on virus total. The date is 2011.

Before I updated the filename by re-analyzing it, this is how the two appeared in Virustotal.com:

(click to enlarge source material)

Go to systemexplorer.net ...

kb360: here

kb999: here

Click on the button "MD5" to connect with Virus Total. Click "more details" to see the former filename.

1. Was Qihoo covering its tracks and/or avoiding being labeled a threat on Virus Total?
2. Users on systemexplorer are flagging Qihoo's software as a "Threat." If they are correct, should the same software on VirusTotal be flagged as well?

8/04/2012

Video claiming to capture installation process: here.

8/03/2012

As if the issue were not confusing enough, articles today emerge accusing Kingsoft of virtually the same abuse, and using almost identical language as found in the charges leveled against Qihoo. Click here. [updated 08/04/2012]

[Back to Qihoo 360]

8/02/2012

Here's a screenshot widely published in China, to which I have added some detail:

(click to enlarge)

The red circle and red text were not mine. I added the call-outs framed in orange and using orange arrows.

You can see the translation in the Google translator at the top or click here for a "live" translation.

You can also see in the lower call-out that "systemexplorer.net" assigns the patch to Qihoo 360 and not to Microsoft. Click Here.

I have been unable to confirm a response from Microsoft, although several blogs have reported that there has been response: IE, that its not Microsoft's patch. See below.

[See end of blog for claim that Qihoo had a partnership with Microsoft to update the IE browser.]

Articles for August 2, 2012 through Google Translator:

• Microsoft's response to the 360 "patch" incident: That is certainly not a Microsoft product

"360 counterfeit Microsoft released a Patch With the latest progress,Microsoft official responded that "(KB360018) is certainly not Microsoft's products" incident in an interview. For how Microsoft will deal with this event, Microsoft officials without further response. Microsoft said that the relevant treatment temporarily can not be revealed to the media."

"Up to now, Microsoft's official response, 360 did not further respond, but the events of the "patch" incident further expansion of the trend, the outside world has shown great interest in how Microsoft will deal with this event."

• Dark cloud exposure Qihoo 360 any user password
• Qihoo 360 rogue promotion habits Zhou accused
• Qihoo 360 black income accounted for 90% of the Zhou acquiescence dark deduction malicious promotion
• Qihoo 360 rogue promotion of malignant events social impact

August 1, 20012:

[All excerpts below were professionally translated, except where noted otherwise.]

News appeared today accusing Qihoo 360 of faking a Microsoft patch in order to fool users into installing its own browser, locking them into Qihoo's default home page, leaving them unable to install it, and turning rival browsers into "Zombies."

First, let me take the devil's advocate.

I looked but could not find a mention of this by Microsoft, and one should expect one to follow at some point if this story is true.

I found a blog which translated through Google which appeared to suggest the same: he found no mention (at this time) by Microsoft.

I myself had installed the Qihoo 360 Safe browser this last weekend and had no trouble with the uninstall procedure. I did not install the patch however (as far as I know). (I did however install the antivirus, but after I had already installed the browser.) Also the problem involved IE6, and I was unable to get Microsoft to uninstall below IE7. So I was unable to give it a full test.

On the other side of the argument,

Mr Fu Sheng, the CEO of Kingsoft Internet Security, directly accuses Mr Zhou Hong Yi in a microblog,

"The browser from 360 masquerades itself as a legitimate Microsoft update patch to trick users to install it, isn't this a problem? How are you going to remedy it? Mr Zhou?""

The incident appeared in today's news (August 1, 2012), in an article that I ordered a translation for. Here are some excerpts and some screen shots that accompanied the article.

Published through several news organizations, one of which was http://www.citnews.com.cn/news/201208/153010.html.

See it in the Google Translator, here; in the original Chinese, here. See all articles of the same title, here.

Title: Qihoo 360 falsely reports loopholes in the Windows system to force the installation of their 360 browser.

"Recently, Qihoo 360 has once again been exposed for malicious and deceptive fraud against users, and this has sparked widespread backlash in the blogging scene. There have been users who have posted screenshots online which show the 360 Security Defender wrongly detecting holes in the Windows system and thereby recommending users to install an upgrade patch. After the upgrading is completed, only then do they realise the "patch" is the 360 browser."

The "patch" disables rival browsers:

" Previously installed browsers are rendered inactive instantly and the default browser is locked as the 360 browser, with the homepage fixed as hao.360.cn".

[For a larger sample of screenshots -- apparently in sequential order -- here]

A bit more technical information was provided:

"According to evidence from the users, the 360 browser upon downloading as a patch changes its name to "Windows-KB360018-v7-x86.exe", which is markedly similar to actual Microsoft patches in name. "

And then the past of the Qihoo CEO was resurrected:

"Previously, incidents where users were forced to install software which subsequently modified the registry such that it cannot be deleted were fairly common. A classic example would be Qihoo 360's predecessor, 3721, for which Mr Zhou Hong Yi has thereby been called the 'Father of rogue software'."

(For more on 3721, click here.)

• Qihoo claims partnership with MSFT to upgrade browser?

Huan Ren was said to Claim that Microsoft and Qihoo have a "partnership" with the Browser (emphasis mine):

"Huan (Qihoo 360): The situation was much worse 2 years ago. Since then, IE6 market share has dropped from 60% to 20% thanks to a collective effort from all these browser vendors, but in particular Qihoo 360 has a partnership with Microsoft that upgrades the default browser on Windows XP from IE6 to IE8. In addition, even for those users who choose not to upgrade browsers, the Qihoo 360 browser brings an IE8 rendering engine to them. That turns out to be a big factor in phasing out IE6."

This interview had been translated into English and was said to be "filed" in June 2012. See "Interview: Huawei, Maxthon, Qihoo 360, UC Web, and the Chinese Browser Perspective"

Compare with recent allegations of the current scandal,

(Google translated) IE6 kernel upgrade patch? 360 by counterfeit Microsoft patch strong push to the browser

• Another article touching on the topic of IE6 updates and Qihoo360:

Qihoo 360 Chairman Zhou domestic IE6 browser still occupies such a large market share, the relationship is not piracy. IE6 user's habits difficult to change, many ordinary users in this respect there is a lot of inert, they adapt to the IE6 style, do not want to and back to the top of the other browser. "Microsoft has stopped on IE6 technology support, and calls for global users to abandon IE6, using the new version of the browser. Unchanged to maintain the user's habits, to provide users with IE6 style browser, but using the updated kernel, you can better solve this problem, Zhou said.

Allegedly, launched last month 360 security browser 5.0 has been adopted IE8.0 kernel.Interface, maintained consistent with the old version of IE6 browser, and user migration to the new version, no need to change the browsing habits. Technology research, this browser can not uninstall IE6 browser under the protection of user security. Did not uninstall the old version of the browser, users within the network does not support the new version of the browser can also use the older version of IE6 for office.

Eliminate IE6 browser does not cooperate with their peers

Internet security issues will always need to be addressed. 360 initiative 'to eliminate IE6' action to the original intention is to protect the user's security. Destroy the old version of the browser 360 one alone can not be done. 360 need everyone to work together to promote a new browser the update process. "Zhou said on Sohu IT, despite the eradication of IE6 this initiative requires the support of various industries, but 360 will not do browser counterparts to promote this action. Zhou's explanation is that the browser 360 in the domestic market share is the largest browser except IE series, if the 360 ​​can not move, other browsers will not do.

"360 initiatives to eliminate IE6 browser Zhou said the cooperation with their peers" Link is to original Chinese page, since the whole page was truncated in the Google Translator link.

• Not the first time users have been confused over Microsoft - Qihoo patches:

Topic on Microsoft here, last post provides link to "Kafan" board.

[Back to main article, "Table of Contents"]

(Please feel free to correct me in the comment section.) From how I understand it, each executable program will have a unique encrypted code named for it. One such encrypted code name is SHA256 (Security Hash Algorithm 256 bits).

The SHA256 for the file accused of being a fake Microsoft patch has one name on systemexplorer.net and another name on VirusTotal. For convenience, I will shorten the names to KB360 and KB999. It is listed on VirusTotal in June 2012.

The filename KB999 on Systemexplorer has a completely different name on VirusTotal. It was listed in VirusTotal in January 2011.

This means that the filename on VirusTotal is not the same as the filename in the recent scandal (although the SHA256 ID is the same).

KB360: http://systemexplorer.net/file-database/file/windows-kb360018-v4-x86-exe

KB999: http://systemexplorer.net/file-database/file/windowsxp-kb999999-x86-exe

Disclosure: I am short QIHU.