
Unmask Parasites. A Year of Blogging.

   02 Dec 09   Filed in General

A year ago, on December 1, 2008, I published my first post on this blog. Its title was “Let’s Unmask Parasites”.

Working on the Unmask Parasites service, I could easily spot prevalent threats and trends in malware attacks. I used this information to help webmasters of hacked sites on various security-related forums and news groups. However, the forum format assumes that you answer similar questions again and again, which is very inefficient. That’s why I decided to publish information about prevalent website security problems here. This way I could write detailed information once and then just link to my articles in my forum answers.


This approach worked great for me. The very first post about .htaccess redirects to bogus anti-virus sites became pretty popular. I didn’t have to waste my time duplicating the same answers again and again (there were several questions a day from owners of affected sites at that time; one year later, there are still many sites hacked this way). Soon enough, my posts started to attract visitors from search engines. As a result, one blog post could help many more webmasters than several similar posts on specialized forums.

Helping webmasters

My blog is not an average security blog that talks about new threats. It is not for security specialists (they usually know more than me about the topics I cover here). It is for webmasters who want to keep their site secure. For people who work hard to build their websites and then find out that all their efforts can be easily ruined by hackers. In my posts about hacker attacks, I try to include information about how to detect breaches, clean up web sites, remove malware warnings, and prevent future break-ins. I also try to explain what makes those attacks possible and why hackers target legitimate web sites.

And even if I don’t have some information about a specific attack, I always encourage my readers to share their information in comments. This worked particularly well for posts about Gumblar and Goscanpark meta redirects, where comments sections are probably more informative than the posts themselves. Thanks guys.

Security problems of a security blog

While most of my posts are based on the information I collect investigating security issues of third-party sites, there had been a real security problem with my own blog. It was originally hosted on a shared server that happened to be hacked (not my blog, but the whole server) back in May. It was a nasty elusive problem that my hosting provider couldn’t resolve for almost two weeks. Finally, we managed to locate the malicious process and the backdoor script.

To share details about this incident, I posted an article about the Beladen exploit, which happened to affect many other shared web servers too. This was a lesson for me: in a shared hosting environment your site’s security depends on the security of other websites hosted on the same server. As a result, I moved my blog from shared hosting to a virtual private server (VPS) where I can control (virtually) everything. Of course, now I pay more money for the blog hosting and have to maintain the server myself, but I’m much more confident that my blog is not dangerous for my readers (I take it seriously).

False positives

There had also been a problem with false warnings from certain anti-virus programs. Quite frustrating to see anti-virus programs with flaws in detection algorithms keeping webmasters away from the articles that could help them remove malware from their sites and stop infecting their site visitors’ computers.

In my articles, I post snippets of malicious code that hackers inject into legitimate web pages. I don’t post screenshots of the malicious code like many other security blogs do. The purpose of my articles is to help webmasters of compromised blogs resolve their security issues. So I want them to be able to find my blog when they Google for parts of suspicious code they find inside their web pages. Many webmasters find my blog this way.

I realize the danger of the malicious code that I post. That’s why I slightly garble it, making it non-executable if copy-pasted into HTML. Nonetheless, some anti-virus programs confuse such code with real malicious code (their detection algorithms are imperfect). After each report about false positives from my blog readers, I had to garble code samples even more until the false warnings went away.

Reader contributed information.

For my posts, I investigate every case myself. However, I can’t gather complete information without internal access to compromised websites (I’m not a hacker and never break into third-party websites). That’s why I’d like to thank people (webmasters, hosting providers, security researchers, etc.) who email me and share internal details about the hacks. Your help is indispensable.

Readers’ comments are also a very important part of this blog. They usually add missing bits to my posts. Sometimes comments sections are more informative than corresponding articles. That’s great! I’m glad to provide a place for fruitful discussions.

I’d also like to thank my readers who allowed me to post their emails on my blog. Here are the two articles based on their emails:

If you want to see your articles published on this blog, don’t hesitate to contact me. Guest posts are welcome!

In the news

Several posts from this blog have made it into major press. You can find references to my articles on sites of the New York Times, Washington Post, The Register, CNet, ComputerWorld, SC Magazine, etc. (click here for the full list). The Internet security community (e.g. StopBadware.org, Google Online Security blog, IBM Internet Security Systems, Sophos, etc.) also actively links to this blog. I consider it proof of the quality of the original content that I post here.

Stats and facts.

So a year has passed. Looking back, I can share some interesting (or maybe boring) stats and facts.

60 posts in 5 categories (114 tags)

122,000+ visits from 178 countries (literally from all over the world), but mainly from the United States (30%), United Kingdom (8%) and India (6%).

41% of visitors came from search engines (mainly from Google – 97%)

1,800+ sites referred visitors to this blog.

The most active referrers were:

Most popular keywords that sent me visitors from search engines:

  • gumblar
  • gumblar .cn
  • martuz .cn
  • martuz
  • gifimg.php

They are all related to the Gumblar attack and account for 13,000+ visits.

No wonder, my original article about Gumblar is the most visited article on this blog (55,000+ visits). If I sum up visits to all my articles about Gumblar, it will be almost 79,000 visits. The new incarnation of the Gumblar attack is still active so these statistics will only increase.

The second most visited article is Malicious “Income” IFrames from .CN Domains (21,000+ visits). It was my first article about the iframe injection attack that uses stolen FTP credentials. This attack evolved over time and I frequently posted updates. All posts on this topic have been visited more than 40,000 times.

Among other popular topics are redirects to scareware sites and Beladen/Goscanpark server-wide exploits.

750+ approved comments

Most discussed posts:

News feed: Feedburner currently reports about 450 subscribers. Not bad for a specialized blog. If you have a site that you want to protect from hackers or you are simply into website security, consider subscribing too. You can read this blog’s updates in your favorite RSS reader or in your good old email client. You can also follow me on Twitter.

Looking into the future

I actively develop Unmask Parasites and participate in various security forums, so there is no shortage of topics to cover here. If I had enough time I would post interesting information every day. However, in the real world, many posts take at least 2-3 days of research, sometimes a few weeks, so I struggle to publish at least 2-3 original posts a month.

Hope I’ll be able to find enough time and incentive to keep on blogging at this pace. And if you want to see me motivated, please provide your feedback: leave comments, suggest topics, ask questions, share your information, and spread the word — this helps me concentrate on blogging ;-)

Read my blog. Keep your sites secure.

Your,
Denis Sinegubko

If you like this blog, you might also want to check my free online service called Unmask Parasites. It helps webmasters solve security problems by revealing hidden illicit content in their web pages.

Reader's Comments (4)

  1.

    [...] This post was mentioned on Twitter by Denis and Oscar, Gumblar. Gumblar said: Blog: Unmask Parasites. A Year of Blogging. | Unmask Parasites. Blog. http://bit.ly/7EqGWn [...]

  2.

    Thanks man, reckon you’ve saved me my job with the gumblar stuff!!! Keep up the good posts.

    T…

  3.

    Congratulations, Denis! We appreciate your ongoing contribution to the fight against badware. We hope to see more of you around the SBW/BadwareBusters community over the next year!

  4.

    Congratz, Denis. I hope that all this information will never end, and why not… maybe in future you will write more.. :)