Disguising Exfiltrated Data

There's an interesting article on a data exfiltration technique.

What was unique about the attackers was how they disguised traffic between the malware and command-and-control servers using Google Developers and the public Domain Name System (DNS) service of Hurricane Electric, based in Fremont, Calif.

In both cases, the services were used as a kind of switching station to redirect traffic that appeared to be headed toward legitimate domains, such as adobe.com, update.adobe.com, and outlook.com.


The malware disguised its traffic by including forged HTTP headers of legitimate domains. FireEye identified 21 legitimate domain names used by the attackers.

In addition, the attackers signed the Kaba malware with a legitimate certificate from a group listed as the "Police Mutual Aid Association" and with an expired certificate from an organization called "MOCOMSYS INC."

In the case of Google Developers, the attackers used the service to host code that decoded the malware traffic to determine the IP address of the real destination and redirect the traffic to that location.

Google Developers, formerly called Google Code, is the search engine's website for software development tools, APIs, and documentation on working with Google developer products. Developers can also use the site to share code.

With Hurricane Electric, the attacker took advantage of the fact that its domain name servers were configured, so anyone could register for a free account with the company's hosted DNS service.

The service allowed anyone to register a DNS zone, which is a distinct, contiguous portion of the domain name space in the DNS. The registrant could then create A records for the zone and point them to any IP address.

Honestly, this looks like a government exfiltration technique, although it could be evidence that the criminals are getting even more sophisticated.

Posted on August 21, 2014 at 6:08 AM • 24 Comments


WmAugust 21, 2014 7:01 AM

Interesting enough, the 'interesting article' link is timing out:

The connection has timed out
The server at www.infoworld.com is taking too long to respond.

The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

MendaxAugust 21, 2014 8:05 AM

The Infoworld link is totally unreachable anywhere. Archive.org does not have a single copy either.

"edirect" should probably read "redirect".

Scott "SFITCS" FergusonAugust 21, 2014 8:50 AM


The Infoworld link is totally unreachable anywhere. Archive.org does not have a single copy either.

Tested working here using a number of DNS providers including Google ( What DNS were/are you using and who is your ISP?

"edirect" should probably read "redirect".

GET / HTTP/1.1
Host: www.infoworld.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-au,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive

HTTP/1.1 200 OK
Date: Thu, 21 Aug 2014 13:34:47 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Drupal-Cache: HIT
Etag: "1408627828-0"
Cache-Control: public, max-age=0, public, max-age=600
Last-Modified: Thu, 21 Aug 2014 13:30:28 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie, Accept-Encoding
X-Cnection: close
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Transfer-Encoding: chunked

curl inforworld.com | grep http
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1372  100  1372    0     0    504      0  0:00:02  0:00:02 --:--:--  1214

        Click here to go to inforworld.com.
curl inforworld.com?epl=mCqU83bfycTYzb1hIeGLgVAbC8ZBQuEUyV3se_IY6oStHiBVwo9KfZEynZGucjPqn6a0eOfCzWPTjRF7kprAMd6zlFDa07nlp74WsOUeUgtG0OBM0A2dJgUh50YVdAVmVdgytV4GGBkKPjExNPT1FaKQfmoaETWGa6KkSdAAgkN6vvwAA4H0BAABAgNsKAADUxoJxWVMmWUExNmhaQpUAAADw | head -n 4
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  9 47478    9  4658    0     0   1422      0  0:00:33  0:00:03  0:00:30  3042

No cache? Google, Blekko, and the Internet archive/Wayback machine? There are others but it doesn't seem necessary to check.

Kind regards

Bob S.August 21, 2014 8:57 AM

I've always distrusted Hurricane Electric. In my opinion it's likely a government operation which besides using it as a spy platform allows crooks and hackers on board for salt.

Clive RobinsonAugust 21, 2014 11:04 AM

Part of the reason this attack worked was the fact the targeted organisations outbound firewall rules were not correctly set up...

Back in the 1990's the advise was that an administrator would not allow users computers to use anything other than the internal Organisational DNS, and that only the organisational DNS would make external requests using fixed IP addresses to "known good" external servers for the first queary... This of course caused "growing pain" problems and it thus sunk below the waves... However blocking outbound requests from clients at the firewall and using them to trigger a "potential malware" alarm would have picked this up...

roll your own snifferAugust 21, 2014 2:48 PM

Many moons ago, when Sun Microsystems was still alive producing Solaris, I wrote a little network traffic tracker using Solaris 'snoop' and Perl. With less than 25 lines of Perl code I tracked and categorized all traffic going out to the Internet. And yes, I do mean all, where it originated, and where it was going. I didn't bother with delving into the actual content, though.

Here is the kinds of things that would have raised my eyebrows:
Why is there an inordinate amount of data going OUT?
Why are there ANY DNS requests going to a server that isn't the one that's been configured?
And of course, mine looked up the IP addresses independently.

While the article mentions the DNS reroute, it doesn't mention how the data was actually sent back. Based on the URLs used, I'm guessing the data was exfiltrated as email.

This is clever, but I wouldn't put it up there as some kind of genius level hack.

65535August 22, 2014 6:22 AM

@ Bob S.

ā€œI've always distrusted Hurricane Electric.ā€ ā€“ Bob S.

I Agree.

I see a number of UDP "echo+chargen bomb(s)" and TCP "suspicious" packets from Hurricane Electric show up in customer's firewall logs - many times. I first dismissed this as a cacheing device or IPv6 tunneling device gone wild. But, I am not so sure.

I notice Hurricane Electric was formerly who owned by a French company with a number of valid IP'sā€¦ Could this be a Vupen operation?

IP address lookup

IP Address
Address type IPv4
Hostname scan-12m.shadowserver.org
ISP Hurricane Electric
Organization LaFrance Internet Services (formerly New Media)
Timezone America(UTC-7)


Bob S,August 22, 2014 7:05 AM


Cryptome (when it's up) doesn't have much use for Hurricane Electric, either.

The exploits mentioned in this article involve the same DNS mentioned here:


(sandy.thehideout.net gave me and many others the blues for a long time.)

65535August 23, 2014 10:27 AM

@ Bob S.

Good link.

The combination of Hurricane Electric and Google/NSA should be examined. Hijacking domains and abusing certs must be illegal. The only entity that could get away with it is a nation/state entity or sub-contractors to those nation/state entities.

JeffAugust 23, 2014 8:57 PM

the complaints about HE free DNS miss the point.. anyone can run a NS and serve whatever answers they want, of course. this is no different. looking at DNS queries (and not the responses) to identify malware is obviously going to have holes...

weberMarch 30, 2015 9:29 AM

I saw today that firefox.exe (esr) calls a ip adress in the netherlands for two times open/close

doing nothing in web ( startet with empty site ),waited some minutes ...then: 49189 443 3392 firefox.exe C:\Program Files (x86)\Mozilla Firefox-esr\firefox.exe

does any one know more about firefox, the secure (?) localhost service and
what meta data mozilla generally is sending to their own servers
and third parties. ?
as i stopped now all chaching and other settings in the config,
its very bad that some connections start again.

an inquiry to mozilla was answered that this info is "intern"
and not for all.(!!)

so why does the foundation advertize the best privacy ,and the corporation
does other things we may not know. ?

is it not a open system any more ?
as a mozilla ceo told us that every can look to the code and check it.
but as the code is now 70 MB and not 5 MB as in version 1.0
its clear that even good checkers will have problems to find bad code or
code which is made for agencies.

and its not fair! that mozilla aks users in the world to check their software.
are 200 Mio not enough to do this mostly alone?

mozilla blows up the browser every year more and more , not to get more secure,but to integrate more and more options to get a fulltake inkls. remote webcam data,
chat data and ohter things like "safebrowsing"
and to make it every year harder to set "false" all these new functions by default,
as they do this all in the background and very user unfriendly.
in front they advert with big pictures for little children that they are so!
secure and protect privacy.!

please write more about the meta data mozilla sends to others.
to what companies and with whom they have ralatiosnships.
yes aol, google and yahoo,we know now.

there are many opinions in my area who say that they are a NSA sub-partner.


my opinion is that we need browsers like in 2004 ,
small and simple,but more secure.
and surely not with NSAdobe inside ,as windows will do.....

MozillaMarch 30, 2015 9:54 AM

Hi Weber, Hurricane Electric in my opinion very dodgy, do you use Hotspotshield by any chance?
I agree that Mozilla has become a pain in the ass, every update that occurs reverts back alot of your about:config data in ways that are nothing but... weird

However in about:config do a search for stuff like
mozilla,firefox etc and just delete all the lines or use a hosts file or firewall to block stuff, i am experimenting with whitelist approaches and its doable.

Here is something that might get you going:
Sorry for along post:

# LOCALES START (not complete) ast.phish-error.mozilla.com ast.phish-generic.mozilla.com ast.phish-report.mozilla.com ast.malware-error.mozilla.com ast.malware-report.mozilla.com da.phish-error.mozilla.com da.phish-generic.mozilla.com da.phish-report.mozilla.com da.malware-error.mozilla.com da.malware-report.mozilla.com de.phish-error.mozilla.com de.phish-generic.mozilla.com de.phish-report.mozilla.com de.malware-error.mozilla.com de.malware-report.mozilla.com dk.phish-error.mozilla.com dk.phish-generic.mozilla.com dk.phish-report.mozilla.com dk.malware-error.mozilla.com dk.malware-report.mozilla.com en.phish-error.mozilla.com en.phish-generic.mozilla.com en.phish-report.mozilla.com en.malware-error.mozilla.com en.malware-report.mozilla.com es-cl.phish-error.mozilla.com es-cl.phish-generic.mozilla.com es-cl.phish-report.mozilla.com es-cl.malware-error.mozilla.com es-cl.malware-report.mozilla.com es-es.phish-error.mozilla.com es-es.phish-generic.mozilla.com es-es.phish-report.mozilla.com es-es.malware-error.mozilla.com es-es.malware-report.mozilla.com en-gb.phish-error.mozilla.com en-gb.phish-generic.mozilla.com en-gb.phish-report.mozilla.com en-gb.malware-error.mozilla.com en-gb.malware-report.mozilla.com en-us.phish-error.mozilla.com en-us.phish-generic.mozilla.com en-us.phish-report.mozilla.com en-us.malware-error.mozilla.com en-us.malware-report.mozilla.com es-ar.phish-error.mozilla.com es-ar.phish-generic.mozilla.com es-ar.phish-report.mozilla.com es-ar.malware-error.mozilla.com es-ar.malware-report.mozilla.com es-mx.phish-error.mozilla.com es-mx.phish-generic.mozilla.com es-mx.phish-report.mozilla.com es-mx.malware-error.mozilla.com es-mx.malware-report.mozilla.com fi.phish-error.mozilla.com fi.phish-generic.mozilla.com fi.phish-report.mozilla.com fi.malware-error.mozilla.com fi.malware-report.mozilla.com fr.phish-error.mozilla.com fr.phish-generic.mozilla.com fr.phish-report.mozilla.com fr.malware-error.mozilla.com fr.malware-report.mozilla.com fy-nl.phish-error.mozilla.com fy-nl.phish-generic.mozilla.com fy-nl.phish-report.mozilla.com fy-nl.malware-error.mozilla.com fy-nl.malware-report.mozilla.com he.phish-error.mozilla.com he.phish-generic.mozilla.com he.phish-report.mozilla.com he.malware-error.mozilla.com he.malware-report.mozilla.com hu.phish-error.mozilla.com hu.phish-generic.mozilla.com hu.phish-report.mozilla.com hu.malware-error.mozilla.com hu.malware-report.mozilla.com it.phish-error.mozilla.com it.phish-generic.mozilla.com it.phish-report.mozilla.com it.malware-error.mozilla.com it.malware-report.mozilla.com ja.phish-error.mozilla.com ja.phish-generic.mozilla.com ja.phish-report.mozilla.com ja.malware-error.mozilla.com ja.malware-report.mozilla.com ja-jp-mac.phish-error.mozilla.com ja-jp-mac.phish-generic.mozilla.com ja-jp-mac.phish-report.mozilla.com ja-jp-mac.malware-error.mozilla.com ja-jp-mac.malware-report.mozilla.com ko.phish-error.mozilla.com ko.phish-generic.mozilla.com ko.phish-report.mozilla.com ko.malware-error.mozilla.com ko.malware-report.mozilla.com lv.phish-error.mozilla.com lv.phish-generic.mozilla.com lv.phish-report.mozilla.com lv.malware-error.mozilla.com lv.malware-report.mozilla.com nb-no.phish-error.mozilla.com nb-no.phish-generic.mozilla.com nb-no.phish-report.mozilla.com nb-no.malware-error.mozilla.com nb-no.malware-report.mozilla.com no.phish-error.mozilla.com no.phish-generic.mozilla.com no.phish-report.mozilla.com no.malware-error.mozilla.com no.malware-report.mozilla.com nn-no.phish-error.mozilla.com nn-no.phish-generic.mozilla.com nn-no.phish-report.mozilla.com nn-no.malware-error.mozilla.com nn-no.malware-report.mozilla.com pa-in.phish-error.mozilla.com pa-in.phish-generic.mozilla.com pa-in.phish-report.mozilla.com pa-in.malware-error.mozilla.com pa-in.malware-report.mozilla.com pl.phish-error.mozilla.com pl.phish-generic.mozilla.com pl.phish-report.mozilla.com pl.malware-error.mozilla.com pl.malware-report.mozilla.com pt-br.phish-error.mozilla.com pr-br.phish-generic.mozilla.com pr-br.phish-report.mozilla.com pr-br.malware-error.mozilla.com pr-br.malware-report.mozilla.com rm.phish-error.mozilla.com rm.phish-generic.mozilla.com rm.phish-report.mozilla.com rm.malware-error.mozilla.com rm.malware-report.mozilla.com ru.phish-error.mozilla.com ru.phish-generic.mozilla.com ru.phish-report.mozilla.com ru.malware-error.mozilla.com ru.malware-report.mozilla.com se.phish-error.mozilla.com se.phish-generic.mozilla.com se.phish-report.mozilla.com se.malware-error.mozilla.com se.malware-report.mozilla.com sk.phish-error.mozilla.com sk.phish-generic.mozilla.com sk.phish-report.mozilla.com sk.malware-error.mozilla.com sk.malware-report.mozilla.com sl.phish-error.mozilla.com sl.phish-generic.mozilla.com sl.phish-report.mozilla.com sl.malware-error.mozilla.com sl.malware-report.mozilla.com th.phish-error.mozilla.com th.phish-generic.mozilla.com th.phish-report.mozilla.com th.malware-error.mozilla.com th.malware-report.mozilla.com zh-tw.phish-error.mozilla.com zh-tw.phish-generic.mozilla.com zh-tw.phish-report.mozilla.com zh-tw.malware-error.mozilla.com zh-tw.malware-report.mozilla.com malware-error.mozilla.com malware-report.mozilla.com phish-error.mozilla.com phish-generic.mozilla.com phish-report.mozilla.com
# LOCALES END accounts.firefox.com activations.mozilla.com activations.mozilla.org activations.mozilla.or addons.cdn.mozilla.net addons.mozilla.com addons.mozilla.org api.accounts.firefox.com apps.mozillalabs.com aus0.mozila.org aus1.mozilla.org aus2.mozilla.org aus3.mozilla.org aus4.mozilla.org aus5.mozilla.org aus6.mozilla.org aus7.mozilla.org aus8.mozilla.org aus9.mozilla.org auth.services.mozilla.com autoconfig.thunderbird.net autoconfig-live.mozillamessaging.com blocklist.addons.mozilla.org broker-live.mozillamessaging.com code.cdn.mozilla.net crash-stats.mozilla.com dnt.mozilla.org domain-search.domaintools.com dtex4kvbppovt.cloudfront.net en-us.phish-error.mozilla.com en-us.phish-generic.mozilla.com en-us.malware-error.mozilla.com en-us.malware-report.mozilla.com en-us.phish-report.mozilla.com fhr.cdn.mozilla.net fhr.data.mozilla.com firefox.com firefoxflicks.com ftp.mozilla.org gaming.mozillalabs.com getfirefox.com heatmap.mozillalabs.com hg.mozilla.org incoming.telemetry.mozilla.org input.mozilla.org live.mozillamessaging.com live.thunderbird.net loop.services.mozilla.com marketplace.firefox.com mixi.jp mozilla.com mozsocial.cliqz.com mxr.mozilla.org nightly.mozilla.org now.msn.com opensearch-live.mozillamessaging.com pfs.mozilla.org planet.mozilla.org publicsuffix.org push.services.mozilla.com services.addons.mozilla.org services.mozilla.com setup.services.mozilla.com snippets.cdn.mozilla.net snippets.mozilla.com soft-start.loop.services.mozilla.com static.mozilla.com static-san.mozilla.org stun.services.mozilla.com support.live.mozillamessaging.com support.mozilla.org support.mozillamessaging.com telemetry-experiment.cdn.mozilla.net tiles.services.mozilla.com token.services.mozilla.com tracking.services.mozilla.com uptime.netcraft.com versioncheck-bg.addons.mozilla.org versioncheck.addons.mozilla.org webmaker.mozillalabs.com videos-cdn.mozilla.net videos.mozilla.org www.dnsstuff.com www.firefox.com www.firefoxflicks.com www.getfirefox.com www.gravatar.com www.publicsuffix.org www.mibbit.com www.mozilla.com www.mozilla.org whois.domaintools.com

MozillaMarch 30, 2015 10:25 AM

Weber, btw that ip took me to new.startpage.com which at least looks like
www.startpage.com so probably same or similar to that search engine, intresting that its hosted by Hurricane Electric

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.