Selected short messages and links you might have missed if you don’t follow me on Twitter.
Dec 28, 2009
LeaseWeb seems to have removed malicious servers from its network after my blog post about the “GNU GPL” scripts. (OVH still hosts hackers)
Dec 30, 2009
Good Guys Bring Down the Mega-D Botnet – respect @FireEye!
Jan 2, 2010
If you want more real-time experience, you can follow @UnmaskParasites on Twitter.
Selected short messages and links you might have missed if you don’t follow me on Twitter.
Oct 6, 2009
Yet another Beladen/Goscanpark story from a server admin
http://www.linuxquestions.org/questions/linux-security-4/virus-in-a-server-malware-running-randomly-in-all-server-sites.-758806/#post3708050
Story from my blog reader: 60 support tickets and 1,000 screenshots before his hosting provider took action. (His site was hosted on a Goscanpark-infected server)
Oct 8, 2009
Researchers Hijack a Drive-By Botnet – insights from the inside
Oct 9, 2009
I see loads of spammy accounts on CommunityServer-powered sites. Sample Google search: http://www.google.com/search?q=inurl%3Amembers+inurl%3Aaspx+tramadol – they look hacked.
The Cash Factory – All aspects of the iframe-injection attack: spam, trojans, passwords, etc.
Oct 10, 2009
The Malware Warning Review Process – from Google Anti-Malware team
If you want more real-time experience, you can follow @unmaskparasites on Twitter.
In my latest post about the iframe attack that used free domains from dynamic DNS hosting providers pointing to a network of compromised dedicated servers, I asked readers for any additional information they had about this attack. A few days later I received this email:
Hi there.
Since this May I have been watching this network (I named it “quicksilver”) after two PCs/users ran into cn-8080-iframe-modified websites. Using only “white hat” instruments (dig, whois, malzilla, VMWare, google and my brain ;) ) I was able to collect information about the basic frame of this network.
It is not a simple botnet – it combines three networks with different functions to form a “malware superstructure”.
Nearly everything in this network is constantly moving (thus the name) and uses compromised machines acting as proxies or slaves. The machines of the real black hats are movable themselves – the older “gumblar” network (which I think is a precursor to quicksilver) used a Ukrainian C&C server with a different IP address.
At the end of the email, the reader said that he had a chart of this network and asked me if I wanted to take a look at it. The information looked interesting so I asked if he would like to publish it on my blog and got his permission:
you have my explicit permission to publish everything I send you – anonymously. Although I have a name and a title, the only thing relevant is to unmask those networks.
So here it is. I’ve published the story as is. I just added some formatting and converted the chart to GIF format to avoid PDF security concerns.
It’s always interesting to watch how malware attacks evolve over time.
Since this spring, when I started to distinguish it from other attacks, this hidden iframe injection attack has always been among “leaders”.