msgbartop
Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
msgbarbottom
Loading site search ...

Darkleech Update – November 2014

Just wanted to document some latest changes in Darkleech behavior that may help you detect it.

I’d like to thank internet security enthusiasts who share their findings with me. Without you, I could have easily missed these new (?) details.

Quick recap

Darkleech is a root level server infection that installs malicious Apache modules. The modules inject invisible iframes into server response when it is already prepared (linebreaks added for readability).

<style>.a4on6mz5h { position:absolute; left:-1376px; top:-1819px} </style> <div class="a4on6mz5h">
<ifr ame src="hxxp://tfmjst .hopto .org/nsiumkogckv1tv4locfzyv2eykqss9ltfb9wnmhfqz1ol2" width="247" height="557"></ifram e></div>

All the elements of this code are random and auto-generated on the fly (style name, coordinates, iframe diminsions, URL paths). Moreover, the iframe domains change every few minutes — lately hackers prefer free No-IP.com dynamic DNS hostnames like hopto.org, ddns.net, myftp.biz, myftp.org, serveftp.com, servepics.com, etc.

This infection is hard to detect as it only shows up once per IP per day (or maybe even more seldom). And since it works on a low system level, it can detect if server admins are logged in, so it lurks until they log out — this means that they won’t see anything even if they monitor outgoing TCP traffic.

For more details, please check the links at the bottom of this post.
What’s new? »»

Working With the Darkleech Bitly Data

10 Feb 14   Filed in General with Comments Off on Working With the Darkleech Bitly Data

Data Driven Security took the time to analyze the raw data that I published in my recent post on Sucuri blog about how I used Bitly data to understand the scale of the Darkleech infection.

In their article, they have a few questions about data formats, meaning of certain fields and some inconsistencies, so I’ll try to answer their questions here and explain how I worked with the data.
Continue »»