Internet Security Report of Baidu for First Half of 2013 In Thailand



1 . Overview

According to data analysis by the cloud data center of Baidu internationalization team, Internet in Thailand demonstrates the following three characteristics in the first half of 2013:

1.   Privacy and account information security of users were deteriorating. Viruses and Trojans have shown a trend of being more interest-oriented.

2.   The destructive viruses and Trojans have decreased, but persistence of Trojans has grown. Once infected, it is difficult to be removed.

3.   The momentum of hanging horse was restrained, while phishing websites were rising which were of higher emulation and further specialized.


Abstract of main contents in this report:

1.       Making statistic analysis of the status of viruses and Trojans in the first half of 2013 and the future development trend of viruses based on interceptions for viruses and Trojans in the first half of 2013.

2.       Making statistic analysis of the categories and deceit ways of phishing websites in the first half of 2013, and analyzing the future trend of phishing based on the information intercepted from phishing websites in the first half of 2013.

3.       Comprehensively analyzing the current status of network security, and future difficulties of antivirus and solutions.

2 . Disclaimer

Data mentioned in this report bases on the summary data from such related departments as the cloud center of Baidu internationalization antivirus team (a subsidiary of Baidu).This report is only for statistics, research and analysis of the related information, technical details and development trend of viruses and Trojans in Thailand in the first half of 2013.All the conclusions and viewpoints are released exclusively by our company and are irrelevant to other companies and departments.   Some cases and data described in this report may differ from those of other institutes, therefore, users should make their own judgments, and our company undertakes no relevant legal liabilities .


3 . Virus and Trojan

3.1 Overview

In the first half of 2013, the cloud data center of Baidu internationalization security team   captured 13,300,308 new viruses and 1,078,008 of which came from Thailand, including 769,143 Trojans which account for 71.35% of all the viruses and top other types of viruses.   New virus samples contain 87,116 infectious viruses, accounting for 8.08% of the total which is the second largest group.   With a percentage of 6.50%, adware climbs ranks the third, surpassing backdoors and worms. Worms, backdoors and hack tools account for 3.99%, 3.82% and 5.98% respectively ,   as shown in the following figure .

              Figure 1:   Distribution of Different Types of Viruses Captured by Baidu Internationalization Security Team in First Half of 2013


Figure 2 displays the number of viruses and Trojans captured in each month of the first half of 2013.According to the chart, the numbers of samples captured in January and February are significantly less than that captured in each month after March. The main reason for that is the Spring Festival, because Thailand is also one of the countries where people celebrate the Spring Festival.   After that time, the explosion of different types of 0day caused an increase of hanging horse websites and applications using 0day, thus making the number of viruses rise obviously.   Especially in April, the new high risk vulnerability CVE-2013-0027 of Microsoft Internet Explorer influenced all versions of Microsoft Internet Explorer from Microsoft Internet Explorer 6 to Microsoft Internet Explorer 10. So the number of hanging horse rose perpendicularly in April and May, which leaded to an increase of the number of viruses, as shown in the following figure.

 Figure 2:   Number of Viruses Captured by Baidu Internationalization Security Team in Each Month of First Half of 2013


3.2 Top 10 Viruses in the first half of 2013

The following table shows the top ten viruses in Thailand in the first half of 2013 summarized by the cloud data center of Baidu internationalization security team based on the types, number of mutations, number of infected computers and damage degrees of viruses.



Name of Virus


Severity Level






This is an old infectious virus. A few mutations of this virus are still prevailing after several years of its first prevalence, and it is hard to remove and repair.





It is disguised as a folder icon, which makes users believe that it is a normal folder. Users get infected when double click the virus. If attacked, operations of registry and task manager will be prohibited, and the attributes of folders will be altered.   It is generally transmitted through mobile media such as USB disks.


Worm.Win32. Changeup.47



It evolves constantly to change its MD5, thus making it difficult for antivirus software to distinguish it.





It is often disguised as IE icon and transmits through method such as binding. After being infected by this Trojan, a number of unknown services and processes will appear, which can slow down computers.





This is a virus downloader, which can download many malwares from Internet to infected computers.





This is also a well-known infectious virus with a long history. Due to utilization of polymorphism, it has a lot of mutations. It is difficult to repair the systems infected by this virus which is still prevailing.





This Trojan uses support tools of computer games as the baits to steal the game accounts and passwords of infected users.





It transmits through the network share whose password can be cracked easily and receives instructions from an IRC channel of a specific IRC server.   The infected computers can be remotely accessed without authorization.





It injects viruses into puppet processes. It is difficult to be found out killed.   It also can release a few backdoors, making the infected computers be controlled by remote computers.





It uses complex encryption methods to obtain the users' windows login and ftp passwords and then email them to the authors.

  Figure 3:   Top 10 Viruses in Thailand in First Half of 2013

3.3 Analysis of virus technology trend in the first half of 2013

3.3.1 Old infectious viruses are still prevailing

According to data intercepted in the first half of 2013, infectious viruses following Trojans are still the second largest group among all the viruses in Thailand.   The two old infectious viruses, Virus.Win32.Virut.47 and Virus.Win32.Sality.47, accounting for more than 80% of infectious viruses, have the largest infected amount.

Although it has been many years since the first explosion of the two infectious viruses, they still have their impact. As they have various mutations and use such technologies as polymorphism and EPO, it has always been a trouble for manufacturers to detect and repair them.   For users, after being infected, systems will not encounter such problems as crash and retard, and the infected systems remain high stability, so common users cannot detect attacks.

3.3.2 The fight between viruses and antivirus software is escalating

As major antivirus software manufacturers continue to make efforts to suppress viruses and the cloud security system is improving constantly, virus authors are facing unprecedented pressure, resulting in a more fierce fight between viruses and antivirus software.   At the very beginning, feature codes could avoid being killed. Later, junk data was filled in the trailer to avoid cloud killing. And now viruses are changing constantly and can generate new md5 values, which makes antivirus software cannot identify or immediately identify viruses.

  The worm Changeup.47 generates many files through self-deformation ,   as shown in the following figure.   We can see that the icons generated by viruses are folder icons with random file names and same file size, but the CRC32 values of the files are different.


 Figure 4:   Files Generated by Viruses through Self-deformation

Some other special Trojans use the "white + black" method to avoid being intercepted and killed by antivirus software.   "White + black" refers to that virus authors bind a malicious component to a piece of software (generally with a valid digital signature) released by a legal company.

An executable file is a requirement for common programs, namely exe file, while large legal software has its own component, such as dynamic library loading dll.   However, many exe files do not detect the finiteness of dlls, as a result, hackers can create malicious dlls to replace normal dlls and then load and run these dlls.   The rough schematic diagram is as follows:


Figure 5:   Schematic Diagram of Using "White + Black"

As the software used by virus authors is generally widely used or a must for computer installation, it is difficult for users to distinguish whether some files are replaced maliciously and to defend themselves effectively.   So   Baidu security experts   remind that everyone should use   Baidu PC App Store (   if possible to download and install software, or go to large legal websites to download reliable software.

3.3.3 The large increasing amount of rogue advertisement software

As security manufacturers are making greater efforts to suppress viruses, there will be less and less space for viruses.   Although the fight continues, the cost is too high. Therefore, the virus authors who once aimed at profiteering are starting to develop rogue software, advertisement software and software that is used to brush flow maliciously instead of writing viruses and Trojans.

As advertisement software and background flow brush software are not viruses and Trojans in the conventional sense and different antivirus companies have their own standards, providing certain space for these rogue programs. The severity of rogue software is less than that of viruses and Trojans. Besides opening some processes silently in the background to brush flow, such software can only open advertisement boxes or bind a piece of software that seems nice (a piece of malicious promotion software in fact), so users usually cannot perceive it and will ignore it even when detecting it.   Thus, users unconsciously act as a tool to make money for hackers and have not realized it at all.

The following shows an operational process of advertisement brush software:


Figure 6:   Run Advertisement Software

This malicious advertisement program is disguised as an IE icon and runs silently in the background. Then this program will request to visit the advertisement websites designated by it every one minute.   Of course users do not know this operational process and this advertisement program executes silently in the background.   From the URL, we can see that there are promotion links in the webpage link and some virus authors earn money by using it to brush advertisements.


Figure 7:   Advertisement Webpage Visited Silently in the Background

3.3.4 Facebook is one of the victims

As users are spending more and more time on network communities in their lives, virus authors start to turn to these communities. As the largest social platform, Facebook naturally cannot avoid this.   In May, the Baidu cloud security center captured a browser plug-in named   Trojan.Chrome.SNS_Spy.38,   the number of computers infected by it reached up to more than 8000 within only 3 days in Thailand.   This plug-in steals users' privacy information such as cookie including users' login information and friend list when users log in Facebook,   and releases advertisements to deceit users to download malware.

With the stolen friend lists, this malicious information will also be sent to the friends of attacked users and this process will be duplicated and multiplied, as shown in the following figure.

                        Figure 5:   Facebook Infection Schematic Diagram

3.3.5 Account security becomes the top priority

With the increasing number of online gamers in Thailand and continuous popularity of online shopping, it becomes the top priority to prevent the theft of game account passwords and online bank passwords by hackers.

According to data from Baidu internationalization cloud security data center, 3700 account stealing viruses were captured in May, of which the online game account stealing and the bank account stealing account for 53.7% and 36.9% respectively.   These Trojans usually capture the screen information of users or link up with the keyboard hooks, and then send the captured information to the mail boxes specified by hackers.   Additionally, these viruses will create new system processes as puppet processes and inject the key codes of viruses into puppet processes to make it difficult for users to perceive and kill them.

The following shows how onlinegames.gen (a representative Trojan that steals game accounts) steals accounts:

First, the Trojan monitors the game login. This Trojan becomes active when users log in a game.

Figure 6:   Users Log in a Game Interface

Then the Trojan sends the captured account and password of the game to a mail box specified by its author through the installed mouse and keyboard hooks.   The following figure shows the sending process and sniffer.

Figure 7:   Network Package Generated When Trojan Sends Account and Password

The sent contents are encrypted through base64, and the contents after decryption are the account and password just entered in the game login interface.   The following figure shows the contents after decryption, which are found consistent with the contents entered during login.

Figure 8:   Mail Contents after base64 Decryption

Based on the conclusions after analysis of these samples by Baidu security researchers, the Trojans that appeared in Thailand still use relatively backward and primal technologies, but the increasing speed is very fast in the recent period, which is worth the attention of netizens and security companies.

3.3.6 Mobile Internet security problems are increasingly outstanding

In recent years, with the popularity of smart phones, people can shop online, send and receive Emails, chat, and process online payment with only a mobile phone or a tablet.   As we all know, Android, IOS, Symbian, WindowsMobile and BlackBerry are the most widely-used mobile security systems.   However, since Android system is highly open and most widely used, a large number of Android Apps are developed.   Moreover, Android system is in the use of open source, and therefore the defects of Android system are prone to be discovered by hackers, which certainly cause the disclosure of user privacy stored in their phones. Meanwhile, hackers can also brush flow and click advertisements on the background surreptitiously to bring expensive traffic fees to users.   In view of the above, Android system is increasingly becoming a strategic fort for hackers to attack.

According to Baidu Cloud Security Center's statistics,   Android   virus new samples only reported by users have reached to 2088 in the first half of 2013.The following figure shows the distribution of Android samples.

 Figure 9:   Distribution of Android samples in the first half of 2013


In general, viruses of Android system can intercept contact lists and call history of users and send the privacy information to the virus author.   The virus author will sell the information to merchants desiring the information to seek profit.   Then, the information buyer will send junk short messages and advertisements by using the information, disturbing people's daily life and work.   What is more, they even use the victims' social network to practice extortion.

Moreover, viruses of Android system can steal the user's photos, videos, account number and other personal privacy information, which seriously violates users' privacy, leading to severe consequences.

Additionally, when hackers brush flow for advertising on the background, they not only earn promotion returns but also cause expensive traffic fees. In this case, users have to pay for these advertising bills instead of merchants.

With the popularity of location based service (LBS), the location privacy of users has increasingly become a significant concern. Location information, which seems like worthless for common people, may bring extraordinary benefits for lawbreakers.

3.3.7 APT attack becomes a primary attack means

Recently, users are attacked by Advanced Persistent Threats (APTs) more frequently. According to incomplete statistics, a large number of websites of various enterprises and governments have ever been attacked more or less by APTs.   From the "Stuxnet" in 2010 to the "Flame" of last year to the incident of the website of the South Korea government is being invaded in March, APT has become a primary network attack means.   A wide variety of attack means as well as their concealment and persistence undoubtedly increase the network security defense difficulty.   How to protect the websites of enterprises and governments from attacks and their internal privacy from disclosure has become a severe challenge for the security departments of enterprises and governments.

4. Malicious websites

4.1 Overview

In the first half of 2013, Baidu Internationalization Security Team has detected the malicious URLs for 876,000 times in the URL Cloud Data Center, including 232,000 hanging horse websites, taking up 26.5% of total malicious URLs. Since hanging horse websites have no substantive technical breakthrough currently and a great many security manufactures can effectively block them, the threats of Trojan-linking websites is not so serious comparing with PE virus.

Nowadays, Thai websites have a low security in a whole and Thai people have relatively less understanding about the threat and severity of network virus invading. Moreover, as more and more automatic and intelligent tools come in being, it is not so difficult for virus and hanging horse websites to invade networks.   Therefore, it is still a severe challenge for Thai netizens and security manufacturers to prevent networks from being invaded and hung horse. The following will describe some specific problems.

4.2 Phishing websites

According to data intercepted by the Baidu Internationalization Security Team in the URL Cloud Data Center, phishing websites either directly visit URLs with IP addresses or use the realm name of com |||   The following figure shows the distribution of phishing websites realm names.


Figure 10:   Distribution of phishing websites realm names in 2013

According to the statistics of Baidu Cloud Data Center in the first half of 2013, most phishing websites are bank phishing websites. Since phishing websites are of high emulation, therefore they are scarcely distinguished from actual websites, so it is impossible for users to defend effectively.

4.3 Phishing websites trend analysis

4.3.1 Higher and higher emulation level raises discernment difficulty

With higher emulation level, more complex structure, and more concealed realm names of phishing websites, it is more difficult for users to distinguish them.   Even professional security personnel may be phished carelessly to suffer economic loss, let alone common users.

The following figure shows an example of a phishing website. If only viewing the contents on the webpage, can you distinguish the authentic website from the phishing websites?

Figure 11:   Authentic login page of the SCB bank


Figure 12:   Phished login page of the SCB bank

Most phishing websites spreads over Emails, as shown in the following figure.

Figure 13:   Phishing websites spread over Emails

Baidu security experts remind Thai netizens: confirm the URL in emails before open it. A secure browser is recommended because a   secure browser   can help users determine whether the opened website is official.

4.3.2 Facebook phishing is rising

As the social network service is becoming more advanced, the number of Facebook users in Thailand increases gradually. Generally, users publish their logs, share photos, and chat with good friends on Facebook.   In this case, hackers use phishing websites to intercept Facebook account numbers and passwords and then send them to the designated server.   The information can help hackers steal private information of users and sell account numbers and send junk short messages.


Figure 14:   Phished Facebook website page


5. Prospects for Internet Security Trend of the Second Half Year

5.1 Personal information and privacy security is the top focus

From the analysis of the first half year, hackers increasingly value the user's account information and privacy information since the information may bring enormous economic benefits.   Therefore, it is expected that hackers will still use all means in the second half year, including hanging horse, phishing and other means, to steal users' personal privacy information.

Meanwhile, webmasters of large websites need to protect their websites and servers to improve website security against attacks by hackers. Otherwise, once data is extracted from the database, large amount of user privacy information may be disclosed.

5.2 Mobile Internet security is rising

With the increase of smartphones and mobile App users, security problems of the mobile Internet are drawing more attention. It is expected that the mobile Internet will become the significant target of hackers in the second half of the year.

With hackers' more profound research on the mobile phone system especially the Android system and more exposed technical details, mobile phone virus manifest higher technical level and more low-layer technology are used So hackers have more chances to access mobile phones to practice more malicious and complex behaviors.   These behaviors are frequently driven by economic benefits, such as stealing online banking accounts, performing malicious chargeback, and sending junk and fraud short messages.

Although the information of hanging horse on the mobile phone has not been intercepted, the traditional Internet threats may reappear on the mobile clients sooner, bringing greater threat to the mobile Internet.

5.3 Attacks against enterprise and national networks are rising accordingly

The attack against to the South Korea government this March sounds the alarm for corporate and national network security problems again.   In the future, attacks with larger scale and higher technical level are bound to arrive.   Network security problems are increasingly upgrading to an international confrontation on science technology and information. How to avoid the loss, how to prevent the privacy of enterprises and nations from disclosure and how to minimize loss once suffering attacks have become primary focuses for academics and security experts.

6. Security suggestions

1. Do not open files and network links sent by strangers and even friends without confirmation.   Scan files with Baidu Antivirus before running the files sent by others. Do not run the program until confirm the security of the file. Verify carefully the realm name before clicking the network link sent by others.

2. Install the Baidu Antivirus of professional edition (, update the virus database in a timely manner, and enable the functions of active defense, browser protection and self-protection.

3. Visit   Baidu PC App Store   (   or go to famous websites to download and update program.   Do not download software from less well-known websites to block hanging horse viruses and viruses binding to the downloaded files.

4. Use Baidu PCFaster (   to install system patches in a timely manner to avoid losses caused by 0day hanging horse viruses from websites.

5. Use the secure browser Spark (   to distinguish secure networks from phishing websites and websites with hanging horse viruses.