Cheetah Academy of Sciences · 2016/05/16 16:31

0x00 Local hijacking


At the moment of a mouse click, traffic flows through layer after layer of nodes in the user's system and, guided by routing, runs to the remote server. On this stretch of road the hand-to-hand combat is often the most intense: hijackers lie in ambush at every node the traffic may pass, and the means of traffic hijacking emerge in an endless stream, from homepage configuration tampering, hosts-file hijacking, process hooking, startup hijacking, LSP injection, browser plug-in hijacking, HTTP proxy filtering and kernel packet hijacking to bootkits. Perhaps the story of traffic hijacking begins the moment the machine boots.

1. Sanctimonious rogue software

“Website navigation” sites may be the most distinctive scenery of the domestic Internet. Starting with hao123, every major navigation site grew into one of the Internet's most important entry points for traffic, and the little tail attached to the navigation homepage link (the promotion ID) set off a thrilling sniper war of attack and defence. On one side, domestic security software protects the homepage of the traditional IE browser ever more closely; on the other, third-party browsers with a better user experience have begun to occupy the mainstream, and domestic rogue Trojans have started to “find another way” to the navigation traffic.

The case below is a batch of navigation homepage hijacking samples that we captured. Their active period can be traced back to 2014 at the earliest. They spread mainly by being bundled with several kinds of rogue software; the hijacking function module is obtained through a network update and then dynamically loaded after several levels of in-memory decryption. The homepage hijacking plug-in module tampers with the homepage by modifying browser configuration files, covering more than 20 mainstream browsers at home and abroad, such as Chrome, Firefox, Safari, Maxthon, QQ, 360 and Sogou. Implementing this obviously requires reverse analysis of the configuration file formats and encryption algorithms of these browsers. During sample analysis we even found that the rogue author used a vulnerability to bypass the homepage protection function of two of the browsers.
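A defender-side check for the kind of homepage tampering described above, as an added example that is not part of the original article. It parses two constructed configuration samples in the formats Chrome (the JSON "Preferences" file) and Firefox (prefs.js) actually use, and flags homepage or startup URLs that carry a promotion-ID tail or point at a host outside an assumed allowlist; the parameter names and hosts are assumptions for the example.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Query parameters that navigation sites use as promotion/channel IDs.
# Assumed for this example; a real audit would use the IDs the site issues.
PROMO_PARAMS = {"tn", "from", "uid", "pid", "tid", "channel"}

# Hosts the user legitimately set as a homepage (assumed allowlist).
EXPECTED_HOMEPAGE_HOSTS = {"www.hao123.com", "www.baidu.com"}


def chrome_startup_urls(preferences_json):
    """Homepage and startup URLs from Chrome's JSON 'Preferences' file."""
    prefs = json.loads(preferences_json)
    urls = []
    if prefs.get("homepage") and not prefs.get("homepage_is_newtabpage", False):
        urls.append(prefs["homepage"])
    urls.extend(prefs.get("session", {}).get("startup_urls", []))
    return urls


# Firefox stores the homepage in prefs.js as user_pref("browser.startup.homepage", "...");
FIREFOX_HOMEPAGE = re.compile(r'user_pref\("browser\.startup\.homepage",\s*"([^"]*)"\);')


def firefox_startup_urls(prefs_js):
    """Homepage URLs from Firefox prefs.js; several homepages are joined with '|'."""
    urls = []
    for match in FIREFOX_HOMEPAGE.finditer(prefs_js):
        urls.extend(u for u in match.group(1).split("|") if u)
    return urls


def classify(url):
    """Reasons a homepage URL looks hijacked (empty list means it looks clean)."""
    parsed = urlparse(url)
    params = set(parse_qs(parsed.query))
    reasons = []
    if parsed.hostname not in EXPECTED_HOMEPAGE_HOSTS:
        reasons.append("unexpected host")
    promo = sorted(params & PROMO_PARAMS)
    if promo:
        reasons.append("promotion id: " + ",".join(promo))
    return reasons


def audit(chrome_preferences, firefox_prefs_js):
    """Map each suspicious startup URL to the reasons it was flagged."""
    findings = {}
    for url in chrome_startup_urls(chrome_preferences) + firefox_startup_urls(firefox_prefs_js):
        reasons = classify(url)
        if reasons:
            findings[url] = reasons
    return findings


# Constructed samples: a Chrome Preferences file whose homepage and one
# startup URL were tampered with, and a Firefox prefs.js carrying the same tail.
SAMPLE_CHROME = json.dumps({
    "homepage": "http://www.hao123.com/?tn=93251234_hao_pg",
    "homepage_is_newtabpage": False,
    "session": {"restore_on_startup": 4,
                "startup_urls": ["http://nav.example/?uid=cps_9527", "https://www.baidu.com/"]},
})
SAMPLE_FIREFOX = (
    'user_pref("browser.startup.page", 1);\n'
    'user_pref("browser.startup.homepage", "http://www.hao123.com/?tn=93251234_hao_pg|https://www.baidu.com/");\n'
)

if __name__ == "__main__":
    for url, reasons in audit(SAMPLE_CHROME, SAMPLE_FIREFOX).items():
        print(url, "->", "; ".join(reasons))
```

The same idea extends to the other browsers the article lists once their configuration format has been reversed; the check is only as good as the allowlist and the promotion-ID list it is given.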

[1] A piece of software pulls down and loads the homepage hijacking plug-in

Above is the homepage hijacking module file and the update packet that we captured from one of these software packages. You may not be familiar with the domain name in the packet, but many people will know the software it launches: it was once a staple of the security scene, and the toolkits on the major security forums basically all used it to manage configuration. Many small-time hackers like the author grew up studying with it, so analysing this sample brought back a lot of feelings. Of course, this Trojan hijacking behaviour may have little to do with the original author; we heard that a few years after the software stopped updating it was sold to a Shanghai technology company, and many of that company's software products have since been found to have rogue hijacking behaviour. Interested readers can search Baidu themselves; no further disclosure here.

As in the case above, some old software has slowly gone bad and gradually drifted away from its users. At the same time, with the change in the domestic security environment in recent years, traditional Trojans such as the once-popular account stealers, downloaders and remote-control tools are declining by the day, while another large group, rogue software wearing the coat of legitimate software, has begun to rise. Its mode of operation has the following characteristics:

1. It pretends to be legitimate software, but its actual function is single and simple; some are even empty shells. Common disguises include calendars, weather forecasts, “color broadcast” (porn-streaming) players, input methods and all kinds of other forms, in an attempt to use the coat of these normal functions to escape interception by security software and take up residence in the user's system.

2. Behind the scenes its behaviour is the same as a Trojan virus: its purpose is to obtain promotion traffic through homepage locking, web page hijacking, advertising pop-ups, covert traffic brushing, silent installation and so on. Moreover, a large part of the malicious modules and configurations of rogue software are controlled by cloud pull-down and can be triggered by time, region and scenario.

[2] Cloud-control back end of a rogue software product

3. Variants appear relatively fast and are repeatedly detected and re-released: after being intercepted by security software, a sample will soon change its digital signature, and some even change the software's packaging shell. The enterprise information registered for these digital signatures is often acquired by the rogue software authors specifically through other channels.

[3] A rogue software changed its digital signature certificate several times within a month to avoid being killed by security software

The traffic hijacking techniques of this rogue software can be understood through several typical cases:

1) The QTV series of variants hijacks traffic through browser plug-ins. The sample injects JS scripts into web pages through a BHO plug-in for IE; for Chrome, its core uses a vulnerability to bypass some of the browser's normal plug-in installation steps, and the added plug-in tampers with configuration files to achieve dynamic hijacking.

[4] Plug-in modules silently installed in the browser inject hijacking pages through JS

The technical advantages of hijacking users' web browsing by injecting JS scripts are obvious. On the one hand, the cloud-delivered JS scripts are flexible and can be controlled and modified in the cloud at any time; on the other hand, they are well hidden and hard for ordinary users to detect. The JS scripts injected into users' web pages hijack most of the promotional traffic in web browsing, as shown below:

[5] Inject JS into web pages to hijack promotion traffic

2) The following “HD video rogue virus” case is from last year, when we tracked a rogue gang further along its spreading chain. Most of its samples are rogue software disguised as video players; the technical characteristics are shown in the figure below. Most of the hijacking modules are driver files that are loaded dynamically into the system kernel from memory to carry out browser hijacking and silent promotion.

[6] “HD film and television” Trojan hijacking process diagram

From the files recovered from the Trojan's back-end server, the sample spread very widely in a short time: at its peak it reached 20W+ (more than 200,000) installs in a day, more than 1 million users were infected in a week, and the daily backup of the installation statistics database exceeded 1G.

[7] “HD film and television” Trojan back-end server forensics

2. Continuously active AD pop-up drive-by attacks (“hanging horses”)

Speaking of traffic hijacking, we have to mention the advertising pop-up drive-by (“hanging horse”) attacks that have remained highly active for nearly two years. The original advertising traffic is injected with a web Trojan, which is then triggered on the client in the form of an advertising pop-up. This is a disguised form of traffic hijacking, more aptly called “traffic pollution” or “traffic poisoning”; here we classify it as local hijacking.

Recently, the vulnerabilities used by these web Trojans are mostly the IE “God Hole” (CVE-2014-6332) and several Flash vulnerabilities leaked from Hacking Team. By planting web Trojans in pages, traffic hijackers convert very cheap AD pop-up traffic into higher-priced installs. Common forms of advertising traffic such as CPM and CPV cost only a few yuan per 1000 users. Assuming a 5% success rate for the web Trojan, the hijacker gets 20 users' installs; with an average of 5 kinds of software silently installed per user, the hijacker's income is conservatively estimated at 50 yuan, so the profit margin of “advertising traffic poisoning” is nearly tenfold. This should be the biggest source of motivation behind the frequent drive-by events of the past two years.

[8] The IE “God Hole” (CVE-2014-6332) often used by web Trojans

[9] A web Trojan uses the IE browser's res:// protocol to detect mainstream domestic security software

Most of this advertising traffic comes from software pop-ups, porn sites, dumped site groups, operator-hijacked traffic and so on, and the advertising traffic of many well-known software products is among it. From our monitoring data, the advertising traffic of many famous software vendors, including the Kugou (“cool dog”) Music manager, Sohu Video, telecom operators, Baofeng (“storm”) Video, Baidu Video and PiPi Video, has been hijacked for drive-by attacks. Precisely because of such a huge traffic base, once a drive-by event occurs the number of users under threat is very large.

[10] Flash vulnerability exploit discovered in forensics of a virus server that uses client pop-ups for drive-by attacks

It is understood that many software vendors have loopholes in the management and monitoring of their own advertising traffic; some even subcontract through multiple layers of agents, and they lack a unified and strong security audit mechanism. As a result, “infected traffic” into which web Trojans have been inserted is pushed to clients in large numbers, ultimately infecting users' systems. In the process of tracing samples, we even found a sub-module in a well-known music application specially used to brush advertising traffic. With more users comes greater responsibility; tread carefully and cherish it.

[11] List of pop-up client processes involved in a drive-by event in 2015

[12] Database forensics of the most active drive-by server in 2015 (5K+ installs per hour at peak)

0x01 Network Hijacking


The story of traffic hijacking continues once a network packet has made it through the local host system and left the user's machine to pass through the gateway nodes on a new adventure. The path between the user's host and the remote server is ambushed just the same, with packets being directed to the wrong destination (DNS hijacking), impersonated (302 redirects), or simply tampered with (HTTP injection).

1. Operator hijacking

When network hijacking is mentioned, the first thing people think of is often operator (ISP) hijacking, which almost every Internet user has encountered: a security scan of the computer or phone finds nothing abnormal, yet opening a normal web page keeps producing puzzling pop-up ads or redirects to other sites. Ordinary users find such behaviour abhorrent, and enterprises and legitimate websites suffer from it too, as their normal business and corporate image are affected. At the end of 2015, six Internet companies including Tencent, Xiaomi and Weibo issued a joint statement resisting traffic hijacking by operators.

In our daily security operations we also often receive user feedback about suspected operator hijacking. The following is a very typical HTTP hijacking and redirect case: a user reported that opening the Cheetah Browser homepage and clicking on a download would pop up an advertising page. Our testing found that the user's network operator had injected advertising hijack code into the packets of the web page being opened. There are many similar cases; besides the visible AD pop-ups, there is also silent traffic brushing in the background. For ordinary users, only complaints to the operator's customer service or to the Ministry of Industry and Information Technology can make these hijacking behaviours slightly restrained.

[13] The packets of the web page opened by the user are injected with advertising code

[14] Random clicks on the page trigger an advertisement pop-up that jumps to the promotion page of “6 Rooms”

The hijacking code in this case came from the domain “abc.ss229.com”, which belongs to an advertising-alliance promotion platform; there is a lot of user feedback about it on security forums and Weibo, and its official website claims an average daily PV of 250 million. In fact, operator traffic hijacking is a semi-open secret in the industry: combined with analysis of users' online habits, it can deliver precisely customised advertising to different regions and groups of users. Interested readers can search for the relevant QQ groups.

[15] Operator traffic hijacking conducted in the open

The DNS protocol without security protection and HTTP traffic transmitted in plaintext are very vulnerable to hijacking. Operators sit on the only path that network traffic must take and have inherent advantages in advertising hijacking technology, such as the common optical-splitting and mirroring technique, which is relatively costly for ordinary users and vendors to counter. On the other hand, mainstream domestic search engines, navigation sites and e-commerce sites have begun to actively embrace the more secure HTTPS protocol, which is undoubtedly a very welcome change.

[16] Optical-splitting and mirroring technique often used in operator traffic hijacking

The WooYun platform has also exposed many cases of traffic hijacking by operators, such as the case reported by users, “Downloading Xiaomi Mall was hijacked into the UC Browser APP”. Thanks to the almighty white hats for revealing the secrets of the hijacking platform of a certain operator.

[17] The exposed management back end of an operator's APK download-and-distribution hijacking

All of the above cannot help but remind one of the most famous line in highway robbery: “This mountain is mine, this tree I planted; if you want to pass this road, leave your toll money.” “Buy network access, get advertising” has become the standard package of network operators. Such traffic hijacking is obviously not just the so-called “illegal operation of individual internal staff”; again, with more users comes greater responsibility, so tread carefully and cherish it.

2. CDN cache pollution

CDN acceleration technology is essentially a form of benign DNS hijacking: through DNS steering, users' requests for static resources that do not change frequently on the server, such as JS files and images, are directed to the nearest server to speed up network access. The good user experience of accelerated access has made CDN acceleration widely used by major websites, and the astonishing traffic it carries naturally becomes a target of traffic hijackers.

[18] After opening a normal web page, the user is redirected to a “color broadcast” lure page

Last year we repeatedly received feedback from users that they were often redirected to pornographic promotion pages when opening web pages in mobile browsers. Packet capture analysis found that key JS files on the Baidu Wangmeng (Baidu Union) CDN cache servers had been polluted with injected advertising code. The hijacking code determines the traffic source from the User-Agent header and then splits the pop-up by platform (PC, Android, iOS and others) to induce users to install the “pseudo-color broadcast” (fake porn-streaming) virus APP.

[19] Packet capture analysis shows that Baidu Wangmeng's public JS files have advertising code injected

[20] The hijacking code dispatches by access-source platform to promote the “pseudo-color broadcast” virus APP

As one of the country's largest advertising alliances, Baidu Wangmeng's daily advertising traffic PV is measured in hundreds of millions, so hijacking of its CDN cache has a very wide impact. Through analysis we confirmed that only the networks of a few regions in the country encountered this hijacking, and we reported the situation to the vendor immediately. However, we have not received final feedback on the cause of the cache hijacking; whether it was intermediate hijacking by an operator or an intrusion into some cache servers is still unknown. Either way, this case once again sounds the alarm for the security protection of CDN services.

[21] Schematic of the behaviour of the “pseudo-color broadcast” virus APP promoted through traffic hijacking

From this case we can also see that a very important outlet for “traffic hijacking” on mobile terminals is the “pseudo-pornography” lure. These virus apps basically profit illegally through SMS fee deduction, induced payment, advertising pop-ups, traffic brushing and promotion installs. This grey industrial chain on mobile terminals has matured over the past two years, and “color broadcast” samples have become one of the malicious APP families with the largest infection volume on mobile.

[22] The “pseudo-color broadcast” virus APP is used for lure and promotion

After installation, in addition to all kinds of advertising promotion, these “pseudo-color broadcast” virus apps secretly send SMS messages in the background to subscribe to various operator paid services, and automatically reply to and block the service confirmation SMS so that users do not notice. Some integrate third-party payment SDKs to induce users to pay through “VIP recharge”, and users can only suffer in silence when they do not get the “welfare” they wanted in the end.

[23] Packet capture of a “pseudo-color broadcast” virus APP deducting fees through an SMS subscription service interface

[24] The virus APP automatically replies to and blocks service SMS messages so the user is unaware

Take an advertising alliance specialising in the “color broadcast lure” business as an example: there are hundreds of promotion channels behind it, and the annual financial flow for promotion settlement exceeds 5000W (50 million) yuan. In the management back end of one “color broadcast” virus APP, the fee-deduction order data for just half a year exceeded 100W (1 million) records, with an average deduction of 6 to 20 yuan per user; leaving aside other rogue income, the total revenue from fee deduction alone in that half year reached 1 m, and this is just one “pseudo-color broadcast” virus sample in a huge market. The windfall profits of the whole industrial chain can be imagined.

[25] Fee-deduction statistics back end of a “pseudo-color broadcast” virus APP

[26] Data storage server of a fee-deduction channel of a “pseudo-color broadcast” virus APP

3. DNS hijacking

As the basic equipment through which hundreds of millions of users access the network, the importance of router security is self-evident. In the last two years, router vulnerabilities, backdoors and other cases have been exposed everywhere. Although some manufacturers have released patched firmware, ordinary users seldom update the router system on their own initiative, so the persistent damage of a router vulnerability is much higher than on an ordinary PC platform. At the same time, router protection has always been a blind spot of traditional security software, and users usually cannot detect that their router has been tampered with.

Attacks on routers at home and abroad have also been very frequent in the last two years; currently we see two types. One uses vulnerabilities or backdoors to obtain control of the router system and then plants zombie Trojans, mostly DDoS Trojans built for the embedded platforms common to routers, such as ARM and MIPS. The other, after obtaining router management access, tampers with the default DNS server settings and hijacks user traffic through DNS, which is generally used for AD brushing and phishing attacks.

[27] Sample of a DDoS Trojan compatible with multiple router platforms

The following is a very typical DNS hijacking case that we found recently. The hijacker takes over the user's DNS through a router vulnerability, injects JS hijacking code into the user's web pages, and carries out navigation hijacking, e-commerce advertising hijacking, covert traffic brushing and more. Attack code for D-Link, TP-Link, ZTE and other brands of routers was also found in the hijacking code, using CSRF vulnerabilities to tamper with the routers' DNS settings.

[28] Router DNS traffic hijacking case diagram

[29] Attack code for D-Link, TP-Link, ZTE and other brand routers

The tampered, malicious DNS hijacks the static-resource domain names of common navigation sites, such as s0.hao123img.com and s0.qhimg.com, and the hijacker injects JS code into the jQuery library referenced by the page to carry out the subsequent hijacking. Because pages cache the library, poisoning the cached JS also achieves long-term hijacking.

[30] Domain names of common navigation sites have been hijacked

[31] Malicious code was injected into the jQuery library referenced by the website
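Both the CDN cache pollution case above and this jQuery injection come down to a public script file whose bytes no longer match what the origin serves. The check below is an added example, not code from the article: it pins the script with a Subresource Integrity hash (what a page would put in `<script integrity="...">`), and, when a copy fetched from an edge node fails the check, locates where it diverges from the origin copy and labels the User-Agent-based redirect constructs the article describes. The "library", the polluted copy and the ad.example hosts are constructed stand-ins.

```python
import base64
import hashlib
import re

# Constructed stand-in for a public library file served from a CDN (not real jQuery).
CLEAN_LIB = (
    b"/*! jquery-stub (constructed) */\n"
    b"window.jQuery=function(s){return document.querySelector(s);};\n"
)

# Constructed, inert injection modelled on the behaviour the article describes:
# choose a landing page by User-Agent and redirect. Hosts are placeholders.
INJECTED_TAIL = (
    b"(function(){var u=navigator.userAgent;"
    b"var d=/Android/.test(u)?'http://ad.example/apk':"
    b"/iPhone|iPad/.test(u)?'http://ad.example/ios':'http://ad.example/pc';"
    b"location.href=d;})();\n"
)
POLLUTED_LIB = CLEAN_LIB + INJECTED_TAIL


def sri_hash(body, algo="sha384"):
    """Value for <script integrity="...">: '<algo>-' + base64(digest of the bytes)."""
    digest = hashlib.new(algo, body).digest()
    return algo + "-" + base64.b64encode(digest).decode("ascii")


def sri_matches(body, integrity):
    """True when the body hashes to the pinned integrity value (as a browser checks it)."""
    algo = integrity.split("-", 1)[0]
    return sri_hash(body, algo) == integrity


# Constructs the injected code relies on; used only to label the diverging part.
INDICATORS = [
    re.compile(rb"navigator\.userAgent"),
    re.compile(rb"location\.href\s*="),
    re.compile(rb"document\.write\("),
]


def find_injection(reference, suspect):
    """Offset where suspect diverges from reference plus indicators in the diverging part; None if identical."""
    common = 0
    limit = min(len(reference), len(suspect))
    while common < limit and reference[common] == suspect[common]:
        common += 1
    if common == len(reference) == len(suspect):
        return None
    tail = suspect[common:]
    hits = [p.pattern.decode("ascii") for p in INDICATORS if p.search(tail)]
    return common, hits


def check_cdn_copy(edge_body, integrity, origin_body):
    """What a site operator runs on a copy fetched from an edge/cache node."""
    if sri_matches(edge_body, integrity):
        return {"ok": True}
    offset, hits = find_injection(origin_body, edge_body)
    return {"ok": False, "injected_at": offset, "indicators": hits}


# The value the page would carry in <script integrity=...> for the clean library.
PINNED_INTEGRITY = sri_hash(CLEAN_LIB)

if __name__ == "__main__":
    print(PINNED_INTEGRITY)
    print(check_cdn_copy(POLLUTED_LIB, PINNED_INTEGRITY, CLEAN_LIB))
```

A browser enforcing the `integrity` attribute refuses to run the polluted copy whether it came from a poisoned cache or a hijacked DNS answer, but only for resources the page pins; the hijacked page itself, when served over plain HTTP, is still unprotected.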

The hijacking code injected into pages is mostly used for covert advertising brushing and e-commerce traffic hijacking. From the change history of the dozens of hijacked JS files we discovered, it can be seen that the author has been constantly testing and improving different hijacking methods.

[32] The hijacking code covertly brushes the advertisements of major e-commerce companies

[33] CPS advertisements injected into the web page jump to an e-commerce traffic-diversion platform

We briefly tracked the hijacker's traffic statistics back end. According to the 51LA statistics, the hijacker's traffic is still astonishing: an average daily PV of about 200W (2 million), even reaching about 800W (8 million) at the peak at the end of 2015. The hijacker's windfall profits are not hard to imagine.

[34] The DNS traffic hijacker's 51LA statistics back end

DNS hijacking has been very frequent in the past two years, and the number of malicious DNS servers is growing very rapidly; we detect hundreds of new malicious DNS servers every year. Hijacking attacks against routers do not happen only in China: from our honeypot system and small-scale vulnerability detection results, we have also captured a number of DNS attacks on routers around the world.

[35] The DNS traffic hijacker's 51LA statistics back end

[36] A router CSRF vulnerability “whole family bucket” case discovered abroad, using more than 20 kinds of attack payloads

The following case is a router vulnerability-scanning attack captured by our honeypot system at the beginning of 2016. We then attempted traceability and impact assessment: a small-range scan of some active IP segments in a neighbouring country found that a large number of routers were exposed and vulnerable, and about 30% of them already had their DNS settings tampered with.

Leaving aside advertising-traffic hijacking for profit, if someone wanted to infiltrate or sabotage a large number of networks in a country or region, the current security state of routers riddled with holes would undoubtedly be a very suitable breakthrough point. This is not alarmist.

In the figure below, the preferred DNS of the vulnerable router is set to the IP address of the hijack server, and the alternate DNS server is set to Google Public DNS (8.8.8.8).

[37] A large number of vulnerable routers in a certain network segment of a neighbouring country had their DNS settings hijacked

[38] Various vulnerable routers with hijacked DNS settings
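A defender-side check for the router DNS hijack pattern described in this section, as an added example that is not part of the original article: a tampered primary DNS pointing at an unknown server with Google's 8.8.8.8 left as the fallback, and the navigation sites' static-resource domains resolving somewhere a trusted resolver does not know. The router config dump (a key=value backup format assumed for the example), both answer tables, and the documentation-range addresses (198.51.100.7 standing in for the hijack server, 203.0.113.0/24 for the ISP's resolvers) are all constructed.

```python
import ipaddress
import re

# Public resolvers a hijacker leaves as the "alternate" server so that the
# victim's network keeps working if the hijack server goes down.
KNOWN_PUBLIC_DNS = {"8.8.8.8", "8.8.4.4", "114.114.114.114", "1.1.1.1"}

# Resolver ranges this network is expected to use (assumed; 203.0.113.0/24 is
# a documentation range standing in for the ISP's resolvers).
EXPECTED_DNS_NETS = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("192.168.0.0/16")]

DNS_LINE = re.compile(r"^wan_dns([12])=(\S+)", re.M)


def parse_router_dns(config_text):
    """Primary/secondary DNS from a key=value router config dump (constructed format)."""
    found = dict(DNS_LINE.findall(config_text))
    return found.get("1"), found.get("2")


def is_expected_resolver(ip):
    addr = ipaddress.ip_address(ip)
    return ip in KNOWN_PUBLIC_DNS or any(addr in net for net in EXPECTED_DNS_NETS)


def classify_dns_servers(primary, secondary):
    """'expected', 'hijack-pattern' (unknown primary, public fallback) or 'unknown'."""
    if primary is None:
        return "unknown"
    if is_expected_resolver(primary):
        return "expected" if secondary is None or is_expected_resolver(secondary) else "unknown"
    if secondary in KNOWN_PUBLIC_DNS:
        return "hijack-pattern"
    return "unknown"


def hijacked_domains(local_answers, trusted_answers):
    """Names whose answer from the router's resolver is not among the trusted answers."""
    return {name: ip for name, ip in local_answers.items()
            if ip not in trusted_answers.get(name, set())}


def audit_router(config_text, local_answers, trusted_answers):
    primary, secondary = parse_router_dns(config_text)
    return {
        "primary": primary, "secondary": secondary,
        "verdict": classify_dns_servers(primary, secondary),
        "hijacked": hijacked_domains(local_answers, trusted_answers),
    }


# Constructed router config dump; 198.51.100.7 is a placeholder for the hijack server.
ROUTER_CONFIG = """# constructed config backup
wan_proto=pppoe
wan_dns1=198.51.100.7
wan_dns2=8.8.8.8
"""

# Constructed answers: what the router's resolver returns for the domains the
# article names, versus what a trusted resolver reached over a path the router
# cannot tamper with returns.
LOCAL_ANSWERS = {
    "s0.hao123img.com": "198.51.100.23",
    "s0.qhimg.com": "198.51.100.23",
    "www.example.com": "203.0.113.99",
}
TRUSTED_ANSWERS = {
    "s0.hao123img.com": {"203.0.113.10", "203.0.113.11"},
    "s0.qhimg.com": {"203.0.113.20"},
    "www.example.com": {"203.0.113.99"},
}

if __name__ == "__main__":
    print(audit_router(ROUTER_CONFIG, LOCAL_ANSWERS, TRUSTED_ANSWERS))
```

CDN-hosted names legitimately resolve differently by region, so the trusted answers must come from a resolver queried from the same vantage point (for example over TCP or DNS-over-HTTPS to a known server), not from a static list, or the comparison will raise false alarms.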

4. Mysterious hijacking

At the end of the story is a mysterious hijacking case. We have encountered many mysterious samples in our work, as if they were dark ghosts hidden in layers of networks. We do not know where they came from, nor where the information they intercepted ultimately flows, leaving us with only a mysterious figure.

These enigmatic samples have survived for a long time; we have captured early variants dating back about 12 years. To fill in the beginning of the puzzle: most of these samples come from network nodes that may have been hijacked. Please take a look.

[39] Comparison of normal and abnormal status of a software upgrade packet

[40] Packet capture data in the process of software upgrade

At the beginning of 2015, we captured a new variant of one of these samples. In addition to its mysterious way of transmission, the sample itself has many interesting technical details. Limited by space, only one analysis screenshot shared internally can be included here.

[41] Schematic diagram of technical analysis of mystery samples

0x02 Epilogue


There are many stories in the traffic circle, and the story of hijacking and anti-hijacking will continue to play out for a long time. Traffic is the basis of survival for many Internet enterprises, and winning users and traffic through excellent products is the only right way. The trust of users is hard-won and should be cherished. The article stops here for now; readers who are interested are welcome to leave comments for discussion.

Reference

Wooyun.org/bugs/wooyun…