Matt Berry's  Instablog

Matt Berry
Send Message
Follow me on Twitter: I'll be publishing on my blog from now on. I usually send my reports through a newsletter first. Join the mailing list at Interests: -- reading up on bounded rationality, behaviorism, and philosophy -- writing... More
My blog:
3 Foot Crowbar
My book:
The Mechanics of Virtue: A cynic's guide to righteous behavior
  • Qihoo 360 Accused Of Faking A Microsoft Patch 11 comments
    Aug 14, 2012 2:28 PM | about stocks: QIHU

    [To go back to the main article, see "Table of Contents"]


    After spending two weeks on this, I have concluded that Qihoo did indeed counterfeit Microsoft's security patch. Below you can see some of the evidence during the "gathering process."

    If you are new to this page, please skip down to the August 1 entry to begin.


    I got ahold of Windows-KB360018-v4-x86.exe and re-analyzed it at Same SHA256. The filename has now updated to Windows-KB360018-v4-x86.exe. The filename -- WindowsXP-KB999999-x86.exe -- shows up in "more details" as the original filename.


    Thanks to Richard X Roe for pointing me in this direction and giving me an education on SHA256. (Any mistakes here are mine. Please correct me in the comment section if any of my information/assumptions are off.)

    As I understand it, each executable program will/can have a unique encrypted ID generated. For Qihoo and its recent scandal, we are referring to the SHA256 ID (Secure Hash Algorithm 256 bits).

    The SHA256 ID for the Microsoft Update which is said to be FAKE is the same on both systemexplorer and virustotal. However the names were different.

    (I will shorten the names for convenient reading.) What on is kb360 was kb999 on virustotal. The date is 2012.

    What on system explorer is kb999 does not have the same SHA256 ID as the original kb999 on virus total. The date is 2011.

    Before I updated the filename by re-analyzing it, this is how the two appeared in

    (click to enlarge source material)Change the Name, SAME SHA256

    Go to ...

    kb360: here

    kb999: here

    Click on the button "MD5" to connect with Virus Total. Click "more details" to see the former filename.

    1. Was Qihoo covering its tracks and/or avoiding being labeled a threat on Virus Total?
    2. Users on systemexplorer are flagging Qihoo's software as a "Threat." If they are correct, should the same software on VirusTotal be flagged as well?


    Video claiming to capture installation process: here.


    As if the issue were not confusing enough, articles today emerge accusing Kingsoft of virtually the same abuse, and using almost identical language as found in the charges leveled against Qihoo. Click here. [updated 08/04/2012]

    [Back to Qihoo 360]


    Here's a screenshot widely published in China, to which I have added some detail:

    (click to enlarge)Qihoo fake patch kb360018

    The red circle and red text were not mine. I added the call-outs framed in orange and using orange arrows.

    You can see the translation in the Google translator at the top or click here for a "live" translation.

    You can also see in the lower call-out that "" assigns the patch to Qihoo 360 and not to Microsoft. Click Here.

    I have been unable to confirm a response from Microsoft, although several blogs have reported that there has been response: IE, that its not Microsoft's patch. See below.

    [See end of blog for claim that Qihoo had a partnership with Microsoft to update the IE browser.]

    Articles for August 2, 2012 through Google Translator:

    "360 counterfeit Microsoft released a Patch With the latest progress,Microsoft official responded that "(KB360018) is certainly not Microsoft's products" incident in an interview. For how Microsoft will deal with this event, Microsoft officials without further response. Microsoft said that the relevant treatment temporarily can not be revealed to the media."

    "Up to now, Microsoft's official response, 360 did not further respond, but the events of the "patch" incident further expansion of the trend, the outside world has shown great interest in how Microsoft will deal with this event."

    August 1, 20012:

    [All excerpts below were professionally translated, except where noted otherwise.]

    News appeared today accusing Qihoo 360 of faking a Microsoft patch in order to fool users into installing its own browser, locking them into Qihoo's default home page, leaving them unable to install it, and turning rival browsers into "Zombies."

    First, let me take the devil's advocate.

    I looked but could not find a mention of this by Microsoft, and one should expect one to follow at some point if this story is true.

    I found a blog which translated through Google which appeared to suggest the same: he found no mention (at this time) by Microsoft.

    I myself had installed the Qihoo 360 Safe browser this last weekend and had no trouble with the uninstall procedure. I did not install the patch however (as far as I know). (I did however install the antivirus, but after I had already installed the browser.) Also the problem involved IE6, and I was unable to get Microsoft to uninstall below IE7. So I was unable to give it a full test.

    On the other side of the argument,

    Mr Fu Sheng, the CEO of Kingsoft Internet Security, directly accuses Mr Zhou Hong Yi in a microblog,

    "The browser from 360 masquerades itself as a legitimate Microsoft update patch to trick users to install it, isn't this a problem? How are you going to remedy it? Mr Zhou?""

    The incident appeared in today's news (August 1, 2012), in an article that I ordered a translation for. Here are some excerpts and some screen shots that accompanied the article.

    Published through several news organizations, one of which was

    See it in the Google Translator, here; in the original Chinese, here. See all articles of the same title, here.

    Title: Qihoo 360 falsely reports loopholes in the Windows system to force the installation of their 360 browser.

    "Recently, Qihoo 360 has once again been exposed for malicious and deceptive fraud against users, and this has sparked widespread backlash in the blogging scene. There have been users who have posted screenshots online which show the 360 Security Defender wrongly detecting holes in the Windows system and thereby recommending users to install an upgrade patch. After the upgrading is completed, only then do they realise the "patch" is the 360 browser."

    The "patch" disables rival browsers:

    " Previously installed browsers are rendered inactive instantly and the default browser is locked as the 360 browser, with the homepage fixed as".

    QIHU accused of Fake MSFT patch

    [For a larger sample of screenshots -- apparently in sequential order -- here]

    A bit more technical information was provided:

    "According to evidence from the users, the 360 browser upon downloading as a patch changes its name to "Windows-KB360018-v7-x86.exe", which is markedly similar to actual Microsoft patches in name. "

    And then the past of the Qihoo CEO was resurrected:

    "Previously, incidents where users were forced to install software which subsequently modified the registry such that it cannot be deleted were fairly common. A classic example would be Qihoo 360's predecessor, 3721, for which Mr Zhou Hong Yi has thereby been called the 'Father of rogue software'."

    (For more on 3721, click here.)

    • Qihoo claims partnership with MSFT to upgrade browser?

    Huan Ren was said to Claim that Microsoft and Qihoo have a "partnership" with the Browser (emphasis mine):

    "Huan (Qihoo 360): The situation was much worse 2 years ago. Since then, IE6 market share has dropped from 60% to 20% thanks to a collective effort from all these browser vendors, but in particular Qihoo 360 has a partnership with Microsoft that upgrades the default browser on Windows XP from IE6 to IE8. In addition, even for those users who choose not to upgrade browsers, the Qihoo 360 browser brings an IE8 rendering engine to them. That turns out to be a big factor in phasing out IE6."

    This interview had been translated into English and was said to be "filed" in June 2012. See "Interview: Huawei, Maxthon, Qihoo 360, UC Web, and the Chinese Browser Perspective"

    Compare with recent allegations of the current scandal,

    (Google translated) IE6 kernel upgrade patch? 360 by counterfeit Microsoft patch strong push to the browser

    • Another article touching on the topic of IE6 updates and Qihoo360:

    Qihoo 360 Chairman Zhou domestic IE6 browser still occupies such a large market share, the relationship is not piracy. IE6 user's habits difficult to change, many ordinary users in this respect there is a lot of inert, they adapt to the IE6 style, do not want to and back to the top of the other browser. "Microsoft has stopped on IE6 technology support, and calls for global users to abandon IE6, using the new version of the browser. Unchanged to maintain the user's habits, to provide users with IE6 style browser, but using the updated kernel, you can better solve this problem, Zhou said.

    Allegedly, launched last month 360 security browser 5.0 has been adopted IE8.0 kernel.Interface, maintained consistent with the old version of IE6 browser, and user migration to the new version, no need to change the browsing habits. Technology research, this browser can not uninstall IE6 browser under the protection of user security. Did not uninstall the old version of the browser, users within the network does not support the new version of the browser can also use the older version of IE6 for office.

    Eliminate IE6 browser does not cooperate with their peers

    Internet security issues will always need to be addressed. 360 initiative 'to eliminate IE6' action to the original intention is to protect the user's security. Destroy the old version of the browser 360 one alone can not be done. 360 need everyone to work together to promote a new browser the update process. "Zhou said on Sohu IT, despite the eradication of IE6 this initiative requires the support of various industries, but 360 will not do browser counterparts to promote this action. Zhou's explanation is that the browser 360 in the domestic market share is the largest browser except IE series, if the 360 ​​can not move, other browsers will not do.

    "360 initiatives to eliminate IE6 browser Zhou said the cooperation with their peers" Link is to original Chinese page, since the whole page was truncated in the Google Translator link.

    • Not the first time users have been confused over Microsoft - Qihoo patches:

    Topic on Microsoft here, last post provides link to "Kafan" board.

    [Back to main article, "Table of Contents"]

    (Please feel free to correct me in the comment section.) From how I understand it, each executable program will have a unique encrypted code named for it. One such encrypted code name is SHA256 (Security Hash Algorithm 256 bits).

    The SHA256 for the file accused of being a fake Microsoft patch has one name on and another name on VirusTotal. For convenience, I will shorten the names to KB360 and KB999. It is listed on VirusTotal in June 2012.

    The filename KB999 on Systemexplorer has a completely different name on VirusTotal. It was listed in VirusTotal in January 2011.

    This means that the filename on VirusTotal is not the same as the filename in the recent scandal (although the SHA256 ID is the same).



    Disclosure: I am short QIHU.

    Stocks: QIHU
Back To Matt Berry's Instablog HomePage »

Instablogs are blogs which are instantly set up and networked within the Seeking Alpha community. Instablog posts are not selected, edited or screened by Seeking Alpha editors, in contrast to contributors' articles.

Comments (11)
Track new comments
  • BugEYE
    , contributor
    Comments (194) | Send Message
    yep, that is outrageous and unbelievable. However cheaters do thrive in China. Sigh....
    2 Aug 2012, 06:55 AM Reply Like
  • Matt Berry
    , contributor
    Comments (222) | Send Message
    Author’s reply » CEO Zhou has big enemies ... and lots of them. These guys have been waging a war of words for years now. We'll have more clarity when MSFT comments on it (that is, IF they comment).
    2 Aug 2012, 09:21 AM Reply Like
  • blebli
    , contributor
    Comments (2) | Send Message
    All Microsoft updates intended for the general public have a website describing them, if there was an update called KB360018 its describition would be at (fun fact: recent microsoft patches have a digit more)
    3 Aug 2012, 12:18 PM Reply Like
  • Matt Berry
    , contributor
    Comments (222) | Send Message
    Author’s reply » A fun fact it is. I'm still looking for an official Microsoft response.
    3 Aug 2012, 03:33 PM Reply Like
  • Matt Berry
    , contributor
    Comments (222) | Send Message
    Author’s reply » Posted a question to Microsoft yesterday. No response by end of the day.
    4 Aug 2012, 01:16 PM Reply Like
  • blebli
    , contributor
    Comments (2) | Send Message
    That Microsoft wants IE6 out of its way is no secret. Also that China is the last red country on Microsoft's IE6 countdown site:
    So it's very likely to assume that Microsoft did indeed ask all popular browser vendors in China utilising the Trident engine to update to the IE6 version, but one thing is certain, they didn't ask them to be impersonated by them.
    4 Aug 2012, 05:00 PM Reply Like
  • Matt Berry
    , contributor
    Comments (222) | Send Message
    Author’s reply » CEO of Kingsoft appears to have said pretty much the same. He was responding to what I'm calling "cloned smears" (See


    Note: "Jinshan" (phonetic) and "Gold Mountain" (literal) are how Google sometimes deals with the Chinese characters (金山) -- which in the English speaking world is known as "Kingsoft". The Chinese statement uses the 金山 characters consistently, while in the Google translator it appears in three different forms -- so I have inserted [Kingsoft] for more accurate and easier reading. See link for the original.


    "The face of this "[Kingsoft] defender patch" incident, Fu Sheng, CEO of Kingsoft Internet microblogging statement said: "In fact, Microsoft does have an IE6 upgrade IE8 plans, including 360 invited, [Kingsoft], including the number of partners to participate. only [Kingsoft] honestly help Microsoft to upgrade to ie6 ie8, 360 but by the opportunity to trick users to install the browser 360. 360 things brought to light after the crazy dirty water splashed to [Kingsoft]. "
    5 Aug 2012, 12:19 PM Reply Like
  • Richard X Roe
    , contributor
    Comments (2280) | Send Message


    Looked at the unique SHA256 signature of the "patch." It appears that the same file was submitted for virus check about a month ago but under the name "WindowsXP-KB999999-x8...



    Also note these posts and from January 2011 in which Qihoo employees explain that this is a valid Qihoo patch (although not necessarily a Microsoft patch). As far as I know, Microsoft has no rights to the names "windows-kb360018-v4-x... or "WindowsXP-KB999999-x8... so Qihoo should be able to use them to deploy its own "patches."


    Looks like Qihoo has been doing this for quite some time (at least for 19 months), and it is unclear why it has become such an issue recently. Of course, nobody in their right mind will ever use Qihoo browser and antivirus on a desktop, given that IE, Chrome, and Microsoft Security Essentials are all free and pretty decent products.
    7 Aug 2012, 02:49 PM Reply Like
  • heyuehong2013
    , contributor
    Comments (2) | Send Message
    Chinese netizens (except for a few people) are very hate 360, in tencent and 360 the "war" proved.
    10 Oct 2012, 02:51 AM Reply Like
  • heyuehong2013
    , contributor
    Comments (2) | Send Message
    Chinese (except for a few people) are very hate JiHu, because tencent and JiHu the "war" has proved JiHu very dirty
    10 Oct 2012, 02:53 AM Reply Like
  • kebok
    , contributor
    Comment (1) | Send Message
    I'm very don't like qihoo360. because it's very, now ,you can to truy the Kingsoft Antivirus and tencent, that's very good! it'sreally!!
    10 Oct 2012, 04:17 AM Reply Like
Full index of posts »
Latest Followers


More »

Latest Comments

Instablogs are Seeking Alpha's free blogging platform customized for finance, with instant set up and exposure to millions of readers interested in the financial markets. Publish your own instablog in minutes.