msgbartop
Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
msgbarbottom
Loading site search ...

Darkleech Update – November 2014

Just wanted to document some latest changes in Darkleech behavior that may help you detect it.

I’d like to thank internet security enthusiasts who share their findings with me. Without you, I could have easily missed these new (?) details.

Quick recap

Darkleech is a root level server infection that installs malicious Apache modules. The modules inject invisible iframes into server response when it is already prepared (linebreaks added for readability).

<style>.a4on6mz5h { position:absolute; left:-1376px; top:-1819px} </style> <div class="a4on6mz5h">
<ifr ame src="hxxp://tfmjst .hopto .org/nsiumkogckv1tv4locfzyv2eykqss9ltfb9wnmhfqz1ol2" width="247" height="557"></ifram e></div>

All the elements of this code are random and auto-generated on the fly (style name, coordinates, iframe diminsions, URL paths). Moreover, the iframe domains change every few minutes — lately hackers prefer free No-IP.com dynamic DNS hostnames like hopto.org, ddns.net, myftp.biz, myftp.org, serveftp.com, servepics.com, etc.

This infection is hard to detect as it only shows up once per IP per day (or maybe even more seldom). And since it works on a low system level, it can detect if server admins are logged in, so it lurks until they log out — this means that they won’t see anything even if they monitor outgoing TCP traffic.

For more details, please check the links at the bottom of this post.
What’s new? »»

Dynamic DNS and Botnet of Zombie Web Servers

11 Sep 09   Filed in Website exploits with 44 Comments

It’s always interesting to watch how malware attacks evolve over time.

Since this spring, when I started to distinguish it from other attacks, this hidden iframe injection attack has always been among “leaders”.

  • They started with gambling-related .cn domains (like cheapslotplay .cn).
  • They introduced several new domains names every day so that you couldn’t hardcode them in your scanners. At this point, my records contain several hundred domains used in this attack.
  • They also changed campaign names (parameters they specify in iframe URLs) regularly: mozila, banner, cocacola, pepsi, open, reopen, income.
  • They used port 8080 (presumably to game dumb traffic filters that only inspect traffic on port 80).
  • In the end of July, they started to use 3-letter .ru, .pl, .in and .at domains (e.g. x3y .ru, f7y .at, q5n .in, a3j .pl).
  • And, finally, if you follow me on Twitter, you know that this week I started to notice 3rd-level domains registered with free dynamic DNS services.

Here are the details »»