True denial: analyzing the True proxy attack

Don Sambandaraksa

January 16, 2014

Over the weekend, news broke in social media circles that True’s transparent proxy had been compromised and was serving up compromised Google Ad Javascript files that had hard-coded ads of a rather dubious nature.

That attack stopped almost immediately after the news was blogged, but not before a network engineer on True Internet was able to duplicate the results independently and shared with me many of his logs.

True has also since issued an official reply saying that the issue was due to malware on users’ computers and not their fault.

“Our systems show no signs of being compromised and everything is functioning as normal. In the past True has had users complain of this behaviour and it was discovered that these users lacked sufficient protection which led to strange behaviour and changes in browser data,” the spokesperson wrote to me in Thai.

The email went on to say that local caching was something done by every ISP in the world to improve users' speed and quality of service, and closed by reassuring me that they had continuous security tests in place to ensure quality of service for their customers.

It almost made me feel sorry for the PR person who had to write that letter considering the mountain of logs I had with evidence to the contrary.

To recap, for a number of months prior to the discovery, a small number of users were complaining of annoying pop-ups to a number of dodgy sites such as bcduplicator.com, a Bitcoin Ponzi-scheme site.

The problem was first reported to True, by a user known as @Icez, who posted his experience and analysis of the problem on popular Thai webboard pantip.com on 8 December - over a month before @_JacobFish’s English-language post.

Fresh installs of Windows 8 and Linux, and even Android phones, with different web browsers (both Chrome and Firefox), were all tested and all exhibited the symptom intermittently.

Digging deeper, it emerged that the problem lay with one particular Google ad Javascript file, pubads_impl_32.js. The compromised version was hard-coded with the scamming websites (with a referral ID which should have made it possible to locate were the police competent and True not in denial). The hacked version was just 7 kb in size, whereas the genuine version is 59 kb.

Google has a number of servers in the 173.194.126.0 subnet that partner.googleadservices.com resolved to. Fetching pubads_impl_32.js from most of those servers would return the full-size, uncompromised version, but fetching it from 173.194.126.122 would return the poisoned version.

However, this would only happen from within True Internet. Downloading the file from 173.194.126.122 via a VPN to somewhere else, over Dtac 3G, or from any other ISP would not yield the compromised file.
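The test the engineer ran, fetching the same script from every address the ad hostname resolves to and comparing the results, can be scripted so that it is repeatable from several vantage points (inside the ISP, over a VPN, from another carrier). The script below is an added example and not the engineer's or True's tooling; the hostname and file name come from the article, the request path under it is assumed, and the sample responses used for the offline run are constructed with documentation addresses. A single server whose body differs from the majority, or the same server giving different digests from different networks, is exactly the pattern described above (59 kb from most servers, 7 kb from one, only from inside True).

```python
"""Multi-vantage consistency check for a CDN-served script.

Resolves a hostname to all of its IPv4 addresses, fetches the same path from
each one with the real hostname in the Host header, and compares the bodies
by size and SHA-256.  Run it from a second network and compare the digests:
a transparent proxy that rewrites one address will show up as one outlier
here and no outlier from the other vantage point.
"""
from __future__ import annotations

import hashlib
import socket
import sys
import urllib.error
import urllib.request
from collections import Counter

HOSTNAME = "partner.googleadservices.com"   # from the article
PATH = "/gpt/pubads_impl_32.js"              # assumed path; the article names only the file


def fingerprint(body: bytes) -> tuple[int, str]:
    """Return (size in bytes, SHA-256 hex digest) for one response body."""
    return len(body), hashlib.sha256(body).hexdigest()


def find_outliers(responses: dict[str, bytes]) -> dict:
    """Group responses by digest and report which servers disagree with the majority.

    responses maps a server address to the body it returned.  The digest seen
    most often is taken as the consensus; every address whose body hashes
    differently is reported with its (size, digest) so a 7 kb file beside a
    59 kb consensus is obvious at a glance.
    """
    prints = {addr: fingerprint(body) for addr, body in responses.items()}
    tally = Counter(digest for _, digest in prints.values())
    consensus_digest, _ = tally.most_common(1)[0]
    agreeing = sorted(a for a, (_, d) in prints.items() if d == consensus_digest)
    outliers = {a: fp for a, fp in prints.items() if fp[1] != consensus_digest}
    return {"consensus": consensus_digest, "agreeing": agreeing, "outliers": outliers}


def resolve_all(hostname: str) -> list[str]:
    """All IPv4 addresses the hostname currently resolves to, de-duplicated."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_from(addr: str, hostname: str, path: str, timeout: float = 10) -> bytes:
    """Fetch http://addr/path while presenting the real hostname in the Host header.

    Plain HTTP is used deliberately: a transparent proxy can only rewrite
    traffic it can read, and that is the traffic a check like this should look at.
    """
    req = urllib.request.Request(
        f"http://{addr}{path}",
        headers={"Host": hostname, "User-Agent": "vantage-check/1.0"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def check(hostname: str, path: str) -> dict:
    """Fetch path from every address of hostname and compare the bodies."""
    bodies = {}
    for addr in resolve_all(hostname):
        try:
            bodies[addr] = fetch_from(addr, hostname, path)
        except (OSError, urllib.error.URLError) as exc:
            print(f"{addr}: fetch failed ({exc})", file=sys.stderr)
    if not bodies:
        return {"consensus": None, "agreeing": [], "outliers": {}}
    return find_outliers(bodies)


# Constructed sample standing in for real fetches: three servers return the
# same body, one returns a short body with a hard-coded referral redirect.
SAMPLE_RESPONSES = {
    "192.0.2.10": b"var gpt=function(){/* genuine */};" * 50,
    "192.0.2.11": b"var gpt=function(){/* genuine */};" * 50,
    "192.0.2.12": b"var gpt=function(){/* genuine */};" * 50,
    "192.0.2.13": b"window.open('http://example.invalid/?ref=PLACEHOLDER');",
}


if __name__ == "__main__":
    # Offline run on the constructed sample; pass --live to query the real hostname.
    result = check(HOSTNAME, PATH) if "--live" in sys.argv else find_outliers(SAMPLE_RESPONSES)
    print(f"consensus digest: {result['consensus']}")
    print(f"agreeing servers: {', '.join(result['agreeing']) or 'none'}")
    for addr, (size, digest) in result["outliers"].items():
        print(f"OUTLIER {addr}: {size} bytes, sha256 {digest}")
```

Keep the digests from each run; comparing the consensus digest seen from inside the ISP against the one seen over a VPN is the part of the check that distinguishes a poisoned upstream server from something in the path between you and it.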

All this ceased on Saturday night, hours after Twitter user @_JacobFish published some details of the attack on a blog in English.

It would not be unreasonable to assume that someone had managed to compromise True’s transparent proxy to redirect Google’s 173.194.126.122 from the real address to a compromised server which served up the compromised file, the same way undesirable websites are censored in Thailand.

The question is, what does this all mean and should we be worried?

The network engineer who helped perform the analysis put it bluntly: True has no clue what they are doing and they issued that statement about users' PCs being infected with malware to save face. Well, actually he used a couple of expletives that would not be safe for publication, but that was the gist of it.

The optimistic view was that there was an attack, perhaps even an insider wanting to make some money on the side, which was detected by True and shut down on Saturday night, and that True PR was then given that statement to lull the public into a sense of security. Mainstream media bought the explanation and some newspapers printed True's alibi verbatim.

The other possibility was that True really has no idea what happened and the hacker simply disabled the redirect and is lying low, still with access to True’s transparent proxy, still looking at the browsing habits of users, still ready to plant malware... perhaps this time of a more malicious nature rather than just cheap ponzi-scheme pop-up referrals.

Having a mega-corporation running things and controlling access to information (and food) is bad. Having a clueless mega-corporation that is outrun and outwitted by a hacker is even worse.
© 2012 Questex Asia Ltd., a Questex Media Group company. All rights reserved.