Pierluigi Paganini February 29, 2016

Chinese ISPs (internet service providers) are redirecting users legitimate traffic to malicious websites serving malware and ads.

China is know to be not very “ortodox” when talking about freedom on the internet, over the time, it developed numerous projects to monitor users’ activity. The Great Firewall

Now three Israeli researchers uncovered that Chinese ISPs (China Telecom and China Unicom) are injecting content into the users’ traffic.

The way these two Chinese ISPs pollute their client’s network was by setting up proxy servers that lead clients in advertisement links and malware.

When a user access a domain that is under one of these Chinese ISP’s, the altered packet redirects the users browser to parse the rogue network routes. The result is that the initial traffic will be redirected to malicious sites serving adversities and malware.

In their paper, the researchers detailed the tactics used to conduct such kind of attacks and how the IPSs monitor the network traffic for specific URLs altering the traffic.

The ISPs are using two injection techniques, the first one called Out of Band TCP Injection and the second its HTTP Injection.

In the Out of Band TCP Injection, the network operators send a forged packet without dropping the legitimate ones, this means that the ISP clones the legitimate traffic and send both legitimate and cloned traffic to the final destination.

The destination receives two traffic stream coming from the same source, the legit and the cloned one, but only one can arrive first, if the legit one wins the race nothing will happen and the users will be fine, but if the cloned one wins the race the user will be in serious problems.

The HTTP Injection works injecting false HTTP responses into the web client. The HTTP is a stateless client-server protocol that uses TCP as its transport.

An HTTP exchange begins by a client sending an HTTP request, usually to retrieve a resource indicated by a URI included in the request. After processing the request, the server sends an HTTP response with a status code. The user might get the following responses:

• 200 (Successful): The request was successfully received, understood, and accepted. Responses of this type will usually contain the requested resource.
• 302 (Redirection): The requested resource resides temporarily under a different URI. Responses of this type include a Location header field containing the different URI.

“An HTTP client will receive only one HTTP response for a given request even when a false HTTP response is injected because, as mentioned above, the TCP layer will only accept the first segment that it receive.”

The researchers collected evidence to discover the threat actor behind the forged packets.

They discovered a sort of dirty alliance between advertising sites and ISPs that working together can generate huge amounts of advertisement revenue and divide the profit.

During the investigation, the researchers detected massive amounts of traffic being redirected based on this partnership.

Even though this is happening in China, all users in the world can be affected by it, simply because if you want to access to websites hosted in China you will need to pass through Chinese ISPs before arriving the website, and you will have your traffic susceptible to be injected with ads or malware.

How to detect traffic changed/cloned by the Chinese ISPs?

IP identification

A forged packet is masqueraded as a legit packet but can be discovered by the time stamp in each packet, providing an evidence of being a rogue packet.

“We formulate the following rule to determine which of the two raced packets is the forged one: the forged packet is the one that has the largest absolute difference between its identification value and the average of the identification values of all the other packets (except the raced one).”

TTL (Total Time to Live)

“The IP TTL value in a received packet is dependent on the initial value set by the sender and the number of hops the packet has traversed so far. Thus, it is unusual for packets of the same session to arrive at the client with different TTL values. Therefore, if the raced packets have different TTL values we can use them to distinguish between the two packets. From our observations, the injecting entity often made no attempt to make the TTL value of the forged packet similar to the TTL values of the other packets sent by the server. Similarly to the case of the IP identification rule above, we identify the forged packet using the following rule: the forged packet is the one that has the largest absolute difference between its TTL value and the average of TTL values of all the other packets. (except the raced one).”

Timing Analysis

“The race between the forged and legitimate packets can also be characterized by the difference in their arrival times. By arrival time we mean the time at which the packet was captured by the monitoring system. Since the system captures traffic at the entrance to the edge network close to the client, it is reasonable to assume that these times are very close to the actual arrival times at the end client. For each injection event we calculatethe difference between the arrival time of the legitimate packet and the arrival time of the forged packet. A negative difference means that the forged packet “won” the race, and a positive difference means that the legitimate packet “won”.”

How to mitigate the risk?

The best way to avoid this kind of attacks is to access websites supporting HTTPS, because in generally the malicious URLs are not SSL Shield, therefore the use of HTTPS by a website can block this type of attack.

About the Author Elsio Pinto

Edited by Pierluigi Paganini

(Security Affairs – Chinese ISPs, malware)