BBC, Trump web attacks “just the start,” says hacktivist group

The newsroom at the BBC, which had its website attacked by hacktivists. (Image: BBC Corp.)

NEW YORK — The group that claimed responsibility for taking down the BBC’s global website last week has said the attack was “just the start.”

On Saturday, a group calling itself New World Hacking also claimed responsibility for an attack that downed Republican presidential candidate Donald Trump’s campaign website for about an hour.

The outages were caused by a massive distributed denial-of-service (DDoS) attack, which relies on pummeling a web server with so much traffic that it crumbles under the weight and stops responding.

DDoS attacks are widely used and simple to carry out, often by online groups aiming to bring down websites for extended periods.

The group targeted the BBC earlier in the week. BBC websites, including its iPlayer on-demand service, suffered downtime for at least three hours on Thursday.

One of the members of the group, who identified himself as Ownz and declined to use his real name, told ZDNet that the attacks on the BBC’s website and Trump’s website were a “test of power” and server strength.

“ISIS is our main target,” said Ownz.

Ownz, a self-described “hacktivist,” sent ZDNet a screenshot of a web interface that was allegedly used to launch the attacks, indicating an assault of up to 602 Gbps, backing up similar claims the group made to the BBC.

We were not able to verify the authenticity of the screenshot, or the alleged size of the attack.

If that attack size is proven true, it would vastly surpass the previous record for largest DDoS attack of 334 Gbps, recorded by Arbor Networks in mid-2015.

Ownz said the size of the attack was possible by using at least two “Amazon servers,” but did not disclose additional details.

Amazon has previously said that Amazon Web Services “employs a number of automated detection and mitigation techniques to prevent the misuse of our services,” with the capability to stop denial-of-service attacks from being launched and to shut down such an attack quickly if one is detected.

“We have our ways of bypassing Amazon,” said Ownz. “The best way to describe it is we tap into a few administrative services that Amazon is use to using. The [sic] simply set our bandwidth limit as unlimited and program our own scripts to hide it.”

Amazon did not respond to a request for comment over the weekend.

Ownz said the group of 12 people, many of whom are based in the US, spent about two weeks programming before they launched the attack on the BBC.

“The main purpose of this benefits unmasking ISIS, stopping the spread, and possibly ending the propaganda,” said Ownz. “We have been taking down ISIS websites in the past… this is just the start of a new year.”

The hacktivist said the group is compiling a list of Islamic State-related targets and plans to release the list Tuesday.

Ownz declined to name any targets in advance of the planned release.

Prior to the attacks on the BBC and Trump’s campaign website, the group was involved in a number of activities, including unmasking members of the Ku Klux Klan, and efforts to find and report online accounts associated with the Islamic State following the November terrorist attacks in Paris.

The group also said it was involved in the hacking of a major US retailer, which led to the unauthorized access of millions of credit cards. The hacktivist declined to identify the retailer on the record.

Ownz said that other targets were on the group’s radar, particularly sites dedicated to neo-Nazi and white-supremacist materials. The hacktivist mentioned one website in passing. Moments later, the site appeared offline.

ZDNet asked if the site was offline because Ownz mentioned it in conversation just a few moments earlier.

“Yes, indeed,” said the hacktivist.

WebSearcher PUP applies Proxy Lockdown

WebSearcher is an adware application brought to you by “Web Fox” and usually comes bundled with “extremely useful” applications like “Video Codex” and “Video Player”. WebSearcher uses a proxy to insert the advertisements into your normal web experience.

What makes this one different?

What makes this one different is that it uses a set of permissions to get the three most popular browsers to use the proxy it has set. If you look in Internet Explorer (IE) under “Internet Options” on the “Connections” tab and click on “LAN settings” you will see this form with all the user options “greyed out”. Note the announcement you can see on the “Connections” tab that I highlighted.


Basically this means that all system internet traffic controlled by the proxy settings is going through the application that controls port 9091 (in this case Sniffer.exe), and the normal user is blocked from changing that. That takes care of IE. In Chrome the change is pretty basic. The hijacker creates the “ProxyMode” value under the registry key HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome and sets the value-data to “system”, which means Chrome has to use the same system proxy setting that was described earlier.


For Firefox the procedure they followed was a bit more complex. In the file “local-settings.js” these lines were added:

pref("general.config.obscure_value", 0);
pref("general.config.filename", "mozilla.cfg");

This locks down the settings in Firefox and tells the browser to look in the file “mozilla.cfg” for the configuration. Looking at that file we will find this line:

lockPref("network.proxy.type", 5);

The value 5 for “network.proxy.type” tells Firefox to use the proxy set for “system” (see above).

Extra word of warning

This adware abuses two libraries of the legitimate web debugging proxy Fiddler (FiddlerCore.dll and FiddlerCoreWrapper.dll) and the DO_NOT_TRUST_FiddlerRoot certificate, which has been known to sometimes cause slowdowns and errors on systems where the proxy is no longer present. If you experience these problems and want to check for and/or remove the certificate, use the procedure below.

Procedure:

Use Winkey + R to open the Run box.

Type or Copy & paste certmgr.msc

Click OK to execute the command and the Certificate Manager window will open.

Select the Trusted Root Certification Authorities > Certificates and you should see something like the screenshot below.

You can delete certificates from this list by right-clicking on them and then choose Delete.

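As an added example (not code from the original post or from Malwarebytes), the following PowerShell check looks for the indicators described in the sections above in one pass: the leftover DO_NOT_TRUST_FiddlerRoot certificate, a system proxy pointing at port 9091, the Chrome ProxyMode policy, and the Firefox autoconfig lock files. The IE policy key that greys out the LAN settings form, the “:9091” proxy string and the default Firefox install directories are my assumptions, not details given in the post.

```powershell
# Added example, not part of the original post: checks a Windows system for the
# WebSearcher proxy lockdown indicators and returns a list of findings.
# Assumed: the IE policy lock location, ":9091" in the proxy string, Firefox paths.
function Find-WebSearcherProxyLockdown {
    $findings = @()

    # 1. Leftover Fiddler root certificate in either Trusted Root store
    foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
        Get-ChildItem $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like '*DO_NOT_TRUST_FiddlerRoot*' } |
            ForEach-Object { $findings += "Fiddler root cert in $store, thumbprint $($_.Thumbprint)" }
    }

    # 2. WinINET (IE/system) proxy pointing at the local port 9091 listener
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    if ($inet.ProxyEnable -eq 1 -and $inet.ProxyServer -match ':9091') {
        $findings += "System proxy is $($inet.ProxyServer)"
    }
    # IE policy that disables the LAN settings form (assumed location of the lock)
    foreach ($hive in 'HKCU', 'HKLM') {
        $pol = Get-ItemProperty "${hive}:\Software\Policies\Microsoft\Internet Explorer\Control Panel" -ErrorAction SilentlyContinue
        if ($pol.Proxy -eq 1) { $findings += "$hive policy locks the IE proxy settings" }
    }

    # 3. Chrome policy forcing it to follow the system proxy
    $chrome = Get-ItemProperty 'HKLM:\Software\Policies\Google\Chrome' -ErrorAction SilentlyContinue
    if ($chrome.ProxyMode -eq 'system') { $findings += 'Chrome ProxyMode policy set to system' }

    # 4. Firefox autoconfig files that lock network.proxy.type to 5 (system proxy)
    foreach ($dir in "$env:ProgramFiles\Mozilla Firefox", "${env:ProgramFiles(x86)}\Mozilla Firefox") {
        $ls = Join-Path $dir 'defaults\pref\local-settings.js'
        if ((Test-Path $ls) -and (Select-String -Path $ls -Pattern 'general\.config\.filename' -Quiet)) {
            $findings += "Firefox autoconfig enabled in $ls"
        }
        $cfg = Join-Path $dir 'mozilla.cfg'
        if ((Test-Path $cfg) -and (Select-String -Path $cfg -Pattern 'network\.proxy\.type",\s*5' -Quiet)) {
            $findings += "Firefox proxy type locked to system in $cfg"
        }
    }

    # 5. Process listening on port 9091 (the post names Sniffer.exe as the owner)
    Get-NetTCPConnection -LocalPort 9091 -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Port 9091 listener: PID $($_.OwningProcess) ($((Get-Process -Id $_.OwningProcess).ProcessName))" }

    return $findings
}

# Print the findings; an empty result means none of the indicators were present.
Find-WebSearcherProxyLockdown
```

Run it from an elevated prompt so the HKLM and LocalMachine store checks succeed; a certificate reported under step 1 can then be deleted with certmgr.msc as described in the procedure above.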

Removal and detection

Malwarebytes Anti-Malware detects and removes WebSearcher as PUP.Optional.WebSearcher. A removal guide can be found on our forums.


Resources


Mozillazine: Locking_preferences

Mozillazine: Network.proxy.type

Pieter Arntz