By: ThreatLabz

Is 360.CN Evil?

Analysis

... a tough and controversial question to answer (I'm sure there will comments on this).
 
360.cn is a Chinese provider of "free security software", more specifically: "360.cn is a Chinese anti virus program that integrates with IE" (reference) ... huh, "integrates" with my browser how? And "free" usually means there is some other revenue stream than end-user licensing.
 
360.cn was developed by Qihoo, a Beijing-based community search company. There has been some controversy surrounding Qihoo and its 360 security suite, such as it reporting other anti-virus software and search tools as being malicious (reference) and doing QQ (IM/chat) session hijacking (reference). Within the past year of Qihoo going public, there have been further controversies - including reports of the company spying, hacking, and leaking data (reference). And then there are the rumors that the 360 software includes spyware - and that they may have affiliations with PRC Gov't to track, monitor, and police user's online activity (reference).
 
Looking at our web logs, I can see a number of requests regularly beaconing out doing HTTP POST requests to sites like:
 
conf.f.360.cn/getconf.php
qurl.f.360.cn/check_outchain.php
 
All with the User-Agent string "Post_Multipart"
 
These POST requests typically average around 1200 bytes in data (excludes HTTP header), and 360.cn responds back with 164 byte status message. Below is the status that I pulled:

To protect customer privacy and also handle the volume of transactions that we do - content of the transactions are not stored, so it is hard to say what data is leaving the network of these hosts - whether the data is user/host tracking information, keystrokes, or just license information it is hard to tell. But the frequent beaconing seems to be more spyware like in nature than say a daily check-in for latest signatures or something similar. I'll see if I can get some meaningful packet traces out of the software to find out what data is included in the POSTs.

 
The current McAfee SiteAdvisor report for 360.cn shows it as having a poor reputation (note though, 360.cn is also technically a competitor to McAfee, albeit a small one):


McAfee marks the site and its affiliates as bad - containing spyware. It also shows an affiliation with a Chinese Gov't site: miibeian.gov.cn (Ministry of Industry and Information Technology Department). One such sample that McAfee flagged in this report was also uploaded to VirusTotal ... 21/40 A/V vendors identified the binary as malicious.

 
This puts security companies such as ourselves in an interesting predicament - do we flat out block 360.cn? Probably not. Is traffic to the domain, its affiliates and wares suspicious? Certainly. It is then left up to security products to detect the malicious binaries and is up to organizations to make the decisions about these sites. If you don't use 360.CN products in your organization, it probably wouldn't hurt to block traffic to their domains.

Learn more about Zscaler.