27 May 2020

One of China's largest malware botnets is temporarily disrupted by Chinese tech firms


Chinese tech companies Qihoo 360 and Baidu have teamed up in a fight against DoubleGuns, one of China's largest malware botnets that targets only users in China and is believed to have infected hundreds of thousands of victims to date.

DoubleGuns is a Windows malware that has been targeting Chinese users since 2017. While growing in size, the botnet has undergone a few changes in the past three years. The malware is mainly being spread via malicious apps shared on Chinese websites, with most being pirated games made available on Chinese social networks and gaming forums.

The main purpose of DoubleGuns is to deliver MBR and VBR bootkits on infected devices, install various malicious drivers, and then steal credentials from local apps, such as Steam. The malware can also act as adware and is able to hijack QQ accounts to spread ads to the victim's friends via private messages, ZDNet wrote.

In a recent blog post, Qihoo said that since May 14 it has been working with the Baidu security team to disrupt the DoubleGuns botnet's operations. The companies' joint efforts resulted in the takedown of some of the botnet's backend infrastructure, most of which was hosted on Baidu's Tieba image hosting service.

Qihoo said that for the past three years DoubleGuns has been downloading images from the Tieba service. The malware used a technique known as steganography to conceal malicious code inside those images. This code was used to provide DoubleGuns bots with instructions on what operations to perform on the infected hosts.

For the past two weeks, Qihoo and Baidu have been working on identifying and taking down malicious images and logging connections from infected hosts, which gave them insight into the real size of the botnet, currently estimated at "hundreds of thousands" of infected hosts.
