Cloning Security

Coming to a PC near you very soon is an innovative and possibly deadly combination of well known exploitation techniques, emerging from the dark side of the Internet. What makes this new attack so innovative are the targets: Internet security information and research Web sites. Hackers in the last week have been creating exact clones of Internet security Websites using proxies, DNS (domain name server) spoofing or redirection, and dedicated denial-of-service (DDoS) attacks.

It should not surprise anyone to realize Internet security research, forums, and information Websites are attacked on a regular or even daily basis. Mostly it is nuisance spam, bogus log-in attempts, or hack attempts to gain entry to the administrator side, and in more intense cases, DDoS.

But this cloning approach emerged from investigation only in the last week. To begin with, there was the discovery purely by accident, of an exact clone of the HostExploit Website. After further investigation, it was discovered this was not an isolated case, with one server hosting clones of security sites like avertlabs.com (McAfee), isc.sans.org, milw0rm.com, nmap.org, packetstormsecurity.org, secunia.com, securiteam.com, securityfocus.com, securityreason.com, thedarkvisitor.com, www-935.ibm.com (IBM), and xforce.iss.net (IBM).

In itself this was a worrying discovery, if simply viewed from content theft, hijacked traffic, click through, SSL forgery, PayPal information, and RSS links etc., of relatively high-traffic security sites. However, in parallel to the emergence of these clones commencing on Friday and over the weekend, several of the real sites listed as clones and a few others -- Metasploit, Zone-H, and Kaspersky -- were under hacker or DDoS attack, and in some cases a mixture of the two. For a while a couple sites were completely unavailable for a day or so, and one or two are still under a continuous DDoS attack.

Working off limited data from server logs and network traffic, at least a couple of the attacks originated from Poland (AS5617 TPNET); Romania (AS 9050 Romtelecom, AS39650 VIANET); Russia (JSC servers funneled via RTcomm, and Rostelecom via AS9002 RETN); and Turkey (AS9121 TTNet, AS8386 KOCNET). Many of these servers appear regularly on lists of the worst European offenders for hosting spam and exploits, according to the German-based anti-spam service UCEprotect.

I must emphasize here that there's no proven link between the appearances of the clones and this weekend's attacks. This could be a simple coincidence, but as Edmund Burke said. "Better be despised for too anxious apprehensions, than ruined by too confident security." It does leave the open question, if by hacking and DDoS, the real security Websites were offline the only source available could be the clones. It is by a simple step to include by DNS redirection, cookie plants, and other exploits, to ensure visitors went to and continued to visit the false, cloned sites.

Consider the mayhem that could be caused by providing bad file downloads and misinformation using these sorts of exploits, botnets, and spam, or even distorting the core news and advisories this sector, its enterprise customers and the press depend upon. Worst of all, even without any changes from the real sites, the data gathered from all those misdirected, security-minded visitors would be hugely valuable.

Obviously the intended outcome of the attacks and the clones is to damage reputations, create distrust, and ultimately make it easier for cyber-criminals to operate. The good news is thanks to swift action, these discovered clones and the hacker site serving them are offline. This is certainly not the last we will see of this approach.