msgbartop
Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
msgbarbottom
Loading site search ...

Why Does Google Consider Some Images Malicious?

18 Nov 11   Filed in Tips and Tricks with 2 Comments

The other day I received an email from a webmaster whose site was blacklisted by Google. In Webmaster Tools, he found the following example of a malicious code detected on his site (domain changed):

<img src="http://example .net/images/logos/rssicon.png" />

So why did Google think this image tag was malicious? Can images be malicious? After all they are not scripts, iframes or embedded executable objects that that hackers use to attack web surfers.
Continue »»

Two Tweet Weeks: July 25 – August 7, 2011

08 Aug 11   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Crisis in Fake AV industry, story about incompetent security auditor, zero-day in WordPress themes, osCommerce hack, and many more »»

Google Image Poisoning. What’s New in June?

29 Jun 11   Filed in Website exploits with 3 Comments

This is the second (more techie) part in the series of posts about a new wave of the Google Image poisoning attack. This part will heavily refer to the detailed description of the attack that I made back in May. Most of the aspects are still true so I will only talk about changes here. If you want to have a complete picture, I suggest that you read the original description first.

Changed doorway behavior

After May 18th, I noticed that doorway pages no longer redirected me anywhere when I clicked on poisoned search results. Neither to bad sites nor to home pages of compromised sites. Instead they displayed the spammy content generated for search engine crawlers only.

That was strange. That could never happen if the old algorithm was still in use.

Then I checked the cache directories (./.log/compromiseddomain.com/) and found new maintenance files there: don.txt and xml.txt. The don.txt file contained HTML template of spammy pages and was a replacement for the shab100500.txt file used by the original algorithm. The xml.txt contained the following string: bG92ZS1ibG9nY29tLm5ldA==, which decoded (base64) to “love-blogcom.net“. It was clear it was a more secure replacement for xmlrpc.txt that stored the domain name of a remote malicious server in plain text.

A few days later, the xml.txt files was replaced by xml.cgi, which was a clever step since .cgi files produce server errors when you try to open them in directories that aren’t configured to execute CGI scripts.

So I knew that the doorway script was updated, but I couldn’t understand why the doorways exhibited no malicious behavior when I clicked on hijacked image search results. That didn’t make much sense. What was the purpose of showing those spammy unintelligible pages without trying to monetize the traffic? The only plausible idea was they were playing the “long game” and needed some time to have the new pages rank well without risks of being identified as cloaked or malicious content, and when many pages reach prominent positions in search results they’ll start redirect web searchers to bad sites. Well, that was a working hypothesis until I got the source code of the new doorway script. The reality is crooks don’t want to play “long games” if they can monetize right away – the new doorway pages did redirect to bad site but my virtual environment wasn’t properly configured to trigger the redirects.
Continue – Dissecting the updated Google Image poisoning attack »»

Tweet Week: April 4-10, 2011

11 Apr 11   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Gumblar was not SQL-injection, WP 3.1.1, download alerts in Chrome, timing warning removal …

Tweet Week: March 28 – April 3, 2011

04 Apr 11   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

CSP in Firefox 4, plugin check in Google Chrome, LizaMoon, Google human autocompleters …

Tweet Week: April 19-25, 2010

26 Apr 10   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Malware info in Webmaster Tools, StopBadware Stories, links from Matt Cutts and Brian Krebs, etc. »»

Future of Secure Web Browsing

08 Jul 09   Filed in General with 1 Comment

Google Chrome OS

This week Google announced that they are working on a new open source, lightweight operating system that will initially be targeted at netbooks – Google Chrome OS. That’s right. It’s a Google Chrome browser running on top of Linux kernel. Netbooks running Google Chrome OS should be available in the second half of 2010. (BTW, will European Union rule Google exclude Google Chrome browser from the default installation of a Google Chrome OS? )

They are going to completely redesign the underlying security architecture of the OS so that users don’t have to deal with viruses, malware and security updates. As far as I understand the concept, everything should be stored and executed on the web, so traditional malware won’t work on such a OS. On the other hand, I envision criminals somehow make Chrome users subscribe to their malicious web services.
Continue »»

Martuz .cn – New Incarnation of the Gumblar Exploit. So What’s New?

18 May 09   Filed in General, Website exploits with 40 Comments

Gumblar is dead

Many people have noticed that “gumblar .cn” no longer resolve. The site cannot be accessed. Thus the gumblar script is no longer able to load the malicious payload and infect new computers and websites. Great!

Meet the Martuz

The loss of the gumblar .cn domain name can’t stop hackers. They have slightly modified the script and now inject a new version that loads malicious content from a new domain – martuz .cn (95 .129 .145 .58)
Continue »»