Malware finds unwitting ally in GitHub

Winnti's abuse of GitHub repository leaves the site in the tricky position of deciding which projects can stay and which ones to shut down

Michael Kan

Just because it's on GitHub doesn't mean it's legitimate. A financially motivated espionage group is abusing a GitHub repository for C&C (command and control) communications, Trend Micro warned.

Researchers found malware used by Winnti, a group mainly known for targeting the online gaming industry, was connecting to a GitHub account to obtain the exact location of its C&C servers. The malware looked up an HTML page stored in the GitHub project to obtain the encrypted string containing the IP address and port number for the C&C server, wrote Trend Micro threat researcher Cedric Pernet on the TrendLabs Security Intelligence blog. It would then connect to that IP address and port to receive further instructions. As long as the group kept the HTML page updated with the latest location information, the malware would be able to find and connect to the C&C server.
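The lookup described above, as an added Python example that is not code from the article or from Trend Micro's analysis: the article does not describe the real encoding, so the page markup, the `<!-- cfg:... -->` marker, the XOR-then-base64 obfuscation, the key and the TEST-NET-3 address below are all constructed assumptions. It also shows the checks a resolver of this kind needs (marker missing, undecodable token, non-IP string, out-of-range port) so that a defaced, replaced or taken-down page yields "no server" rather than a crash or a connection to garbage.

```python
import base64
import ipaddress
import re
from typing import Optional, Tuple

# Hypothetical obfuscation scheme (assumption): the article only says the page
# held an "encrypted string" containing IP and port. XOR with a repeating key,
# then base64, hidden in an HTML comment, stands in for the unknown real scheme.
KEY = b"demo-dead-drop-key"  # constructed key, not a real sample artifact
MARKER_RE = re.compile(r"<!--\s*cfg:([A-Za-z0-9+/=]+)\s*-->")


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(ip: str, port: int, key: bytes = KEY) -> str:
    """Build the token an operator's publish step would commit to the page."""
    return base64.b64encode(_xor(f"{ip}:{port}".encode(), key)).decode()


def extract_c2(html: str, key: bytes = KEY) -> Optional[Tuple[str, int]]:
    """Resolve the C&C endpoint from a fetched page; None if absent or invalid.

    Every failure path (no marker, bad base64, non-UTF-8 plaintext, no ':'
    separator, non-IP host, non-numeric or out-of-range port) returns None.
    """
    m = MARKER_RE.search(html)
    if not m:
        return None
    try:
        plain = _xor(base64.b64decode(m.group(1), validate=True), key).decode()
        host, port_s = plain.rsplit(":", 1)      # ValueError if no separator
        ip = ipaddress.ip_address(host)          # ValueError if not an IP literal
        port = int(port_s)                       # ValueError if not numeric
    except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
        return None
    if not 1 <= port <= 65535:
        return None
    return str(ip), port


# Constructed stand-in for the repository's HTML page (203.0.113.0/24 is the
# TEST-NET-3 documentation range, not a real C&C address).
SAMPLE_PAGE = f"""<html><head><title>mobile-phone-project</title></head>
<body>
<p>Hello world</p>
<!-- cfg:{obfuscate('203.0.113.10', 443)} -->
</body></html>"""

# A page whose token decodes cleanly but names an impossible port.
BAD_PORT_PAGE = f"<html><!-- cfg:{obfuscate('203.0.113.10', 70000)} --></html>"

if __name__ == "__main__":
    print(extract_c2(SAMPLE_PAGE))       # ('203.0.113.10', 443)
    print(extract_c2("<html></html>"))   # None: no marker, implant sleeps and retries
    print(extract_c2(BAD_PORT_PAGE))     # None: port out of range
```

For defenders the useful observation is the inverse of the implant's logic: the only indicator present in the sample itself is the GitHub URL and the marker format, so a detection written on the sample should key on those rather than on any IP address the page happened to hold on the day of analysis.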

The GitHub account contained 14 different HTML files, all created at various times, with references to nearly two dozen IP address and port number combinations. There were 12 IP addresses, and the attackers rotated between three different port numbers: 53 (DNS), 80 (HTTP), and 443 (HTTPS), all ports that routinely pass outbound through corporate firewalls. Trend Micro looked at the first and last commit timestamps on the HTML files to determine that C&C server information was being posted to the project from Aug. 17, 2016 to March 12, 2017.

The GitHub account was created in May 2016, and its sole repository, mobile-phone-project, was created in June 2016. The project appears to be derived from another generic GitHub page. Trend Micro believes the account was created by attackers themselves and not hijacked from its original owner.

"We have privately disclosed our findings to GitHub prior to this publication and are proactively working with them about this threat," Pernet said. InfoWorld reached out to GitHub for more information about the project and will update with any additional details.

GitHub is no stranger to misuse

Organizations are unlikely to be suspicious of network traffic to a GitHub account, which works in the malware's favor. It also makes the attack campaign more resilient: because the malware always fetches the latest server information, the attackers can stand up a new server and update the page if the original is shut down by law enforcement action. And since the server address isn't hard-coded in the malware, researchers who come across only a sample won't find the C&C server in it; they find the GitHub URL, and by then the page may already have been changed or removed.
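The same design has a cost the defender can use, shown here as an added example (not code from the article or from Trend Micro): a dead-drop resolver has to poll the same raw file at a steady interval, which is rare for a human browsing GitHub. The proxy log format, the client addresses and the `exampleuser/mobile-phone-project` path are constructed, and the thresholds are assumptions to tune on real traffic.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client ip> <method> <url>".
# 10.0.0.5 polls one raw file every 5 minutes (dead-drop style).
# 10.0.0.9 is a developer who opens the same raw file a few times at
# irregular intervals while browsing the repository.
SAMPLE_LOG = """\
2017-03-12T09:00:00 10.0.0.5 GET https://raw.githubusercontent.com/exampleuser/mobile-phone-project/master/index.html
2017-03-12T09:00:45 10.0.0.9 GET https://github.com/exampleuser/mobile-phone-project
2017-03-12T09:05:00 10.0.0.5 GET https://raw.githubusercontent.com/exampleuser/mobile-phone-project/master/index.html
2017-03-12T09:07:10 10.0.0.9 GET https://github.com/exampleuser/mobile-phone-project/issues
2017-03-12T09:10:00 10.0.0.5 GET https://raw.githubusercontent.com/exampleuser/mobile-phone-project/master/index.html
2017-03-12T09:15:00 10.0.0.5 GET https://raw.githubusercontent.com/exampleuser/mobile-phone-project/master/index.html
2017-03-12T09:20:00 10.0.0.5 GET https://raw.githubusercontent.com/exampleuser/mobile-phone-project/master/index.html
2017-03-12T09:31:00 10.0.0.9 GET https://raw.githubusercontent.com/exampleuser/mobile-phone-project/master/index.html
2017-03-12T09:32:00 10.0.0.9 GET https://raw.githubusercontent.com/exampleuser/mobile-phone-project/master/index.html
2017-03-12T10:40:00 10.0.0.9 GET https://raw.githubusercontent.com/exampleuser/mobile-phone-project/master/index.html
2017-03-12T10:41:00 10.0.0.9 GET https://raw.githubusercontent.com/exampleuser/mobile-phone-project/master/index.html
"""


def parse_log(log: str):
    """Yield (timestamp, client, url) from the constructed log format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split()
        yield datetime.fromisoformat(ts), client, url


def find_beacons(log: str, min_hits: int = 4, max_cv: float = 0.2):
    """Flag (client, url) pairs fetched repeatedly at a near-constant period.

    min_hits: minimum requests before the pair is considered at all.
    max_cv:   largest allowed coefficient of variation (stdev / mean) of the
              gaps between requests; 0 means perfectly periodic. Implants that
              add jitter raise the CV, so loosen this deliberately, not by default.
    """
    hits = defaultdict(list)
    for ts, client, url in parse_log(log):
        if "github" in url:  # scope to the platform the article discusses
            hits[(client, url)].append(ts)

    findings = []
    for (client, url), times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings.append({
                "client": client, "url": url, "hits": len(times),
                "period_s": round(avg), "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f)
```

Treat a hit as a triage lead, not a verdict: build agents and CI runners also poll raw files on a timer, so the next step is to pull the fetched file from the proxy cache or the repository and look for content that is not what the project claims to be.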

"Abusing popular platforms like GitHub enables threat actors like Winnti to maintain network persistence between compromised computers and their servers, while staying under the radar," Pernet said.

GitHub has been notified about the problematic repository, but this is a tricky area, as the site has to be careful in how it reacts to abuse reports. It clearly doesn't want its site used by criminals to transmit malware or to commit other crimes. The GitHub terms of service are very clear on that: "You must not transmit any worms or viruses or any code of a destructive nature."

But it also doesn't want to shut down legitimate security research or educational development. Source code is a tool, and it can't be considered good or bad on its own. It's the intent of the person running the code that makes it beneficial, as when it is used for security research or defense, or malicious, as when it is used as part of an attack.

The source code for the Mirai botnet, the massive IoT botnet behind the series of crippling distributed denial-of-service attacks last fall, can be found on GitHub. In fact, multiple GitHub projects are hosting the Mirai source code, and each is marked as intended for "Research/IoC [Indicators of Compromise] Development Purposes."

That warning seems to be enough for GitHub not to touch the projects, even though anyone can now take the code and build a new botnet. The company doesn't hinge its decision-making on the possibility that source code could be misused, especially where the code first has to be downloaded, compiled, and reconfigured before it can do any harm. Nor does it scan or monitor repositories looking for projects actively being used in a harmful manner. GitHub investigates and acts on reports from users.

The same reasoning applies to the ransomware projects EDA2 and Hidden Tear. They were originally created as educational proofs of concept and posted on GitHub, but since then, variants of the code have been used in ransomware attacks against enterprises.

The Community Guidelines give a bit more insight into how GitHub evaluates potentially problematic projects: "Being part of a community includes not taking advantage of other members of the community. We do not allow anyone to use our platform for exploit delivery, such as hosting malicious executables, or as attack infrastructure, for example by organizing denial of service attacks or managing command and control servers. Note, however, that we do not prohibit the posting of source code which could be used to develop malware or exploits, as the publication and distribution of such source code has educational value and provides a net benefit to the security community."

Cybercriminals have long relied on well-known online services to host malware, trick victims, run command-and-control servers, or hide their activity from security defenses. Spammers have used URL shorteners to redirect victims to dodgy and malicious sites, and attackers have used Google Docs or Dropbox to create phishing pages. The abuse of legitimate services makes it challenging for victims to recognize attacks, and just as challenging for site operators to figure out how to keep criminals off their platforms without sweeping up legitimate users.