Baidu.com the Latest Victim of Iranian CyberArmy


A group calling itself the Iranian Cyber Army, on the heels of its DNS attack on Twitter last month, has hijacked the domain of the Chinese search engine Baidu.com. Baidu is one of the most popular web sites in the world, a NASDAQ 100 multimedia company headquartered in Beijing that indexes over 740 million web pages for search and provides music and video content. The company employs over 6,000 people, has a 77% market share for search in China, and has annual revenue of about $200 million. For about three hours it served as an advertising platform for a hacktivist group supporting the fundamentalist Islamic regime in Iran.

Such digital attacks for political purposes are sometimes referred to as hacktivism, usually defined as “the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends”.

When we pinged it, baidu.com temporarily resolved to 174.121.0.7 in Houston, Texas, a host at the ISP ThePlanet.com. The domain normally resolves to hosts in Beijing, China, on China Unicom (for example 202.108.22.5, which is back up now). It appeared last night that the defacement page was hosted in a couple of different places.

The site as it appeared for about three hours today:

The site served up at baidu.com earlier.

Baidu.com as it normally appears:

Baidu.com, normally.

Two other domain names are referenced on the page: cyberarmyofiran.com and ircarmy.com. The first, at IP 70.35.29.162, shows hosting by Netfirms in Markham, Ontario, Canada. The second, ircarmy.com, is at IP 69.147.83.188, showing hosting by Yahoo in Sunnyvale, California.

This is the same group responsible for the attacks on Twitter and mowjcamp.org last month; Twitter went down for a while on the evening of December 17th. In the Twitter attack, a bad actor used a user ID and password assigned to Twitter to log in to the administrative portal of Twitter's managed DNS provider, Dyn.

DNS Services

At the time that Baidu.com was being redirected, we were seeing different SOA and NS results for the Baidu.com domain name depending on which recursive resolver we asked. A simple script queried several public resolvers for both records:

$ sh dnsbaidu.com
[baidu.com]----------------------
---[resolver.qwest.net]---
---[SOA]---
dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200
---[NS]---
ns3.baidu.com.
ns2.baidu.com.
dns.baidu.com.
ns4.baidu.com.


---[4.2.2.2]---
---[SOA]---
---[NS]---


---[4.2.2.3]---
---[SOA]---
dns204.a.register.com. root.register.com. 2010011108 28800 7200 604800 14400
---[NS]---
dns050.c.register.com.
dns204.a.register.com.
dns010.d.register.com.
dns190.b.register.com.


---[8.8.8.8]---
---[SOA]---
dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200
---[NS]---
dns.baidu.com.
ns2.baidu.com.
ns3.baidu.com.
ns4.baidu.com.


---[8.8.4.4]---
---[SOA]---
dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200
---[NS]---
dns.baidu.com.
ns2.baidu.com.
ns3.baidu.com.
ns4.baidu.com.


---[208.67.222.222]---
---[SOA]---
ns1.coolhandle.com. server.pronethosting.net. 2010011101 86400 7200 3600000 86400
---[NS]---
ns2.coolhandle.com.
ns1.coolhandle.com.

We were seeing even more interesting results when using a DNS tool called Squishywishywoo. The results are below and I have attached the full output in: baidu-dnscheck.pdf


50.0% of queries will be returned by 174.121.0.2 (ns2303.hostgator.com)
baidu.com. 86400 IN SOA ns2303.hostgator.com. dnsadmin.gator1152.hostgator.com. (
    2010011202 ; Serial
    86400      ; Refresh
    7200       ; Retry
    3600000    ; Expire
    86400 )    ; Minimum TTL

50.0% of queries will be returned by 174.121.0.3 (ns2304.hostgator.com)
baidu.com. 86400 IN SOA ns2303.hostgator.com. dnsadmin.gator1152.hostgator.com. (
    2010011202 ; Serial
    86400      ; Refresh
    7200       ; Retry
    3600000    ; Expire
    86400 )    ; Minimum TTL

Out of all the resolvers queried, only Google (8.8.8.8 and 8.8.4.4) and Qwest (resolver.qwest.net) returned correct answers for Baidu's NS records. OpenDNS (208.67.222.222) returned coolhandle.com name servers, Level 3's 4.2.2.3 returned Register.com's own name servers, 4.2.2.2 returned nothing at all, and the Squishywishywoo check reported HostGator name servers.

We can establish the correct expected results from the WHOIS data provided by Register.com, the registrar that Baidu.com is registered through. The name servers listed in that record are the delegation that the .com zone should be carrying for the domain.

Registrant: 
Domain Discreet 
ATTN: baidu.com 
Rua Dr. Brito Camara, n 20, 1 
Funchal, Madeira 9000-039 
PT 
Phone: 1-902-7495331 
Email: [email protected]


Registrar Name....: Register.com 
Registrar Whois...: whois.register.com 
Registrar Homepage: www.register.com 

Domain Name: baidu.com 
Created on..............: 1999-10-11 
Expires on..............: 2014-10-11 

Administrative Contact: 
Domain Discreet 
ATTN: baidu.com 
Rua Dr. Brito Camara, n 20, 1 
Funchal, Madeira 9000-039 
PT 
Phone: 1-902-7495331 
Email: [email protected]


Technical Contact: 
Domain Discreet 
ATTN: baidu.com 
Rua Dr. Brito Camara, n 20, 1 
Funchal, Madeira 9000-039 
PT 
Phone: 1-902-7495331 
Email: [email protected]


DNS Servers: 
ns3.baidu.com
ns2.baidu.com
ns4.baidu.com
dns.baidu.com

Querying one of the listed authoritative servers directly with dig (here ns3.baidu.com, 220.181.37.10) displays the data that the rest of the world should be seeing:

dig @220.181.37.10 baidu.com SOA

; <<>> DiG 9.6.0-APPLE-P2 <<>> @220.181.37.10 baidu.com SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26843
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;baidu.com.         IN  SOA

;; ANSWER SECTION:
baidu.com.      7200    IN  SOA dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200

;; AUTHORITY SECTION:
baidu.com.      86411   IN  NS  dns.baidu.com.
baidu.com.      86411   IN  NS  ns2.baidu.com.
baidu.com.      86411   IN  NS  ns3.baidu.com.
baidu.com.      86411   IN  NS  ns4.baidu.com.

;; ADDITIONAL SECTION:
dns.baidu.com.      300 IN  A   202.108.22.220
ns2.baidu.com.      300 IN  A   61.135.165.235
ns3.baidu.com.      300 IN  A   220.181.37.10
ns4.baidu.com.      300 IN  A   220.181.38.10

;; Query time: 308 msec
;; SERVER: 220.181.37.10#53(220.181.37.10)
;; WHEN: Tue Jan 12 00:17:03 2010
;; MSG SIZE  rcvd: 202
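As an added example (not the page's dnsbaidu.com script, which is not reproduced here), the following Python puts the multi-resolver check and the WHOIS baseline together: the registrar's listed name servers are the expected delegation, each resolver's NS answer is compared against that set, and the SOA serial is carried along so that a correct serial paired with a wrong NS set stands out. The sample answers are constructed from the records quoted above rather than captured live; the `query_live` function, which shells out to dig, is an assumption about the reader's environment and is not exercised by default.

```python
"""Cross-resolver delegation audit (added example, modelled on the page's
dnsbaidu.com script; not the original script). The registrar's WHOIS-listed
name servers are the expected delegation; every resolver's answer is compared
against that set, with the SOA serial carried along so that a correct serial
paired with a wrong NS set stands out."""
import subprocess

# Expected delegation: the DNS Servers from Register.com's WHOIS record.
WHOIS_NS = {"dns.baidu.com", "ns2.baidu.com", "ns3.baidu.com", "ns4.baidu.com"}

# Constructed sample of per-resolver answers, transcribed from the output quoted
# on the page (not live data). SOA is the RDATA string as `dig +short` prints it.
SAMPLE_ANSWERS = {
    "resolver.qwest.net": {
        "SOA": "dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200",
        "NS": ["ns3.baidu.com.", "ns2.baidu.com.", "dns.baidu.com.", "ns4.baidu.com."],
    },
    "4.2.2.2": {"SOA": "", "NS": []},
    "4.2.2.3": {
        "SOA": "dns204.a.register.com. root.register.com. 2010011108 28800 7200 604800 14400",
        "NS": ["dns050.c.register.com.", "dns204.a.register.com.",
               "dns010.d.register.com.", "dns190.b.register.com."],
    },
    "8.8.8.8": {
        "SOA": "dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200",
        "NS": ["dns.baidu.com.", "ns2.baidu.com.", "ns3.baidu.com.", "ns4.baidu.com."],
    },
    "208.67.222.222": {
        "SOA": "ns1.coolhandle.com. server.pronethosting.net. 2010011101 86400 7200 3600000 86400",
        "NS": ["ns2.coolhandle.com.", "ns1.coolhandle.com."],
    },
}


def normalize(name):
    """DNS names compare case-insensitively; drop the trailing dot."""
    return name.lower().rstrip(".")


def parse_soa(rdata):
    """(mname, rname, serial) from an SOA RDATA string, or None if empty/short."""
    fields = rdata.split()
    if len(fields) < 7:
        return None
    return normalize(fields[0]), normalize(fields[1]), int(fields[2])


def classify(answer, expected_ns):
    """'ok' if the NS set matches the registrar, 'empty' for no data, else 'divergent'."""
    seen = {normalize(n) for n in answer["NS"]}
    if not seen and not answer["SOA"]:
        return "empty"
    return "ok" if seen == expected_ns else "divergent"


def audit(answers, expected_ns):
    """Per-resolver verdict plus the NS set and SOA serial it actually served."""
    report = {}
    for resolver, answer in answers.items():
        soa = parse_soa(answer["SOA"])
        report[resolver] = {
            "verdict": classify(answer, expected_ns),
            "ns": sorted(normalize(n) for n in answer["NS"]),
            "serial": soa[2] if soa else None,
        }
    return report


def divergent_resolvers(answers, expected_ns):
    """Resolvers whose answer needs chasing down (anything other than 'ok')."""
    return sorted(r for r, v in audit(answers, expected_ns).items() if v["verdict"] != "ok")


def query_live(resolver, domain):
    """Optional network path, same shape as SAMPLE_ANSWERS; assumes dig on PATH."""
    answer = {}
    for rtype in ("SOA", "NS"):
        proc = subprocess.run(["dig", "+short", "@" + resolver, domain, rtype],
                              capture_output=True, text=True, timeout=10)
        lines = [ln.strip() for ln in proc.stdout.splitlines() if ln.strip()]
        answer[rtype] = (lines[0] if lines else "") if rtype == "SOA" else lines
    return answer


if __name__ == "__main__":
    for resolver, info in audit(SAMPLE_ANSWERS, WHOIS_NS).items():
        print(f"{resolver:20} {info['verdict']:9} serial={info['serial']} ns={info['ns']}")
```

Run against the sample, OpenDNS comes out as "divergent" with serial 2010011101, which is exactly the combination worth flagging: the serial says the resolver has talked to Baidu's real servers, the NS set says it is still handing out the attackers' delegation. To audit live, build the answers dict with `query_live(resolver, "baidu.com")` for each resolver and pass it to `audit` in place of `SAMPLE_ANSWERS`.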

The key thing to note is the SOA serial number 2010011101, and what it does and does not control. When a recursive resolver such as Google's 8.8.8.8 receives a query for baidu.com and has nothing in its cache, it walks down the DNS hierarchy: the .com servers return a referral listing the NS records for baidu.com, and the resolver then asks one of those servers for the answer. Every record it receives carries a TTL, and the resolver serves its cached copy until that TTL expires, then asks again. The serial is not consulted anywhere in that process. It is used by the zone's own secondary servers, which compare the serial in their copy of the zone against the primary's to decide whether to transfer a new copy.

That is what makes the data above interesting. OpenDNS returns the correct serial 2010011101, so at some point it fetched the SOA from Baidu's real servers, yet it also returns coolhandle.com name servers for baidu.com. Those NS records came from a referral issued while the .com delegation pointed at the attackers' servers, and they sit in OpenDNS's cache until their own TTL expires (the .com servers hand out delegation NS records with a two-day TTL). The matching serial does nothing to evict them, so OpenDNS keeps handing out the bad NS set in the meantime.

With this data in mind, we would ascertain that the change was initially made at the .com level, most likely through Register.com, to point the baidu.com delegation at DNS servers controlled by the attackers. By the time we dug into the records, Register.com's delegation had been corrected, but the bad records cached on other resolvers still existed. While we can't confirm this with certainty, the DNS data leads to this conclusion.

A recommendation to Baidu.com's DNS administrators: raising the serial above 2010011202, the highest we have seen on any server, would not help, because that serial belongs to the attackers' HostGator zone and resolvers do not use serials to decide when to refresh. The stale NS sets expire on their own TTLs (a day on the attackers' records above, two days for the .com delegation). What Baidu can do is keep the TTLs on its own records short so that future changes propagate quickly, and ask the operators of the large public resolvers to purge the cached baidu.com records rather than wait out the TTL.
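To make the caching argument concrete, here is an added toy resolver cache (example code, not from the original post) run over a constructed timeline: the attackers' delegation is live for three hours, a resolver that looks up baidu.com during that window caches the bad NS set with the day-long TTL seen on the attackers' records, and it keeps serving that set long after the registrar has fixed the delegation, because a cache only re-asks once the TTL has run out. The TTL values and the NS names are taken from the records quoted above; the timeline itself and the query times are constructed.

```python
"""Toy resolver cache (added example, not from the original post) showing why
an NS set cached during the hijack survives the fix at the registrar: entries
expire on TTL, and the zone's SOA serial is never consulted. Timeline values
are constructed; the TTLs and names come from the records quoted on the page."""
from dataclasses import dataclass


@dataclass
class CacheEntry:
    rdata: tuple      # the NS names served
    expires_at: int   # absolute time in seconds


class ResolverCache:
    """Minimal positive cache: one entry per (name, type), governed by TTL only."""

    def __init__(self):
        self.entries = {}

    def lookup(self, key, now, fetch):
        """Serve from cache while unexpired; otherwise call fetch(now) for
        (rdata, ttl) and cache it. Returns (rdata, 'cache' | 'fresh')."""
        entry = self.entries.get(key)
        if entry is not None and now < entry.expires_at:
            return entry.rdata, "cache"
        rdata, ttl = fetch(now)
        self.entries[key] = CacheEntry(rdata, now + ttl)
        return rdata, "fresh"


# Constructed timeline in seconds: the attackers' delegation is live for three hours.
T_HIJACK, T_FIXED = 0, 3 * 3600
GOOD_NS = ("dns.baidu.com", "ns2.baidu.com", "ns3.baidu.com", "ns4.baidu.com")
BAD_NS = ("ns1.coolhandle.com", "ns2.coolhandle.com")
BAD_TTL = 86400   # day-long TTL, as on the attackers' SOA records quoted above
GOOD_TTL = 7200   # Baidu's own SOA TTL from the dig output above


def com_referral(now):
    """What the .com servers hand out for baidu.com NS at time `now`.
    No serial appears here: a referral carries NS records and a TTL, nothing more."""
    if T_HIJACK <= now < T_FIXED:
        return BAD_NS, BAD_TTL
    return GOOD_NS, GOOD_TTL


def simulate(query_times):
    """One resolver querying at the given times; returns [(t, ns_set, source)]."""
    cache = ResolverCache()
    results = []
    for t in query_times:
        ns, source = cache.lookup("baidu.com/NS", t, com_referral)
        results.append((t, ns, source))
    return results


def first_correct_after_fix(query_times):
    """Earliest query time at which this resolver serves the real NS set."""
    for t, ns, _ in simulate(query_times):
        if t >= T_FIXED and ns == GOOD_NS:
            return t
    return None


if __name__ == "__main__":
    polluted = [600, T_FIXED + 60, T_FIXED + 6 * 3600, 600 + BAD_TTL]
    for t, ns, source in simulate(polluted):
        print(f"t={t:6d}s  {source:5}  {ns}")
    print("clean resolver first asking after the fix:", simulate([T_FIXED + 60])[0][1])
```

A resolver that first asked at t=600 s answers coolhandle.com from cache at every query until t=87000 s, a full day later, even though the delegation was corrected at t=10800 s; a resolver that first asked after the fix never sees the bad set at all. That split is what the per-resolver output above shows, and nothing the zone owner writes into its own SOA changes the expiry time of the polluted cache.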

Translation of the Text

The text is Persian and translates roughly to:

"Iranian (Persian) Cyber Army, is formed (and is on the move), in protest at the meddling of foreign and
 Zionist sites in our country's domestic affairs and the broadcasting of false news and inciting of conflict."

The text in the middle says “Dear Hussein”, perhaps in reference to Imam Hussein.

A similar sentiment to the messages present in the attack on Twitter.

Baidu

The name Baidu comes from an 800 year old Chinese poem written during the Song Dynasty. The poem compares the search for retreating beauty amid chaotic glamor with the search for one’s dream impeded by life’s obstacles. And we have ‘Google’.

Finally

While pressured to intervene as a response to Iran’s nuclear ambitions, China has for the most part stayed clear of speaking out on the subject. Businesses in China have served as intermediaries for products imported from Iran that are then shipped to U.S. firms, in violation of U.S. economic sanctions against Iran. For these reasons, it is unclear how attacking a Chinese search engine fits into the strategy of this hacktivist pro-Iranian government group. It may have just been that baidu.com was an opportunity to spread their message on a high profile web site.

Filed Under: featured, Web Site Defacement


Comments (21)


  1. Social comments and analytics for this post…

    This post was mentioned on Twitter by danielkennedy74: Baidu.com the Latest Victim of Iranian CyberArmy http://bit.ly/7yHCE0

  2. Robin says:

    It's a great search engine in China!

  3. CityTrader says:

    NICE SHOT GUYS………..WAY TO GO>>>>>>>

  4. Hassan says:

    The fact that the DNS entries point to the IP of the server hosting the website of the so-called “Iranian Cyber Army” does not guarantee that the attack was actually carried out by that group. Others can easily launch such attacks and redirect visitors to the website of their adversaries in order to implicate them. The fact that China is friendly to the murderous regime in Tehran further supports this argument. For example this could be an attack by Israeli hackers to annoy the Chinese and point the finger of blame toward the Iranians.

  5. Prefect says:

    Cui bono?

  6. [...] is the original: Praetorian Prefect | Baidu.com the Latest Victim of Iranian CyberArmy By admin | category: Uncategorized | tags: called-the-iranian, cyber, engine, [...]

  7. [...] Analisis del ataque (en inglés) en Praetorian Prefect [...]

  8. [...] A group called the Iranian Cyber Army has, fresh off the heels of their DNS attack on Twitter last month, hijacked the domain of Chinese search engine Baidu.com.Source:http://praetorianprefect.com/archives/2010/01/baidu-com-the-latest-victim-of-iranian-cyberarmy/?sms_… [...]

  9. CIANothing2Do says:

    These CIA people are so free. Even if you are unhappy about the Iran & China relationship, don’t play these childish games to create misleading antagonism between the Chinese & Iranians. Please, Iran has the right not to sell oil to the Americans and to sell it to the Chinese. The Chinese don’t meddle in other affairs like the Americans and commit genocide against Iraqi women & children. They don’t go bomb and kill people celebrating their wedding party using drone planes. Check your bankers’ greedy behaviours. They are robbing the Americans in broad daylight. Don’t commit genocide as the Americans have done to the native Indians.

  10. Prefect says:

    All righty then…

  11. [...] the direct target of a DNS rerouting. According to security services firm Praetorian Group, which monitored the attack at the time, for at least three hours, calls to Baidu’s IP address were rerouted to a site hosted by [...]

  13. [...] content itself as opposed to being a DNS redirect or something similar as happened to Twitter and Baidu recently. The fact that TechCrunch uses the WordPress blog application has led to speculation that [...]

  14. Once Baidu was hacked, hours later it seems that lots of Chinese hackers attacked Iran's Internet. It is not very good.

  15. It has a joke in China : Iranian want to buy Weapon From China

    They search suppliers via baidu.com

    They choose No1 listed in Baidu as their suppliers

    But Once They finish the business, They found that The Quality of Weapon is very very very bad

    So They want to attack Baidu.com

  16. Baidu is the largest Chinese search engine in China. So CyberArmy seems to be a nice hacker, but I do not agree with anyone from a different country hacking another; we should be nice to the world.

  17. Oh, My god.

    Baidu is the popular search engine for Chinese people; I always use it to search for things.

    So be nice to

  18. Baidu is the most popular search engine in China

  19. Uone heaters says:

    Baidu is the most popular search engine in China