Recently most of the people used to collaborate through GitHub experienced a new kind of Denial Of Service Attack widly recognized as Main-On-The-Side Attack. The Github DDOS attack was driven by the State of China (NewYorkTime) with the intent to alert GitHub company about the violation of the Chinese censorship policies.
"Because GitHub is fully encrypted, China’s domestic web filters cannot distinguish between pages that host code useful to programmers and code that circumvents censorship." (Source: NewYorkTime)
- A unaware user is browsing from outside China
- A compromised response is sent out from China instead of the actual Baidu Analytics script
- The compromised response tells to the user browser to contnuosly load specific pages on GitHub.com.
Finding the original malicious code in order to analyze it, was actually the real challenge (at least for me). I've tried to execute tons of Baidu urls GET requests but no malicious payloads were found. Fortunately Urlquery.net saw the code and stored it (here). The following image shows one of the used payloads (that report proves tha multiple payloads were involved).
|Script From Baidu during the Chinese Github Attack|
The connections path captured by urlquery is shown in the following picture where is almost evident the query to cloudfront comming after having loaded a fake baidu script.
Getting little bit deeper -- a malicious payload downloaded from --
18.104.22.168 HTTP/1.0 200 OK Content-Type: text/html
Server: nginx Date: Wed, 18 Mar 2015 09:56:57 GMT Content-Length: 114 Last-Modified: Wed, 18 Mar 2015 05:43:55 GMT Etag: "5509109b-72" Expires: Wed, 18 Mar 2015 09:56:57 GMT Cache-Control: max-age=0 Accept-Ranges: bytes Connection: keep-alive
forced the user browser to load content from: d18yee9du95yb4.cloudfront.net
GET /?1425380212 HTTP/1.1 Host: d18yee9du95yb4.cloudfront.net
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322) Accept: text/plain, */*; q=0.01 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Referer: http://pos.baidu.com/wh/o.htm?ltr=&cf=u Origin: http://pos.baidu.com
Currently the host has been blocked down due to the described attack as follows:
|Blocked host because the "Chinese Attack"|