November 27, 2012
UPDATE: Ransomware Found On Sites Hosted By Go Daddy
The following article has been updated with new information from Scott Gerlach, Director of Information Security Operations at Go Daddy.
redOrbit Staff & Wire Reports - Your Universe Online
According to Fraser Howard, a Principal Virus Researcher with SophosLabs, the hackers behind these attacks are "exploiting DNS by hacking the DNS records of sites, adding one or more additional subdomains with corresponding DNS entries (A records) referencing malicious IP addresses. The legitimate hostname resolves to the legitimate IP address, but the added sub-domains resolve to rogue servers."
By doing so, the criminals are able to set up URLs that seem legitimate, potentially sneaking through security filtering systems and duping Internet surfers into believing they are harmless, he explained in a Friday blog entry. In some instances, multiple subdomains were added to each user's account, with each of them redirecting viewers to at least one malicious IP address.
Howard reports the exploit kit being used to create the false subdomains is called "Cool EK" and is Russian in origin, based on the "login page for the admin panel." The method used in the attack is "very similar to Blackhole exploit kit," he added, and anyone unfortunate enough to arrive at the malicious destination page "are hit with various malicious files, exploiting several vulnerabilities, in order to infect them with ransomware… Once running, the ransomware displays the familiar payment page, with contents that vary based on the country of the victim."
So how were the hackers able to gain access to the Go Daddy domain name system records? While there was no definitive answer to that as of Friday, Sophos believes that easily cracked or stolen passwords were one possible cause. Howard requested one affected webmaster review his log-in history, but he was unable to do so, and attempts to contact the domain hosting firm offered no insight into the matter either, as they refused to release information related to account log-ins or other activity.
"Enabling users to view historical login activity is a very simple way of helping to spot malicious activity early. Let's hope Go Daddy change their stance on this," Howard said. "Given the prevalence of attacks against web sites for the purpose of malware distribution it is high time that associated services (Registrars, hosting providers etc) pay adequate consideration to security."
He said he has contacted some of those webmasters that have been victims of the attack, as well as Go Daddy themselves, and suggests anyone wanting to see if they were attacked should go to their Go Daddy support page to review their DNS configuration. Howard also urged strengthening security measures to prevent the use of weak passwords, and to enable (and perhaps require) the use of two-factor authentication.
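One way to do the DNS review Howard recommends, and to catch the pattern he describes (legitimate records intact, extra subdomains pointing at rogue addresses), is to diff a zone export against a known-good baseline. The script below is an added example, not code from Sophos or Go Daddy; the zone text and the baseline are constructed for a hypothetical domain.

```python
import re

# Constructed sample zone export for a hypothetical domain; the last two A records are rogue.
ZONE_EXPORT = """\
$ORIGIN example.com.
@          3600 IN A     203.0.113.10
www        3600 IN A     203.0.113.10
mail       3600 IN MX 10 mail.example.com.
mail       3600 IN A     203.0.113.25
kjq7d      3600 IN A     198.51.100.77   ; not provisioned by the owner
promo-win  3600 IN A     198.51.100.77   ; not provisioned by the owner
"""

# Assumed owner-maintained baseline: every provisioned hostname and its permitted addresses.
BASELINE = {
    "example.com.": {"203.0.113.10"},
    "www.example.com.": {"203.0.113.10"},
    "mail.example.com.": {"203.0.113.25"},
}

A_RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)$")

def parse_a_records(zone_text: str) -> dict[str, set[str]]:
    """Return {fqdn: {ip, ...}} for every A record in a BIND-style zone text."""
    origin, records = "", {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = A_RECORD.match(line)
        if not m:  # MX, NS, TXT and other record types are ignored here
            continue
        name, ip = m.groups()
        fqdn = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        records.setdefault(fqdn, set()).add(ip)
    return records

def find_rogue_records(zone_text: str, baseline: dict[str, set[str]]) -> list[str]:
    """Flag A records that add a hostname, or an address, absent from the baseline."""
    findings = []
    for fqdn, ips in sorted(parse_a_records(zone_text).items()):
        if fqdn not in baseline:
            findings.append(f"unexpected hostname {fqdn} -> {sorted(ips)}")
        elif ips - baseline[fqdn]:
            findings.append(f"unexpected address for {fqdn}: {sorted(ips - baseline[fqdn])}")
    return findings
```

Run against a real export, the check only flags what the baseline does not already list, so the baseline must be kept current whenever records are legitimately added.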
In an emailed statement to redOrbit.com, Scott Gerlach, Director of Information Security Operations at Go Daddy, was cited as saying: “Go Daddy has detected a very small number of accounts have malicious DNS entries placed on their domain names. We have been identifying affected customers and reversing the malicious entries as we find them. Also, we're expiring the passwords of affected customers so the threat actors cannot continue to use the accounts to spread malware.”
“We suspect that the affected customers have been phished or their home machines have been affected by Cool Exploit as we have confirmed that this is not a vulnerability in the My Account or DNS management systems,” he added. “Go Daddy highly recommends that US- and Canada-based customers enable 2-Step Authentication to help protect their accounts.”
This may not have been the first hacking attempt against Go Daddy this fall. In September, a hacker from the shadowy group Anonymous claimed to have taken down the domain registry and web hosting company. However, one day after the attack, Go Daddy denied they had been targeted by cybercriminals.
"The service outage was not caused by external influences," CEO Scott Wagner said in a statement. "It was not a 'hack' and it was not a denial of service attack (DDoS). We have determined the service outage was due to a series of internal network events that corrupted router data tables. Once the issues were identified, we took corrective actions to restore services for our customers and GoDaddy.com."