Batu69 Posted September 23, 2015

Malicious code injected in Imgur images used a Reddit thread to bombard 4chan servers with millions of requests

A Reddit user has uncovered a covert method of carrying DDOS attacks on 4chan's infrastructure using images hosted on Imgur, via Reddit.

According to Reddit user rt4nyp, who discovered the vulnerability, every time an Imgur image was loaded on the /r/4chan sub-reddit, over 500 other images were also loaded in the background, images hosted on 4chan's CDN.

Since traffic on 4chan is quite huge as is, getting some extra connections from Reddit pushed 4chan's servers over the edge, crashing them several times during the day. Additionally, 8chan, a smaller 4chan spin-off, was also affected and suffered some downtime as well.

Malicious code was being loaded with Imgur images

Reddit user rt4ny was alerted that something was amiss when he noticed that Imgur images on Reddit were loaded as inlined base64 data. Taking a closer look at the base64 code, he observed that a small piece of JavaScript code was added at the end, which had no business being there.

This code secretly stored the "axni" variable in the browser's localStorage, which was set to load another JavaScript file from "4cdns.org/pm.js." This is not 4chan's official CDN, but a domain registered to closely resemble the real deal, which was taken down in the meantime.

When refreshing the original image that loaded the "axni" variable, the malicious code would not be loaded again, a measure taken to avoid detection. Additionally, also to avoid detection, the JS file stored on "4cdns.org/pm.js" could not be loaded directly in the browser.

Loading 500+ 4chan images inside a hidden iframe

Analyzing the pm.js file, rt4ny found that it loaded an iframe outside the user's view with the help of some clever CSS off-screen positioning tricks, inside which the hundreds of 4chan images were being loaded, along with a 142 KB SWF file.

Imgur was contacted about this issue, and fixed it on the same day.

"Yesterday a vulnerability was discovered that made it possible to inject malicious code into an image link on Imgur," said the Imgur team. "From our team’s analysis, it appears the exploit was targeted specifically to users of 4chan and 8chan via images shared to a specific sub-reddit on Reddit.com using Imgur’s image hosting and sharing tools."

It's a sad day for humanity when we see hackers combine the three best sites on the Internet to find cat GIFs into such wicked and immoral ways.

@GranPC Hi there, thanks for bringing this to our attention, we're currently working on a solution. — Imgur (@imgur) September 21, 2015

@skooooch @imgur pic.twitter.com/HB9WzCXzQ9 — Gran PC (@GranPC) September 21, 2015

Cereberus Posted September 23, 2015

wow this sux..... imgur is really popular cause ease of use and reliability.

so if the fav site you visits posts one malicious pic from imgur, you have no choice but to blacklist imgur from that site where that 1 infected pic from imgur was posted.

can still use imgur on other sites though as long as that offending image doesn't pop up on other site as well....

but there is just no way to flag that specific img or images hosted from imgur, without black listing the entire imgur service .....

i hope imgur will then actively scan their servers to remove malicious images so that this does not happen -_-

steven36 Posted September 23, 2015

> wow this sux..... imgur is really popular cause ease of use and reliability.
> so if the fav site you visits posts one malicious pic from imgur, you have no choice but to blacklist imgur from that site where that 1 infected pic from imgur was posted.
> can still use imgur on other sites though as long as that offending image doesn't pop up on other site as well....
> but there is just no way to flag that specific img or images hosted from imgur, without black listing the entire imgur service .....
> i hope imgur will then actively scan their servers to remove malicious images so that this does not happen -_-

Back in the old days picture hosts used to also ban sites themselves. This is the reason many sites only allow one or 2 image hosts, because something like this could happen. Before, they posted images from a site on here that was banned by Google and Google started banning this site. ;)

A person can't be ddos, only a site can. This is only a 4chan problem which imgur says they fixed already. I believe them, I use imgur all the time, I never had any problem.

Also ddos attacks have been found linked to TPB and everywhere else .. But I doubt TPB even has fixed it. :P

When i go visit 4chan its working fine its not down?

If you read here: These sites are known DDOS each other most likely they do this to kill out the completion :s

Eliminate the competition? Reddit doesn't allow slimgur links, and has helped ddos Voat before, so it's been done this year and in the past.

well with 4chan just being sold to Nishimura who has been known to DDOS competition !!

https://www.reddit.com/r/4chan/comments/3lutoo/imgur_is_doing_fishy_things_with_4chan_screencaps/

For years and years people have been able to put stuff in pictures and you could open them with winrar and get it out. They expect this was done the same way.

straycat19 Posted September 23, 2015

> so if the fav site you visits posts one malicious pic from imgur, you have no choice but to blacklist imgur from that site where that 1 infected pic from imgur was posted.

You didn't read the article. Imgur fixed it the day it was found and the malicious server was taken down, so even if you had an infected image it can't do anything with the code because there is nowhere for it to get its data from.

> For years and years people have been able to put stuff in pictures and you could open them with winrar and get it out . They expect this was done the same way .

Not the same, you are talking about steganography which is injecting data into an image. Winrar has nothing to do with it. Matter of fact, unless you knew it was there and what software was used to inject it, you would never have access to the data. This imgur hack was done by using base64 code added to an image file which is a simple process of adding data to the end of the file that JavaScript sees and then executes. Nothing new here, same old processes we used to create viruses back in the late 80s and early 90s by adding code to the end of an exe file, just new concepts using newer software. This is also the same process some software developers are using to mark their software downloads by registered users so they can tell who illegally uploads the files.

steven36 Posted September 23, 2015

> > so if the fav site you visits posts one malicious pic from imgur, you have no choice but to blacklist imgur from that site where that 1 infected pic from imgur was posted.
>
> You didn't read the article. Imgur fixed it the day it was found and the malicious server was taken down, so even if you had an infected image it can't do anything with the code because there is nowhere for it to get its data from.
>
> > For years and years people have been able to put stuff in pictures and you could open them with winrar and get it out . They expect this was done the same way .
>
> Not the same, you are talking about steganography which is injecting data into an image. Winrar has nothing to do with it. Matter of fact, unless you knew it was there and what software was used to inject it, you would never have access to the data. This imgur hack was done by using base64 code added to an image file which is a simple process of adding data to the end of the file that JavaScript sees and then executes. Nothing new here, same old processes we used to create viruses back in the late 80s and early 90s by adding code to the end of an exe file, just new concepts using newer software. This is also the same process some software developers are using to mark their software downloads by registered users so they can tell who illegally uploads the files.

Either way, if an A hole puts malware in them or adding data to the end of the file, it takes an A hole to do it. This is why you upload your own images from places that direct link them. But in a world where people steal links to images and filehosts it's always been dangerous. I remember using Kaspersky years ago and it flagging images with malware that was much worse than something that is targeted for DDOS.

212eta Posted September 23, 2015

Never liked Imgur... :whistle:

steven36 Posted September 23, 2015

> Never liked Imgur... :whistle:

It don't matter what you like, any image host can be hacked.

As you may have noticed, a lot of spam exists for the specific purpose of tricking you into visiting a particular website--often one that intends to download malware. Images can play a big part of that.

You probably already know not to click a link in a suspicious email, but photos can be embedded in emails as they are in webpages—and do their dirty work when you open the mail. Fortunately, most modern mail clients don't display such pictures by default. Best to keep it that way.

Another trick is the double extension, which takes advantage of Windows' file-naming conventions. If a file is named adorable.jpg.exe, most Windows computers will display it as adorable.jpg. Most users, therefore, will think it a harmless image file, even though it's really an executable program. And when you run the program, it probably will show you an adorable picture...while it infects your PC.

And finally, there's steganography, which in a digital context means the art of hiding data in another type of file. A .jpg can easily contain additional bits interwoven within the image, without noticeably affecting the image's appearance. That additional data can include code, which is encrypted to make it harder to identify.

Luckily, such an altered image can't do much by itself. No image viewer will see or know what to do with that code, even if it isn't encrypted. But malware developers often break up their code into multiple pieces and distribute them separately to avoid detection. The information hidden in a picture could contain instructions useful to another piece of malware on your computer. See Zeus banking malware hides crucial file inside a photo for one recent example.

How do you protect yourself? Giving up on images seems a bit extreme. There are better methods.

Keep your operating system, browser, and antivirus software up-to-date. Of course, you should be doing that already.

Be wary of photos whose origins you don't know.

And finally, have Windows show you file extensions so you won't be fooled. In Start menu's Search field, or in Windows 8's Search charm, type folder options. Select Folder Options. On the View tab, uncheck Hide extensions for known file types.

http://www.pcworld.com/article/2105408/3/watch-out-for-photos-containing-malware.html

This info is from 2014 but this stuff has been happening for a very long time.

Cereberus Posted September 23, 2015

hm... mbam is now auto blocking imgur..... wonder when that will change ;_;

212eta Posted September 24, 2015

> It dont matter what you like any image host can be hacked ,

Good Lord. I was simply joking. :o