Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Evict Hackers

30 Dec 09   Filed in General with 1 Comment

Last week, I wrote about the latest mutation of the website hack that has been active (mostly in the form of iframe injections) throughout this year. I mentioned that, for some reason, all malicious domain names had been mapped to IP addresses on LeaseWeb and OVH networks. Moreover, LeaseWeb hosted a central site, mdvhost .com (hidden behind reverse proxies), for at least 3 months.
LeaseWeb reaction »»

Tweet Week: Dec 21-27, 2009

28 Dec 09   Filed in Tweet Week with 1 Comment

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Dec 23, 2009

Christmas theme: who-is-santa-2010 (dot) com – domain name of one scareware site

Dec 24, 2009

Response to my blog post from LeaseWeb

Dec 25, 2009

Sophos on the “GNU GPL” malicious script (Troj/JSRedir-AK)

If you want more real-time experience, you can follow @UnmaskParasites on Twitter.

From Hidden Iframes to Obfuscated Scripts

23 Dec 09   Filed in Website exploits with 52 Comments

In December, I noticed that the ubiquitous hidden iframes that had been the prevailing site hack this year seemed to have gone. Unmask Parasites now finds them on very few sites. And even on infected sites, I see only old domains, while this attack is known for introducing at least one new domain every day and for frequently updating the iframe code on infected sites.

At the same time, I noticed a new type of obfuscated script injected into hacked websites. And I believe it’s a new incarnation of the same attack that previously injected hidden iframes.
Here’s the story »»

Tweet Week: Dec 14-20, 2009

20 Dec 09   Filed in Tweet Week with 1 Comment

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Updates: WP 2.9 and FF 3.5.6, Adobe vulnerability, scareware and $150m, plus an insightful discussion »»

List of Gumblar Zombie URLs

18 Dec 09   Filed in Website exploits with 12 Comments

My list of Gumblar zombie URLs, which I originally posted and updated in the Revenge of Gumblar Zombies article, has already reached 1,400+ items, which makes that web page too heavy.

I decided to move the list to a separate page to make the original post less cluttered. At the same time, the list remains searchable via major search engines, so webmasters of compromised sites will be able to find this page, which contains a direct link to the post with Gumblar infection details and removal instructions.

The Gumblar infection is pretty sophisticated, and removing the malicious code is usually not enough to completely clean up your site. If this page contains a URL that was part of the suspicious code injected into your site’s web pages and .js files, make sure to read the following post.
The list »»

Intermediaries to Torpig Attack Sites

15 Dec 09   Filed in Website exploits with 1 Comment

In the previous post, I reviewed a website hack that injected malicious scripts which used the Twitter API to generate domain names for attack sites. The domain names of the attack sites changed twice a day.

However, since the malicious script works on the client side, the algorithm of the domain name generator can be easily extracted and used to predict upcoming malicious domains. To demonstrate this, I created my online “Torpig Domain Generator”, which displays the currently used attack site and the domains of the next two attack sites. It has been working for more than a week now and so far it is very accurate. (For an unknown reason, the hackers didn’t activate the malicious domains this past Saturday, but infected sites still redirected to the same domains predicted by my generator.)

The fact that the algorithm is open and the domain names of the upcoming malicious sites are known even before the hackers register them means that anyone who wants to stop the attack can pre-register those domains (so far, it looks like no one has a spare $20/day for this). The same algorithm can be used to proactively blacklist malicious domain names.
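As an added illustration (this is not code from the original post, and not the actual Torpig generator, which seeded itself from Twitter search results), the Python sketch below uses a hypothetical generator seeded only by the UTC date and an AM/PM flag. It shows why an open, deterministic client-side algorithm lets a defender compute exactly what the malware will compute: the current attack domain, the next two, and a blocklist for the coming week. The domain length, the .com TLD and the use of SHA-256 are assumptions made for the example.

```python
"""Why a client-side domain generation algorithm (DGA) is predictable.

Hypothetical example: the real script seeded its generator from Twitter
search results; here the seed is just the UTC date plus an AM/PM flag,
hashed with SHA-256. The shape of the problem is the same: every input
is public, so a defender can compute the same domains the malware will.
"""
import hashlib
from datetime import datetime, timedelta, timezone

PERIOD_HOURS = 12   # the attack domains changed twice a day
DOMAIN_LENGTH = 8   # assumed for the example; not stated on the page
TLD = ".com"        # assumed for the example


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Build a tz-aware UTC datetime (convenience for callers and tests)."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def period_seed(when: datetime) -> str:
    """Seed string for the 12-hour period containing `when`.

    Naive datetimes are treated as UTC; aware ones are converted to UTC.
    """
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    when = when.astimezone(timezone.utc)
    half = when.hour // PERIOD_HOURS      # 0 = 00:00-11:59, 1 = 12:00-23:59
    return f"{when:%Y-%m-%d}:{half}"


def generate_domain(when: datetime) -> str:
    """Hypothetical DGA: map the first bytes of a hash of the seed to a-z."""
    digest = hashlib.sha256(period_seed(when).encode()).digest()
    letters = "".join(chr(ord("a") + b % 26) for b in digest[:DOMAIN_LENGTH])
    return letters + TLD


def current_and_upcoming(now: datetime, upcoming: int = 2) -> list[str]:
    """The current attack domain followed by the next `upcoming` ones."""
    step = timedelta(hours=PERIOD_HOURS)
    return [generate_domain(now + i * step) for i in range(upcoming + 1)]


def blocklist(start: datetime, days: int) -> list[str]:
    """Every domain the generator will produce over `days` days from `start`.

    This is the proactive-blacklisting use: the list can be pushed to a
    proxy or DNS filter before the attacker has registered any of them.
    """
    step = timedelta(hours=PERIOD_HOURS)
    periods = days * 24 // PERIOD_HOURS
    return [generate_domain(start + i * step) for i in range(periods)]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for label, dom in zip(("current", "next", "after next"), current_and_upcoming(now)):
        print(f"{label:>10}: {dom}")
    print(f"7-day blocklist: {len(blocklist(now, 7))} domains")
```

Everything the generator consumes is observable by anyone who can read the injected script, which is exactly why the post notes that pre-registration or blacklisting is possible. Hiding the generator behind a server-side redirector, as the post goes on to describe, removes that visibility.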

I’m sure the hackers are aware of these downsides of open algorithms. Now they are trying to keep the advantage of frequently changing pseudorandom domain names while hiding the domain generation algorithm behind intermediary redirector servers.
Here’s the story »»

Tweet Week: Dec 7-13, 2009

13 Dec 09   Filed in Tweet Week with Comments Off on Tweet Week: Dec 7-13, 2009

Selected short messages and links you might have missed if you don’t follow me on Twitter.

malware in error pages, torpig domains, black hat SEO »»

Twitter API Still Attracts Hackers

09 Dec 09   Filed in Website exploits with 8 Comments

A few weeks ago I blogged about hacked sites where malicious scripts used the Twitter API to generate domains for new attack sites and trigger “drive-by” downloads.

As you might remember, I mentioned that the script was buggy (it failed to work on certain days) and that the approach didn’t look viable in the long term, since it required the hackers to manually register one new domain name every day. As a result, in November this vector looked abandoned (I couldn’t find active, or even registered, malicious domains).

However, hackers seem to be die-hard fans of Twitter and don’t want to give up on the idea.

A few days ago I found a blacklisted site where search.twitter.com was mentioned as an intermediary in malware distribution. The Safe Browsing diagnostic pages also mentioned fresh (beginning of December) malicious domains that were definitely generated by the above-mentioned script. No wonder: on the infected site I found the familiar script. Actually, it was not the same script, but an improved version of it.
So what’s new? »»

Tweet Week: Nov 30 – Dec 6, 2009

06 Dec 09   Filed in Tweet Week with Comments Off on Tweet Week: Nov 30 – Dec 6, 2009

Selected short messages and links you might have missed if you don’t follow me on Twitter.

IE and Typo3 vulnerabilities, WordPress attack, Twitter API in malicious scripts »»

Unmask Parasites. A Year of Blogging.

02 Dec 09   Filed in General with 4 Comments

A year ago, on December 1, 2008, I published my first post on this blog. Its title was “Let’s Unmask Parasites”.

Working on the Unmask Parasites service, I could easily spot prevalent threats and trends in malware attacks. I used this information to help webmasters of hacked sites on various security-related forums and newsgroups. However, the forum format means that you answer similar questions again and again, which is very inefficient. That’s why I decided to publish information about prevalent website security problems here. This way I can write detailed information once and then just link to my articles in my forum answers.

Continue »» (Round-up of what happened to this blog this year. Stats and facts.)