Users are getting infected with ransomware thanks to criminals managing to hack the DNS records of Go Daddy hosted websites.
That's not welcome news for the world's largest domain name registrar.
To understand how these attacks work, a short primer on DNS is required.
In a nutshell, DNS provides a system where computers on a network (the internet) can be referenced by a user-friendly name. These names are known as hostnames, and DNS translates them into what is known as an IP address.
A key feature of DNS is that changes can be made and applied very rapidly, allowing resources to be moved between machines/networks/locations without affecting end users. The hostnames remain constant, and DNS handles any changes in the IP address as the resources move.
In this current spate of attacks, criminals are exploiting DNS by hacking the DNS records of sites, adding one or more additional subdomains with corresponding DNS entries (A records) referencing malicious IP addresses. The legitimate hostname resolves to the legitimate IP address, but the added subdomains resolve to rogue servers.
This enables the attackers to use legitimate-looking URLs in their attacks, which can help to evade security filtering and trick users into thinking the content must be safe.
In some cases, users have had several subdomains added, pointing to one or more malicious IP addresses.
The rogue servers are running an exploit kit calling itself 'Cool EK'.
The Russian origin of the kit is evident from the login page for the admin panel.
Users hitting the malicious site are hit with various malicious files, exploiting several vulnerabilities, in order to infect them with ransomware.
- snake.[redacted].info/r/l/certainly-devices.php (exploit landing page, Mal/ExpJS-AV)
- snake.[redacted].info/r/32size_font.eot (CVE-2011-3402, Troj/DexFont-A)
- snake.[redacted].info/r/media/file.jar (Mal/JavaGen-E)
- snake.[redacted].info/r/f.php?k=1&e=0&f=0 (ransomware payload, Troj/Ransom-KM)
Once running, the ransomware displays the familiar payment page, with contents that vary based on the country of the victim.
Here is a British example, which uses the name of the Police Central E-Crime Unit:
And here is the type of lock page you would see if you lived in, say, Bulgaria:
Note the use of an animated GIF in this lock page to mimic the video from the user's webcam! This sort of attention to detail is what helps convince many users that the warning is legitimate.
At the time of writing, an important question remains to be answered. How were the attackers able to hack these Go Daddy DNS records?
One likely cause is compromised user credentials (stolen or weak passwords). To help confirm this I suggested one of the affected webmasters check his historical login activity. Sadly, this does not seem to be readily possible for users. Furthermore, the response from Go Daddy offers no help either.
Thank you for contacting Online Support regarding your account. Please note we have security devices and protocols in place to protect our network and infrastructure. As stated previously, we cannot release information regarding account logins or activity. If you feel that someone has logged into your account, your best defense is to change your password. Please see our previous response for instructions on how to do this.
Sigh. Enabling users to view historical login activity is a very simple way of helping to spot malicious activity early. Let's hope Go Daddy change their stance on this.
Given the prevalence of attacks against web sites for the purpose of malware distribution, it is high time that associated services (registrars, hosting providers, etc.) pay adequate consideration to security.
Users should not be allowed to use weak passwords. Two-factor authentication should be readily available, if not enforced.
With a little forethought and consideration to what happens when the keys to the kingdom get lost, malicious activity can be disrupted more quickly.
Go Daddy customers who wish to check they have not been affected by these attacks should check their DNS configuration according to the Go Daddy support page.
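The check above is easy to automate. The following script is an added example written for this post, not code from Sophos or Go Daddy: it takes a zone-file style export of a domain's A records, compares every entry against a baseline of hostnames the owner actually created and the address ranges their hosting provider allocated, and flags anything else. It models exactly the pattern described earlier, where the legitimate records are left intact and an extra subdomain is added pointing at a rogue server; the address check also generalises to the case where an existing record is re-pointed. The domain, hostnames, addresses and baseline are all constructed placeholders.

```python
"""Audit a domain's DNS A records against a known-good baseline.

Added example, not from the original post or from Go Daddy. The zone
text below is constructed sample data modelled on the attack described
in the post: the legitimate hostnames still resolve correctly, but an
extra subdomain has been added that points to an address outside the
owner's own netblock. All names, addresses and ranges are hypothetical.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ARecord:
    name: str      # fully-qualified hostname, e.g. "www.example.com"
    ttl: int       # time-to-live in seconds
    address: str   # IPv4 address the name resolves to


# Constructed zone export in the shape a registrar's DNS manager or a
# zone dump gives after tidying. The first two entries are the owner's;
# "snake.example.com" stands in for the kind of injected subdomain the
# post describes (placeholder name, placeholder address).
SAMPLE_ZONE = """
example.com.        3600  IN  A  203.0.113.10
www.example.com.    3600  IN  A  203.0.113.10
snake.example.com.  300   IN  A  198.51.100.77
"""

# The owner's baseline (hypothetical): hostnames they created and the
# address ranges their hosting provider actually allocated to them.
EXPECTED_NAMES = {"example.com", "www.example.com"}
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_zone(text: str) -> list[ARecord]:
    """Parse the A records out of a simple zone-file style text dump."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        # Expect: name ttl class type rdata; skip blanks and non-A records.
        if len(fields) < 5 or fields[3] != "A":
            continue
        name = fields[0].rstrip(".").lower()
        records.append(ARecord(name=name, ttl=int(fields[1]), address=fields[4]))
    return records


def audit(records, expected_names, trusted_networks):
    """Return a list of (record, reason) findings.

    Two independent checks, because the attack described leaves the
    legitimate records untouched:
      * an A record for a hostname the owner never created, and
      * any A record whose address lies outside the owner's netblocks
        (this also catches a legitimate name that has been re-pointed).
    """
    findings = []
    for rec in records:
        reasons = []
        if rec.name not in expected_names:
            reasons.append("unexpected hostname (not in baseline)")
        addr = ipaddress.ip_address(rec.address)
        if not any(addr in net for net in trusted_networks):
            reasons.append("address outside trusted networks")
        if reasons:
            findings.append((rec, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for rec, why in audit(parse_zone(SAMPLE_ZONE), EXPECTED_NAMES, TRUSTED_NETWORKS):
        print(f"SUSPICIOUS  {rec.name:<24} {rec.address:<16} ttl={rec.ttl:<6} {why}")
```

Run against the constructed zone, only the injected "snake.example.com" record is reported, on both counts. In practice the baseline should be written down at the time the domain is set up, and the export should come from the authoritative source (the registrar's DNS management panel) rather than from a resolver cache, so that a fresh, low-TTL addition is not missed.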
Aside from contacting some of the affected webmasters, we have contacted Go Daddy to alert them to these attacks.
Thanks to the webmasters who responded to my notifications about these attacks, whose input was very helpful in putting together the content for this post.
-- Update: November 26th, 2012 --
We have received a statement from Go Daddy concerning these attacks, a copy of which is included below:
Go Daddy has detected that a very small number of accounts have malicious DNS entries placed on their domain names. We have been identifying affected customers and reversing the malicious entries as we find them. Also, we're expiring the passwords of affected customers so the threat actors cannot continue to use the accounts to spread malware.
We suspect that the affected customers have been phished or their home machines have been affected by Cool Exploit as we have confirmed that this is not a vulnerability in the My Account or DNS management systems.
Go Daddy highly recommends that US- and Canada-based customers enable 2-Step Authentication to help protect their accounts. Details on how to set up this feature are located at http://support.godaddy.com/help/article/7502/enabling-twostep-authentication.
If a customer suspects their account may have an issue, we encourage them to contact Go Daddy Customer Care or fill out the form at the following link: https://support.godaddy.com/support/?section=support.
It is good news that our initial suspicions are confirmed - compromised user credentials are responsible for these hacks. Thanks to Go Daddy for their quick response confirming this to be the case. We would encourage all CA and US users to enable 2-factor authentication. Users elsewhere should ensure their passwords are strong and unique to Go Daddy.