The Problem

For the past week webmasters from all over the world have reported several visits originating from a mysterious chinese domain name.

Many website managers are expressing concern over this peculiar traffic, originating from a domain name called qq829.com with the referring URL appearing as:

www.qq829.com/web_stat.asp?dn=www.domainname.com

Several discussions and blog posts are appearing over the internet, with currently the de-facto hub of discussion on the Google Analytics Help forum, where several webmeisters are reporting activity and exchanging theories.

What is it doing?

As of writing it is still unclear exactly what the activity is. A handful of members of the Google Analytics discussion are reporting tampering to their files, although this has not been corroborated, it is of concern but may just be a spam in the pan.

Sparkstar at HubPages clears the matter as follows:

After a lot of research it seems that this may be a new variant of trojan.adclicker, as reported by Threatexpert, which places cookies on the user’s computer then generates false hits on various websites and displays malicious adverts over the top of a website’s pages. All these hits appear to be referred to websites by the url above which is why webmasters are seeing traffic from this link in their logs. However, it’s not the computer user who determines which sites the trojan accesses, it’s the creator of the trojan.

It is also believed that if a webmaster clicks on the link via their logs, it displays the animated graph and possibly tries to download malicious software onto their computer. Some webmasters have also reported changes to their website upon noticing this traffic such as php-injections.

If you are a webmaster experiencing this problem it is recommended that you scan your website/s and all of the equipment that you use for FTP, etc. Most webmasters have resorted to amending their .htaccess file to block all of China. However, I recommend either simply blocking the referring link or cnzz.com, 188.com and qq829.com. You’re probably experiencing this because one or more of your website’s users are infected with a new variant on the trojan, it doesn’t necessarily mean that your website or equipment is infected.

Symantec provide the following summary statement of the threat:

Discovered: September 12, 2002
Updated: February 13, 2007 11:40:28 AM
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Trojan.Adclicker is a generic class of Trojan Horses that are designed to artificially generate traffic to certain Web sites. These Trojans send HTTP requests to simulate clicks on banner advertisements, or to inflate Web counter statistics.

Antivirus Protection Dates
Initial Rapid Release version September 13, 2002
Latest Rapid Release version April 20, 2010 revision 007
Initial Daily Certified version September 13, 2002 revision 020
Latest Daily Certified version April 20, 2010 revision 008
Initial Weekly Certified release date September 18, 2002

Solutions

You can either block the URL using the following approach provided by AurelloSoft:

Updated: April 20th, 2010 ( Both of these options have been confirmed as working; however, some have had better results with Option 1 )

Option 1:

RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} cnzz\.cn [NC,OR]
RewriteCond %{HTTP_REFERER} qq829\.com [NC]
RewriteRule .* - [F]

Option 2:

SetEnvIfNoCase Referer "^qq829" TOBLOCK=1
SetEnvIfNoCase Referer "^cnzz" TOBLOCK=1

<FilesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=TOBLOCK
</FilesMatch>

It is also possible to apply IP blocks within your .htaccess file, if running apache servers. I briefly did so as earlier attempts to block referral traffic failed to halt traffic. A drastic measure, granted. But as I rarely receive chinese visitors to my site, hardly an inverted Great Firewall of China.

The following code will block all traffic from China and any referred traffic from qq829.com:

Note: If you’re running WordPress, insert right at the top above permalinks setup.

order allow,deny
allow from all
# Get up-to-date list from http://www.okean.com/thegoods.html or (in .htaccess format) http://www.wizcrafts.net/chinese-blocklist.html
# China IP Address Blocks
deny from 58.14.0.0/15 58.16.0.0/13 58.24.0.0/15 58.30.0.0/15 58.32.0.0/11 58.66.0.0/15 58.68.128.0/17 58.82.0.0/15 58.87.64.0/18 58.99.128.0/17 58.100.0.0/15 58.116.0.0/14 58.128.0.0/13 58.144.0.0/16 58.154.0.0/15 58.192.0.0/11 58.240.0.0/12
deny from 59.32.0.0/11 59.64.0.0/13 59.72.0.0/15 59.77.0.0/16 59.78.0.0/15 59.80.0.0/14 59.107.0.0/16 59.108.0.0/14 59.151.0.0/17 59.155.0.0/16 59.172.0.0/14 59.191.0.0/16 59.192.0.0/10
deny from 60.0.0.0/11 60.55.0.0/16 60.63.0.0/16 60.160.0.0/11 60.194.0.0/15 60.200.0.0/13 60.208.0.0/12 60.232.0.0/15 60.235.0.0/16 60.245.128.0/17 60.247.0.0/16 60.252.0.0/16 60.253.128.0/17 60.255.0.0/16
deny from 61.4.80.0/20 61.4.176.0/20 61.8.160.0/20 61.28.0.0/17 61.29.128.0/17 61.45.128.0/18 61.47.128.0/18 61.48.0.0/13 61.87.192.0/18 61.128.0.0/10 61.232.0.0/14 61.236.0.0/15 61.240.0.0/14
deny from 116.1.0.0/16 116.2.0.0/15 116.4.0.0/14 116.8.0.0/14 116.13.0.0/16 116.16.0.0/12 116.52.0.0/14 116.56.0.0/15 116.58.128.0/20 116.58.208.0/20 116.60.0.0/14 116.66.0.0/17 116.69.0.0/16 116.70.0.0/17 116.76.0.0/14 116.89.144.0/20 116.90.184.0/21 116.95.0.0/16 116.112.0.0/14 116.116.0.0/15 116.128.0.0/10 116.192.0.0/16 116.193.16.0/20 116.193.32.0/19 116.194.0.0/15 116.196.0.0/16
deny from 116.198.0.0/16 116.199.0.0/17 116.199.128.0/19 116.204.0.0/15 116.207.0.0/16 116.208.0.0/14 116.212.160.0/20 116.213.64.0/18 116.213.128.0/17 116.214.32.0/19 116.214.64.0/20 116.214.128.0/17 116.215.0.0/16 116.216.0.0/14 116.224.0.0/12 116.242.0.0/15 116.244.0.0/14 116.248.0.0/15 116.252.0.0/15 116.254.128.0/17 116.255.128.0/17
deny from 117.8.0.0/13 117.21.0.0/16 117.22.0.0/15 117.24.0.0/13 117.32.0.0/13 117.40.0.0/14 117.44.0.0/15 117.48.0.0/14 117.53.176.0/20 117.57.0.0/16 117.58.0.0/17 117.59.0.0/16 117.60.0.0/14 117.64.0.0/13 117.72.0.0/15 117.74.64.0/20 117.74.128.0/17 117.75.0.0/16 117.76.0.0/14 117.80.0.0/12 117.100.0.0/15 117.103.16.0/20 117.103.128.0/20 117.106.0.0/15 117.112.0.0/13 117.120.64.0/18 117.120.128.0/17 117.121.0.0/17 117.121.128.0/18 117.121.192.0/21 117.122.128.0/17 117.124.0.0/14 117.128.0.0/10
deny from 118.24.0.0/13 118.64.0.0/15 118.66.0.0/16 118.67.112.0/20 118.72.0.0/13 118.80.0.0/15 118.84.0.0/15 118.88.32.0/19 118.88.64.0/18 118.88.128.0/17 118.89.0.0/16 118.91.240.0/20 118.102.16.0/20 118.112.0.0/13 118.120.0.0/14 118.124.0.0/15 118.126.0.0/16 118.132.0.0/14 118.144.0.0/14 118.178.0.0/16 118.180.0.0/14 118.184.0.0/13 118.192.0.0/12 118.212.0.0/15 118.224.0.0/14 118.228.0.0/15 118.230.0.0/16 118.239.0.0/16 118.242.0.0/16 118.244.0.0/14 118.248.0.0/13
deny from 119.0.0.0/15
deny from 121.0.16.0/20 121.4.0.0/15 121.8.0.0/13 121.16.0.0/12 121.32.0.0/13 121.40.0.0/14 121.46.0.0/15 121.48.0.0/15 121.51.0.0/16 121.52.160.0/19 121.52.208.0/20 121.52.224.0/19 121.55.0.0/18 121.56.0.0/15 121.58.0.0/17 121.58.144.0/20 121.59.0.0/16 121.60.0.0/14 121.68.0.0/14 121.76.0.0/15 121.79.128.0/18 121.89.0.0/16 121.100.128.0/17 121.192.0.0/13 121.201.0.0/16 121.204.0.0/14 121.224.0.0/12 121.248.0.0/14 121.255.0.0/16
deny from 122.0.64.0/18 122.0.128.0/17 122.4.0.0/14 122.8.0.0/13 122.48.0.0/16 122.49.0.0/18 122.51.0.0/16 122.64.0.0/11 122.96.0.0/15 122.102.0.0/20 122.102.64.0/19 122.112.0.0/14 122.119.0.0/16 122.136.0.0/13 122.144.128.0/17 122.156.0.0/14 122.192.0.0/14 122.198.0.0/16 122.200.64.0/18 122.204.0.0/14 122.224.0.0/12 122.240.0.0/13 122.248.48.0/20
deny from 123.0.128.0/18 123.4.0.0/14 123.8.0.0/13 123.49.128.0/17 123.52.0.0/14 123.56.0.0/13 123.64.0.0/11 123.96.0.0/15 123.98.0.0/17 123.99.128.0/17 123.100.0.0/19 123.101.0.0/16 123.103.0.0/17 123.108.128.0/20 123.108.208.0/20 123.112.0.0/12 123.128.0.0/13 123.136.80.0/20 123.137.0.0/16 123.138.0.0/15 123.144.0.0/12 123.160.0.0/12 123.176.80.0/20 123.177.0.0/16 123.178.0.0/15 123.180.0.0/14 123.184.0.0/13 123.196.0.0/15 123.199.128.0/17 123.232.0.0/14 123.244.0.0/14 123.249.0.0/16 123.253.0.0/16
deny from 124.6.64.0/18 124.14.0.0/15 124.16.0.0/15 124.20.0.0/14 124.28.192.0/18 124.29.0.0/17 124.31.0.0/16 124.40.112.0/20 124.40.128.0/18 124.42.0.0/16 124.47.0.0/18 124.64.0.0/15 124.66.0.0/17 124.67.0.0/16 124.68.0.0/14 124.72.0.0/13 124.88.0.0/13 124.108.8.0/21 124.108.40.0/21 124.112.0.0/13 124.126.0.0/15 124.128.0.0/13 124.147.128.0/17 124.156.0.0/16 124.160.0.0/13 124.172.0.0/14 124.192.0.0/15 124.196.0.0/16 124.200.0.0/13 124.220.0.0/14 124.224.0.0/12 124.240.0.0/17 124.242.0.0/16 124.243.192.0/18 124.248.0.0/17 124.249.0.0/16 124.250.0.0/15 124.254.0.0/18
deny from 125.31.192.0/18 125.32.0.0/12 125.58.128.0/17 125.61.128.0/17 125.62.0.0/18 125.64.0.0/11 125.96.0.0/15 125.98.0.0/16 125.104.0.0/13 125.112.0.0/12 125.169.0.0/16 125.171.0.0/16 125.208.0.0/18 125.210.0.0/15 125.213.0.0/17 125.214.96.0/19 125.215.0.0/18 125.216.0.0/13 125.254.128.0/17
deny from 134.196.0.0/16
deny from 159.226.0.0/16
deny from 161.207.0.0/16
deny from 162.105.0.0/16
deny from 166.111.0.0/16
deny from 167.139.0.0/16
deny from 168.160.0.0/16
deny from 192.83.122.0/24 192.124.154.0/24 192.188.170.0/24
deny from 198.17.7.0/24 198.97.132.0/24
deny from 202.0.110.0/24 202.0.160.0/20 202.0.176.0/22 202.4.128.0/19 202.4.252.0/22 202.8.128.0/19 202.10.64.0/20 202.14.88.0/24 202.14.235.0/24 202.14.236.0/23 202.14.238.0/24 202.20.120.0/24 202.22.248.0/21 202.38.0.0/20 202.38.64.0/18 202.38.128.0/21 202.38.136.0/23 202.38.138.0/24 202.38.140.0/22 202.38.144.0/22 202.38.149.0/24 202.38.150.0/23 202.38.152.0/22 202.38.156.0/24 202.38.158.0/23 202.38.160.0/23 202.38.164.0/22 202.38.168.0/21 202.38.176.0/23 202.38.184.0/21 202.38.192.0/18 202.41.152.0/21 202.41.240.0/20 202.46.32.0/19 202.46.224.0/20
deny from 202.60.112.0/20 202.69.4.0/22 202.69.16.0/20 202.70.0.0/19 202.74.8.0/21 202.75.208.0/20 202.85.208.0/20 202.90.0.0/22 202.90.224.0/20 202.90.252.0/22 202.91.0.0/22 202.91.128.0/22 202.91.176.0/20 202.91.224.0/19 202.92.0.0/22 202.92.252.0/22 202.93.0.0/22 202.93.252.0/22 202.94.0.0/19 202.95.0.0/19 202.95.252.0/22 202.96.0.0/12
deny from 202.112.0.0/13 202.120.0.0/15 202.122.0.0/19 202.122.32.0/21 202.122.64.0/19 202.122.112.0/21 202.122.128.0/24 202.123.96.0/20 202.124.24.0/21 202.125.176.0/20 202.127.0.0/18 202.127.112.0/20 202.127.128.0/19 202.127.160.0/21 202.127.192.0/18 202.130.0.0/19 202.130.224.0/19 202.131.16.0/21 202.131.48.0/20 202.131.208.0/20 202.136.48.0/20 202.136.208.0/20 202.136.224.0/20 202.141.160.0/19 202.142.16.0/20 202.143.16.0/20 202.148.96.0/19 202.149.160.0/20 202.149.224.0/19
deny from 202.150.16.0/20 202.152.176.0/20 202.153.48.0/20 202.158.160.0/19 202.160.176.0/20 202.164.0.0/20 202.164.25.0/24 202.165.96.0/21 202.165.176.0/20 202.165.208.0/20 202.168.160.0/19 202.170.128.0/19 202.170.216.0/21 202.173.8.0/21 202.173.224.0/19 202.179.240.0/20 202.180.128.0/19 202.181.112.0/20 202.189.80.0/20 202.192.0.0/12
deny from 203.18.50.0/24 203.79.0.0/20 203.80.144.0/20 203.81.16.0/20 203.83.56.0/21 203.86.0.0/18 203.86.64.0/19 203.88.0.0/22 203.88.32.0/19 203.88.192.0/19 203.89.0.0/22 203.90.0.0/22 203.90.128.0/18 203.90.192.0/19 203.91.32.0/19 203.91.96.0/20 203.91.120.0/21 203.92.0.0/22 203.92.160.0/19 203.93.0.0/16 203.94.0.0/18 203.95.0.0/21 203.95.96.0/19 203.99.16.0/20 203.99.80.0/20
deny from 203.100.32.0/20 203.100.80.0/20 203.100.96.0/19 203.100.192.0/20 203.110.160.0/19 203.118.192.0/19 203.119.24.0/21 203.119.32.0/22 203.128.32.0/19 203.128.96.0/19 203.128.128.0/19 203.130.32.0/19 203.132.32.0/19 203.134.240.0/21 203.135.96.0/19 203.135.160.0/20 203.148.0.0/18 203.152.64.0/19 203.156.192.0/18 203.158.16.0/21 203.161.192.0/19 203.166.160.0/19 203.171.224.0/20 203.174.7.0/24 203.174.96.0/19 203.175.128.0/19 203.175.192.0/18 203.176.168.0/21 203.184.80.0/20 203.187.160.0/19 203.190.96.0/20 203.191.16.0/20 203.191.64.0/18 203.191.144.0/20 203.192.0.0/19 203.196.0.0/22
deny from 203.207.64.0/18 203.207.128.0/17 203.208.0.0/20 203.208.16.0/22 203.208.32.0/19 203.209.224.0/19 203.212.0.0/20 203.212.80.0/20 203.222.192.0/20 203.223.0.0/20
deny from 210.2.0.0/19 210.5.0.0/19 210.5.32.0/20 210.5.144.0/20 210.12.0.0/15 210.14.64.0/19 210.14.112.0/20 210.14.128.0/17 210.15.0.0/17 210.15.128.0/18 210.16.128.0/18 210.21.0.0/16 210.22.0.0/16 210.23.32.0/19 210.25.0.0/16 210.26.0.0/15 210.28.0.0/14 210.32.0.0/12 210.51.0.0/16 210.52.0.0/15 210.56.192.0/19 210.72.0.0/14 210.76.0.0/15 210.78.0.0/16 210.79.64.0/18 210.79.224.0/19 210.82.0.0/15 210.87.128.0/18 210.185.192.0/18 210.192.96.0/19
deny from 211.64.0.0/13 211.80.0.0/12 211.96.0.0/13 211.136.0.0/13 211.144.0.0/12 211.160.0.0/13
deny from 218.0.0.0/11 218.56.0.0/13 218.64.0.0/11 218.96.0.0/14 218.104.0.0/14 218.108.0.0/15 218.192.0.0/12 218.240.0.0/13 218.249.0.0/16
deny from 219.72.0.0/16 219.82.0.0/16 219.128.0.0/11 219.216.0.0/13 219.224.0.0/12 219.242.0.0/15 219.244.0.0/14
deny from 220.101.192.0/18 220.112.0.0/14 220.152.128.0/17 220.154.0.0/15 220.160.0.0/11 220.192.0.0/12 220.231.0.0/18 220.231.128.0/17 220.232.64.0/18 220.234.0.0/16 220.242.0.0/15 220.248.0.0/14
deny from 221.0.0.0/13 221.8.0.0/14 221.12.0.0/17 221.12.128.0/18 221.13.0.0/16 221.14.0.0/15 221.122.0.0/15 221.129.0.0/16 221.130.0.0/15 221.133.224.0/19 221.136.0.0/15 221.172.0.0/14 221.176.0.0/13 221.192.0.0/14 221.196.0.0/15 221.198.0.0/16 221.199.0.0/17 221.199.128.0/18 221.199.192.0/20 221.199.224.0/19 221.200.0.0/13 221.208.0.0/12 221.224.0.0/12
deny from 222.16.0.0/12 222.32.0.0/11 222.64.0.0/11 222.125.0.0/16 222.126.128.0/17 222.128.0.0/12 222.160.0.0/14 222.168.0.0/13 222.176.0.0/12 222.192.0.0/11 222.240.0.0/13 222.248.0.0/16 222.249.0.0/17 222.249.128.0/18 222.249.192.0/19 222.249.224.0/20 222.249.240.0/21 222.249.248.0/23

SetEnvIfNoCase Referer "^qq829" TOBLOCK=1
SetEnvIfNoCase Referer "^cnzz" TOBLOCK=1

Order Allow,Deny
Allow from all
Deny from env=TOBLOCK

Recourses & Discussion

• AurelloSoft solution to block all referred traffic from qq829.com & cnzz.com (known spam site being associated with qq829)
• Google Analytics Help has the most active discussion on the subject currently
• SharkLadyTech outlines the most current solutions to block traffic from this domain and china as a whole.
• LinkedIn has an Answers forum post discussing the subject also.

At a much hyped and frenzied big Apple event today in San Francisco’s Yerba Buena Center for the Arts. The press gathered to check in and finally discover what Steve Jobs had up his sleeve.

Apple iPad first glimpse from Steve Jobs, CEO Apple.

You must admit his black neck tied top is a bit priestly. Reportedly Moses was used as a comical slide to hint to ‘the announcement’ during the run-up of the show. The CNET Live blog by Erica Ogg reported:

10:06 a.m.: That’s the end of the updates. Now to the main event.

He shows a photo of Moses holding a tablet. “I chuckled when I saw this.”

Erica Ogg continues:

10:09 a.m.: Some people have thought that’s a Netbook, he says. “The problem is Netbooks aren’t better at anything,” he says to loud laughter and applause.

“They’re just cheap laptops. We think we have something better.”

10:10 a.m.: iPad is the name.

iPad is the name

A giant iPod Touch-looking device ½ inch thin and weighing 1.5 pounds steals the show.

Some of the other little features:

• A 9.7-inch IPS display, the same display used in the latest-generation iMac.
• 802.11n Wi-Fi, Bluetooth, accelerometer, compass, and a 10-hour battery life.
• One month of standby battery life. You can leave it asleep and not use it for 30 days.
• Full screen multi-rotational internet browser.
• A calendar and address book for contacts. Maps using Google Maps too.
• Doubles as an iPod with 16gb capacity and access to the iTunes Store.
• You can also watch YouTube, TV shows (iPlayer), and movies on it.
• Photos able to be viewed in stacks, viewed in portrait or landscape.
• You sort through by flicking with your finger. A bottom bar looks like a film strip you can scroll through to see all photos in an album.
• Can organize by faces, places, or events, just like iPhoto.
• All App Store apps including Games run on the iPad also.
• Price: It’s $499 for the 16GB Model

With reports coming in of vast sums of money being donated through online and text appeals, it is interesting to see who is doing what and how it is being reported.

Google

Google has dedicated disaster relief site now for Haiti. It aggregates the latest news, video and aid information currently available.

Twitter

Tweak the Tweet, provides a dictionary of hashtags for reporting on issues on the ground in Haiti and calling for aid. Here are templates for using their syntax

Learning to speak #machine

Twitter has provided many people with a communication lifeline. For those affected on the ground as well as those affected around the world. The role played by twitter in facilitating disaster relief is now being reviewed through the discussion of ‘hashtags for emergency response’ an interesting examination into the semantic ‘hashtag’ protocol potential of twitter data definition for emergency response.

Facebook

Facebook provides a variety of ways to communicate. Through messaging, wall-posts and IM. All of which have been used as a way of directly communicating. Alongside direct messaging, a great many groups have sprung up also. With groups being open the public it’s unfortunate, albeit inevitable, to witness a growing abuse in peoples trust through these public groups.

Related News Reports

The BBC has filed a couple of reports on the phenomenal and innovative ways that social media has been used to help victims, relatives and facilitate aid efforts. I’m sure we’ll see a few more of these in the coming weeks.

• Social networks and the web offer a lifeline in Haiti
• Twitter and Facebook users respond to Haiti crisis

Other related news stories

• Facebook Haiti Earthquake Scam Artists Surface – Associated Content
• Twitter and Facebook praised by Haiti charity – The Telegraph
• Social networking sites boost Haiti disaster appeal – Charities Aid Foundation
• Aid agencies ‘must use new tools’ – BBC

Learn More

• Visit the Decode: Digital Design Sensations website
• More information on how the Radiohead video was created and how you can obtain the source code from Google Code
• Have your work projected on the London Underground. Find out more about Recode Decode