Users are getting infected with ransomware thanks to criminals managing to hack the DNS records of Go Daddy hosted websites.
That’s not welcome news for the world’s largest domain name registrar.
To understand how these attacks work, a short primer on DNS is required.
In a nutshell, DNS provides a system where computers on a network (the internet) can be referenced by a user-friendly name. These names are known as hostnames, and DNS translates them into what is known as an IP address.
A key feature of DNS is that changes can be made and applied very rapidly, allowing resources to be moved between machines/networks/locations without affecting end users. The hostnames remain constant, and DNS handles any changes in the IP address as the resources move.
In the current spate of attacks, criminals are exploiting DNS by hacking the DNS records of sites, adding one or more additional subdomains with corresponding DNS entries (A records) referencing malicious IP addresses. The legitimate hostname resolves to the legitimate IP address, but the added subdomains resolve to rogue servers.
This enables the attackers to use legitimate-looking URLs in their attacks, which can help to evade security filtering and trick users into thinking the content must be safe.
In some cases, users have had several subdomains added, pointing to one or more malicious IP addresses.
owner.[redacted].com
move.[redacted].com
mouth.[redacted].com
much.[redacted].com
muscle.[redacted].info
music.[redacted].mobi
The rogue servers are running an exploit kit calling itself ‘Cool EK’.
As noted last week, this is actually very similar to Blackhole exploit kit.
The Russian origin of the kit is evident from the login page for the admin panel.
Users who reach the malicious site are served various malicious files, exploiting several vulnerabilities, in order to infect them with ransomware.
- snake.[redacted].info/r/l/certainly-devices.php (exploit landing page, Mal/ExpJS-AV)
- snake.[redacted].info/r/32size_font.eot (CVE-2011-3402, Troj/DexFont-A)
- snake.[redacted].info/r/media/file.jar (Mal/JavaGen-E)
- snake.[redacted].info/r/f.php?k=1&e=0&f=0 (ransomware payload, Troj/Ransom-KM)
Once running, the ransomware displays the familiar payment page, with contents that vary based on the country of the victim.
Here is a British example, which uses the name of the Police Central E-Crime Unit:
And here is the type of lock page you would see if you lived in, say, Bulgaria:
Note the use of an animated GIF in this lock page to mimic the video from the user’s webcam! This sort of attention to detail is what helps convince many users that the warning is legitimate.
At the time of writing, an important question remains unanswered: how were the attackers able to hack these Go Daddy DNS records?
One likely cause is compromised user credentials (stolen or weak passwords). To help confirm this I suggested one of the affected webmasters check his historical login activity. Sadly, this does not seem to be readily possible for users. Furthermore, the response from Go Daddy is no help either.
Thank you for contacting Online Support regarding your account. Please note we have security devices and protocols in place to protect our network and infrastructure. As stated previously, we cannot release information regarding account logins or activity. If you feel that someone has logged into your account, your best defense is to change your password. Please see our previous response for instructions on how to do this.
Sigh. Enabling users to view historical login activity is a very simple way of helping to spot malicious activity early. Let’s hope Go Daddy change their stance on this.
Given the prevalence of attacks against web sites for the purpose of malware distribution, it is high time that associated services (registrars, hosting providers etc.) pay adequate consideration to security.
Users should not be allowed to use weak passwords. Two-factor authentication should be readily available, if not enforced.
With a little forethought and consideration to what happens when the keys to the kingdom get lost, malicious activity can be disrupted more quickly.
Go Daddy customers who wish to check they have not been affected by these attacks should check their DNS configuration according to the Go Daddy support page.
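As an added example that is not part of the original post and not a Go Daddy tool, the following Python script shows the kind of check implied by the attack description above and by the advice to review DNS configuration: it compares an exported list of A records against a baseline of known hostnames and trusted address ranges, flagging added subdomains and records that point elsewhere. The example.com hostnames, the addresses and the export layout are constructed.

```python
"""Added example: audit a zone's A records against a known-good baseline.
Not from the original post or any Go Daddy tool; all names/addresses are constructed."""
import ipaddress

# Constructed baseline: hostnames and addresses the webmaster knows about.
BASELINE = {
    "example.com": "203.0.113.10",
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.25",
}
# Netblocks the site legitimately uses (RFC 5737 documentation range here).
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed export in "name TYPE address" form; the last three records
# mirror the added-subdomain pattern described in the post.
ZONE_EXPORT = """\
example.com        A  203.0.113.10
www.example.com    A  203.0.113.10
mail.example.com   A  203.0.113.25
owner.example.com  A  198.51.100.77
move.example.com   A  198.51.100.77
mouth.example.com  A  198.51.100.78
"""

def parse_a_records(text):
    """Return {hostname: address} for the A records in a zone export."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "A":
            records[parts[0].lower().rstrip(".")] = parts[2]
    return records

def audit_zone(records, baseline, trusted_nets):
    """Return (hostname, address, reason) findings for suspicious records:
    hostnames absent from the baseline, addresses that changed, and
    addresses outside every trusted netblock."""
    findings = []
    for host, addr in sorted(records.items()):
        if host not in baseline:
            findings.append((host, addr, "subdomain not in baseline"))
        elif baseline[host] != addr:
            findings.append((host, addr, "address changed"))
        if not any(ipaddress.ip_address(addr) in net for net in trusted_nets):
            findings.append((host, addr, "address outside trusted ranges"))
    return findings

if __name__ == "__main__":
    for host, addr, why in audit_zone(parse_a_records(ZONE_EXPORT), BASELINE, TRUSTED_NETS):
        print(f"{host:20} {addr:16} {why}")
```

Run it against a real export of your own zone with your own baseline; any hostname you did not create, or any address outside the ranges you use, deserves a look.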
Aside from contacting some of the affected webmasters, we have contacted Go Daddy to alert them to these attacks.
Thanks to the webmasters who responded to my notifications about these attacks, whose input was very helpful in putting together the content for this post.
— Update: November 26th, 2012 —
We have received a statement from Go Daddy concerning these attacks, a copy of which is included below:
Go Daddy has detected that a very small number of accounts have had malicious DNS entries placed on their domain names. We have been identifying affected customers and reversing the malicious entries as we find them. Also, we’re expiring the passwords of affected customers so the threat actors cannot continue to use the accounts to spread malware.
We suspect that the affected customers have been phished or their home machines have been affected by Cool Exploit as we have confirmed that this is not a vulnerability in the My Account or DNS management systems.
Go Daddy highly recommends that US- and Canada-based customers enable 2-Step Authentication to help protect their accounts. Details on how to set up this feature are located at http://support.godaddy.com/help/article/7502/enabling-twostep-authentication.
If a customer suspects their account may have an issue, we encourage them to contact Go Daddy Customer Care or fill out the form at the following link: https://support.godaddy.com/support/?section=support.
It is good news that our initial suspicions are confirmed – compromised user credentials are responsible for these hacks. Thanks to Go Daddy for their quick response confirming this to be the case. We would encourage all CA and US users to enable 2-factor authentication. Users elsewhere should ensure their passwords are strong and unique to Go Daddy.
Is it just me that finds the polished look of this to be a dead giveaway that it is a scam? I mean really, take a look at how they did the FBI at the top, very cool italic font, the whole "we recorded your web cam". Anyone who knows much about the FBI would know that if the FBI was behind it you would simply run into a wall of text a mile long in a font that looks like it was stolen from an early model typewriter.
You are right – many would not fall for the ransomware lock page, so would not pay up. However, bear in mind that at that point their machine is infected – they are prevented from doing anything on their machine.
And we need to remember that there are a lot of users out there who would be fooled. History tells us that. Look at Fake AV (very much the predecessor to ransomware). That has enjoyed years of success, driven by profit generated from fooling victims into paying to register the fake product.
Indeed, this article (http://krebsonsecurity.com/2012/08/inside-a-reveton-ransomware-operation/) shows exactly how scarily successful these ransomware variants are at turning a profit.
Let's also not forget that the crappily crafted pages are becoming less and less common as the criminals are stepping up their game and hiring experts to do their design work. The ones with misspellings or makeshift fonts are not as common anymore. We are seeing fake sites that even the owners cannot discern between real and fake.
It will only get worse as organized crime digs in.
Talking about Fake AV, I had never thought that anyone would fall for that, until my not-IT-savvy friend told me he needed my help to clear a virus, but later called me again to say that he had solved the problem by paying the "Antivirus Software" with the instruction
Someone will fall into it!
It seems that the conclusion on Russian origin because the login page is in Russian is quite weak. In fact, it might be a cover for those who would expect such lame conclusions. Thankfully we do not use such “evidence” in court (most of the time).
The Cool EK kit has numerous similarities to Blackhole (known to be of Russian origin), which is discussed in the previous blog article I linked. You are right, just the login page itself is not evidence, but when you dig into these kits a bit further there are plenty of pointers to origin.
12:18PST Just got off the phone with GoDaddy technical support. I am not an employee of GoDaddy, but I am a customer of theirs for email, domains and web hosting.
This info does not appear to be correct: GoDaddy have no indications that any problems have affected their DNS servers in the time frame covered by this Sophos article.
What seems more likely is that a few GoDaddy customers (and maybe some customers of other hosting sites?) may have had their DNS records hacked because of weak passwords chosen by those individuals and then reported this to Sophos, but this does not appear to be an issue that is systemic to GoDaddy hosting customers.
I have generally found this Sophos site to have good info, but perhaps some more extensive fact-checking is warranted before posting a news story like this. //Dave//
In the article I indeed suggest the likely cause is compromised user credentials. So not sure what additional fact checking you are suggesting?
If the website admin used the same email address for godaddy as the one on their public domain record, then the attacker can hack into that account first, then reset the godaddy password without any failing attempts at all. I know a lot of people whose yahoo or hotmail accounts got hacked.
"Two-factor authentication should be readily available, if not enforced."
http://support.godaddy.com/help/article/7502/enab…
Well, if you get sucked in and your computer is locked, just drop the bastard in the ocean where they can have the keys to a useless piece of junk, get a new one and log back on to the sites you use etc., using hard to crack passwords. Most of this boils down to user laziness password-wise.
Two-step authentication should be mandatory. If your entire website hangs on one password, you've already failed.
That's going to needlessly inconvenience some users, though, especially those who nonetheless keep their computers as "clean" as possible. Besides, as noted above, 2-factor only applies to U.S. and Canada-based customers.