Internet Systems Consortium Site Redirects to Angler Exploit

UPDATE: The website of the Internet Systems Consortium, the developers of the BIND DNS software deployed all over the Web, was reportedly infected with malware last week.

UPDATE: This story has been updated with comments from the Internet Systems Consortium.

The Internet Systems Consortium website is offline today after the non-profit domain name service maintainer announced its website had possibly become infected with malware.

The ISC, as it is commonly known, is perhaps best known as the developers of BIND, the most widely used DNS software on the Internet. However, the group also maintains the F-root server, one of the Internet’s 13 root name servers.

The security firm Cyphort says it notified ISC.org of the infection on December 22. Sometime thereafter, the ICS replaced it’s homepage with a static notice informing users of the infection.

“We believe the web site may have become infected with malware,” the ISC announced. “Please scan any machine that has accessed this site recently for malware. This is a WordPress issue, ftp.isc.org, kb.isc.org and our other network resources are unaffected.”

The consortium goes on to note that it has not received any complaints of visitors having been infected with malware, but is urging that any potential victims contact ISC’s security officer via email.

This is a WordPress issue, ftp.isc.org, kb.isc.org and our other network resources are unaffected.

Cyphort explained last week that attackers managed to compromise  ISC.org through a WordPress bug that allowed them to modify the ISC homepage with code that redirected visitors to a landing page hosting the Angler exploit kit. The kit, they say, is known to deploy a variety of exploits. In this case, Cyphort says the kit relied on Internet Explorer, Flash and Silverlight exploits.

In order to evade detection, the attackers have been cycling through the redirect domains hosting Angler.

The initial IE exploit is obfuscated. Upon deobfuscation, Cyphort determined that the kit attempts to detect the presence security products and virtual machine use. After that, it starts to enumerates plugins present and attempts to find a vulnerable version of IE. If there is a vulnerable version of Microsoft’s browser, Angler exploits it.

The kit then deobfuscates shellcode that finds windows APIs using an API hash technique and downloads the binary from the server. After decoding that binary, Cyphort explained that the shellcode downloads another pair of binaries (one for 32-bit and another for 64-bit systems).

Cyphort researcher McEnroe Navaraj says the shellcode is particularly clever because even if the user dumps the file from the memory, the hash of the loaded binary will be different each time the exploit loads.

“The reason behind this file hash difference is a few modified fields in the PE Optional Header,” Navaraj wrote. “It stores the dynamically allocated buffer address as part of PE Optional Header. This trick modifies the file hash each time you load the exploit.”

Each of the binaries are DLL files. the 32-bit MD5 hash is “38f583da8bc6e3d09799c88213206f14” while the 64-bit variety is “deacb2e37746ec97ac199e28e445c123”

The 64-bit DLL has the following exports: AtTwo, BothCase, IsAroundMustSyntax, LineNames, ThereForAboveColumnLearn, TruthFileIs and WithinFor. The 32-bit DLL has the following exports: StartMustValueTrailing, ThatRecognisedOptionHeaderm WithinShareMustTheFile and YouLeastBrokenIntoDefining.

ISC spokesperson Vicky Risk told Threatpost via email that they have zero indication that this attack was specifically targeted toward the ISC. In fact, she explained, the injected code contained an explicit statement regarding how the exploit should proceed for both WordPress and Drupal sites. ISC, of course, does not use Drupal, so if the attack had been targeting them exclusively, there would be no need for a Drupal module.

“We think the web site vulnerability was first discovered by Sucuri.net, a company that offers a web site virus scanning and remediation service for WordPress and Drupal (and some other CMSes),” Risk said. “We remediated ourselves after they reported we had some spam redirect links, removed the hidden spam, added a more complex captcha, updated our php and made a few other security improvements. This remediation was presumably inadequate in hindsight, because later, we were infected with the Angler Exploit.

“We are reconsidering our use of WordPress,” Risk continued. “We have fairly simple needs and we could go to a more static site. However, in the meantime, we have protected our site with the Sucuri web site scanning service.   We should probably have had a web site virus protection plan in place, just as nobody would use a pc these days without virus protection.”

While it appears that this attack only would have affected visitors to the ISC site and not the organization’s BIND software or other work, it is troubling nonetheless, considering the ISC’s broad role in the architecture of the Internet. The attack also invites comparison to another earlier this month, when unknown hackers were able to compromise vital systems belonging to ICANN, the organization that manages the global top-level domain system, and had access to the system that manages the files with data on resolving specific domain names.

Suggested articles