Selected short messages and links you might have missed if you don’t follow me on Twitter.
Injecting hidden malicious iframes into compromised legitimate websites is one of the most popular types of malware attacks. Invisible iframes silently load exploits from “bad” sites while unsuspecting web surfers browse the visible content of infected websites.
Iframes are rectangular elements of webpages in which you can load other web pages, either from the same site or from some third-party site (in other words: a webpage inside a webpage). There are many legitimate uses of iframes. The most common is ad blocks (e.g. Google displays AdSense in iframes).
Iframes are said to be rectangular elements that occupy some space on web pages. So how do hackers make them invisible?
Continue »»
Do you remember Gumblar? The massive hacker attack that managed to infect more than a hundred thousand legitimate web sites in a very short time this May? The infection was relatively easy to detect but very hard to get rid of completely. It infected various types of files and created backdoor scripts in inconspicuous locations on websites so that hackers could easily restore the malicious content.
The gumblar .cn site (and its immediate successor martuz .cn) had been promptly shut down. As a result, the malicious script injected into hacked websites became harmless for site visitors. However, many webmasters failed to properly clean up their sites after the Gumblar infection, leaving the backdoor scripts intact. It was predicted that hackers would find a way to utilize this army of potentially controllable websites. Now, five months later, we see a new surge of a massive attack that resembles Gumblar in many aspects.
Continue »»
This year, most successful malware attacks against legitimate websites used stolen FTP credentials. I always suggest that you don’t store passwords in your FTP programs where they are easily accessible by any program running on your computer (including malware). For example, in FileZilla, FTP passwords are stored as plain text in configuration files. And FileZilla is not the only FTP client malware authors target in their hunt for website credentials.
In a recent post about the Quicksilver malware network, you can read that the trojan behind the infamous iframe injection attack “looks for all kinds of configuration files of ftp programs in their default install paths”. I contacted the researcher and asked if he had a full list of the FTP clients this malware looks for.
And here’s the list »»
Selected short messages and links you might have missed if you don’t follow me on Twitter.
Continue »»
2009 is the year of malware attacks that use stolen FTP credentials to infect legitimate web sites. Hundreds of thousands of websites have been hacked this way and suffered from hidden iframe injections, Gumblar, redirections to bogus anti-virus sites, etc.
The success of those attacks is based on the fact that a significant percentage of web surfers are webmasters and site owners themselves. Once a site owner's computer is infected, malware can steal his/her FTP credentials and use them to make the site distribute malware to unsuspecting visitors, who, in turn, may also be site owners. As a result, we see rapid growth in the number of compromised websites.
There are quite a few hypotheses about how cybercriminals steal the credentials: traffic sniffing, using keyloggers, etc. But the most viable is that trojans simply extract everything they need from the configuration files of popular FTP programs. Let me show how easily it can be done.
Continue »»