SWITCH Security-Blog

SWITCH-CERT IT-Security Blog


Attack of the killer Ads

By Daniel Stirnimann and Serge Droz

Recently I was quoted saying “… .ch and .li are the most secure (top-level) domains!”. In the same meeting, Security Rock Star Mikko Hyppönen claimed, “Surfing the Web with your laptop is the most dangerous thing you can do on the Internet.” So what is true, what is false? Rather than speculate about obscure statistics, I’d like to illustrate one of the big problems we face in .ch today, namely the use of ads as a back door to reach victims through reputable sites.

Ads: enter through the hallway

Malware distributors have one goal: spreading their stuff as widely as possible. This is achieved through different means. Malware was traditionally distributed, and still is, through e-mail attachments. This was the case, for example, with the Retefe malware. Alternatively, web pages can be hacked and used to spread malware by exploiting browser bugs. SWITCH has been very active, through its Safer Internet initiative, in working to reduce this infection vector. In fact, we’ve been so successful that drive-by is very scarce in Switzerland, hence the statement that “… .ch is one of the most secure ccTLDs”. Drive-by websites are always hacked websites, but in most cases they are not very popular ones, since popular websites are typically well protected. Many of the latter offer a back door, though: ads! News sites in particular make most of their revenue by selling online ads, which explains the “ad war” arms race between ad blockers and news agencies (see our Security Report on anti-anti-ad features). A very common way in is malvertising, a term coined by William Salusky, who found ads that were in fact carrying malicious payloads. Let’s look at a slightly different scenario, namely a legitimate but compromised ad server. While technically a different scenario, it has the same effect on the end user.

Most people would think that visiting a website just serves you content from that site, but this is not true for most large sites, in particular news sites. They import content such as videos, trackers, counters, scripts and especially ads from third-party sites. These are not controlled by the original site and often import content themselves from yet another site. Thus, a well maintained site with high security standards will often import material from sites with lower security. Think of it as sitting in a highly rated restaurant that has one bad food supplier.

The image below shows all the external sites involved whenever you visit three popular news sites.


Without add-on

The above example shows what happens when you visit three popular Swiss newspapers. Triangles denote third-party sites from which content is imported when you visit the respective news site. The visualisation was done using the Mozilla add-on Lightbeam.
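To make the import chain concrete, here is an added example (it is neither SWITCH’s tooling nor the Lightbeam add-on) that does statically what Lightbeam records at runtime: it parses a page for sub-resources, follows any HTML it fetches (iframes such as ad slots) and separates the hosts the news site embeds itself from the ones its third parties drag in. The hosts under .example and the page contents are constructed; `fetch` stands in for an HTTP client, and treating every subdomain of the first-party host as first party is a simplification.

```python
"""Enumerate the third-party sites a page pulls content from, transitively.

Added example for this post, not SWITCH's tooling: it does statically what
Lightbeam records at runtime. CONSTRUCTED_WEB is a made-up miniature web
(hosts under .example are reserved names, not real sites).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> attribute whose URL the browser fetches automatically
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                 "embed": "src", "source": "src", "link": "href"}
# <link> only fetches for these rel values; canonical/alternate/etc. do not
LOADING_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}


class SubresourceParser(HTMLParser):
    """Collect absolute URLs of every sub-resource a document loads."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = LOADING_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if tag == "link":
            rels = set((a.get("rel") or "").lower().split())
            if not rels & LOADING_RELS:
                return
        if a.get(attr):
            self.urls.append(urljoin(self.base_url, a[attr]))


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def same_site(host, first_party):
    # Simplification: every subdomain of the first-party host counts as the
    # same site. A real tool would compare registrable domains (eTLD+1).
    return host == first_party or host.endswith("." + first_party)


def import_graph(start_url, fetch, max_depth=3):
    """Return {loading_host: {loaded_host, ...}} reachable from start_url.

    `fetch(url)` returns HTML text, or None for non-HTML or unreachable
    resources. Scripts are opaque here; in a browser they load even more."""
    graph, seen, queue = {}, set(), [(start_url, 0)]
    while queue:
        url, depth = queue.pop(0)
        if url in seen or depth > max_depth:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        parser = SubresourceParser(url)
        parser.feed(body)
        src = host_of(url)
        for sub in parser.urls:
            graph.setdefault(src, set()).add(host_of(sub))
            queue.append((sub, depth + 1))
    return graph


def third_parties(start_url, fetch):
    """Split third-party hosts into those the page embeds directly and those
    that arrive only because a third party imported them."""
    first = host_of(start_url)
    graph = import_graph(start_url, fetch)
    direct = {h for h in graph.get(first, set()) if not same_site(h, first)}
    nested = set()
    for src, dsts in graph.items():
        if same_site(src, first):
            continue
        nested |= {h for h in dsts if not same_site(h, first) and h != src}
    return direct, nested - direct


# Constructed sample: a news page, its own CDN, a tracker and an ad slot
# whose iframe document in turn pulls from an ad-network CDN and a pixel.
CONSTRUCTED_WEB = {
    "https://news.example/": (
        '<html><head><link rel="stylesheet" href="/style.css">'
        '<script src="https://tracker.example/t.js"></script></head>'
        '<body><img src="https://cdn.news.example/logo.png">'
        '<iframe src="https://ads.example/slot?id=1"></iframe></body></html>'),
    "https://ads.example/slot?id=1": (
        '<html><body><script src="https://cdn.adnet.example/a.js"></script>'
        '<img src="https://pixel.example/p.gif"></body></html>'),
}

if __name__ == "__main__":
    direct, nested = third_parties("https://news.example/", CONSTRUCTED_WEB.get)
    print("embedded by the news site:", sorted(direct))
    print("pulled in by those third parties:", sorted(nested))
```

Running it against the constructed web reports the tracker and the ad server as direct imports, and the ad network’s CDN and the tracking pixel as hosts the news site never referenced itself: exactly the “supplier of the supplier” the restaurant analogy describes.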


Fixing hundreds of websites in one day

Remedying Angler infections in Switzerland

In recent weeks the Angler exploit kit has become the dominant tool for drive-by attacks. Cleaning Angler-compromised web servers is a challenge which has been well mastered in Switzerland, thanks to the close collaboration of Swiss hosters and SWITCH.

The culprit

On Sunday, July 5, the Italian ‘offensive security’ firm HACKING TEAM got hacked and all its files were made public. This included a couple of zero-day exploits. Only two days later one of these was already being used in the wild by the notorious Angler exploit kit. This is not surprising: Angler today is the most sophisticated exploit kit. Since its inception in 2013 it has introduced several innovations which are now used by others. According to a Sophos blog, Angler’s “market share” rose from about 22% last fall to more than 80% this spring.

The payload

Angler used to distribute a variety of different malware, from ransomware to banking trojans. However, it seems that with the rapid growth of the kit it has focused on distributing mostly Cryptowall 3.0. This malware encrypts the files on an infected system, including those on attached drives, and demands a hefty ransom of several hundred Euros to unlock them. Many people claim not to have “anything important” on their PCs, only to discover that all their family pictures of the past ten years are gone. And it’s not looking any better for businesses that lose all their data, including their backups on USB disks.

Cleaning Infections in Switzerland

SWITCH has been cleaning up misused domains for several years now through its Safer Internet campaign. We have processed thousands of domains and thus protected visitors of Swiss websites from the evil of exploit kits such as Angler. Infection rates of Swiss websites had indeed gone down over the past month, or so we believed. On 22 July 2015, however, the good folks from the National Cyber Security Centre Finland (NCSC-FI) and abuse.ch managed to make a small dent in Angler’s infrastructure. A total of over 200’000 compromised URLs worldwide were reported that are misused by Angler.

Angler Distribution

Distribution of web servers, which are misused by the Angler exploit-kit.

Of these, 166 were in the .ch and .li top-level domains and thus could be entered into our programme. We reported these URLs to the respective domain owners as well as to the hosters we have contacts with. Checking on 23 July, over 90% of these domains had been cleaned up and a handful had been added. As of 24 July 2015 only a few sites remain infected.

This means that Swiss hosters are doing an excellent job. Cleaning a web page is not simple. It’s not enough to just remove the offending code from the page itself. It’s known that the Angler crew installs several back doors, all of which have to be found and removed. These back doors often are webshells, which give full control over the entire web space of the server. The respective PHP files are obfuscated and not easily recognizable.

The Webshell used by the Angler crew. The white box shows the obfuscated PHP code. The shell gives full access to all resources the webserver has access to.
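As an added example (not SWITCH’s or a hoster’s tooling), a small triage scanner for the kind of obfuscated PHP described above. It flags the classic decoder chains (`eval(gzinflate(base64_decode(...)))`), `preg_replace` with the `/e` modifier, superglobals passed straight to a command executor, long encoded literals, `chr()`-assembled strings and function calls through variables. The sample files are constructed, not real Angler webshell code, and the indicator names are this example’s own.

```python
"""Heuristic triage of PHP files for obfuscated webshells.

Added example for this post, not SWITCH's or any hoster's tooling. The
indicators are the classic eval/decoder chains; a real sweep would add
file-timestamp anomalies, .htaccess rewrites and files outside the CMS
layout. SAMPLE_* strings are constructed, not real Angler webshell code.
"""
import base64
import os
import re
import tempfile

DECODERS = (r"(?:base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13|"
            r"strrev|hex2bin|urldecode|convert_uudecode)")
EXECUTORS = (r"\b(?:eval|assert|create_function|system|passthru|shell_exec|"
             r"exec|popen|proc_open)")

# (indicator name, regex). Results are reported in this order.
CHECKS = [
    ("executor fed by decoder",
     re.compile(EXECUTORS + r"\s*\(\s*@?" + DECODERS + r"\s*\(", re.I)),
    ("preg_replace with /e modifier",
     re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    ("superglobal passed to executor",
     re.compile(EXECUTORS + r"\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)", re.I)),
    ("long encoded literal",
     re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")),
    ("string assembled from chr()",
     re.compile(r"(?:chr\s*\(\s*\d+\s*\)\s*\.\s*){4,}", re.I)),
    ("dynamic function call via variable",
     re.compile(r"\$[A-Za-z_]\w*\s*\(")),
]
PHP_EXTS = (".php", ".phtml", ".php5", ".php7", ".inc")


def score_php(source):
    """Return the names of all indicators that fire on one PHP source."""
    return [name for name, rx in CHECKS if rx.search(source)]


def scan_tree(root):
    """Walk a web root and map each suspicious PHP path to its indicators."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = score_php(fh.read())
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings


# Constructed samples. The blob is just base64 of a repeated command string,
# standing in for the compressed payload a real shell would carry.
ENCODED_BLOB = base64.b64encode(b"system($_GET['cmd']);" * 12).decode()
SAMPLE_SHELL = "<?php @eval(gzinflate(base64_decode('" + ENCODED_BLOB + "')));"
SAMPLE_CLEAN = ("<?php\nfunction greet($n) { return 'Hello ' . htmlspecialchars($n); }\n"
                "echo greet($_GET['name'] ?? 'world');\n")


def demo():
    """Write both samples into a temporary web root and scan it; returns
    {basename: indicators} so the result does not depend on the temp path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(SAMPLE_CLEAN)
    with open(os.path.join(root, "wp-content", "uploads", "x.php"), "w") as fh:
        fh.write(SAMPLE_SHELL)
    return {os.path.basename(p): hits for p, hits in scan_tree(root).items()}


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, "->", ", ".join(hits))
```

Expect false positives on minified libraries and legitimate encoders, and remember that a webshell does not have to end in .php: check .htaccess for AddType/AddHandler lines and look for recently modified files outside the CMS’s own layout before declaring a site clean.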

Some of the hosters report information back to us, for which we are very grateful. This information can then be used to improve the analysis and discover new attack patterns quickly.


The close collaboration and exchange of information between all the stakeholders allows for a very rapid reaction to threats. Cleaning these web pages requires substantial resources from the hosters and also from SWITCH. But it’s well invested: taking down these pages quickly protects visitors from being infected by Cryptowall and saves their valuable data, be this treasured personal files or critical business information.

Sir Tim Berners-Lee receives the “Dutti-Prize” for a non-innovative idea

Yesterday I attended the award ceremony at which Sir Tim Berners-Lee received the “Duttweiler-Preis”. For our non-Swiss readers: Gottlieb Duttweiler founded Migros, today the largest food retailer in Switzerland, to put people and not money in focus. At the time, “Dutti” was loathed and boycotted by the establishment. The Dutti Prize goes to persons for “outstanding contributions to the well-being of the wider community and to a cultural, social or economic environment in which everyone can realize their potential and play an independent part in its development”.

The prize, which was previously awarded to people such as Jimmy Wales and Kofi Annan, was given to Berners-Lee for his invention of the WWW at CERN. Incidentally, the paper “Information Management: A Proposal” was positively received by his boss Mike Sendall but rejected as “not innovative” by the Programme Committee of the Hypertext Conference. But Tim Berners-Lee not only invented the Web, he made sure it stayed open and accessible, and I think this is in the spirit of Gottlieb Duttweiler. Had the web been “protected” by patents, we’d probably still be crawling around on our digital knees on the Internet.

The ceremony was a blast. Entering the large (and, by the way, publicly accessible) Park im Grüene, you were received and guided to the red carpet. The event assembled about 200 people in an atmosphere that invited informal exchange, I guess really in the spirit of Sir Tim.

The ceremony was opened by John Cale, co-founder of the Velvet Underground. Before the actual laudation, video sequences of interviews with people about the WWW were shown. In summary: most people think the WWW was invented sometime in the fifties in the USA, and most cannot imagine life without it. Yet only about one third of the global population has access to the net.

The laudation, presented by Harvard Prof. Urs Gasser, stressed the social impact of Sir Tim’s invention on society.


There is no such thing as a free domain

For quite a long time now SWITCH has actively cleaned up drive-by sites. Since attackers keep using the same tricks, analysing them has become quite routine, if not to say a bore. Recently, however, we stumbled over a new pattern. Many of the reported domains looked like


where XXX are three random letters. Most of the domain names didn’t return anything when we queried them. And they all had their name servers with afraid.org, a free DNS hoster, which indeed provides quite a comprehensive service.

All these domains are used by malware, mostly ransomware. A lot has been written about this topic, so I won’t add another blog post about this.

What is the issue with afraid.org? In a nutshell: their business model. The default, free setting when you register a domain is “public”. You forked out some money to get a domain name, so obviously it should be public, or no one can see it. However, public in afraid.org’s terminology means:

Public – If you add your domain as public, […] , others will be permitted to create sub domains off your domain without involving you.

Indeed, creating a subdomain pointing to something totally unrelated is easy. Only premium members ($5/month) have full control over their domain.
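As an added example (not SWITCH’s registry tooling), a triage script for the situation described above: given DNS records from a zone export or passive DNS, it reports which domains are delegated to afraid.org and which of their subdomains resolve to addresses unrelated to the domain’s own hosts, which is what a subdomain planted by a stranger looks like. The afraid.org name-server names are an assumption to verify against the live delegation; the records, domain names and addresses (RFC 5737 documentation ranges) are constructed.

```python
"""Triage DNS records for domains delegated to a shared free DNS host.

Added example for this post, not SWITCH's registry tooling. It answers the
two questions the post raises: which domains keep their name servers at
afraid.org, and which of their subdomains point somewhere the apex does not.
AFRAID_NS is an assumption; RECORDS is constructed data.
"""
import ipaddress
from collections import defaultdict

# Assumed afraid.org name-server names; verify against the live NS set.
AFRAID_NS = {"ns1.afraid.org", "ns2.afraid.org", "ns3.afraid.org", "ns4.afraid.org"}


def apex(name):
    """Registrable domain. Correct for .ch/.li, which have no second-level
    public suffixes; other TLDs need a public-suffix list."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def triage(records):
    """records: iterable of (owner, rrtype, rdata) strings, e.g. from a zone
    export or passive DNS. Returns {apex: {"name_servers": [...],
    "stray_subdomains": {host: [ip, ...]}}} for shared-DNS domains only."""
    ns = defaultdict(set)
    addrs = defaultdict(lambda: defaultdict(set))
    for owner, rrtype, rdata in records:
        owner, rdata = owner.rstrip(".").lower(), rdata.rstrip(".").lower()
        zone = apex(owner)
        if rrtype == "NS" and owner == zone:
            ns[zone].add(rdata)
        elif rrtype in ("A", "AAAA"):
            addrs[zone][owner].add(rdata)

    report = {}
    for zone, servers in ns.items():
        if not servers & AFRAID_NS:
            continue
        # Addresses of the owner's own hosts, widened to a /24 (or /48) so a
        # neighbouring address at the same hoster is not flagged.
        own = addrs[zone].get(zone, set()) | addrs[zone].get("www." + zone, set())
        own_nets = {ipaddress.ip_network(f"{a}/{'48' if ':' in a else '24'}", strict=False)
                    for a in own}
        stray = {}
        for host, ips in addrs[zone].items():
            if host in (zone, "www." + zone):
                continue
            foreign = sorted(ip for ip in ips
                             if not any(ipaddress.ip_address(ip) in n for n in own_nets))
            if foreign:
                stray[host] = foreign
        report[zone] = {"name_servers": sorted(servers), "stray_subdomains": stray}
    return report


# Constructed records: one domain on afraid.org with a subdomain someone else
# parked on a foreign address, and one domain at an ordinary hoster.
RECORDS = [
    ("example.ch.", "NS", "ns1.afraid.org."),
    ("example.ch.", "NS", "ns2.afraid.org."),
    ("example.ch.", "A", "192.0.2.10"),
    ("www.example.ch.", "A", "192.0.2.10"),
    ("mail.example.ch.", "A", "192.0.2.25"),
    ("qrs.example.ch.", "A", "198.51.100.77"),
    ("other.ch.", "NS", "ns1.hoster.example."),
    ("other.ch.", "A", "203.0.113.5"),
    ("abc.other.ch.", "A", "198.51.100.77"),
]

if __name__ == "__main__":
    for zone, info in triage(RECORDS).items():
        print(zone, info)
```

A domain whose apex has no address records at all gets every subdomain flagged, since there is nothing to vouch for them; that is the right default for a registry notification, but an owner running this over their own zone should whitelist the hosts they recognise.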

Obviously miscreants will be busy finding new, creative ways of using this service. And we are not the only ones concerned about this; so are our colleagues at Check and Secure. But just blaming afraid.org would be too easy. Running a quality DNS service is not a simple task. It needs resources, time, know-how and, last but not least, money to buy hardware, pay power bills etc. The folks at afraid.org are very helpful and quick in fighting misuse.

So maybe it’s us (the Internet community) who all too often confuse free with free beer: we are happy to use free services and free software and don’t care about the implications of a low price. Not convinced yet? Let’s rephrase this: would you run your important e-business on infrastructure developed by a couple of aficionados in their spare time? No? Yes, you probably do. Only after a major disaster like Heartbleed do people realize that there is no such thing as “free as in free beer” software. The same is true for free DNS.

So zooming back out: how bad was this really? According to afraid.org there were about 100 ransomware subdomains with the “law-enforcement” pattern. Looking at Dynamoo’s Blog, there were many more domains and patterns. They are, thanks to the afraid.org folks, gone. As we have seen many other .ch/.li domains hosted at afraid.org abused, we informed about 700 owners of afraid.org-hosted .ch/.li domains with the default public shared state. Our recommendation: pay $5/month!




Breaking News: New OpenSSL Vulnerabilities

Today the OpenSSL team announced new versions of the popular OpenSSL libraries, which fix several critical vulnerabilities. At the time of writing no exploits have been seen in the wild. Nevertheless, we suggest patching in a timely manner.

The following versions are affected:

  • OpenSSL 0.9.8
  • OpenSSL 1.0.0
  • OpenSSL 1.0.1

Most of the popular OS vendors should have patches out by now or shortly.

Summer reading: Blackout

At last the temperatures have risen, the endless January is over and the planned summer holidays are within reach. Anyone who would like to enjoy the warm weather with a gripping book is recommended Marc Elsberg’s thriller Blackout.

The story begins on a gloomy winter’s day in Milan with a traffic accident. A power failure brings all the city’s traffic lights to a standstill, and Italian traffic does the rest. Power failures are nothing entirely unusual, but this one will not stop. The protagonist of the story, the ageing hacker Piero Manzano, finds signs of a targeted attack.



New wave of attack on Swiss Webservers

For a few weeks SWITCH-CERT has observed a dramatic increase in sophisticated attacks on Swiss web servers. The compromised servers are then used to distribute malware through drive-by attacks. We currently observe two different, although related, Linux-based attacks. Both deploy the Blackhole exploit kit as the actual drive-by infrastructure.

Both attacks are extremely difficult to detect for website owners, because:

  • The attacker code lives in the server configuration, loaded as a module, not in the content that is served
  • The Blackhole exploit kit returns malicious content only once per day and per IP address

The two attack waves have been dubbed Darkleech and Cdorked respectively. Most attacks go after cPanel-managed systems and target Apache, but this is not always the case: there are reports that versions exist which target lighttpd and nginx. Many of the compromised systems also seem to have a modified sshd containing a backdoor, so if a compromise is detected, sshd must be cleaned too. Sometimes it is possible to spot tampered binaries through the integrity check that various package managers offer. This obviously only works if a package has been installed through the package manager. On cPanel-based systems the web server is not installed by this mechanism.
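As an added example (not SWITCH-CERT’s own checklist), the integrity check referred to above in scriptable form: parsers for `rpm -Va` and `debsums` output that pull out files whose digest no longer matches, a filter for the daemons and modules these attacks replace (sshd, httpd, mod_*.so), and a check that every module Apache loads is owned by a package. The sample outputs, module and package names are constructed; `mod_extra_cache.so` is a made-up name, not a known Darkleech or Cdorked indicator.

```python
"""Find tampered server binaries and unowned Apache modules from package
manager integrity output.

Added example for this post, not SWITCH-CERT's own checklist. The parsers
read the real output formats of `rpm -Va` and `debsums`; the SAMPLE_* text
is constructed to resemble them, and mod_extra_cache.so is a made-up module
name, not a known Darkleech/Cdorked indicator.
"""
import os
import re
import subprocess

# rpm -V line: 9 attribute flags (or "missing"), optional file type, path.
RPM_LINE = re.compile(r"^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([a-z])\s+)?(\S+)$")
# debsums prints "<path>  OK|FAILED", or with -s "debsums: changed file <path> (...)"
DEBSUMS_FAILED = re.compile(r"^(\S+)\s+FAILED$")
DEBSUMS_CHANGED = re.compile(r"^debsums: changed file (\S+)")
LOADMODULE = re.compile(r"^\s*LoadModule\s+\S+\s+(\S+)", re.M)
# Binaries and modules a Darkleech/Cdorked-style compromise replaces.
WATCH = re.compile(r"(?:^|/)(?:sshd|httpd|apache2|nginx|lighttpd)$|/mod_[\w-]+\.so$")


def changed_files_rpm(verify_output):
    """Paths whose digest differs ('5' in column 3) or that are missing.
    Config files (type 'c') are skipped: local edits are expected there."""
    changed = []
    for line in verify_output.splitlines():
        m = RPM_LINE.match(line)
        if not m:
            continue
        flags, ftype, path = m.groups()
        if ftype == "c":
            continue
        if flags == "missing" or "5" in flags:
            changed.append(path)
    return changed


def changed_files_dpkg(debsums_output):
    """Paths debsums reports as FAILED / changed."""
    changed = []
    for line in debsums_output.splitlines():
        m = DEBSUMS_FAILED.match(line) or DEBSUMS_CHANGED.match(line)
        if m:
            changed.append(m.group(1))
    return changed


def critical(changed_paths):
    """Narrow a change list to the daemons and modules that matter here."""
    return [p for p in changed_paths if WATCH.search(p)]


def loaded_modules(httpd_conf, server_root):
    """Absolute paths of every module the Apache config loads."""
    return [p if p.startswith("/") else os.path.join(server_root, p)
            for p in LOADMODULE.findall(httpd_conf)]


def unowned_modules(module_paths, owned_paths):
    """Modules loaded by Apache that no package claims. owned_paths would come
    from `rpm -ql` / `dpkg -L` over the installed web-server packages."""
    owned = set(owned_paths)
    return [p for p in module_paths if p not in owned]


def live_rpm_verify():
    """Run the real check on an RPM-based host (not used by the demo)."""
    return subprocess.run(["rpm", "-Va"], capture_output=True, text=True).stdout


# Constructed samples in the formats the tools print.
SAMPLE_RPM = """\
S.5....T.    /usr/sbin/sshd
.......T.    /usr/lib64/httpd/modules/mod_ssl.so
S.5....T.  c /etc/ssh/sshd_config
missing      /usr/share/doc/openssh/README
.M.......    /usr/bin/foo
"""
SAMPLE_DEBSUMS = """\
/usr/sbin/sshd                                   FAILED
/usr/lib/apache2/modules/mod_ssl.so              OK
debsums: changed file /usr/lib/apache2/modules/mod_rewrite.so (from apache2-bin package)
"""
SAMPLE_CONF = """\
LoadModule ssl_module modules/mod_ssl.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule extra_cache_module modules/mod_extra_cache.so
"""
SAMPLE_OWNED = ["/etc/httpd/modules/mod_ssl.so", "/etc/httpd/modules/mod_rewrite.so"]

if __name__ == "__main__":
    print("rpm:", critical(changed_files_rpm(SAMPLE_RPM)))
    print("dpkg:", critical(changed_files_dpkg(SAMPLE_DEBSUMS)))
    print("unowned:", unowned_modules(loaded_modules(SAMPLE_CONF, "/etc/httpd"), SAMPLE_OWNED))
```

On cPanel systems the `unowned_modules` step has nothing to compare against, since cPanel builds Apache outside the package manager; there, compare module paths and hashes against a freshly built reference instead. A digest mismatch on sshd or a module is a finding, not proof of a clean bill of health the other way round: a rootkit that hooks file reads can feed the verifier the original bytes, so verify from a rescue boot when the stakes are high.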
