ISC.org website hacked: Scan your PC for malware if you stopped by
Cryptographically signed BIND, DHCP code safe, we're told
The website for the Internet Systems Consortium, which develops the BIND DNS and ISC DHCP tools, has been hacked.
Anyone who recently browsed ISC.org is urged to check their PC for malware as miscreants booby-trapped the site to infect visitors. The website has been replaced by a placeholder page warning netizens of the attack.
ISC.org served pages using WordPress, and either that CMS or one of its plugins or support files was exploited to compromise the web server, it seems.
We're told the source code to ISC's crucial software packages are stored on a separate server, and cryptographically signed to prove they haven't been tampered with. Its BIND DNS server and DHCP tools are widely used on the internet, and included in most Linux and Unix-flavored operating systems.
"It was just the website – and it doesn't even look like we were targeted specifically," said Dan Mahoney of the ISC Security Officer team to The Register via email on Friday. "It looks like this was just one of those exploits that happens to CMSes of this nature."
You can forgive people for being slightly jumpy about an ISC.org compromise: its software glues the internet together, and the organization runs the world's F root servers [PDF] which are at the heart of the 'net's global address book of domain names.
People visiting the .org are likely to be involved in engineering software and hardware behind the scenes of the web; compromising them with malware could give attackers access to valuable systems and possibly the tools to subvert them.
Mahoney told us that the F-root servers' "service and security is absolutely unaffected" by ISC.org's compromise.
In November, ICANN – another crucial internet body – was compromised in a spear-phishing attack, but it appears there's no connection between that infiltration and the ISC.org attack.
According to a blog post by Cyphort Labs, ISC was warned its website was serving malware on December 22; the site was scrubbed clean and replaced by a placeholder the next day.
Miscreants had managed to exploit some part of the CMS to redirect visitors to a page serving the Angler Exploit Kit. This package attempts to infect Windows PCs using security holes in Internet Explorer, Flash and Silverlight.
If it achieves remote-code execution, the malware downloads more data, decrypts it into DLL files, and runs them in memory without touching a disk. The software nasty supports 32-bit and 64-bit Windows; the code's final purpose isn't clear but we assume it's bad news for the victim.
"We're working with some security researchers to determine the state of the damage and what our next steps are, and are rebuilding with a clean database and CMS, which has unfortunate timing with regard to people's travel and vacations, which is why the placeholder page has been up longer than we'd like," Mahoney added.
"All our releases remain cryptographically signed, and checksummed, and are distributed via ftp.isc.org, which is a completely different system and houses no dynamic content." ®