ICANN and IANA's Domain Names Hijacked by the NetDevilz Hacking Group

The official domains of ICANN, the Internet Corporation for Assigned Names and Numbers, and IANA, the Internet Assigned Numbers Authority were hijacked earlier today, by the NetDevilz Turkish hacking group which also hijacked Photobucket’s domain on the 18th of June. Zone-H mirrored the defacements, some of which still remain active for the time being.



Read more here - "ICANN and IANA’s domains hijacked by Turkish hacking group". A single email appears to have been used in the updated DNS records of all domains, logically courtesy of the NetDevilz team - foricann1230@gmail.com



More details will be posted as soon as they emerge.



UPDATE:



The ICANN has restored access to its domains, and as in every other DNS hijacking the correct records will be updated on a mass scale in 24/48 hours. Some press coverage :



Ankle-biting hackers storm net's overlords, hijack their domains

Hackers hijack critical Internet organization sites

No such thing as a guaranteed safe site

Good Always Comes Out of Bad

Hackers Deface ICANN, IANA Sites

ICANN publicity may have triggered malicious behavior

Turkish Hackers Relive Memories in Photobucket

ICANN Web Site Compromise

Moreover, according to an article at Computerworld, the ICANN weren't aware of the hijack :



"A spokesman for ICANN contacted Friday morning wasn't aware of the hack, and declined comment until he find out more."



Let's hope that they issue a statement on the situation once they know more about how it happened. More comments follow from the ICANN - "Turkish Hacker Group Strikes Again, This Time Victims are ICANN and IANA" :



"Latest response received by CircleID from ICANN states that the problem took place at their registrar level. A Whois look up shows Register.com as the registrar for the hacked domains. ICANN has further stated that the registrar "fixed the dns redirection within 20 minutes of us notifying them of the problem. The registrar is actively investigating what happened and has promised to report back to us on what happened."



This is the second time in a row when DNS hijacking happens through Register.com compared to Comcast.net's one done through Network Solutions.

Right Wing Israeli Hackers Deface Hamas's Site

Compared to historical hacktivism tensions between different nations, Israeli and Palestinian hacktivists seem to be most sensitive to "virtual fire exchange" like this one, and consequently, just like in real-life, always look and find for an excuse to engage in a conflict. Israeli hackers penetrate Hamas website :

"Israeli hackers boasted Thursday about breaking into the website of Izz al-Din al-Qassam, Hamas’ military wing, which now displays a white screen and words in Arabic announcing technical difficulties. The hacker group, which calls itself Fanat al-Radical (the fanatical radicals), also said that it broke into additional terror organizations’ sites and those of various leftist movements. In a Ynet interview, a group representative who refused to reveal his name said, “We searched for relevant sites with the criteria we look for, whether leftist or anti-Zionist, and looked for loopholes. Our emphasis was always on the al-Qassam site. "The criteria are defined as anti-Zionist or anti-Jewish sites that support or assist in harming Zionism and the existence of Israel as a Zionistic, Jewish state."

The message they left :

"Hacked by XcxooXL and FENiX from Fanat Al Radical Greets: Sn4k3 Contact: Fanat.al.Radical@gmail.com "

These script kiddies using SQL injection vulnerabilities within the affected sites, since they indeed managed to deface several other as well, seem to have also participated in the 2006 cyber conflict sparkled due to the the kidnapping of three soldiers. One of their defacements remains still active (aviv.perffect-x.net/deface.html)

"We will stand against the Islam until the kidnapped soldiers, Gilad Shalit, Eldad Regev and Ehod Goldvaser will be return, We will attack arabic servers and site which support the Islam and protest against the zionism"

What if every script kiddie with a SQL injection scanners goes into politics? It's a mess already.

Related posts:
Monetizing Web Site Defacements
Pro-Serbian Hacktivists Attacking Albanian Web Sites
The Rise of Kosovo Defacement Groups
A Commercial Web Site Defacement Tool
Phishing Tactics Evolving
Web Site Defacement Groups Going Phishing
Hacktivism Tensions
Hacktivism Tensions - Israel vs Palestine Cyberwars
Mass Defacement by Turkish Hacktivists
Overperforming Turkish Hacktivists

Backdoording Cyber Jihadist Ebooks for Surveillance Purposes

It appears that cyber jihadists are striking back at the academic and intelligence community, by binding their propaganda Ebooks with malware, then distributing them across different forums, thanks to a recently analyzed Ebook entitled "The Al-Qaeda network's timely entrance in Palestine" distributed by the Global Islamic Media Front - hat tip to Warintel.

If it were posted by a newly joined forum member, it would have logically raises the suspicion that it's in fact intelligence agencies spreading malware infected Ebooks around cyber jihadist forums, but it's since this one in particular is being distributed by what looks like a hardcore cyber jihadist, it brings the discussion to a whole new level.

What are they trying to achive? Abuse the already established trust of their readers and cyber jihadist supporters in order to snoop on their Internet activities, or it's the academic and intelligence community they are trying to monitor? In times when botnets can be rented and created on demand, they seem to be more interested in infecting their enemies. Moreover, I suspect that prior to the forum posting, private messages and emails were automatically sent to notify members whose number of posts at the forum greate outpace those of average observers, perhaps the target in such an attack.

The malware is detected by 9 out of 33 antivirus scanners as Trojan.Midgare.gra. Consider reading a previous post on "Terror on the Internet - Conflict of Interest" as well as through the related posts summarizing all the cyber jihadist research I've conducted so far.

Fake Porn Sites Serving Malware

Ah, that RBN with its centralization mentality for the sake of ease of management and 99.999% uptime. In this very latest example of using malicious doorways redirecting to fake porn sites, consisting of over twenty different domains serving the usual Zlob malware variants, we have a decent abuse of a template for a porn site.

The easy of management of such domain farms and the availability of templates for high trafficked topic segments such as celebrities and pornography, continue contributing to the increasing number of Zlob variants served through fake codecs. Moreover, once set up, the malicious infrastructure starts attracting now just generic search traffic, but also traffic coming from affiliates with whom revenue is shared on the basis of the number of people that downloaded the codec.

In this campaign, the malicious doorway that expands the entire ecosystem is located at search-top.com/in.cgi?5&parameter=drs (66.96.85.113). A redirector that appears to have been operating since 2006, according to this forum posting.

What follows on-the-fly, are all the fake porn sites whose legitimately looking videos attempt to download a Zlob malware variant from a single location - vipcodec.net. Here are all the fake porn sites, and the associated campaigns in this redirection :

watchnenjoy .com/index.php?id=1287&style=white
craziestclips .com/index.php?id=1287&q=
immensevids .com
planetfreepornmovies .com/?t=1&id=1219
poweradult .net/edmund/16551689/1/&id=1219
scan-porn .net/rosalyn/1742941675/1/&id=1219
about-adult .net/emiline/108846601/1/&id=1219
service-porn .com/inde/964842117/1/&id=1219
pleasure-porn .com/elnora/648311952/1/&id=1219
porn-the .net/verge/1734135233/1/&id=1219
porn-pleasure .net/dal/1663381205/1/&id=1219
scan-porn .net/gretchen/515268975/1/&id=1219
abc-adult .com/lillah/1467790484/1/&id=1219
about-adult .net/jenne/434165228/1/&id=1219
look-adult .net/ette/681831796/1/&id=1219
about-adult .net/mime/65729013/1/&id=1219
name-adult .net/alfe/550398461/1/&id=1219
group-adult .net/demerias/867452637/1/&id=1219
useporn .net/rhode/167691118/1/&id=1219
porn-look .net/hephsibah/1254235416/1/&id=1219
scan-porn .net/hence/1684651134/1/&id=1219
abc-adult .com/kendra/371598555/1/&id=1219
name-adult .net/link/1334727639/1/&id=1219
porn-the .net/flo/84660854/1/&id=1219
porn-popular .com/assene/875893411/1/&id=1219
about-adult .net/charlotta/972714195/1/&id=1219
porn-comp .com/orlando/761508522/1/&id=1219
useporn .net/jemima/1405735776/1/&id=1219
about-adult .net/obadiah/263904242/1/&id=1219
group-adult .net/douglas/1110779475/1/&id=1219
porn-look .net/lydde/1844064103/1/&id=1219
pleasure-porn .com/marcia/1627490290/1/&id=1219
service-porn .com/cono/295680123/1/&id=1219
group-adult .net/wes/1733468207/1/&id=1219
abc-adult .com/wib/648341815/1/&id=1219
scan-porn .net/greg/2064937302/1/&id=1219
contact-adult .net/maris/33184936/1/&id=1219
look-adult .net/regina/1273816838/1/&id=1219
abc-adult .com/gwendolyn/869744046/1/&id=1219
service-porn .com/carthaette/1021629112/1/&id=1219
scan-porn .net/ninell/1522355420/1/&id=1219
porn-pleasure .net/waldo/755290223/1/&id=1219
porn-the .net/green/669090607/1/&id=1219
try-adult .com/lula/447057398/1/&id=1219
visit-adult .net/jay/1021153563/1/&id=1219
contact-adult .net/rosa/849017739/1/&id=1219
name-adult .net/hannah/2111126283/1/&id=1219
about-adult .net/robin/2114086747/1/&id=1219
scan-porn .net/geraldine/921262381/1/&id=1219
contact-adult .net/christine/1821111087/1/&id=1219
porn-popular .com/frederica/364993202/1/&id=1219
about-adult .net/kerste/735582753/1/&id=1219
porn-the .net/vine/715820953/1/&id=1219
porn-the .net/newt/1835463160/1/&id=1219
try-adult .com/max/602914725/1/&id=1219
porn-pleasure .net/cille/1420660046/1/&id=1219
poweradult .net/phililpa/178057959/1/&id=1219
name-adult .net/lise/1379126759/1/&id=1219
pleasure-porn .com/marianne/1083617952/1/&id=1219
poweradult .net/emile/1173468576/1/&id=1219
useporn .net/patse/155685496/1/&id=1219
helpporn .net/verna/625840253/1/&id=1219
name-adult .net/aubrey/190928373/1/&id=1219
about-adult .net/alphinias/1345158043/1/&id=1219
useporn .net/rosa/223743611/1/&id=1219
pleasure-porn .com/nerva/1509620489/1/&id=1219
helpporn .net/leet/1619667733/1/&id=1219
about-adult .net/roberta/887345003/1/&id=1219
porn-pleasure .net/tore/1032556395/1/&id=1219
useporn .net/bo/1963737386/1/&id=1219
porn-look .net/karon/136085893/1/&id=1219
poweradult .net/tense/1523522750/1/&id=1219
poweradult .net/hopp/1955964399/1/&id=1219
scan-porn .net/vanne/350822489/1/&id=1219
porn-comp .com/deb/1451360694/1/&id=1219
about-adult .net/moll/1511640690/1/&id=1219
porn-popular .com/obediah/562846948/1/&id=1219
helpporn .net/tamarra/776122096/1/&id=1219
pleasure-porn .com/aristotle/1046422029/1/&id=1219
porn-comp .com/titia/158157566/1/&id=1219
group-adult .net/gay/1297835054/1/&id=1219
porn-look .net/katherine/2136357734/1/&id=1219
helpporn .net/azubah/1197502147/1/&id=1219
porn-comp .com/claes/770105101/1/&id=1219

Associated fake porn sites :

pornbrake .com
sexnitro .net
brakesex .net
pornnitro .net
adultbookings .com
qazsex .com
lightporn .net
delfiporn .net
pornqaz .com
megazporn .com
uinsex .com
xerosex .com
serviceporn .com
aboutadultsex .com
superliveporn .com
bestpriceporn .com
contactporn .net
relatedporn .com
landporno .com
adultsper .com
plus-porn .com
adultstarworld .com
cutadult .com
moviexxxhotel .com
porno-go .com
pornxxxfilm .com
porn-sea .com
review-sex .com
sureadult .com
browseadult .com
network-adult .com
timeadult .com
virtual-sexy .net
funxxxporn .com
loweradult .com
adultfilmsite .com
xxxallvideo .com
custom-sex .com
gallerypictures .net
usaadultvideo .com
adultmovieplus .com
porn-cruise .com
clubxxxvideo .com
mitadult .com
galleryalbum .net
xxxteenfilm .com
hardcorevideosite .com
helpadult .com
portaladult .net
service-sex .com
driveadult .com
access-porno .com
time-sex .com
plus-adult .com
worldadultvideo .com
key-adult .com
estatesex .com
superadultfriend .com
superporncity .com
zero-porno .com
scanadult .com
adultsexpro .com
adultzoneworld .com
porntimeguide .com
usbestporn .com
adulttow .com
look-porn .com
galleryclick .net
micro-sex .com
estatesex .com
try-sex .com
0bucksforpornmovie .com
gays-video-xxx .com
hackthegrid .com
savetop .info
vidsplanet .net
freexxxhere .com
gestkoeporno .com
tv-adult .info
gays-adult-video .com
matures-video .com
analcekc .com
tabletskard .in
molodiedevki .com
dom-porno .com
pornoaziatki .com
latinosvideo .com
geiporno .com
sweetfreeporn .com

If exposing a huge domains portfolio of currently active redirectors has the potential to ruin someone's vacation, then consider someone's vacation ruined already.

Related posts:
Underground Multitasking in Action
Fake Celebrity Video Sites Serving Malware
Blackhat SEO Redirects to Malware and Rogue Software
Malicious Doorways Redirecting to Malware
A Portfolio of Fake Video Codecs

An Update to Photobucket's DNS Hijacking

With Photobucket’s recently hijacked DNS records by Turkish hacking group, the second high profile DNS hijack for the past two months next to Comcast.net's DNS hijacking in May, domain registrant impersonation attacks seems to fully work, and Tier 1 domain registrars remain susceptible to them.

So far, none of these DNS hijacks served any malware, live exploits, or bogus home pages aiming to steal accounting data. However, the DNS hijacking by itself resulted in a Denial of Service attack on Photobucket, one that would have required a great deal of bandwidth if it were executed in the old fashioned frontal attack approach.

And with Photobucket still labeling the DNS hijacking as a "DNS error", their failure to admit what has actually happened is already sparkling quite a few negative comments across the Web - with a reason. Creating alternate realities when it comes to evidential proof of a hack isn't necessarily state of the art public relations. Photobucket.com's domain registrar, the Register.com comments on the DNS hijacking :

"The Photobucket site was down for a very short time and was restored immediately when we became aware of the issue." Roni Jacobson, general counsel of Register.com, said in a statement on Thursday. "We are currently investigating the source of the problem."

As well as Atspace.com's (Zettahost.com) statement left on their site regarding the DNS hijacking :

"IMPORTANT! Photobucket.com problem read here: Last night Photobucket.com DNS at register.com was hacked by malicious people that are trying to compromise our business! We are in no way affiliated with such bad deeds and cooperate with photobucket in capturing these individuals. They have pointed the domain photobucket.com to an account hosted on our systems! We have blocked that and photobucked techs have restored the domain pointing to its original location!ALL account information and pictures on photobucket.com are OK, please have patience! Unfortunately the complete DNS replication usually takes 24-48 hours and during this time caches DNS records might still point to us! The normal operation of Photobucket is restored and as soon as the replication is complete there should be no further such issues! We would like to emphasize that we are in now way responsible for what happens with photobucket and all users bumping across our systems! We are a legitimate web hosting company operating since 2003 and in no way tolerate such hacking attempts! If you have any questions please do not hesitate to contact us at abuse@zettahost.com! Thanks for your patience and understanding!"

When the affected company acts like nothing's happened, whereas multiple sources continue providing pieces of the puzzle, a statement on the measures taken to prevent that type of hijacking in the future would be better PR than denying the hijacking of the first place and the fact that they could have pointed Photobucket.com to anywhere they wanted to.

Underground Multitasking in Action

How many ways in which a malicious party can abuse its unauthorized access to a host, can you think of? In this example of remotely file included web backdoor (web shell), we have a malicious party that's hosting a web spammer, planning to launch a phishing attack impersonating Halifax, locally hosting blackhat SEO junk pages redirecting to rogue security software, redirecting to multiple live exploit URLs through javascript obfuscations, as well as to fake casinos and fake celebrity video sites - all from a single location.

This risk-forwarding process for all the malicious and criminal activities to the owner of the compromised web server is something usual, what's more interesting in this case is the number and diversity of the affiliations this guy has set up in order to monetize the unauthorized access by using all the possible sources of revenues like the ones I pointed on in a previous post regarding increasing monetization of web site defacements.

In fact, he seems to have built enough confidence in the new "hosting provider", that he's even hosting his blackhat SEO advetising services there. The multiple javascript obfuscations hosted locally, point to the following malicious domains which expose all the revenue generating affiliations, and even more malicious doorways :

analytics-google .info/q/urchin.js
209.205.196.16/freehost22/paula2/index.php?id=0271
209.205.196.16/freehost22/paula2/exxe.php?id=0271
crklab .us/index.php
my-page-de .info/in.cgi?2&1400397
tapki .cn/1.html?92465
dificalgot .net/s/in.cgi?2?1121268b0d022308
my-page-de .info?default.cgi
magichotgaming .net
allextra .com/best/go.php?sid=2&tds-parametr1=Taryn+Manning
newextra .com/in.cgi?19&group=allextra
drivemedirect .com/soft.php?aid=0358&d=3&product=XPA securityscannersite .com/2008/3/freescan.php?aid=880358

Sampe detection rate for the casino adware, a reminder on why you shouldn't play poker on an infected table :

Scanners result : 7/33 (21.22%)
Trojan.Casino.466752; W32/Casino.A.gen!Eldorado; Adware.Casino-18
File size: 466752 bytes
MD5...: b0f70441dde5c2b82ba5388f3d566576
SHA1..: 5603b1b972e2cff99d6339fbd8970278f5ff371d


To sum up - with the overall availability of templates for phishing sites, fake video sites, fake security software, as well as the ongoing traffic management tool's convergence with web malware exploitation kits, the opportunity for a malicious party to participate in different affiliate based scams on revenue sharing basis, increases. Therefore, what looked like an isolated attack, is slowly becoming an "attack in between" the rest of the malicious activities lunched by the same party.