Money for Nothing and Coins for Free

written by Antoine Neuenschwander

Beginning in mid-September 2017, we started seeing a new abuse scheme on .ch and .li domains. The websites in question were running on outdated software and inevitably, hackers exploited some well-known vulnerability in order to inject malicious code. At this point we would usually expect an exploit kit in the website’s content with the purpose of infecting the victim’s machine with malware. In these cases however, the Javascript inject often looked somewhat like the following:

This code is designed to run in the background of the victim’s browser and immediately starts an endless loop of intensive computations at full pace, effectively turning the browser into a hash-crunching mule for the sake of distributed mining of cryptocoins, with profits going directly to the hacker.

Continue reading “Money for Nothing and Coins for Free”

94 .ch & .li domain names hijacked and used for drive-by

A Swiss domain holder called us today telling us that the .ch zone points to the wrong name servers for his domain.

The NS entries were ns1.dnshost[.]ga and ns2.dnshost[.]ga. We contacted the registrar and soon realized that this is not the only domain that had unauthorized changes. We identified 93 additional .ch and .li domain names that pointed to the two rogue name servers. While domain hijacking by pointing to a rogue NS is a known attack,  94 domains on a single day is very unusual. So we analyzed what the hijacked domains were used for and soon found out that they are used to infect internet users with malware.

Visitors to the hijacked domains were redirected to the Keitaro TDS (traffic distribution system):


A TDS decides where to redirect the visitor to, often depending on its IP address (i.e. country),
user agent and operating system.

A dead end may look like the following:


And the visitor will be redirected to Google.

However, in some cases, the visitor is redirected to the Rig Exploit Kit:


And the visitor gets infected.

The payload is Neutrino Bot:

MD5: a32f3d0a71a16a461ad94c5bee695988
SHA256: 492081097c78d784be3996d3b823a660f52e0632410ffb2a2a225bd1ec60973d).

It gets in touch with its command and control server and grabs additional modules:


A little later, it also gets an update


MD5: 7c2864ce7aa0fff3f53fa191c2e63b59
SHA256: c1d60c9fff65bbd0e3156a249ad91873f1719986945f50759b3479a258969b38)


The rogue NS were inserted in the .ch zone file at around 13:00 today. The registrar discovered soon what happened and rolled back the unauthorized changes. At 16:00 all of the changes in the .ch & .li zone were reverted and the NS records pointed to the legitimate name servers again.

[Update 10.7.17 17:15]

Gandi the registrar of the 94 domain names has written a blog post, as well as SCRT the domain holder that initially informed us about the domain name hijacking of SCRT also showed how Strict Transport Security protected their recurring visitors from being redirected to the bogus website!

Attack of the killer Ads

By Daniel Stirnimann and Serge Droz

Recently I was quoted saying “… .ch and .li are the most secure (top-level) domains!”. In the same meeting, Security Rock Star Mikko Hyppönen claimed, “Surfing the Web with your laptop is the most dangerous thing you can do in the Internet.”  So what is true, what is false? Rather than speculate about obscure statistics I’d like to illustrate one of the big problems we face in .ch today, namely using ads as a back door to reach victims through reputable sites.

Ads: enter through the hallway

Malware distributors have one goal: spreading their stuff as widely as possible. This is achieved through different means. Malware was traditionally distributed – and still is – through e-mail attachments. This was the case, for example, with the Retefe malware. Alternatively, web pages can be hacked and used to spread malware by exploiting browser bugs. SWITCH has been very active, through its Safer Internet initiative, in working to reduce this infection vector. In fact, we’ve been so successful, that drive-by is very scarce in Switzerland, hence the statement that ” … .ch is one of the most secure ccTLDs”. Drive-by websites are always hacked, but in most cases they are not very popular websites, since popular websites are typically well protected. Many of the later ones offer a backdoor tough: ads! News sites in particular make most of their revenue by selling on line ads, which explains the “ad-war” arms race between ad-blockers an news agencies (see our Security Report on anti-anti-ad features). A very common way is malvertising, a term coined by William Salusky. Salusky found ads that were in fact carrying malicious payloads. Let’s look at a slightly different scenario, namely a legitimate but compromised ad server. While technically a different scenario it has the same effect on the end user.

Most people would think that visiting a website just serves you content from that site but this is not true for most of the large sites, in particular news sites. They import contents such as videos, trackers, counters, scripts and especially ads from third-party sites. These are not controlled by the original site, and often import content themselves from yet another site. Thus, a well maintained site with high security standards will often import stuff from sites with lower security. Think of it as sitting in a highly rated restaurant that has one bad food supplier.

The image below shows all the external sites involved whenever you visit three popular news sites.


Ohne Addon
The above example shows what happens when you visit three popular Swiss newspapers. Triangles denote third-party sites from which content is imported when you visit the respective news site. The visualisation was done using the Mozilla addon LightBeam

Continue reading “Attack of the killer Ads”

Fixing hundreds of websites in one day

Remedying Angler infections in Switzerland

Author: Serge Droz

In recent weeks the Angler exploit kit has become the dominating tool for DriveBy attacks. Cleaning Angler compromised web servers is a challenge which has been well mastered in Switzerland, thanks to the close collaboration of Swiss hosters and SWITCH.

The culprit

On Sunday July 5 an the Italian ‘offensive security’ firm HACKING TEAM got hacked and all its files were made public. This included a couple of zero day exploits. Only two days later one of these was already used in the wild by the notorious Angler exploit kit. This is not surprising: Angler today is the most sophisticated exploit kit. Since its inception in 2013 it sported several new innovations which are today uses by others. According to a Sophos blog Angler’s “market share” rose from about 22% last fall to more than 80% this spring.

The payload

Angler used to distribute a variety of different malwares, from ransom-ware to banking trojans. However it seems with the rapid growth of the kit it also focused on distributing mostly Cryptowall 3.0. This malware encrypts all the files on an infected system and demands a hefty ransom of several hundreds of Euros to unlock them. Many people claim to not have “anything important” on their PCs to then discover that all their family pictures of the past ten years are gone. An it’s not looking better for businesses that lose all their data, including their backups on USB disks.

Cleaning Infections in Switzerland

SWITCH has been cleaning up misused domains since several years now through its Safer Internet campaign. We have processed thousands of domains and thus protected visitors of Swiss websites from the evil of exploit kits, such as Angler. Infection rates of Swiss websites have indeed gone down over the past month, or so we believed. On the 22. July 2015 however,  the good folks from the National Cyber Security Centre Finland (NCSC-FI) and have managed to make a small dent into Angles infrastructure. A total of over 200’000 compromised URLs worldwide were reported that are misused by Angular.

Angler Distribution
Distribution of web servers, which are misused by the Angler exploit-kit.

Of these 166 where in the .ch and .li top level domain and thus could be entered into our program. We reported these URLs to the respective domain owners as well as the hoster we have contacts to. Checking on the 23. July over 90% of these domains have been cleaned up and a handful have been added. As of the 24. July 2015 only a few sites remain infected.

This means that Swiss hosters are doing an excellent job. Cleaning a web page is not simple. It’s not enough to just remove the the offending code from that page itself. It’s known that the Angler crew installs several back doors, all of which have to be found and removed. These back doors often are webshells, which give full control over the entire web space of the server. The respective php files are obfuscated and not easily recognizable.

The Webshell used by the Angler crew. The white box shows the obfuscated php code. The shell gives full access to all resources the webserver has access to.
The Webshell used by the Angler crew. The white box shows the obfuscated php code. The shell gives full access to all resources the webserver has access to.

Some of the hoster report information back to us for which we are very grateful. This information can then be used to make the analysis better and discover new attack patterns quickly.


The close collaboration and exchange of information between all the stakeholders allows for a very rapid reaction to threats. Cleaning these web pages needs substantial resources by the hosters and also SWITCH. But it’s well invested: Taking down these pages quickly protects visitors from being infected by Cryptowall and saves their valuable data, be this treasured personal files or critical business information.

Safer Internet

Anna is the director of a small kindergarten in Zurich. To give the kindergarten a home on the Internet, she registered a domain name and put up a website where parents can get up-to-date information about the kindergarten. A friend helped her to install a popular open-source content management system (CMS) for the website, so that she can change the menu every week and perform other updates herself. The parents of the kids were delighted to have access to this information online.

Three months after the website went online, one of the parents called her, telling her that the website was no longer available, and a warning was displayed instead. He also told her that he had a virus on his home PC and had to reinstall his operating system and change all his Internet passwords. When she talked to other parents that day, they told her the same.

What happened? Continue reading “Safer Internet”

Drive-by code and Phishing on Swiss websites in 2014

In 2014, about 1,800 Swiss websites were cleaned from drive-by code, compared with 2,700 in 2013, a decline of 33%. At the same time, the number of phishing cases affecting .ch and .li top-level domains rose from only a handful in 2013 to more than 300.

Drive-by code on Swiss websites in 2014

Last year, 35,796 suspicious drive-by URLs in the .ch and .li top-level domains were reported to SWITCH. Security experts from SWITCH-CERT automatically sent requests to these servers and analysed the responses, looking for malicious code injected into the HTML source code. When an expert identified malicious code, the registrar or domain name holder and the web hoster were notified and asked to remove it within one working day. This was done for 1,839 domain names in 2014. In 1,493 (81%) cases, the code was removed by the web hoster or domain holder within one day. For the other 346 domains, the deadline was not met, and the domain name was temporarily suspended to prevent further damage to website visitors. Some 264 (14%) of the infected websites were cleaned of malicious code, with the remaining 82 domain names having to be reactivated after five days, the maximum suspension time by law. A request for identification was sent to the holders of all 82 domains, resulting in an additional 59 (3.2%) of websites being cleaned. A total of 23 (1.3% of all notified) domain names were deleted after 30 days because the domain holder failed to respond to the identification request.

Compromised .ch and .li websites used for drive-by infections by quarter

Continue reading “Drive-by code and Phishing on Swiss websites in 2014”

Swiss economy makes online security its priority

Switzerland is one of the safest countries in the world. To make also the Internet a secure place in Switzerland, the Swiss online economy has started the Swiss Internet Security Alliance (SISA). The goal of the alliance is to make Switzerland the “cleanest” Internet country in the world! The organization launched an online security check today which allows internet users to clean and protect their systems.

Offering more security
The founding of the Swiss Internet Security Alliance is a sign of its members’ commitment to making the Internet a secure place in Switzerland. The association brings together expert knowledge from representatives of various sectors and promotes information-sharing amongst competitors.

Overcoming challenges together
The Swiss Internet Security Alliance focuses on its main assets – the knowledge, experience and technical expertise of its members. Its members asut, Centralway, credit suisse, cyscon Schweiz, Lucerne University of Applied Sciences and Arts, Hostpoint, Migros Bank, PostFinance, Raiffeisen, Sunrise, Swisscard, Swisscom, SWITCH, UBS, upc cablecom and Viseca have longstanding experience in dealing with online security.  The association is open to other interested parties. More information can be found in the press release:

Comprehensive security check
Upon founding the association, the Swiss Internet Security Alliance is launching a security check. The Swiss Security Check provides protection on three levels.

  1. Users with outdated or incorrectly configured software who are therefore subject to a security risk, will find this out within seconds.
  2. If there is suspicion of malware, the malware cleaner helps with the diagnosis and resolution of the problems.
  3. A cyber vaccine completes the protection and keeps electronic pests at bay.


The Swiss Security Check is free and can be accessed here:


Please follow @swiss_isa on Twitter!

New wave of attack on Swiss Webservers

Author: Serge Droz

Since a few weeks SWITCH-CERT has observed a dramatic increase in sophisticated attacks on Swiss web servers. The compromised servers will then be used to distribute malware through drive-by attacks. We currently observe two different, although related, linux based attacks. Both deploy the black hole exploit kit as the actual drive-by infrastructure.

Both attacks are extremely difficult to detect for website owners, because:

  • The attacker code is in the server config, through modules, not in the content part
  • The black hole exploit kit returns malicious content only once per day and IP

The two attack waves have been dubbed darkleech and Cdorked respectively. Most attacks go after cPanel managed systems and target Apache. But this is not always the case: There are reports, that versions exist that target Lighttpd and nginx. Many of the compromised systems seem to also have a modified sshd, containing a backdoor installed. So if a compromise is detected, sshd must be cleaned, too. Sometimes it’s possible to spot tampered binaries through an integrity check, that various package managers offer. This obviously only works if a packet has been installed through a package manager. On cPanel based systems the webserver is not installed by this mechanism.

Continue reading “New wave of attack on Swiss Webservers”

Mehr Drive-By Exploits auf gehackten Schweizer Webseiten

Als Drive-By Exploit oder Drive-By Download bezeichnet man es, wenn auf dem Computer eines Internetnutzers nur durch das Aufrufen einer Webseite im Browser automatisch und unbemerkt schädliche Software installiert wird.

Nach der Infektion mit schädlicher Software haben Kriminelle meist unbegrenzten Zugirff auf den Computer und die darauf gespeicherten Daten und versuchen damit Geld zu verdienen. Trojaner stehlen z.B. Zugangs- und Kreditkarteninformation des Benutzers oder greifen in sein Ebanking ein. Ransomware versucht durch Einschüchterung des Benutzers und durch Blockade des PCs Geld zu erpressen.

Gemäss eines Berichts (PDF) der “European Network and Information Security Agency” ENISA stellen Drive-By Exploits für 2013 die grösste Bedrohung für Internetnutzer dar. Dies bestätigen auch die Zahlen aus der Schweiz. Continue reading “Mehr Drive-By Exploits auf gehackten Schweizer Webseiten”

Schutzmassnahmen gegen Drive-by-Attacken – Teil III

Dieser Artikel wurde von Renato Ettisberger geschrieben.

Fortgeschrittene Drive-by-Angriffe

Im ersten Teil der Serie haben wir uns auf Windows XP und die dort implementierten Gegenmassnahmen konzentriert. Wie von uns aufgezeigt, bieten sie wenig Schutz vor Drive-by-Angriffen. Im zweiten Teil lag der Fokus bei den Plug-Ins, die die Sicherheit bei Windows Vista und Windows 7 negativ beeinflussen können. In beiden Teilen lag der Schwerpunkt auf 08/15-Angriffen die nicht sehr fortgeschritten sind. Dies ändern wir nun in diesem Teil der Serie. Wir zeigen auf, dass sich die Schwachstelle auch auf Windows 7 und zwar ohne Nutzung von irgendwelchen Plug-Ins ausnutzen lässt. Als Gegenmassnahme stellen wir u.a. mit EMET ein frei erhältliches Tool von Microsoft vor. EMET kann sogar diese fortgeschrittenen Angriffe stoppen. Es ist aber kein Allheilmittel, wie die abschliessende Demo aufzeigen wird. Schliesslich geben wir im letzten Abschnitt Tipps, wie man seinen Windows-PC besser vor Angriffen dieser Art schützen kann.

Continue reading “Schutzmassnahmen gegen Drive-by-Attacken – Teil III”

Schutzmassnahmen gegen Drive-by-Attacken – Teil II

Dieser Artikel wurde von Renato Ettisberger geschrieben.

Das Problem der Plug-Ins

Im ersten Teil dieser Serie haben wir aufgezeigt, wie wenig Schutz die implementierten Gegenmassnahmen bei Windows XP in Bezug auf Drive-by-Angriffe bieten. Der Hauptgrund dafür ist, dass die Basis-Adressen von DLLs für ein bestimmtes Windows XP-System (Sprach- und Service Pack-abhängig) vorhersehbar sind. Ein Angreifer nutzt diesen Umstand, um daraus Code-Sequenzen zusammenzuhängen (ROP) und damit die „Schutzfunktion“ DEP zu umgehen.

Microsoft hat bei der Entwicklung von Windows Vista, Windows 7 und Windows 8 darauf reagiert. Zum einen ist bei neueren Windows-Systemen der „Protected Mode“ für den Internet Explorer (ab IE7) vorhanden. Ein Angreifer kann sich damit nicht mehr so einfach auf dem System permanent festsetzen. Zum anderen ist neben DEP mit ASLR eine zweite Gegenmassnahme standardmässig aktiviert. ASLR steht für „Address Space Layout Randomization“ und sorgt dafür, dass die DLLs an zufällige Basis-Adressen geladen werden. Damit kann der Angreifer die notwendigen Code-Sequenzen zur Umgehung von DEP nicht mehr zusammenstellen, weil er deren Basis-Adressen nicht mehr kennt. DEP bleibt dadurch effektiv und erstickt den Angriff im Keim – zumindest in den meisten Fällen.

Continue reading “Schutzmassnahmen gegen Drive-by-Attacken – Teil II”

More Malware distributing Websites in Q3 2012

 In the 3rd quarter 2012, SWITCH-CERT has helped to clean 1260 malware distributing websites under the .ch and .li top level domains. This is more than twice than in the quarters before.

Visiting a hacked website is the most common reason to get infected with malware. Most often these are legitimate websites that are compromised by cyber criminals. The attackers inject invisible elements, such as iframes of javascript into the website. These invisible elements try to exploit vulnerabilities when a visitor opens the website with his browser. When the exploits succeed, the computer of the visitor is most likely infected with a trojan and becomes part of a botnet. The attackers now have complete remote control over the infected system and can use it to steal confidential data, attack e-banking, send SPAM or launch a Distributed Denial of Service (DDOS) attacks from the “bot client”.

The dramatic rise of compromised websites in Q3 2012 is most likely due to a vulnerability in the popular Plesk server admin software, that allowed attackers to access the websites and enabled them to inject their invisible code. Exploit kits were commercially available on the internet.

Continue reading “More Malware distributing Websites in Q3 2012”

Schutzmassnahmen gegen Drive-by-Attacken – Teil I

Dieser Artikel wurde von Renato Ettisberger geschrieben.


Internet-Kriminelle nutzen „Drive-by-Angriffe“ seit längerem um Clients mit Schadcode zu infizieren, d.h. der Besuch einer infizierten Webseite reicht dazu bereits aus. Deshalb informiert SWITCH die Halter und Betreiber von infizierten Webseiten in der Schweiz und Liechtenstein und fordert sie auf, den Schadcode innert 24 Stunden zu entfernen.

Effektiver ist es jedoch, die Client-Systeme von vornherein besser vor Angriffen dieser Art zu schützen. Dies ist mit wenig Aufwand sehr wohl möglich. Anhand eines konkreten Beispiels zeigen wir in dieser Blog-Serie auf, welche Gegenmassnahmen standardmässig auf Windows-Systemen vorhanden sind und wie sie funktionieren. Im zweiten Teil gehen wir auf die Problematik der Plug-Ins ein und demonstrieren welche negativen Auswirkungen diese auf die Sicherheit eines aktuellen Windows-Systems haben können. Im abschliessenden Teil stellen wir schliesslich ein frei erhältliches Tool von Microsoft vor, das einen sehr effizienten Schutz vor Drive-by-Angriffen bieten kann.

Solche Angriffe sind für sämtliche Client-Betriebssysteme relevant: Von Windows über Mac OS X und Linux bis hin zu iOS (iPhone oder iPad) oder Android. Als Fallbeispiel für die Blog-Serie nehmen wir eine Schwachstelle in Internet Explorer 8 auf Windows XP und Windows 7. Der Grossteil des Inhaltes spricht sicherlich die Security-Spezialisten an. Im letzten Teil geben wir jedoch einfache Tipps für jedermann und zeigen, wie man seinen Windows-PC besser vor Angriffen aus dem Internet schützen kann.

Continue reading “Schutzmassnahmen gegen Drive-by-Attacken – Teil I”