Preamble

Back in May, I blogged about how criminals massively poisoned Google Image search results. They exploited a flaw in the image search ranking algorithm that allowed even small sites to hijack top positions simply hot-linking to popular images and using some keyword-reach texts (even completely unintelligible word sequences). In most cases, Google preferred such outright spammy pages to reputable websites that actually hosted the images (and usually were the copyright owners of them).

The whole situation was so bad that at the peak days (end of April – beginning of May) there had been millions of clicks on poisoned search results every day. Fortunately, Google has finally noticed the problem and started to blacklist hacked sites with doorway page and remove them from search results. In the Technology Review article, Google spokesman says “[Google] has since reduced the number of malicious links in image searches by 90 percent from peak levels“, which actually matches my personal observations and the statistics that I have.

The same spokesperson also emphasized that “[Google] continues to plug holes in its algorithms to head off new methods of attack.”

While the amount of malicious (poisoned) image search results indeed has been significantly reduced, the original flaw in the ranking algorithm doesn’t seem to have been [properly] fixed. This post will be about a massive spam campaign that still flourish in Google Image search.

Spammy Blogger blogs

I noticed that group of Blogger blogs three months ago when I investigated the Image poisoning attack. The blogs were not malicious, just spammy, but they exploited the same flaw in Google Image search.

There are several thousand such blogs with more than a hundred (usually more than a thousand) posts in each. They managed to significantly pollute Image search results. The most spammed niches are hairstyles, wallpapers, and the ultimate “leader” is the the tattoo theme. Literally, every possible search query on tattoos in Google Image search returns quite a few results from those spammy blogspot.com blogs.

(Results in orange frames link to spammy blogs)

All those blogspot.com blogs follow the same pattern: hundreds of machine-generated spammy posts with hot-linked images. Each blog post targets some particular keywords, e.g “maori tattoo art“, “quote tattoo“, etc. and consists of several (usually 20) hot-linked images (top results for corresponding image searches) and short descriptions (apparently also extracted from search results) that make very little sence, for example “famous tattoo quotes somebody’s neck tattoo, to see quotes and phrases“.

Immigrationvoice & Macrumors

At some point, to “spice up” their blog post with more text, the spammers began to inserts completely unrelated excerpts from the immigrationvoice.org forum and from forums.macrumors.com. For example, try to Google for ["we have to make USCIS more transparent and effective"] or ["My question is when we try shaking two iPhones catching"] and check all the blogspot.com and zimbio.com results (see more about zimbio bellow).

Aggressive and shady ads

When you visit those blogs (with enabled scripts. not recommended though), it’s quite clear what was the whole idea behind this campaign. Search traffic is supposed to be monetized using aggressive advertisement placement. All blogs contain various banners and pop-ups that occupy the whole screen, moving the actual content of the blogs below the fold.

The most commonly used ad providers and “traffic boosters” :

• 777seo .com
• Paid-to-promote .net
• home-sd .com
• besthitsnow .com
• adultfriendfinder .com
• 2leep .com
• ptp4ever .net
• adv .blogupp .com
• ymads .com
• cdl .deplayer .net
• www .trafficrevenue .net
• ads .clicksor .com
• blueadvertise .com
• blueptp .com
• picadmedia .com
• adsensecamp .com
• advpoints .com
• ad .ad-u .com

Many of them have quite a questionable reputation (including malware distribution).

AdSense ads

Some of the blogs (about 1%) contain Google AdSense HTML blocks. However, their AdSense accounts seem to have been blocked already — they won’t show (Google generates empty iframes for them), which probably made them switch to shady ad providers at some point.

Multiple accounts

While all those blogs have individual templates, individual Blogger accounts, and individual accounts on ad networks, it is absolutely clear that they belong to the same people.

Why bother with so many accounts? Obviously to make it difficult to discover and shut down the whole network of splogs. If Blogger blocks one account, if won’t affect thousands of other blogs. If some ad provider suspends one suspicious account — not a big deal — it only contains few bucks and there are still many other accounts.

(Actually, Blogger is in the process of removing those spammy blogs. Out of more than 5,000 unique blogs from my list, more than 2,000 have already been removed by Blogger. Google still returns links to those removed blogs in search results though…)

But doesn’t it mean too much manual work to register thousands account when most services have CAPTCHAs and verification processes in place? As Brian Krebs writes on his recent blog post, there are many services where you can buy thousands of verified accounts or outsource account registration to low-wage workers in poor countries.

Zimbio.com & onsugar.com

Big sites like Zimbio.com and onSugar.com seem to have decided to piggyback on the same Google Images flaw and the existing network of spammy blogspot.com blogs.

They do it under the disguise of “user generated content”. For example, Zimbio allows users to import existing blogs into Zimbio articles (in exchange for the link to the original blog). So what we have now is thousands of fake Zimbio users with corresponding spammy blogspot.com blogs. Each blog post is republished by Zimbio, but now with their own ads. And because of the Zimbio.com domain reputation, they easily hijack search results that had been previously hijacked by the spammy blogs.

Here you can see, what I’m talking about:

• http://www.zimbio .com/Desktop+Wallpaper (I don’t want to link to them)
• Google search [site:zimbio.com h1b USCIS tattoo]

Can it be that Zimbio is just abused by spammers? Maybe. The only reason for spammers to submit their blogs to Zimbio is to get a free backlink. But there are many other places where they could get backlinks without risk that Zimbio will simply hijack “their” search results and search traffic (which happens now). Moreover, they would have to manually register thousands of accounts on Zimbio or buy them (not so free backlinks after all).

My speculation about possible scenarios (from Zimbio perspective):

• Spammers submitted their blogs in exchange for the backlinks? – Good, with their domain power and clever interlinking they will easily outrank them. Moreover, Blogger can remove those blogspot.com blogs, but the same posts on Zimbio.com will remain intact, thus can do better in the long run.
• Zimbio found the network of splogs that rank well on Google Image search. Why not add them to Zimbio and pretend that users added them there themselves (the profiles are quire anonymous)?
• The evilest scenatio: Zimbio created the spammy blogspot.com blogs themselves and then submitted them to Zimbio. This way they can monetize both spammy blogs and the zimbio traffic and it still looks like they are not connected.
• Any other scenario, anyone?;-)

In every scenario Zimbio wins (unless Google eventually penalizes them for large percentage of spammy and duplicate content). It’s their strategy to publish (and republish) huge amount of user generated content that would rank well for various long tail searches.

The onsugar.com site uses similar approach (e.g http://uglytattoo.onsugar .com/small-tattoo-ideas-14264936)

Conclusion

While Google has managed to reduce the number of malicious links in Image search results, the original flaw is still widely abused by black hats. This problem shouldn’t be taken lightly just because the blogs described in this article are not malicious (yet). Here are just a few reasons why Google should address this issue:

• These blogs prove feasibility of the approach. So the same scheme can be reproduced by people with more malicious intents.
• Spammy blogs can easily turn into malicious one day. Given the choice of the ad providers, they can easily accept offers of, say, Fake AV guys (as you, know they have actively use affiliate schemes).
• These blogs hijack search results and steal traffic from creators of the original content.
• And after all, it’s a shame that Google has such a low quality of their images search results.

##

Question to readers: How often do you come across hijacked Google image search results (either malicious or simply spammy)?

Related posts:

• Thousands of Hacked Sites Seriously Poison Google Image Search Results
• Google Image Poisoning. Mitigation and the New Wave
• Hackers Abuse Servage Hosting to Poison Google Image Search
• Introduction to Website Parasites

Not only did I publish results of my investigation on my blog but also shared a great deal of gathered information (lists of compromised sites, algorithms, etc.) with Google and antivirus vendors. I hope this made some difference as I started observe changes literally the next day after the article publication.

In this 2-part series of posts, I will talk about what’s changed since then. Specifically about how Google addressed this problem (part I) and how cybercriminals changed the attack scheme (part II).

Google’s reaction

Soon (within a few hours actually) after I published my article and contacted Google, they started to actively blacklist compromised sites with doorway pages. They used secondary signs (such as images and iframes injected into main pages of compromised sites) to identify hacked sites. Within three days Google has blacklisted more than 15,000 such sites. Ten days later the number of blacklisted site was close to 35 thousand.

Blacklisting has helped to mitigate the problem in a short time: flagged sites don’t normally make it into Google Images search result. And even if you click on a blacklisted result in Image search (where, unlike web search, there are no visible malware warnings) you will be navigated to an interstitial warning page.

Moreover, the warnings themselves and Google’s notifications helped webmasters of affected sites notice and fix the problem.

As a result, this malicious campaign began to register significant decrease in traffic after May 5th.

from 8.62 million hits on May 5th to 6.41 million hits on May 6th (-25% in just one day) and to 1.67 million hits on May 16th (-80% in 10 days)

May 18th

Nonetheless the attack is still in progress. Cybercriminals didn’t want to lose such a lucrative source of traffic and, around May 18th, they updated the tactics and changed the behavior of compromised sites making the problem less easily detectable.

Low detection rate

Indeed, this change helped newly infected sites escape blacklisting. I have a list of more than 9 thousand sites infected with this new modification of a malicious doorway script and less than 3% of them are currently flagged by Googles (mainly for past problems). At the same time, Safe Browsing diagnostic pages of most sites say that Google checked them on dates when the sites (I know it) had malicious content but nothing suspicious was detected. This means that Google is aware that sites are worth scanning for malware (good) but their detection rate is extremely low (bad).

Lower positions of poisoned search results.

This low detection rate shouldn’t be considered as a new victory of spammers over Google. The thing is the new doorway pages don’t nearly do as well in Google Image search results as they did before May 5th.

I have looong lists of keywords targeted by the malicious doorways and I regularly check Google Image search results for those keywords (using my Firefox add-on that highlights hijacked and hot-linked search results — let me know if you are interested). Very rarely I can see poisoned results on the first page (mainly for long and quite unpopular queries like ["campbell brown afl"] – only 13,300 results or ["camera timer icon"] only 104 results).

When I try more popular queries or don’t use quotes for restrictive phrase searches, the chances to see poisoned results on the first page are quite low. Malicious results usually start to appear on the second page or even lower.

I hope these changes can be attributed to some improvements in Google’s algorithm that made it less easy to hijack top image search results using hot-linking along with unintelligible keyword-stuffed texts. At least, I don’t see any changes in the page-generating and inter-linking part of the new doorway algorithm.

Nonetheless, the chances to click on a malicious image search result are still pretty high and Google needs to pay more attention to this problem. After all, what’s the use in search results if  many people have bad experience with Google images and now are reluctant to click on any image results?

As always, I’ll do my best to help them. I’ll send them my list of 9,000+ compromised sites and the full doorway script algorithm. In addition, in the second part of this series (really soon) I’ll describe what exactly has changed in this black hat SEO campaign since May 18th and what makes it less easily detectable. Stay tuned.

Related posts:

• Thousands of Hacked Sites Seriously Poison Google Image Search Results
• Imgaaa .net And Other Blacklisted Domains Used in Google Image Search Poisoning
• Hackers Abuse Servage Hosting to Poison Google Image Search
• Major Disasters in Poisoned Search Results
• Introduction to Website Parasites

To make my life easier, I created a simple script that highlighted important information so that I could see everything I needed at a glance. I had been using that script for more than a year before the recent Firefox 4 upgrade broke it (the technology I used is deprecated now). This was a serious loss for me. Every time I opened Safe Browsing diagnostic pages (several dozen times a day) I missed my script. Even though I knew the page layout very well, it took significantly more efforts to extract the same amount of information. The difference was almost the same as you might feel when you have to use a touchpad instead of a normal mouse.

Readable SafeBrowsing add-on

Finally I’ve reworked my script as a fully compatible Firefox 4 add-on. What a relief! And now that I know how such a simple thing can improve your productivity and what it means to get back to original Google’s formatting, I think it may be worth it to share this add-on with you. I actually think Google should revamp the diagnostic pages itself. But since they don’t change the look and feel of these pages for a few years, I guess I’d better off publishing my add-on so that anyone can benefit from it.

If you use Firefox 4+ (which I consider the best choice when used along with NoScript), you can install my Readable SafeBrowsing add-on here (no additional installs required, no restart required):

https://addons.mozilla.org/en-US/firefox/addon/readable-safebrowsing/

(You may see a warning when you click the “Download Now” button as the add-on hasn’t been reviewed by Mozilla yet.)

Features

• Different colors for suspicious and not suspicious reports. — The wording is almost the same for flagged sites and clean sites. The only difference is the “not” word in the middle of a sentence so you can’t tell the status of the report at a glance.
• Highlights the base URL covered by the report. — It may differ from the requested URL. For example, if you request a diagnostic page for a subdomain.example.org the report may actually show data for the whole example.org, which means that the problem can’t be resolved at the subdomain level.
• Highlights date of the last scan and the date when the problem was last found. — This is important to understand how up-to-date the report is, whether the original problem is still detectable, whether Google rescanned the site after a request submitted via Webmaster Tools.
• Highlights when the report was last updated. — Important if you are not sure whether Google has picked up your latest changes.

Currently it works with Safe Browsing diagnostic pages in English, German, Spanish, French and Russian.

Before/After screenshots

Before: not suspicious

After: not suspicious

Before: suspicious

After: suspicious

Testing

Once you install it, you can open any Safe Browsing diagnostic page and enjoy the improved look&feel. For example, here’s the diagnostic page for this blog:
http://www.google.com/safebrowsing/diagnostic?site=blog.unmaskparasites.com

Or you can construct a URL of a Safe Browsing diagnostic page for any site yourself:

http://www.google.com/safebrowsing/diagnostic?site=<example.com/path>
replace (the <example.com/path> part with the address of the desired site/page)

Don’t forget that you can also find links to Safe Browsing diagnostic pages in Unmask Parasites reports (both for the pages that you check and the pages they link to).

#

Let me know what you think about it. Is there something that can be changed or improved? Your feedback is welcome.

Related posts:

• Practical Guide to Dealing With Google’s Malware Warnings
• Readable SafeBrowsing add-on description at Mozilla.org

This week the list has reached the level of 1,000+ URLs. Although it’s just a small part of all Gumblar zombie scripts, this list makes a good base for a quick analysis of Gumblar zombie URLs.

What is a Gumblar zombie script?

On some compromised websites, Gumblar creates a new file with a .php extension. A link to this file is injected to other compromised sites.

<script src=hxxp://hacked-site.com/subdirectory/zombie-script.php ></script>

This script either tries to attack web surfers’ computer silently loading binary exploit files from the same zombie site, or load yet another zombie script from a third-party zombie site.

The zombie scripts are not linked to from any existing files on the same zombie site. Their are hidden somewhere in the directory structure and have names that look very trustworthy to site owners (they usually have a name of some existing legitimate file but with a .php extension). This is why webmasters of compromised sites (Gumblars zombies) are usually completely unaware of such scripts on their sites (and as a result they are usually puzzled over why Google has blacklisted their sites and says their sites host malicious content and infect other sites). Although my list is not complete, it helps webmasters locate zombie scripts on their sites.

And the below analysis of this list reveals interesting details both about the Gumblar attack and about its zombie URLs.

Analysis

I analyzed 1042 Gumblar zombie URL.

Top level domains

The attack affects sites all over the world. My list contains sites with 73 different top level domains. Of course, .com sites (as the most wide-spread) are the most affected.

------------------- Top 10 TLDs ---------------------
1 .com 452 43.4%
2 .net 77 7.4%
3 .ru 57 5.5%
4 .org 48 4.6%
5 .hu 37 3.6%
6 .de 32 3.1%
7 .in 25 2.4%
8 .pl 23 2.2%
9 .kr 23 2.2%
10 .ar 17 1.6%
: the rest 251 24.1%


File names

1042 URLs contain 749 unique filenames. As I already told you, the names are usually a combination of a name of some existing file and a .php extension. So no wonder, the most popular name of a zombie script is index.php. However, sometimes hackers use a filename (specific to the Gumblar attack) that doesn’t match any filenames of existing files – gifimg.php. It the the second most popular name of Gumblar zombie scripts.

---------------- Top 10 Filenames -------------------
1 index.php 73 7.0%
2 gifimg.php 55 5.3%
3 contact.php 13 1.2%
4 style.php 9 0.9%
5 error_log.php 8 0.8%
6 _vti_inf.php 8 0.8%
7 LICENSE.php 8 0.8%
8 favicon.php 7 0.7%
9 .ftpquota.php 7 0.7%
10 robots.php 7 0.7%
: the rest 847 81.3%

Directories

To make zombie scripts less prominent, hackers create them in subdirectories of hacked sites. In my list of 1042 URLs I found 562 unique paths (excluding filenames) to the rogue scripts. The most popular location of Gumblar zombie scripts is the /images directory (16.5%). It’s a very good location to hide malicious files — webmasters rarely check directories with image files when they are searching for something that can contain executable code. Moreover, if a file has some benign filename (e.g. gifimg) it can be easily overlooked. Other service directories (e.g. /cgi-bin, /_vti_bin, /css, /tmp, /js) are also among popular locations.

The tenth position is empty. This means that in less than 1% of cases the zombie script was found directly in the site root directory.

----------------- Top 10 directories ----------------
1 /images 172 16.5%
2 /cgi-bin 24 2.3%
3 /_vti_bin 21 2.0%
4 /css 18 1.7%
5 /img 15 1.4%
6 /tmp 13 1.2%
7 /wp-content 12 1.2%
8 /js 10 1.0%
9 /wp-admin 10 1.0%
10 9 0.9%
: the rest 738 70.8%


Subdirectory levels

In majority of cases (91.5%), zombie scripts can be found in a subdirectory one level deep. E.g. /images/zombie.php, /tmp/zombie.php, etc. However, sometimes their location is as deep as 3 levels from site root. E.g. /_flash/_notes/vz29/zombie.php. In nine cases (<1%), zombie scripts were found in a root directory (0 levels deep)
---------- Location relative to site root -----------
1 1 level deep 953 91.5%
2 2 levels deep 56 5.4%
3 3 levels deep 24 2.3%
4 0 levels deep 9 0.9%

Web servers

Gumblar uses stolen FTP credentials to break into web sites. This means that regardless of web server technology any site is potentially vulnerable to this sort of attack (as long as webmasters use FTP). My list of Gumblar zombie URLs provide enough evidence to prove this. You can find filenames and directories specific to different web server technologies.

For example:

• .htaccess.php files — Apache
• _vti_bin directories and _vti_inf.php files — sites powered by Microsoft technologies
• WEB-INF/classes/v7j/servertest.class.php — Tomcat

“s” directories

On many websites, next to a Gumblar zombie script there is a directory called s. It contains Gumblar service and log files. If you find it on your server, make sure to delete it.

Have your say

Did you notice any other interesting patterns in the list of Gumblar zombie URLs? Your comments are welcome!

Related posts:

• List of Gumblar Zombie URLs
• Revenge of Gumblar Zombies
• Gumblar .cn Exploit – 12 Facts About This Injected Script
• 10 FTP Clients Malware Steals Credentials From

My visit to Google, Moscow last week ;)

This definition perfectly describes relationships between hackers and legitimate websites. As it often happens in real life, the host (legitimate website and its owner) may be completely unaware of parasites until the harmful effect becomes obvious (e.g. drops in traffic, lost search engine rankings, site gets blacklisted, etc. ). And it doesn’t matter how big or small your site is and how malicious the hack is – this is the sort of relationships where parasites (hackers) always win and legitimate websites always lose.

As a webmaster, you can be more effective at detecting and mitigating parasitic activities if you know how hackers can benefit from your site .

Types of website parasitism

1. Parasitism on existing site traffic
2. Parasitism on search traffic
3. Parasitism on sites search engine ranking (Black-hat SEO)
4. Parasitism on server resources

1. Parasitism on existing site traffic.

How hackers benefit from a prolonged, close association with compromised websites?
If hackers incorporate some malicious content into legitimate websites, they can expose all visitors to those sites to their attacks. This is very cost effective since the infection process is fully automated (infected computers-zombies do all the dirty work) and they get all the traffic of compromised websites for free (while it is not free for the site owners who pay for hosting, create content, pay for ads, etc.). Since the cost of website infection is very low, hackers are targeting every website regardless of its size and content. This way they have infected thousands of web sites and millions of web pages.

Examples:

• Hidden iframes – Injecting hidden malicious iframes into compromised legitimate websites is one of the most popular types of malware attacks. Invisible iframes allow to silently load exploits from “bad” sites while unsuspecting web surfers browsing visible content of infected websites. More…
  Posts about attacks that inject hidden frames
• Malicious scripts – Also a very popular type of malware attacks that allows to create hidden iframes on the fly or redirect visitors to third-party sites.
  Posts about attacks that inject malicious scripts
• Rogue web servers – server-wide hacks that hijack web server processes and serve malicious content (usually redirects to rogue sites) instead of requested web pages. Such attack may be intermittent and very hard to detect. You can read about them in the following articles:
  Goscanpark: 13 Facts About Malicious Server-Wide Meta Redirects.
  Beladen – Elusive Web Server Exploit. (information for site owners and hosting providers)
  More…

How compromised websites are harmed?

• sites get blacklisted
• lose traffic (blocked by security tools or redirected by malware)
• lose reputation when visitors see AV and Safe-Browsing warnings.
• as a result, they lose sales and revenues from ads.

2. Parasitism on search traffic

How hackers benefit from a prolonged, close association with compromised websites?

Sometimes hackers target only site visitors who come from search engines. This way they make the hack detection more difficult to site owners who rarely need search engine to open their own websites. In this case, hackers are the only ones who benefit from site owners’ efforts to improve search engine rankings.

Examples:

• .htaccess redirects – On Apache-powered sites, hackers inject conditional rewrite rules to redirect traffic from major search engine to malicious sites (usually to scareware sites).
  Posts about attacks that use malicious .htaccess redirects.
• PHP redirects – injected PHP code can redirect searchers to third-party pay-per-click search engines that share revenue with hackers (example).

How compromised websites are harmed?

• regardless of search engine rankings, compromised websites don’t receive any visitors from search engines (they are immediately redirected to third-party websites)
• eventually, sites get blacklisted
• lose natural traffic (blocked by security tools)
• lose reputation when visitors see AV and Safe-Browsing warnings in search results.
• as a result, they lose sales and revenues from ads.

3. Parasitism on sites search engine ranking (Black-hat SEO)

How hackers benefit from a prolonged, close association with compromised websites?

The more descriptive links from reputable sites point to some web page the higher its ranking for relevant keywords. This principle is abused by hackers who inject spammy links into legitimate websites to promote their shady web resources (online stores selling counterfeit and pirated goods, porn sites, scam sites). In this case, hackers benefit from existing search engine ranking (PR) and authority of the compromised sites that they share with the spammy sites.

Examples:

• Hidden links – the most simple attack that injects malicious links into legitimate webpages and uses HTML tricks to make them invisible to human visitors.
  Posts about attacks that inject hidden links
• Cloaking – more elaborate attacks, that serve different versions of web pages to normal visitors (legitimate web pages) and to search engine spiders (either modified web pages with injected spammy links or completely different spammy pages) . A lot of reputable sites have been affected by this sort of parasites:
  “Cheap Vista” or Cloaked Spam on High-Profile Sites
  Anti-Pirates Unknowingly Promote Pirates
• Rogue 301 redirects – When Google sees redirects with the 301 status code, it thinks that a website has permanently moved to another location. So it updates the site listing with the new location. Moreover, the new site automatically gains ranking of the original site. To steal ranking and search traffic from legitimate sites, hackers create conditional redirect rules (either in .htaccess files or in PHP scripts) that return the 301 status code along with the address of a malicious site for requests from search engine spiders. You can read the following posts about such attacks and their consequences:
  Exploit Redirects Googlebot to Malware Sites (Bablo me uk).
  Stats Anomaly Reveals Website Security Issues.

How compromised websites are harmed?

• The increased number of links dilutes the SEO value of web pages, which makes legitimate links less valuable SEO-wise.
• Black-hat SEO tricks inevitably lead to penalties and exclusion from search results, which usually means drop in traffic and revenues.
• Hidden links may affect contextual ads on compromised sites.
• Cloaked content makes it to site description in search results and people who search for you site name may see something like “Viagra Online – Buy Viagra Online – Cheapest Viagra On The Net” or even something pornographic next to your site link. Such thing can only harm your reputation (especially for sites of schools, churches, reputable international organizations – which I see quite often).
• Cloaked content replaces legitimate content in search index, and compromised web sites can no longer be found using relevant keywords.

4. Parasitism on server resources.

How hackers benefit from a prolonged, close association with compromised websites?

Sometimes hackers are not interested in existing content, ranking of compromised websites and their visitors. All they need is free web space and server resources – something that they can share with hacked legitimate websites whose owners unknowingly pay the bills both for themselves and for hackers.

Examples:

• Rogue pages – Deep in sub-directories of legitimate websites, hackers create thousands of web pages optimized for specific keywords to poison search results on major search engines. (usually something related to breaking news or some relatively unpopular keywords from the long tail – either way they have good chances to make it to the first page of search results). Once search engines index those rogue pages and start to send search traffic their way (it usually only take a few hours) the pages start to expose visitors to some malicious content (usually redirects to scareware sites) :
  Rogue blogs redirect search traffic to bogus AV sites. Part 1.
  Bety.php – osCommerce Hack. Part 1.
  Bety.php Hack. Part 2. Black Hats in Action.
  Internals of Rogue Blogs
• Phishing – To steal sensitive personal information hackers create rogue web pages that look exactly as login pages of banks and popular services (e.g. Facebook, PayPal, GMail, etc). When they send out tons of spam emails asking people, for example, to change their passwords (I bet you received such emails) and specifying a link to that phishing page on a hacked site. As a result of such phishing campaigns, some people may not notice the forgery and provide hackers with their logins and passwords. And the hacked sites make it into blacklists of anti-phishing organizations…
• Gumblar – One of the most elaborate malware attack – Gumblar – tries to use compromised websites to the fullest. Not only does it inject malicious scripts into legitimate web pages, it also creates subdirectories with binary exploits and malicious scripts that hackers use to infect visitors to other sites. Moreover, the backdoor scripts on infected sites are used to break into new sites and infect them. Gumblar-infected sites act as zombies of some botnet.
  Revenge of Gumblar Zombies
  List of Gumblar Zombie URLs
  More…
• Koobface – This attack, that primarily targets users of social networking sites, creates scripts in subdirectories of hacked legitimate sites that redirect victims of the attack further to malicious web pages on infected computers.
• Reverse proxies on port 8080 – To protect central malicious servers and keep them invisible to security researchers, hackers hide the real sources of badness behind reverse proxies on compromised web servers. Most hidden iframes with URLs that use port 8080 are just reverse proxies that behind the scenes pull the malicious content from secret servers.
  One of such reverse proxies
  Attacks that use such reverse proxies:
  Dynamic DNS and Botnet of Zombie Web Servers
  From Hidden Iframes to Obfuscated Scripts
  Quicksilver Malware Network

How compromised websites are harmed?

• Sites get blacklisted because of malicious content they host.
• Sites can be excluded from search results if hackers create spammy pages there.
• Sites can be marked as phishing sites.
• Everything above leads to traffic and revenue drops
• Rogue content may exhaust site quotas and slow down server performance.
• And after all, site owners pay for resource overage incurred by hacker activity.

Non-parasites

Not all hacker attacks are parasitic in their nature (which doesn’t make them less malicious, of course)

• Defacement – hackers replace/change legitimate content of websites to show everyone that the sites have been hacked. Usually it’s just a malicious mischief. It doesn’t involve prolonged and close relationship with hacked sites.
• DoS/DDos attacks – denial-of-service attacks try to render targeted websites/servers unavailable, exhausting their computational resources with floods of external requests. The goal of such attacks is usually either to get rid off unwanted sites (competitors, rivals, etc.) or to have site owners pay some ransom to stop the attack. While DoS attack may be quite prolonged (and last several weeks), they are completely external and don’t involve any close association with the the targeted sites.
• Theft – Sometimes hackers break into websites to steal some protected information (e.g. database of clients) or access premium content without paying for it.

Make knowledgeable decisions

Now that you know why hackers break into legitimate websites and how they use them, you can make knowledgeable decisions about how to detect the hacks and what tools you should use. E.g. to find injected iframes and malicious scripts you should thoroughly look through the HTML code of your web pages; to detect cloaking, you should check what Google has indexed on your site; to detect redirects from search results, you should try to spoof the Referer HTTP header with tools like wget, etc.

Unmask Parasites

To provide webmasters with a more universal, quick and secure way to check their sites for signs of hacker activity I created Unmask Parasites online service. It evolved during the last two years and proved to be a good starting point for detecting various types of website parasites: hidden links, iframes, malicious scripts, cloaking and conditional redirects.

It’s the tool that can help reveal the problem you were not aware of or provide a hint on where to look (or not to look) for the source of security problems you investigate. And it’s all in less than 30 seconds. Of course, Unmask Parasites can’t detect or correctly identify every security problem, but it’s just a first step in your investigation and you should have other more specialized tools in your toolkit as well.

If you haven’t tried Unmask Parasites yet, it’s time to click this link and check your site for parasites.

Build awareness

Did you learn anything new about website security threats? If yes, show this article to your fellow webmasters. The more we – webmasters – know about hackers, the less chance they have of exploiting our sites behind our backs.

Have your say

Do you have any other examples of parasitic activities of hackers? I would love to hear about them. Your comments are welcome.

Related posts:

• Let’s Unmask Parasites
• Unmask Parasites. A Year of Blogging
• Vulnerability Advisories for Third-Party Scripts
• 10 FTP Clients Malware Steals Credentials From

LeaseWeb reaction

Fortunately, such posts sometimes make difference. The same day Alex de Joode, LeaseWeb’ Security Officer, left a comment, explaining their company’s abuse handling policy and showing that they were ready to address malware issues. What more important is I can see the results: mdvhost.com domain name no longer resolve. And none of the malicious domains is currently mapped to IP addresses on the LeaseWeb network. Thanks Alex! And thanks Maxim Weinstein (StopBadware.org) who helped to draw attention to this issue.

The attack is still active

The loss of the mdvhost .com server didn’t stop the attack though. Apparently, hackers have back-up servers to replace the missing one. Anyway, this switch requires reconfiguring reverse-proxies and have probably slowed down the propagation of the malware. And by the way, in the beginning of this week I noticed a temporary decrease in this attack detection in Unmask Parasites. Or was it just a coincidence?

However, the attack is still active. Currently, malicious servers reside mostly on OVH network and on some German networks (for some reason hackers choose European hosting providers)

Here is a sample output of the dig command:

viewhomesale.ru. 432 IN A 85.25.73.243 Germany Berlin Bsb-service Gmbh
viewhomesale.ru. 432 IN A 91.121.49.129 France Paris Ovh Sas
viewhomesale.ru. 432 IN A 94.23.14.110 France Clermont-ferrand Ovh Sas
viewhomesale.ru. 432 IN A 94.23.89.95 Poland Ovh Sp. Z O. O
viewhomesale.ru. 432 IN A 94.23.206.229 France Ovh Sas

Some more IPs:

62.75.184.40 Germany Berlin Vserver – Virtual Dedicated Server-hosting
77.37.19.43 Germany Star-hosting E.k. – Vserver I
91.121.142.111 France Paris Ovh Sas
188.72.199.24 Germany Berlin De-netdirect
213.186.57.19  France Paris Ovh Sas

I hope OVH and the German hosting providers will follow LeaseWeb and finally sweep hackers away from their networks.

To hosting providers

The IPs in this post belong to compromised dedicated and virtual dedicated servers where hackers managed to install nginx on port 8080 (they work as reverse-proxies). It would be great if you find the nginx configuration files and determine the address of the central site where they get all the malicious stuff from. You can either post your findings here or contact me directly. Alternatively, you can contact the hosting provider of that malicious server yourselves.

P.S. Happy New Year!

Related posts:

• From Hidden Iframes to Obfuscated Scripts
• Dynamic DNS and Botnet of Zombie Web Servers
• Evolution of Hidden Iframes
• 10 FTP Clients Malware Steals Credentials From

Working on Unmask Parasites service, I could easily spot prevalent threats and trends in malware attacks. I used this information to help webmasters of hacked sites on various security-related forums and news groups. However, forum format assumes that you answer similar questions again and again, which is very inefficient. That’s why I decided to publish information about prevalent website security problems here. This way I could write detailed information once and then just link to my articles in my forum answers.

This approach worked great for me. The very first post about .htaccess redirects to bogus anti-virus sites became pretty popular. I didn’t have to waste my time duplicating the same answers again and again (there were several questions a day from owners of affected sites that time. One year later, there are still many sites hacked this way). Soon enough, my posts started to attract visitors from search engines. As a result, one blog post could help much more webmasters than several similar posts on specialized forums.

Helping webmasters

My blog is not an average security blog that talks about new threats. It is not for security specialists (they usually know more than me about the topics I cover here). It is for webmasters who want to keep their site secure. For people who work hard to build their websites and then find out that all their efforts can be easily ruined by hackers. In my posts about hacker attacks, I try to include information about how to detect breaches, clean up web sites, remove malware warnings, and prevent future break-ins. I also try to explain what makes those attacks possible and why hackers target legitimate web sites.

And even if I don’t have some information about a specific attack, I always encourage my readers to share their information in comments. This worked particularly well for posts about Gumblar and Goscanpark meta redirects, where comments sections are probably more informative than the posts themselves. Thanks guys.

Security problems of a security blog

While most of my posts are based on the information I collect investigating security issues of third-party sites, there had been a real security problem with my own blog. It was originally hosted on a shared server that happened to be hacked (not my blog, but the whole server) back in May. It was a nasty elusive problem that my hosting provider couldn’t resolve for almost two weeks. Finally, we managed to locate the malicious process and the backdoor script.

To share details about this incident, I posted an article about the Beladen exploit, which happened to affect many other shared web servers too. This was a lesson for me: in a shared hosting environment your site’s security depends on security of other websites hosted on the same server. As a result, I moved my blog from a shared hosting to a virtual private server (VPS) where I can control (virtually) everything. Of course, now I pay more money for the blog hosting and have to maintain the server myself, but I’m much more confident that my blog is not dangerous for my readers (I take it seriously).

False positives

There had also been a problem with false warnings from certain anti-virus programs. Quite frustrating to see anti-virus programs with flaws in detection algorithms keeping webmasters away from the articles that could help them remove malware from their sites and stop infecting their site visitors’ computers.

In my articles, I post snippets of malicious code that hackers inject into legitimate web pages. I don’t post screenshots of the malicious code like many other security blog do. The purpose of my articles is to help webmasters of compromised blogs resolve their security issues. So I want them to be able to find my blog when they Google for parts of suspicious code they find inside their web pages. Many webmasters find my blog this way.

I realize the danger of the malicious code that I post. That’s why I slightly garble it, making it non-executable if copy-pasted into HTML. Nonetheless, some anti-virus programs confuse such code with real malicious code (their detection algorithms are imperfect). After each report about false positives from my blog readers, I had to garble code samples even more until the false warnings went away.

Reader contributed information.

For my posts, I investigate every case myself. However, I can’t gather complete information without internal access to compromised websites (I’m not a hacker and never break into third-party websites). That’s why I’d like to thank people (webmasters, hosting providers, security researchers, etc.) who email me and share internal details about the hacks. Your help is indispensable.

Readers’ comments are also a very important part of this blog. They usually add missing bits to my posts. Sometimes comments sections are more informative than corresponding articles. That’s great! I’m glad to provide a place for fruitful discussions.

I’d also like to thank my readers who allowed me to post their emails on my blog. Here are the two articles based on their emails:

• Stats Anomaly Reveals Website Security Issues
• Quicksilver Malware Network

If you want to see your articles published on this blog, don’t hesitate to contact me. Guest post are welcome!

In the news

Several posts from this blog have made it into major press. You can find references to my articles on sites of the New York Times, Washington Post, The Register, CNet, ComputerWorld, SC Magazine, etc. (click here for the full list) Internet security community (e.g. StopBadware.org, Google Online Security blog, IBM Internet Security Systems, Sophos, etc) also actively links to this blog. I consider it as a proof of the quality of the original content that I post here.

Stats and facts.

So a year has passed. Looking back, I can share some interesting (or maybe boring) stats and facts.

60 posts in 5 categories (114 tags)

122,000+ visits from 178 countries (literally from all over the world), but mainly from the United States (30%), United Kingdom (8%) and India (6%).

41% of visitors came from search engines (mainly from Google – 97%)

1,800+ sites referred visitors to this blog.

The most active referrers were:

• Google Webmaster Forums
• Unmask Parasites
• heise.de (after the post about the botnet of compromised web servers)
• StumbleUpon
• TheRegister
• Reddit
• Slashdot
• Sophos

Most popular keywords that sent me visitors from search engines:

• gumblar
• gumblar .cn
• martuz .cn
• martuz
• gifimg.php

They are all related to the Gumblar attack and account for 13,000+ visits.

No wonder, my original article about Gumblar is the most visited article on this blog (55,000+ visits). If I sum up visits to all my articles about Gumblar, it will be almost 79,000 visits. The new incarnation of the Gumblar attack is still active so this statistics will only increase.

The second most visited article is Malicious “Income” IFrames from .CN Domains – 21,000+ visits. It was my first article about the iframe injection attack that uses stolen FTP credentials. This attack evolved over the time and I frequently posted updates. All posts on this topic have been visited more than 40,000 times.

Among other popular topics are redirects to scareware sites and Beladen/Goscanpark server-wide exploits.

750+ approved comments

Most discussed posts:

• Gumblar .cn Exploit – 12 Facts About This Injected Script – 184 comments
• Goscanpark: 13 Facts About Malicious Server-Wide Meta Redirects – 83 comments
• Malicious “Income” IFrames from .CN Domains – 77 comments
• Dynamic DNS and Botnet of Zombie Web Servers – 41 comments

News feed: Feedburner currently reports about 450 subscribers. Not bad for a specialized blog. If you have a site that you want to protect from hackers or you are simply into website security, consider subscribing too. You can read this blog updates in your favorite RSS reader or in your good old email client. You can also follow me on Twitter.

Looking into the future

I actively develope Unmask Parasites and participate in various security forums, so there is no shortage of topics to cover here. If I had enough time I would post interesting information every day. However, in real world, many posts take at least 2-3 days of research, sometimes a few weeks, so I struggle to publish at least 2-3 original posts a month.

Hope I’ll be able to find enough time and incentive to keep on blogging at this pace. And if you want to see me motivated, please provide your feedback: leave comments, suggest topics, ask questions, share your information, and spread the word — this helps me concentrate on blogging ;-)

Read my blog. Keep your sites secure.

Your,
Denis Sinegubko

Related posts:

• Happy Birthday Unmask Parasites!
• Let’s Unmask Parasites

If you like this blog, you might also want to check my free online service called Unmask Parasites. It helps webmasters solve security problems revealing hidden illicit content in their web pages.

This week Google announced that they are working on a new open source, lightweight operating system that will initially be targeted at netbooks – Google Chrome OS. That’s right. It’s a Google Chrome browser running on top of Linux kernel. Netbooks running Google Chrome OS should be available in the second half of 2010. (BTW, will European Union rule Google exclude Google Chrome browser from the default installation of a Google Chrome OS? )

They are going to completely redesign the underlying security architecture of the OS so that users don’t have to deal with viruses, malware and security updates. As far as I understand the concept, everything should be stored and executed on the web, so traditional malware won’t work on such a OS. On the other hand, I envision criminals somehow make Chrome users subscribe to their malicious web services.

Gazelle browser

Another interesting project is the Microsoft’s Gazelle browser. This is a web browser that uses OS principles to isolate web application from each other and from the underlying host operating system. Effectively this browser is an OS  itself (with it’s own kernel and resources) running on top of the real operating system.  This architecture ensures that any misbehaving code (script, virus, buggy plug-in) affects only it’s own process, leaving other web applications, the browser kernel, and the host system intact.  Malware can’t jailbreak and infect your computer. It’s like Vegas (what happens in Vegas stays in Vegas). They definitely should have called this browser Vegas.

Anyway, it’s only a proof-of-concept research project and it may take years before something like this will be publicly available.

The future

These new projects (operating system as a web browser from Google, and web browser as an operating system from Microsoft) can make a revolution in computer security. Traditional desktop malware will become obsolete. It will be replaced by a new generation of web based malware.  Many antivirus companies may go out of business.

… and the present

You don’t have to wait another year to try this sort of secure web browsing. Something similar has been available for years. I’m talking about virtual machines. For example when I’m working in Windows XP, I I have a Linux guest operating system running in a window specifically to browse the web. Linux is less prone to malware attacks and it is isolated from my Windows. For me, it’s a combination of Google Chrome OS and Microsoft Gazelle. In this guest OS, where Firefox runs on top of a Linux kernel, “most of the user experience takes place on the web” and on the other hand my web browser is works in a stand-alone operating system, isolated from the host OS.

He received an email from Google saying that his site had been temporarily removed from search index because it contained hidden spam links and thus violated Google’s guidelines.

In the article you will read how Unmask Parasites helped reveal those hidden links, how they were removed, how the penalty affected search engine traffic, and what lesson about website security have been learnt, i.e:

• Signs that your site is hacked.
• Why hackers inject hidden links?
• How to protect WordPress blogs?

Note that the article is written by a marathon runner. And you don’t have to be a computer genius to protect your website either. But if your site is important to you, be sure to invest some time and learn some basics about website security. It may cost you much more (in terms of time and money) when you find your site blocked because of security issues.

This guy’s words apply to most of us:

When I started blogging I didn’t expect to find myself learning about internet security. Learning never ceases and it feels good to be empowered.

If you are convinced, here is a great article from Google: Best practices agains hacking. While it’s beginning looks a bit techie, the rest of the article provides valuable information for all site owners. Be sure to read the “Some resources about CMSs security“, “Some ways to identify the hacking of your site” and “Hacked behavior removed, now what?” sections of this article.

Another advice is regularly check your web sites for security issues. If you detect a problem and fix it before Google finds it, the damage will be minimal.

You can use my Unmask Parasites free online service for quick rough checks. It scans web pages and reveals illicit content and behavior such as hidden spam links, invisible iframes, suspicious scripts and unwanted redirections.

Have your say

Please share your thoughts about what makes people start learning about website security. Suggest security resource and “best practices” for newbie site owners. Your comments are welcome.

Similar posts:

• Let’s Unmask Parasites
• BadwareBusters.org Out of Beta