
Lorem Ipsum and Twitter Trends in Malware

26 Jan 12   Filed in Website exploits with 5 Comments

A couple of years ago I wrote about malware attacks that used the Twitter API to generate domain names for their malicious sites, using trending topics as keys in the domain-generation algorithm.

  • Each domain was in use for a few hours only
  • The next domain names became available just a few hours before the malicious scripts on hacked sites began to use them.

Since 2009, I’ve seen many revisions of that attack. It has never been the most prevalent issue but as far as I can tell it constantly evolves and mutates. The recent update of the malicious script injected by this attack looked quite interesting and I decided to find out what has changed since late 2009.

Tweet Week: March 14-20, 2011

21 Mar 11   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Best practices for hosting providers, security statistics, basicpills in WordPress, Rustock, phishing …

Tweet Week: March 7-13, 2011

14 Mar 11   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

phishing, botnets, poisoned search results …

Tweet Week: November 1-7, 2010

08 Nov 10   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

ProFTPD, OpenX, reporting webspam, cross-platform malware …

Tweet Week: Jan 11-17, 2010

17 Jan 10   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Security updates, botnets, Unmask Parasites …

Tweet Week: Dec 28, 2009 – Jan 3, 2010

03 Jan 10   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Dec 28, 2009

LeaseWeb seems to have removed malicious servers from its network after my blog post about the “GNU GPL” scripts. (OVH still hosts hackers)

Dec 30, 2009

Good Guys Bring Down the Mega-D Botnet – respect @FireEye !

Jan 2, 2010

Microsoft confirms IIS hole

If you want more real-time experience, you can follow @UnmaskParasites on Twitter.


Tweet Week: Oct 5-11, 2009

11 Oct 09   Filed in Tweet Week with 1 Comment

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Oct 6, 2009

Yet another Beladen/Goscanpark story from a server admin
http://www.linuxquestions.org/questions/linux-security-4/virus-in-a-server-malware-running-randomly-in-all-server-sites.-758806/#post3708050

Story from my blog reader: 60 support tickets and 1,000 screenshots before his hosting provider took action. (His site was hosted on a Goscanpark-infected server)

Oct 8, 2009

Researchers Hijack a Drive-By Botnet – insights from the inside

Oct 9, 2009

I see loads of spammy accounts on CommunityServer-powered sites. Sample Google search: http://www.google.com/search?q=inurl%3Amembers+inurl%3Aaspx+tramadol – they look like they were hacked.

The Cash Factory – All aspects of the iframe-injection attack: spam, trojans, passwords, etc.

Oct 10, 2009

The Malware Warning Review Process – from Google Anti-Malware team

If you want more real-time experience, you can follow @unmaskparasites on Twitter.


Quicksilver Malware Network

17 Sep 09   Filed in Website exploits with 6 Comments

In my latest post about the iframe attack that used free domains from dynamic DNS hosting providers pointing to a network of compromised dedicated servers, I asked readers for any additional information they had about this attack. A few days later I received this email:

Hi there.

Since this May I have been watching this network (I named it “quicksilver”) after two PCs/users ran into cn-8080-iframe-modified websites. Using only “white hat” instruments (dig, whois, malzilla, VMWare, google and my brain ;) ) I was able to collect information about the basic frame of this network.

It is not a simple botnet – it combines three networks with different functions to form a “malware superstructure”.

Nearly everything in this network is constantly moving (thus the name) and uses compromised machines acting as proxies or slaves. The machines of the real black hats are movable themselves – the older “gumblar” network (which I think is a precursor to quicksilver) used a Ukrainian C&C server with a different IP address.

At the end of the email, the reader said that he had a chart of this network and asked me if I wanted to take a look at it. The information looked interesting so I asked if he would like to publish it on my blog and got his permission:

you have my explicit permission to publish everything I send you – anonymously. Although I have a name and a title, the only thing relevant is to unmask those networks.

So here it is. I’ve published the story as is. I just added some formatting and converted the chart to GIF format to avoid PDF security concerns.

Dynamic DNS and Botnet of Zombie Web Servers

11 Sep 09   Filed in Website exploits with 44 Comments

It’s always interesting to watch how malware attacks evolve over time.

Since this spring, when I started to distinguish it from other attacks, this hidden iframe injection attack has always been among the “leaders”.

  • They started with gambling-related .cn domains (like cheapslotplay .cn).
  • They introduced several new domain names every day so that you couldn’t hardcode them in your scanners. At this point, my records contain several hundred domains used in this attack.
  • They also changed campaign names (parameters they specify in iframe URLs) regularly: mozila, banner, cocacola, pepsi, open, reopen, income.
  • They used port 8080 (presumably to game dumb traffic filters that only inspect traffic on port 80).
  • At the end of July, they started to use 3-letter .ru, .pl, .in and .at domains (e.g. x3y .ru, f7y .at, q5n .in, a3j .pl).
  • And, finally, if you follow me on Twitter, you know that this week I started to notice 3rd-level domains registered with free dynamic DNS services.
