Observations regarding the EC-Council DNS Hijack (Certified Ethical ‘Hijacking’)

Over the weekend, EC-Council’s website experienced what appears to be a DNS Hijacking. Steve Ragan has an excellent overview of the events on his CSO Online blog, which can be found here.

It becomes clear after reading the blog post that the particular IP address used with the DNS redirect has a very interesting history:

  • The same IP address was utilized by a user who appeared briefly in the #Linode IRC channel earlier this year (January 2014).  The user in question alludes to a SQL dump of a Linode database which included older forum credentials, which coincides with this story.
  • Additionally, the IP address in question made the news in early February 2014 when it was used to compromise the “Realm of the Mad God” domain.  It has been confirmed that malware was being served to visitors during that time and you can check out details of the VirusTotal report here.
  • This IP address is registered with Ecatel Network (NL).  Unfortunately, Ecatel has had a unique reputation among hosting providers over the years (securing the #1 ‘Bad Host’ position in 2010) and has been known to have IP ranges that are included on many reputation-based blacklists.

Considering the above, I decided to use urlQuery.net before visiting the EC-Council site to reduce any chance of potential malware being served.  (“urlQuery.net is a service for detecting and analyzing web-based malware. It provides detailed information about the activities a browser does while visiting a site and presents the information for further analysis.”)

urlQuery scan for http://www.eccouncil.org appeared to be clean

urlQuery scan for http://www.eccouncil.org/certification displayed some IDS alerts

It was interesting that the Suricata IDS results from urlQuery.net were different considering they were the same source IP.  Regardless, other IP addresses owned by Ecatel (NL) appear to have similar IDS and RBN alerts.

I came across some analysis of the ‘ZeroAccess’ Rootkit from 2010 which claimed that it originated from Ecatel networks and attributed particular ties to certain organizations.

I was curious about the malware that was previously served from the “RoTMG” domain and figured it could have potentially compromised someone at EC-Council.  There were reports in some gaming related forums that the malware included a keylogger:

With a keylogger being a possibility, it is not unlikely that the mail account credentials for EC-Council could have been compromised this way if the user in question visited the “RoTMG” site.  Having access to the contents of this email account most likely aided in the domain redirect request to Ecatel.

The fact that this particular EC-Council email account potentially contained unencrypted sensitive data is a story unto itself. This is also quite surprising considering that just last year (May 2013), EC-Council experienced an issue where directories were able to be viewed without authorization on their web server.  You can read more about the “Godzilla” incident here.

It seems as though it may be time to implement some sort of reputation check when domains are pointed to or transferred to blacklisted IPs/ranges.  This should hold especially true for hosting providers or IP ranges with such a well-known and longstanding “bad” reputation.  This could have aided in keeping control of the domain, but would not necessarily have mitigated any of the possible PII issues that may have been discovered.
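One way the reputation check suggested above could work at a registrar or DNS provider, as an added example that is not from the original post or any provider's actual system. The blocklist format, its labels, the function names and the "hold" policy are assumptions, and every address is a constructed value from the documentation ranges.

```python
import ipaddress

# Constructed blocklist in a "CIDR ; label" text format. The ranges are
# RFC 5737 / RFC 3849 documentation prefixes, not real reputation data.
SAMPLE_BLOCKLIST = """\
; constructed sample feed
198.51.100.0/24 ; EXAMPLE-BAD-HOST-1
203.0.113.64/26 ; EXAMPLE-BAD-HOST-2
2001:db8:bad::/48 ; EXAMPLE-BAD-HOST-3
"""

def parse_blocklist(text):
    """Return [(network, label)] from 'CIDR ; label' lines, skipping comments."""
    entries = []
    for line in text.splitlines():
        cidr, _, label = line.partition(";")
        cidr = cidr.strip()
        if not cidr:
            continue  # blank line or comment-only line
        entries.append((ipaddress.ip_network(cidr, strict=True), label.strip()))
    return entries

def review_dns_change(current_ips, proposed_ips, blocklist):
    """Decide whether a requested A/AAAA change should be applied or held.

    Only addresses that are new in the request are scored, so an unchanged
    record set is not re-evaluated on every edit.
    """
    hits = []
    for raw in sorted(set(proposed_ips) - set(current_ips)):
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            hits.append((raw, "unparseable address"))
            continue
        for net, label in blocklist:
            # A v4 address tested against a v6 network (or vice versa) is False.
            if addr in net:
                hits.append((raw, f"{net} ({label})"))
                break
    # Hypothetical policy: any hit holds the change for out-of-band
    # confirmation with the registrant instead of applying it.
    return {"action": "hold" if hits else "apply", "hits": hits}
```

A held change is where a provider would confirm the request through a second channel rather than trusting the mailbox that sent it.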

–Special thanks to @ArmyTra1n3d for helping with all of this and a shout-out to @SynAckPwn for the great references.