Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
Loading site search ...

Two Malware Trends Combined in One Attack

06 Oct 10   Filed in Website exploits with 8 Comments

Two of the major trends in malware attacks described on this blog this summer were the use of hijacked DNS records of legitimate domains and continuous attacks against sites on MediaTemple and RackSpace. In the end of this September, I noticed a new attack that combined these two trends.

At higher level, this attack is no different from many preceding variations that hit MediaTemple. It prepends malicious code to the first line of some existing .js files or injects it inside the <ads>…</ads> tags at the bottom of HTML code of legitimate web pages.

However, soon you notice new techniques.
Continue »»

Malware on Hijacked Subdomains. Part 2.

17 Jun 10   Filed in Website exploits with 11 Comments

About a month ago I wrote about a hacker attack that used hijacked subdomains of legitimate websites to serve malware (fake anti-virus software) off of them. Most likely cyber criminals used a phishing attack to steal credentials of GoDaddy’s domain management control panel and created rogue DNS records for some subdomains to make them point to hacker-controlled servers.

In that article I wondered if that was a new trend (usage of virtually free hijacked subdomains) or just temporary approach that wouldn’t be used anywhere else. Well, this week I came across a different malware attack that also uses hijacked subdomains of legitimate websites.
Continue »»

Malware on Hijacked Subdomains. New Trend?

22 May 10   Filed in Website exploits with 28 Comments

Yesterday, Patrick (aka Noxwizard, phpBB support team member) pointed me at the new malware attack that surfaced this week (first mentioned on May 16th).

The attack creates/modifies .htaccess files to redirect site visitors that come from major search engines and popular websites (e.g. Twitter, Facebook, Wikipedia, Flickr, Ebay, etc) to scareware sites that aggressively push fake anti-virus software. The redirects also occur if visitors request unexisting pages or pages that produce server errors.

This .htaccess conditional redirect approach is nothing new. It has been actively exploited by hackers for at least couple of years (and Unmask Parasites does a good job of detecting such redirects). And while the .htaccess code in this particular case has some new features (maybe more about it next time), it isn’t the most interesting thing about this attack.
Continue »»

Tweet Week: Sept 14-20, 2009

20 Sep 09   Filed in Tweet Week with Comments Off on Tweet Week: Sept 14-20, 2009

Selected short messages and links you might have missed if you don’t follow me on Twitter.
Continue »»

Dynamic DNS and Botnet of Zombie Web Servers

11 Sep 09   Filed in Website exploits with 44 Comments

It’s always interesting to watch how malware attacks evolve over time.

Since this spring, when I started to distinguish it from other attacks, this hidden iframe injection attack has always been among “leaders”.

  • They started with gambling-related .cn domains (like cheapslotplay .cn).
  • They introduced several new domains names every day so that you couldn’t hardcode them in your scanners. At this point, my records contain several hundred domains used in this attack.
  • They also changed campaign names (parameters they specify in iframe URLs) regularly: mozila, banner, cocacola, pepsi, open, reopen, income.
  • They used port 8080 (presumably to game dumb traffic filters that only inspect traffic on port 80).
  • In the end of July, they started to use 3-letter .ru, .pl, .in and .at domains (e.g. x3y .ru, f7y .at, q5n .in, a3j .pl).
  • And, finally, if you follow me on Twitter, you know that this week I started to notice 3rd-level domains registered with free dynamic DNS services.

Here are the details »»