Website Exploits | Unmask Parasites. Blog.

Loading site search ...

Web of Koobface

27 Feb 10 Filed in Website exploits with 2 Comments

This research is provoked by the following blogpost of Joshua Long where he lists domain names used by Koobface. Generally, I focus on website hacks and don’t research malware distributed via email spam and social networks (Koobface is an anagram of Facebook). However that list showed me how legitimate hacked sites were integrated into Koobface scheme and I decided to try to investigate how the whole thing worked.

Joshua’s list was a good starting point. I saw multiple rogue blogspot blogs that followed the same pattern and multiple compromised sites where those blogs redirected to. For some reason, most of the functionality of the malicious pages on the hacked sites is implemented as a client-side JavaScript, so I could easily retrieve and analyze those scripts. They provided me with very interesting details about the internals of the attack: sites it expected as referrers and usage of infected PCs. As a result I came up to the following scheme:
Koobface attack flow and other details »»

Tags: blogspot Koobface KROTEG LDPinch password safe browsing scareware

Bety.php Hack. Part 2. Black Hats in Action.

26 Jan 10 Filed in Website exploits with 2 Comments

This is the second article about the hacker attack against osCommerce-powered sites. In the first part, you can find the description of the attack along with detection and clean-up instructions. Now I want to show you what exactly hackers did and how they managed to poison Google search results.

The main goal is to demystify hackers and encourage webmasters to explore their own sites. The more you know about hackers, the better you’ll be at protecting your site against their attacks.

This post is based on the files and access logs of three compromised sites that I received from a webmaster who contacted me a couple of weeks ago.

Quick facts

The attack uses unpatched vulnerability in osCommerce 2.2 that allows an attacker to upload arbitrary files to compromised servers using a security hole in file_manager.php.
Only one of the three sites actually uses osCommerse (site-1).The rest two sites had been hacked using access gained via the hacked site-1.

Chronicle of the attack »»

Tags: bety.php black hat seo Googlebot osCommerce redirects statistics Webmaster Tools

Bety.php – osCommerce Hack. Part 1.

18 Jan 10 Filed in Website exploits with 0 Comments

About a week ago I received a very insightful email from one webmaster where he described a recent attack that his site was subject to and showed how Google’s Webmaster Tools helped him notice the hack.

With Jim’s permission, I publish this email here »»

Tags: bety.php black hat seo file_manager.php osCommerce Webmaster Tools

From Hidden Iframes to Obfuscated Scripts

23 Dec 09 Filed in Website exploits with 50 Comments

In December, I noticed that ubiquitous hidden iframes that have been the prevailing site hack this year seemed to have gone. Unmask Parasites finds them on very few sites now. And even on infected sites, I see only old domains, while this attack is known for introducing at least one new domain every day and for frequently updating the iframe code on infected sites.

At the same time I noticed a new type of obfuscated scripts injected into hacked websites. And I believe it’s a new incarnation of the same attack that previously injected hidden iframes.
Here’s the story »»

Tags: FTP iframe Leaseweb mdvhost obfuscated script OVH

List of Gumblar Zombie URLs

18 Dec 09 Filed in Website exploits with 5 Comments

My list of Gumblar zombie URLs that I originally posted and updated in the Revenge of Gumblar Zombies article, have already reached the size of 400+ items, which makes the web page too heavy.

I decided to move this list to a separate page to make the original post less cluttered. At the same time the list should remain searchable via major search engines and webmasters of compromised sites will be able to find this page that contains a direct link to the post with Gumblar infection details and removal instructions.

Gumblar infection is pretty sophisticated and removing the malicious code is usually not enough to completely clean up your site. If this page contains a URL that was a part of the suspicious code injected into your sites’ web pages and .js files, make sure to read the following post.
The list »»

Tags: gifimg.php gumblar

Intermediaries to Torpig Attack Sites

15 Dec 09 Filed in Website exploits with 1 Comment

In the previous post, I reviewed a website hack that injected malicious scripts that used Twitter API to generated domain names for attack sites. Domain names of the attack sites changed two times a day.

However since the malicious script works on the client side, the algorithm of the domain name generator can be easily extracted and used to predict upcoming malicious domains. To demonstrate this, I created my online “Torpig Domain Generator” that displays the currently used attack site and two domains of upcoming attack sites. It’s been working for mre than a week now and so far it is very accurate (For unknown reason hackers didn’t activate malicious domains this past Saturday, but infected sites still redirected to the same domains predicted by my generator.)

The fact that the algorithm is open and domain names of the upcoming malicious sites are known even before hackers register them means that any one who wants to stop the attack can pre-register those domains (so far it looks like no one have spare $20/day for this). The same algorithm can be used to proactively blacklist malicious domain names.

I’m sure hackers are aware of these downsides of open algorithms. Now they are trying to take advantage of the frequently changing pseudorandom domain names hiding the algorithm of the domain name generator behind intermediary servers-redirectors.
Here’s the story »»

Tags: domoktov iframe obfuscated script Torpig twitter

Twitter API Still Attracts Hackers

09 Dec 09 Filed in Website exploits with 6 Comments

A few weeks ago I blogged about hacked sites where malicious scripts used Twitter API to generate domains of new attack sites and trigger “drive-by” downloads.

As you might remember, I mentioned that the script was buggy (failed to work on certain days) and the approach didn’t look viable in the long term since it required that hackers manually register one new domain name every day. As a result, in November, this vector looked abandoned (I couldn’t find active and even registered malicious domains).

However, hackers seem to be die-hard fans of Twitter and don’t want to give up on the idea.

A few days ago I found a blacklisted site, where search.twitter.com was mentioned as an intermediary in malware distribution. Safe Browsing diagnostic pages also mentioned fresh (beginning of December) malicious domains that were definitely generated by the above-mentioned script. No wonder, on the infected site I found the familiar script. Actually, it was not the same script. It was an improved version of that script.
So what’s new? »»

Tags: Mebroot obfuscated script Sinowal Torpig twitter

Rogue blogs redirect search traffic to bogus AV sites. Part 2.

27 Nov 09 Filed in Website exploits with 5 Comments

This is the second part of the post about rogue blogs installed into subdirectories of hacked legitimate websites. The first part talked about how those blogs redirect search engine traffic to scareware sites. In this part I will talk about the whole black hat campaign, its evolution and its strange connection with Servage hosting provider.

Generations of rogue blogs

In the Cyveillance blog, they mentioned two types of rogue blogs with “bsblog” and “bmsblog” strings in the URLs. Having played with Google searches, I discovered some more versions:

bmblog. allinurl:bmblog/category search returns 281 000 results
mdblog. allinurl:mdblog/category returns 1 880 results
and generic blog (with specific categories).

So what do those strings mean? A quick analysis of the blogs’ content suggests that “blog“, “bmblog”, “bsblog“, “bmsblog” and “mdblog” strings in blog addresses correspond to different generations of this black hat campaign.
Here is the timeline »»

Tags: bmblog bmsblog Coppermine css.js google mdblog redirects Servage

Rogue blogs redirect search traffic to bogus AV sites. Part 1.

26 Nov 09 Filed in Website exploits with 7 Comments

As I tweeted a few days ago, I gathered a lot of interesting information about this case. So to make the post readable, I’ve broken it down into two parts. The first part is about how rogue blogs work, and the second part is about different generations of this black hat campaign and about the connection with Servage hosting provider.

A few days ago, I stumbled upon a great post where guys from Cyveillance blog wrote about a massive Google search results poisoning. Well worth reading.
Here is a brief summary of their post followed by my own findings »»

Tags: black hat seo css.js google PHP redirects scareware

Hackers Use Twitter API To Trigger Malicious Scripts

11 Nov 09 Filed in Website exploits with 5 Comments

To improve my Unmask Parasites online service I regularly visit compromised sites and analyze malicious content cybercriminals inject into legitimate web pages. I have to admit that hackers are very creative and I learn new tricks every week.

Today, I’ve found an interesting obfuscated script that used Twitter API to trigger malicious process.
Here’s the story »»

Tags: obfuscated script Torpig twitter