Recently, most people who collaborate through GitHub experienced a new kind of Denial of Service attack, widely recognized as a Man-on-the-Side attack. The GitHub DDoS attack was driven by the State of China (New York Times) with the intent to alert the GitHub company about violations of Chinese censorship policies.
“Because GitHub is fully encrypted, China’s domestic web filters cannot distinguish between pages that host code useful to programmers and code that circumvents censorship.” (Source: New York Times)
- An unaware user is browsing from outside China.
- A compromised response is sent out from China instead of the actual Baidu Analytics script.
- The compromised response tells the user's browser to continuously load specific pages on GitHub.com.
Finding the original malicious code in order to analyze it was actually the real challenge (at least for me). I’ve tried to execute tons of GET requests to Baidu URLs, but no malicious payloads were found. Fortunately, Urlquery.net saw the code and stored it (here). The following image shows one of the used payloads (that report proves that multiple payloads were involved).
Image: Script from Baidu during the Chinese GitHub attack
After a couple of deobfuscation “rounds” (JDetox
. Both of the URLs are mirror sites for GreatFire.org and the Chinese New York Times. GreatFire and NYT both use GitHub to circumvent the online censorship performed by the Great Firewall of China (GFW).
The connection path captured by urlquery is shown in the following picture, where the query to CloudFront, issued right after the fake Baidu script has been loaded, is clearly visible.
Getting a little bit deeper — a malicious payload downloaded from —
HTTP/1.0 200 OK
Date: Wed, 18 Mar 2015 09:56:57 GMT
Last-Modified: Wed, 18 Mar 2015 05:43:55 GMT
Expires: Wed, 18 Mar 2015 09:56:57 GMT
forced the user's browser to load content from: d18yee9du95yb4.cloudfront.net
GET /?1425380212 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Accept: text/plain, */*; q=0.01
Currently the host has been blocked as a result of the described attack, as shown below:
Image: Blocked host because of the “Chinese Attack”
I decided to write a little bit about this attack since it is one of the most “dramatic” examples of how “states” might perform wide attacks using unaware services and state infrastructures…