Recently most of the people used to collaborate through GitHub experienced a new kind of Denial Of Service Attack widly recognized as Main-On-The-Side Attack. The Github DDOS attack was driven by the State of China (NewYorkTime) with the intent to alert GitHub company about the violation of the Chinese censorship policies.
“Because GitHub is fully encrypted, China’s domestic web filters cannot distinguish between pages that host code useful to programmers and code that circumvents censorship.” (Source: NewYorkTime)
A unaware user is browsing from outside China
A compromised response is sent out from China instead of the actual Baidu Analytics script
The compromised response tells to the user browser to contnuosly load specific pages on GitHub.com.
Finding the original malicious code in order to analyze it, was actually the real challenge (at least for me). I’ve tried to execute tons of Baidu urls GET requests but no malicious payloads were found. Fortunately Urlquery.net saw the code and stored it (here). The following image shows one of the used payloads (that report proves tha multiple payloads were involved).
Script From Baidu during the Chinese Github Attack
The connections path captured by urlquery is shown in the following picture where is almost evident the query to cloudfront comming after having loaded a fake baidu script.
Getting little bit deeper — a malicious payload downloaded from —
<img src="http://urlquery.net/images/flags/cn.png" height="11" title="China AS4808 CNCGROUP IP network China169 Beijing Province Network" width="16" /> 220.127.116.11 HTTP/1.0 200 OK