msgbartop
Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
msgbarbottom
Loading site search ...

RunForestRun Now Encrypts Legitimate JS Files

A few days ago Jindrich Kubec (Avast) pinged me that the RunForestRun malware changed the domain generating algorithm (DGA) and now uses waw.pl subdomains (instead of .ru) in malicious URLs.

The DGA has changed a bit... it now also generates h.hhrkeezqezsfpelh. waw. pl / runforestrun?sid=botner_api style domains

I decided to take a look at the new scripts and found quite a few very interesting changes. This post will be about those changes.
Continue »»

What’s in your wp-head?

11 Jul 12   Filed in Website exploits with 6 Comments

I first came across this attack in late May of 2012. It had quite a recognizable and frequently updated type of malicious JavaScript code injected in the <head> section of WordPress blogs and iframe URLs generated by this script always ended with top2.html (now rem2.html)

It was a massive infection and many webmasters asked me to help them clean up their sites. I told them how to search for various pattern of malicious files and asked them to provide me with access logs and samples of the malicious code they found on their servers.

At first the hack looked quite mysterious:

  • Webmasters sent me many backdoor files but none of them contained the malicious code I saw in infected web pages.
  • In theme files, the <head> section didn’t contain any malicious code at all.
  • While access logs showed some successful TimThumb attacks, I didn’t see requests to backdoors that updated the malicious code injected into the <head> section (and that code somehow changed every day).
  • And the script injection was quite hard to track since it would usually disappear after the first check. You couldn’t tell whether webmasters really cleaned their sites up or the malware was simply hiding from you.

The mystery was solved when I got access to one of the infected sites.
Continue »»

You Need to Pay For This Crypt. Trial Version of Malware?

07 Mar 12   Filed in Website exploits with 5 Comments

According to the Betteridge’s Law of HeadlinesAny headline which ends in a question mark can be answered by the word ‘no’“. Nonetheless, I use this type of a headline for this post because this was the question I asked myself when I came across the following attack.
Continue »»

Lorem Ipsum and Twitter Trends in Malware

26 Jan 12   Filed in Website exploits with 5 Comments

A couple of years ago I wrote about malware attacks that used Twitter API to generate domain names for their malicious sites using trending topics as keys in the domain generating algorithm.

  • Each domain was in use for a few hours only
  • The next domain names would become available just a few hours before the malicious scripts on hacked sites begin to use them.

Since 2009, I’ve seen many revisions of that attack. It has never been the most prevalent issue but as far as I can tell it constantly evolves and mutates. The recent update of the malicious script injected by this attack looked quite interesting and I decided to find out what has changed since late 2009.
Continue »»

Ciscotred .cz .cc – Joomla Hack

08 Aug 11   Filed in Short Attack Reviews with 5 Comments

During the last few days I’ve noticed an increased number of websites that redirect search traffic to ciscotred .cz .cc. The typical Unmask Parasites report looks like this:

ciscotred .cz.cc redirect detected

Continue »»

Versatile .CC Attacks

02 Mar 11   Filed in Website exploits with 28 Comments

A few days ago I tweeted that “this year the most popular TLD for malicious sites is .CC“. I conducted some research on the most prevalent attacks that use the .CC TLD and now want to elaborate on what is going on.
Continue »»

Injected Script Loads Host.exe Using Hidden Iframes and Java Applets

Today, I can see many blacklisted sites where Google report one of the following three domains as a source of the problem:

  • aubreyserr .com
  • medien-verlag .de
  • yennicq .be

E.g.

Malicious software is hosted on 1 domain(s), including medien-verlag.de/.

The attack is quite interesting so I decided to share results of my initial investigation here.
Continue »»

Two Malware Trends Combined in One Attack

06 Oct 10   Filed in Website exploits with 8 Comments

Two of the major trends in malware attacks described on this blog this summer were the use of hijacked DNS records of legitimate domains and continuous attacks against sites on MediaTemple and RackSpace. In the end of this September, I noticed a new attack that combined these two trends.

At higher level, this attack is no different from many preceding variations that hit MediaTemple. It prepends malicious code to the first line of some existing .js files or injects it inside the <ads>…</ads> tags at the bottom of HTML code of legitimate web pages.

However, soon you notice new techniques.
Continue »»

Geezter, Qawfer and Other Malicious Iframes From 121 .156 .57 .184

This is a short post about one of the ongoing attacks. It injects the following script [usually] at the very bottom of the HTML
Continue »»

“Inlovebot” and “Crazymasya” Iframes on RackSpace

19 Sep 10   Filed in Website exploits with 5 Comments

A few days ago I noticed a new mass infection of sites on RackSpace. It mostly affects WordPress blogs and sites hosted under the same account with WordPress blogs.

Hackers create malicious .js files in some subdirectory of the compromised sites and inject links to those .js files into website pages.
Continue »»