China has drawn considerable global attention for its Internet policies in recent years, whether by introducing its own search engine, "Baidu," the Great Firewall of China, its homebrew China Operating System (COP), and much more.

Along with the developments, China has long been criticized for suspected backdoors in its products: Xiaomi and Star N9500 smartphones are top examples.

Now, Chinese Internet Service Providers (ISPs) have been caught red-handed injecting advertisements as well as malware into their network traffic.

Three Israeli researchers uncovered that the major Chinese ISPs China Telecom and China Unicom, two of Asia's largest network operators, have been engaged in the illegal practice of injecting content into network traffic.

Chinese ISPs had set up many proxy servers to pollute clients' network traffic not only with unwanted advertisements but also, in some cases, with malware links inside the websites they visit.

When an Internet user tries to access a domain whose traffic passes through these Chinese ISPs, a forged packet redirects the user's browser down the rogue route. As a result, the client's legitimate traffic is redirected to malicious sites or ads, to the ISPs' benefit.

Here's How Malware and Ads are Injected


In the research paper titled 'Website-Targeted False Content Injection by Network Operators,' the Israeli researchers wrote that the tactic has now expanded to core ISPs – the Internet companies that interconnect edge ISPs with the rest of the ISPs globally.

These ISPs have set up specialized servers that monitor network traffic for specific URLs and alter it, whether or not the end users are their customers.

Methods of Injection:

ISPs have adopted various methods to infiltrate legitimate traffic. Some of them are:

1) Out-of-Band TCP Injection


Unlike in the past, when ISPs modified network packets in place to inject ads, the network operators now send forged packets without dropping the legitimate ones.

Interestingly, instead of intercepting or rewriting network packets, ISPs have adopted cloning of HTTP response packets to carry out the injection. The ISP clones the legitimate traffic, modifies the clone, and then sends both packets to the intended destination.

So ultimately, two response packets are generated for a single request. Hence, there is a chance that the forged packet wins the race and the legitimate packet arrives last.

Since the cloned traffic will not always arrive at the end user before the legitimate one, the injected traffic is harder to detect.

Careful analysis with a packet capture tool such as netsniff-ng, however, exposes the fake packets.

2) HTTP Injection


HTTP is a stateless client-server protocol that uses TCP as its transport. Because TCP accepts the first segment it receives for a given sequence number and discards a later duplicate, the fake packet can take the place of the real one if it arrives first, which is exactly what happens when an injection has taken place.

Here, the user may get a response with HTTP status 302 (Redirection) instead of HTTP status 200 (OK) and is re-routed to other, illegitimate links.

How to Identify Rogue Packets?


1) IP Identification


The IP identification field carries a counter that many senders increment sequentially with each packet they send.

The forged packet arrives shortly after the request is made and masquerades as a legitimate response, but the header values and arrival time of each packet give enough evidence to single out the rogue one.

The forged packet is the one that has the largest absolute difference between its identification value and the average of the identification values of all the other packets.

2) TTL (Time to Live)


Each received packet carries a TTL value that the sender initialises and that every hop decrements, so the value on arrival reflects the number of hops the packet covered in transit.

If a packet is received with a different hop count from the others, that clearly draws a line between the legitimate and illegitimate ones.

The forged packet is the one that has the largest absolute difference between its TTL value and the average of the TTL values of all the other packets.

3) Timing Analysis


The time stamp of each packet, captured by monitoring systems at the entrance to the edge network, helps establish its genuineness.

Packets whose arrival times are close to the expected ones are distinguished from forged packets, whose arrival times do not match.
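The race described under Out-of-Band TCP Injection and the IP ID and TTL heuristics above, as an added defender-side example that is not code from the article or the research paper. It works on packet records already extracted from a capture (the `Pkt` class, the `ads.example` redirect and all addresses and header values are constructed), flags any TCP segment seen twice with differing payloads, and then applies the two header heuristics to decide which copy is the injected one; the timing heuristic is reduced here to recording which copy won the race.

```python
from dataclasses import dataclass
from statistics import mean
@dataclass(frozen=True)
class Pkt:
    """One captured server-to-client TCP segment (fields normally read from a pcap)."""
    flow: tuple     # (server_ip, server_port, client_ip, client_port)
    seq: int        # TCP sequence number
    ip_id: int      # IPv4 identification field
    ttl: int        # IPv4 time-to-live as received
    ts: float       # capture timestamp in seconds
    payload: bytes

def find_races(packets):
    """Groups of packets sharing flow and seq but carrying different payloads:
    two responses to one request, the signature of out-of-band injection."""
    by_seg = {}
    for p in packets:
        by_seg.setdefault((p.flow, p.seq), []).append(p)
    return [g for g in by_seg.values() if len({p.payload for p in g}) > 1]

def pick_forged(race, packets, field):
    """Header heuristic from the article: the forged packet is the racing packet whose
    `field` (ip_id or ttl) differs most from that field's mean over the flow's other packets."""
    others = [getattr(p, field) for p in packets
              if p.flow == race[0].flow and p not in race]
    if not others:
        return None   # no context packets to compare against
    base = mean(others)
    return max(race, key=lambda p: abs(getattr(p, field) - base))

def classify(packets):
    """Apply both header heuristics to each race and note which packet won it."""
    verdicts = []
    for race in find_races(packets):
        by_id, by_ttl = pick_forged(race, packets, "ip_id"), pick_forged(race, packets, "ttl")
        verdicts.append({"seq": race[0].seq, "forged_by_ipid": by_id, "forged_by_ttl": by_ttl,
                         "arrived_first": min(race, key=lambda p: p.ts), "agree": by_id is by_ttl})
    return verdicts

# Constructed capture (not real traffic): the server's first response segment (seq 1000)
# arrives twice; the forged 302 beats the legitimate 200 by 3 ms and has an IP ID and TTL
# out of line with the rest of the flow.
FLOW = ("203.0.113.10", 80, "198.51.100.7", 51234)
SAMPLE = [
    Pkt(FLOW, 1000, 61337, 57, 0.020, b"HTTP/1.1 302 Found\r\nLocation: http://ads.example/\r\n"),
    Pkt(FLOW, 1000, 40100, 52, 0.023, b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<html>"),
    Pkt(FLOW, 2000, 40101, 52, 0.031, b"<body>page part 1"),
    Pkt(FLOW, 3000, 40102, 52, 0.038, b"page part 2"),
    Pkt(FLOW, 4000, 40103, 52, 0.045, b"</body></html>"),
]
```

Running `classify(SAMPLE)` returns one verdict in which both heuristics point at the 302 packet, which is also the copy that arrived first; on a real capture, feed it the server-to-client segments of one HTTP session.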

List of the Infection Groups

Chinese ISPs Caught Injecting Ads and Malware into Web Pages
In total, 14 different ISPs were found to be behind the malicious injections: 10 are from China, 2 from Malaysia, and 1 each from India and the United States.

Following are the injection groups and their characteristics:

1. Hao – Redirected the user to hao123.com itself, but used an HTTP 302 response to do so.

2. GPWA – The genuine gambling website was forged to point to another web domain that quietly redirects the traffic to 'qpwa' (the public often cannot tell 'q' from 'g').

The forged content here includes JavaScript that refers to a resource with the same name as the one the user originally requested, but the forged resource is located at qpwa.org, which is registered to a Romanian citizen.

3. Duba Group – The injections in this group add to the original content of a website a colorful button that prompts the victim to download an executable from a link at the domain duba.net.

The executable is flagged as malicious by several antivirus vendors.

4. Mi-img – In these injected sessions, the client, which appears to be an Android device, tries to download an application. The injected response redirects to a destination that a BotScout lookup identified in its online bot database.

5. Server Erased – In this group, the injections were identical to the legitimate response except that the original value of the HTTP 'Server' header was changed.

Motive Behind the Attack


Both the advertising agencies and the ISPs benefit from redirecting users' traffic to the corresponding sites.

This practice increases advertisement revenue and other profits for advertisers and ISPs.

During their research, the researchers logged massive amounts of Web traffic and detected around 400 injection incidents based on this technique.

Most of these events involved ISPs in China and other Far East countries, even when the traffic originated from Western countries, meaning a German user accessing a website hosted in China is also susceptible to having his or her traffic injected with ads or malware.

How to Mitigate?


Since the companies that engage in such practices are edge ISPs, the final network providers that connect users to the Internet, users can change their Internet provider.

However, the simplest way to combat this issue is for website operators to support HTTPS for their services, as all the websites that were used to infect users lack SSL.

The sites in whose traffic the malicious URLs were delivered are not protected by SSL, which is what makes the injection possible.

Therefore, HTTPS-based websites would block this kind of attack, so users are advised to stick to SSL sites.

Delivering illegitimate content, or redirecting users purely to cash in, ultimately erodes public trust in the technology.
