Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

NewGeoCheck.js and Malicious AddThiss .net Iframe

19 May 10   Filed in Website exploits with 4 Comments

Yesterday, I checked one site that had the following text on its Google Safe Browsing diagnostic page:

Malicious software is hosted on 1 domain(s), including addthiss .net/.

Unmask Parasites didn’t detect anything suspicious but a quick manual check revealed the following script tag right after the <body> tag in every web page:

<sc ript type="text/javascript" src="newgeocheck.js"></script>

(Unmask Parasites doesn’t check .js files, so it’s no wonder it couldn’t detect the source of the problem.)

This script loaded an invisible iframe from addthiss .net.

<i frame width="1" height="1" frameborder="0" scrolling="no" marginwidth="0" marginheight="0" style="" src="hxxp://addthiss .net/ in.cgi?8"></iframe>
Here goes the real investigation »»

Tweet Week: Feb 8-14, 2010

15 Feb 10   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

security updates, phpMyAdmin, FTP and cPanel, etc. »»

Tweet Week: Jan 25-31, 2010

31 Jan 10   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

This week is packed with interesting links and notes »»

From Hidden Iframes to Obfuscated Scripts

23 Dec 09   Filed in Website exploits with 52 Comments

In December, I noticed that the ubiquitous hidden iframes that have been the prevailing site hack this year seemed to have gone. Unmask Parasites finds them on very few sites now. And even on infected sites, I see only old domains, while this attack is known for introducing at least one new domain every day and for frequently updating the iframe code on infected sites.

At the same time, I noticed a new type of obfuscated script injected into hacked websites. And I believe it’s a new incarnation of the same attack that previously injected hidden iframes.
Here’s the story »»

Evolution of Hidden Iframes

28 Oct 09   Filed in Website exploits with 12 Comments

Injecting hidden malicious iframes into compromised legitimate websites is one of the most popular types of malware attacks. Invisible iframes allow attackers to silently load exploits from “bad” sites while unsuspecting web surfers browse the visible content of infected websites.

Iframes are rectangular elements of web pages where you can load other web pages, either from the same site or from some third-party site (in other words, a web page inside a web page). There are many legitimate uses of iframes. The most common is ad blocks (e.g. Google displays AdSense in iframes).

Hiding iframes

As said above, iframes are rectangular elements and they occupy some space on web pages. So how do hackers make them invisible?
Continue »»

Revenge of Gumblar Zombies

23 Oct 09   Filed in Website exploits with 50 Comments

Do you remember Gumblar? The massive hacker attack that managed to infect more than a hundred thousand legitimate web sites in a very short time this May? The infection was relatively easy to detect but very hard to completely get rid of. It infected various types of files and created backdoor scripts in inconspicuous places of websites so that hackers could easily restore the malicious content.

The gumblar .cn site (and its immediate successor martuz .cn) had been promptly shut down. As a result, the malicious script injected into hacked websites became harmless for site visitors. However, many webmasters failed to properly clean up their sites after the Gumblar infection, leaving the backdoor scripts intact. It was predicted that hackers would find a way to utilize this army of potentially controllable websites. Now, five months later, we see a new surge of a massive attack that resembles Gumblar in many aspects.
Continue »»

10 FTP Clients Malware Steals Credentials From

23 Sep 09   Filed in Tips and Tricks with 20 Comments

This year, most successful malware attacks against legitimate websites used stolen FTP credentials. I always suggest that you don’t store passwords in your FTP programs where they are easily accessible by any program running on your computer (including malware). For example, in FileZilla, FTP passwords are stored as plain text in configuration files. And FileZilla is not the only FTP client malware authors target in their hunt for website credentials.

In the recent post about the Quicksilver malware network, you can read that the trojan behind the infamous iframe injection attack “looks for all kinds of configuration files of ftp programs in their default install paths”. I contacted the researcher and asked if he had a full list of the FTP clients this malware looks for.
And here’s the list »»

Tweet Week: Sept 14-20, 2009

20 Sep 09   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.
Continue »»

Beware: FileZilla Doesn’t Protect Your Passwords

01 Sep 09   Filed in Tips and Tricks with 39 Comments

2009 is the year of malware attacks that use stolen FTP credentials to infect legitimate web sites. Hundreds of thousands of websites have been hacked this way and suffered from hidden iframe injections, Gumblar, redirections to bogus anti-virus sites, etc.

The success of those attacks is based on the fact that a significant percentage of web surfers are webmasters and site owners themselves. Once a computer of a site owner is infected, malware can steal his/her FTP credentials and use them to make the site distribute malware to unsuspecting visitors, who, in turn, may also be site owners. As a result, we see rapid growth in the number of compromised websites.

There are quite a few hypotheses about how cybercriminals steal the credentials: traffic sniffing, using keyloggers, etc. But the most viable is that trojans simply extract everything they need from configuration files of popular FTP programs. Let me show how easily it can be done.
Continue »»