February 26, 2015

Two days ago, attackers allegedly associated with the fame-seeking group Lizard Squad briefly hijacked Google’s Vietnam domain (google.com.vn). On Wednesday, Lenovo.com was similarly attacked. Sources now tell KrebsOnSecurity that both hijacks were possible because the attackers seized control over Webnic.cc, the Malaysian registrar that serves both domains and 600,000 others.

On Feb. 23, google.com.vn briefly redirected visitors to a page that read, “Hacked by Lizard Squad, greetz from antichrist, Brian Krebs, sp3c, Komodo, ryan, HTP & Rory Andrew Godfrey (holding it down in Texas).” The message also included a link to the group’s Twitter page and its Lizard Stresser online attacks-for-hire service.

Today, the group took credit for hacking Lenovo.com, possibly because it was recently revealed that the computer maker was shipping the invasive Superfish adware with some new Lenovo notebook PCs (the company has since said Superfish is now disabled on all Lenovo products and that it will no longer pre-load the software).

According to a report in TheVerge.com, the HTML source code for Lenovo.com was changed to read, “the new and improved rebranded Lenovo website featuring Ryan King and Rory Andrew Godfrey.”

The Verge story notes that both men have been identified as members of the Lizard Squad; to my knowledge this has never been true. In fact, both used to be part of a black hat and now-defunct hacker collective known as Hack The Planet (HTP) along with one of the main current LizardSquad members — Julius “Zeekill” Kivimaki (for more on Julius, see these stories). However, both King (a.k.a “Starfall”) and Godfrey (“KMS”) have been quite publicly working to undermine and expose the group for months.

Reached via instant message, both King and Godfrey said the Lizard Squad used a command injection vulnerability in Webnic.cc to upload a rootkit — a set of hacking tools that hide the intruder’s presence on a compromised system and give the attacker persistent access to that system.

Webnic.cc is currently inaccessible. A woman who answered the phone at the company’s technical operations center in Kuala Lumpur acknowledged the outage but said Webnic doesn’t have any additional information to share at this time. “We’re still in the investigation stage,” said Eevon Soh, a Webnic customer support technician.


It appears the intruders were able to leverage their access at Webnic.cc to alter the domain name system (DNS) records for the Google and Lenovo domains, effectively giving them the ability to redirect the legitimate traffic away from the domains to other servers — including those under the attackers’ control.

King and Godfrey said the Lizard Squad also gained access to Webnic’s store of “auth codes” (also known as “transfer secrets” or “EPP” codes), unique and closely-guarded codes that can be used to transfer any domain to another registrar. As if to prove this level of access, the Lizard Squad tweeted what they claim is one of the codes.
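The two consequences described above (DNS records repointed at the registrar, and transfer auth codes exposed) are what a domain owner's monitoring should catch. The following is an added example, not code from this post or from Webnic: it compares a known-good baseline of a domain's NS/A/MX records and EPP status codes against currently observed values and reports the changes a registrar-level hijack produces; every hostname, address and status set is a constructed sample and no network lookups are made.

```python
# Added example, not code from the KrebsOnSecurity post: a defender-side check that
# compares a known-good baseline of a domain's DNS records and EPP status codes with
# the currently observed values and flags the changes a registrar-level hijack produces
# (NS/A/MX repointed, transfer lock dropped). All values below are constructed samples;
# nothing here performs network lookups.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    severity: str  # "critical" (registrar-level data altered) or "high" (traffic redirected)
    rtype: str     # "NS", "A", "MX" or "STATUS"
    added: tuple
    removed: tuple

_SEVERITY = {"NS": "critical", "STATUS": "critical", "A": "high", "MX": "high"}

def diff_records(baseline: dict, observed: dict) -> list:
    """One Finding per record type whose observed value set differs from the baseline.
    Both arguments map record type -> set of values; a type missing from `observed`
    is treated as an empty set, so a deleted record set is still reported."""
    findings = []
    for rtype in sorted(baseline):
        expected = set(baseline[rtype])
        actual = set(observed.get(rtype, ()))
        if expected != actual:
            findings.append(Finding(_SEVERITY.get(rtype, "high"), rtype,
                                    tuple(sorted(actual - expected)),
                                    tuple(sorted(expected - actual))))
    return findings

def transfer_lock_present(status_codes) -> bool:
    """True while the EPP clientTransferProhibited status is set. Without that lock,
    a leaked auth code is all that is needed to move the domain to another registrar."""
    return "clientTransferProhibited" in set(status_codes)

def hijack_indicators(baseline: dict, observed: dict) -> dict:
    """Summarise which record types changed and whether the transfer lock survived."""
    findings = diff_records(baseline, observed)
    return {
        "critical": [f.rtype for f in findings if f.severity == "critical"],
        "high": [f.rtype for f in findings if f.severity == "high"],
        "transfer_lock_intact": transfer_lock_present(observed.get("STATUS", ())),
    }

# Constructed sample: web and mail repointed to attacker-held hosts, lock removed.
BASELINE = {"NS": {"ns1.registrar.test", "ns2.registrar.test"}, "A": {"203.0.113.10"},
            "MX": {"mail.example.test"}, "STATUS": {"clientTransferProhibited", "clientDeleteProhibited"}}
OBSERVED = {"NS": {"ns1.hijack.test", "ns2.hijack.test"}, "A": {"198.51.100.77"},
            "MX": {"mx.hijack.test"}, "STATUS": {"clientDeleteProhibited"}}
```

In practice the observed sets would be filled from periodic DNS and WHOIS/RDAP lookups; an NS or STATUS finding means the registrar-held data itself changed, which is the signal this incident would have produced.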

Starfall and KMS say the rootkit has been removed from Webnic’s servers, meaning the Lizard Squad should no longer be able to hijack Webnic domains with the same method they used to redirect Lenovo.com or Google Vietnam.

This is not the first time these actors have messed with Webnic.cc. Web Commerce Communications Ltd. (Webnic) is a popular registrar among hacker forums and underground stores that traffic in stolen credit cards and identity information, and a great number of those sites are registered through Webnic. It was hardly a coincidence that many of the criminal storefronts which have been hacked over the past couple of years — including rescator[dot]so and ssndob — were registered at Webnic: All of the same players involved in this week’s drama were involved in those hacks as well.

31 thoughts on “Webnic Registrar Blamed for Hijack of Lenovo, Google Domains”

  1. Starfall

    I like how I repeatedly make the news without trying because script kids drop my name everywhere.

    Actually I hate it, but it’s a part of life I guess.

    1. Douglas Gourlay

      At least you don’t have paparazzi following you around on mopeds yet…

      1. Starfall

        Won’t be long if kids keep using my tools to have their fun, especially if they put my name and photos on it.

  2. broken

    I think the biggest thing to take away from this incident is the fact they had control over MX records which would allow them to route incoming mail to wherever they wanted. Not good…

    1. Starfall

      In this case, that was only possible for an hour or two. Could be much worse.

  3. Mike

    I’ve been saying that most new computers come infected right out of the box and this Superfish thing just proves it. If it were not a thing, Lenovo wouldn’t have acted the way it did. Should we be thanking someone for this revelation? Or perhaps we should just blame a “hacker” somewhere?

    The Lizard Squad isn’t doing itself any favors in the way it does things in general. The world would be better off if they would just stick to their WoW play. But then, the world would be better off if Hollywood would stick to acting and stay out of public politics and national policy making processes.

    Komodo can kiss it too with all its advertising. It’s so heavy with outside code that it isn’t even worth trying to view.

    If people want to complain about rootkits…….take it to Sony (it started with them).

    1. Jon Marcus

      Mike, I think you made a couple of mistakes. Komodo != Comodo. Komodo is the company that made the flawed implementation that SuperFish distributed. Comodo is an unrelated company that makes a firewall product. (And also is related to PrivDog, which has its own problems, but that’s a whole ‘nother story.)

      And rootkits certainly did not start with Sony. I recall someone at Bell Labs talking about messing with the C compiler to silently subvert the login command back in…the 80s, I think? Anyway, Sony’s was perhaps the most famous and egregious corporate rootkit, but the marketing bozos at Sony definitely did not invent the concept.

        1. Jon Marcus

          Whoops, that’s right. It is Komodia. Shoulda checked before I posted.

      1. Mike

        Thanks but it was actually Gizmodo (the Kinja thing) that I was thinking (I apologize to anyone named komodo…..it was early and was on my first cup of coffee….but anyway).

        I’m not going to spend time worried about the complete history of the concept of rootkits. What bothers me is that it was never any real issue until Sony did their thing. Had they not used it like that (or at all), it quite likely would have never been a second thought outside of the most extreme world of office pranks with Linux networks. It would likely rank up there with fork bombs.

        I will stand by my original sentiment though.

    2. CooloutAC

      CIH came on infected brand new IBM computers right before it was set to go off. I remember getting a virus from an HP factory printer disc years ago. So it’s definitely not out of the question. We are talking almost 20 years ago, I can only imagine how bad it is now lol.

      1. JustMe

        HP is notorious for having viruses embedded or packed with their printer software both on the disks and online drivers

        Kaspersky (yah!) notified us of the first one just by inserting the disk in the (then) CD drive back in the 90’s

        I notified them then – they did not seem impressed – and notified them multiple times on various drivers since.

        The NSA is sloppy in their work… : P

    1. CooloutAC

      I never liked Lenovo when I found out they suckered my boss I was working for at the time to buy these laptops for an obscene amount of money, that we found out had wireless CPUs.

    2. Starfall

      As far as WebNIC is involved… you don’t know the half of it (yet).

      Not sure if Brian’s interested in writing more about that, but that one runs pretty deep.

        1. Starfall

          The compromise goes as far back as last year, actually. The rootkit is my code from three years ago (I have a much nicer one and wouldn’t be caught dead using this one) and was installed on January 7th of this year. As noted before, the original vector was a shell command injection and it has in fact been patched (poorly, three separate times).

          Not sure what else to say at this point, there’s a nice long story involving us and Mr. Kivimaki but I doubt you care to hear it, and by now it’s mostly irrelevant.

          1. Jo

            If Kivimaki is a part of lizardsquad I’d love to read anything from the guy. Is he responsible for this attack from what you know?

            1. Starfall

              You can email me at reiko^neko`li if you’re interested in a full history. My PGP key is available at keybase.io/reiko

              ^ = @
              ` = .

  4. ronw

    “greetz from antichrist, Brian Krebs, sp3c, Komodo, ryan, HTP & Rory Andrew Godfrey (holding it down in Texas).”

    Wow Brian, number two spot, right after antichrist.

  5. mbi

    I purchased a Lenovo recently and was alarmed to discover Superfish which I removed immediately. As much as I don’t like adware on my machine, hacking was way too much of a response and sounds like an excuse for these hackers.

    1. Starfall

      Well of course it’s an excuse. You think people on Twitter hack for any other reason than attention? LOL

        1. Starfall

          Email me reiko at neko dot li

          I do use Postgrey, so it may take a few minutes to receive your initial message.

          1. Scarboni

            Your avatar looks like something an 8 year old girl would use.

  6. Franky

    Has anyone published the name of the rootkit used in the webnic.cc hack?

      1. Franky

        Why do you think it was Umbreon?

        I’m looking all over the news and don’t see any mention of Umbreon in connection to the webnic hack.

        1. Daniel

          Quoting Starfall from the above comments:
          “The rootkit is my code from three years ago …”
          (aka Umbreon)
