Flooding the messengers


Starting on the 15th of January at 11:42 AM, the Azeri website gununsesi.info, which has been reporting on the tensions between the oil giant SOCAR and Palmali, received a denial of service attack. The same day the sites yenicag.az and bastainfo.com suffered attacks.

According to the website editor, the attacks can be connected with a series of articles covering the tensions between SOCAR and Palmali:

"Türkiyədə Azərbaycan izi necə itirilir?" (How is the Azerbaijani trace being lost in Turkey?)

"Biz dövlətə hörmət edirik, Azərbaycana ziyan gəlməsin deyə susuruq" (We respect the state; we keep silent so that no harm comes to Azerbaijan)

The application layer attack consisted of a botnet of 800+ servers performing requests of the form:

GET /?s=qwerty+spvcoulc&x=32&y=7

GET /?s=qwerty+<8 random chars>&x=32&y=7

The majority of the requests used four User-Agents:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.1 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36

The botnet is composed of HTTP proxies, 20% of them Mikrotik open proxies.

One interesting web proxy was the address 188.32.110.74: this Mikrotik router redirects traffic to a "Privoxy" Tor proxy (Proxy-Agent: Privoxy 3.0.21).
In this way the attacker could also daisy chain the HTTP requests into the Tor network, increasing the number of IPs launching the attack.

* Connected to 188.32.110.74 (188.32.110.74) port 8888 (#0)
> GET http://www.gununsesi.info/?s=qwerty+SWEETRICK HTTP/1.1
> User-Agent: curl/7.38.0
> Host: www.gununsesi.info
> Accept: */*
> Proxy-Connection: Keep-Alive

Using the information provided by the Tor Project's public TorDNSEL service, we could confirm that 15 of the IPs were Tor exits.

For example, this request came from a Tor exit at 104.244.73.126 but was daisy chained through a Mikrotik proxy at the IP 188.32.110.74:

104.244.73.126 - - [15/Jan/2018:11:42:39 +0000] "GET /?s=qwerty+gzxagmvx&x=32&y=7 HTTP/1.1" 502 10144 [487] "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36" "---" "US" "AS53667 FranTech Solutions" "Via:1.1 188.32.110.74 (Mikrotik HttpProxy)" "185.152.212.131" "www.gununsesi.info" "tcp80"

Who performed the attack?

When we analyzed the attack, we saw that the GET requests contained the string "&x=32&y=7". Many application layer attacks randomize variables in the requests to bypass a cache system, so initially we thought that the x and y variables were part of the "randomness". But no: the requests randomized the string after qwerty+ but not the values of x and y.

So, what is the meaning of &x=32&y=7?

At the beginning we thought this was part of the botnet code that randomized the requests to bypass our protections, but we later discovered that this is a feature of some browsers (Chrome and Firefox) when submitting a form through an input of type "image".

The x and y variables correspond to the coordinates of the mouse click inside the image when a "type image" input is used to submit a form to a site. If you care about the details as we did, check this out.

So why did our attacker use &x=32&y=7 in the attack strings?

Looking into the logs and the source code of the site, we figured out what happened. The attacker first went to the website to find the "search" function.

If we look into the HTML code, we can see that the site's programmer made an error: the input type of the whole search form is "image".

So when someone searches for an article, the coordinates of the mouse click inside the image are also sent with the request.

So what happened?

The attacker went to the gununsesi.info website and placed a search request to obtain the link for the attack, minutes before the attack started. Then he placed the search link in the attack software but forgot to remove the x=32&y=7, as he thought it was relevant for the attack to work.

So now we go back to the logs, and we find the hit of the attacker "GET /?s=socar&x=32&y=7" and some interesting search queries: socar, palmali.

5.44.38.195 - - [15/Jan/2018:11:40:42 +0000] "GET /?s=socar&x=32&y=7  HTTP/1.1" 200 16749 "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) CriOS/63.0.3239.73 Mobile/15C202 Safari/604.1" "---" "AZ" "AS197830 Bakcell LLC" "
5.44.38.195 - - [15/Jan/2018:11:44:37 +0000] "GET /?s=palmali&x=0&y=0 HTTP/1.1" 302 224 [520] "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0 Mobile/15C202 Safari/604.1" "---" "AZ" "AS197830 Bakcell LLC"
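As an added example that is not part of the original post, the Python script below applies both observations above to a few constructed log lines in the same layout as the ones quoted here: it fingerprints the flood by the random 8-character token after qwerty+ and the fixed x=32&y=7, tallies the User-Agents and the forwarding proxy named in the Via header, and then lists the earlier requests that carry the same coordinates with a human search term, which is the pivot used to find the operator. The IPs, AS names and timestamps in the sample are constructed, not taken from the attack logs.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in the layout of the logs quoted in the post (RFC 5737 IPs, invented AS names).
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jan/2018:11:40:42 +0000] "GET /?s=socar&x=32&y=7 HTTP/1.1" 200 16749 "-" "Mozilla/5.0 (iPhone) CriOS/63.0" "---" "AZ" "AS64496 Example Mobile"
198.51.100.7 - - [15/Jan/2018:11:42:39 +0000] "GET /?s=qwerty+gzxagmvx&x=32&y=7 HTTP/1.1" 502 10144 [487] "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/41.0.2227.0" "---" "US" "AS64497 Example Hosting" "Via:1.1 192.0.2.44 (Mikrotik HttpProxy)"
198.51.100.8 - - [15/Jan/2018:11:42:40 +0000] "GET /?s=qwerty+spvcoulc&x=32&y=7 HTTP/1.1" 502 10144 [490] "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/41.0.2227.0" "---" "DE" "AS64498 Example Net" "-"
198.51.100.9 - - [15/Jan/2018:11:42:41 +0000] "GET /?s=qwerty+ab12cd34&x=32&y=7 HTTP/1.1" 502 10144 [488] "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/41.0.2227.0" "---" "NL" "AS64499 Example Hosting" "Via:1.1 192.0.2.44 (Mikrotik HttpProxy)"
203.0.113.99 - - [15/Jan/2018:11:45:00 +0000] "GET /?s=oil+prices&x=10&y=3 HTTP/1.1" 200 15000 [120] "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/57.0" "---" "AZ" "AS64496 Example Mobile" "-"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                     r'(?P<status>\d{3}) \S+(?: \[\d+\])? (?P<rest>.*)$')
# parse_qs turns the '+' in "qwerty+gzxagmvx" into a space before the 8-char token is matched.
FLOOD_TOKEN = re.compile(r'^qwerty [A-Za-z0-9]{8}$')

def parse_line(line):
    """Split one log line into the fields we need; None if the layout does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = re.findall(r'"([^"]*)"', m['rest'])  # referer, UA, "---", country, ASN, Via, ...
    via = next((f for f in fields if f.startswith('Via:')), None)
    return {'ip': m['ip'],
            'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
            'query': {k: v[0] for k, v in parse_qs(urlsplit(m['target']).query).items()},
            'ua': fields[1] if len(fields) > 1 else '',
            'via_ip': via.split()[1] if via else None}  # the proxy that forwarded the request

def is_flood(rec):
    """Bot fingerprint: random 8-char token after 'qwerty' plus the fixed x=32&y=7 coordinates."""
    q = rec['query']
    return (q.get('x'), q.get('y')) == ('32', '7') and bool(FLOOD_TOKEN.match(q.get('s', '')))

def analyze(log_text):
    """Tally flood hits by User-Agent and proxy hop, and list pre-flood hits sharing the x/y."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    flood = [r for r in recs if is_flood(r)]
    start = min((r['ts'] for r in flood), default=None)
    # A human search term with the bot's exact x=32&y=7, sent before the flood began, is the pivot.
    recon = [r for r in recs if start and r['ts'] < start and not is_flood(r)
             and (r['query'].get('x'), r['query'].get('y')) == ('32', '7')]
    return {'flood_hits': len(flood),
            'user_agents': Counter(r['ua'] for r in flood),
            'proxy_hops': Counter(r['via_ip'] for r in flood if r['via_ip']),
            'recon': [(r['ip'], r['ts'].strftime('%H:%M:%S'), r['query'].get('s')) for r in recon]}
```

Calling analyze(SAMPLE_LOG) reports three flood hits, two of them forwarded by the same proxy, and a single pre-flood search for "socar" from the address that carries the bot's coordinates.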

WhatsApp also leaked info

The attacker reported on the attack progress via WhatsApp. The WhatsApp User-Agent in the following hits is the client fetching a link preview of a URL pasted into a chat, so the search links were being shared while the attack was underway.

5.44.38.195 - - [15/Jan/2018:11:43:27 +0000] "GET /?s=ri&x=24&y=12 HTTP/1.1" 502 10144 [206] "-" "WhatsApp/2.18.11 i" "---" "AZ" "AS197830 Bakcell LLC" "
5.44.38.195 - - [15/Jan/2018:11:43:28 +0000] "GET /?s=am&x=24&y=12 HTTP/1.1" 502 10144 [206] "-" "WhatsApp/2.18.11 i" "---" "AZ" "AS197830 Bakcell LLC"
5.44.38.195 - - [15/Jan/2018:11:43:29 +0000] "GET /?s=amcell&x=24&y=12 HTTP/1.1" 502 10144 [210] "-" "WhatsApp/2.18.11 i" "---" "AZ" "AS197830 Bakcell LLC"
5.44.38.195 - - [15/Jan/2018:11:43:30 +0000] "GET /?s=amcello&x=24&y=12 HTTP/1.1" 499 0 [211] "-" "WhatsApp/2.18.11 i" "---" "AZ" "AS197830 Bakcell LLC" "
85.132.76.48 - - [15/Jan/2018:11:44:29 +0000] "GET /?s=palmali&x=0&y=0 HTTP/1.1" 200 17250 [167] "-" "WhatsApp/0.2.7315 N" "---" "AZ" "AS29049 Delta Telecom Ltd"

Conclusions

The application layer attack performed against several sites on the 15th of January seems closely connected to the SOCAR and Palmali disputes. The attacker's IP address at the time of the attack was 5.44.38.195, and it communicated with someone at the address 85.132.76.48.