Loading site search ...
A few days ago Jindrich Kubec (Avast) pinged me that the RunForestRun malware changed the domain generating algorithm (DGA) and now uses waw.pl subdomains (instead of .ru) in malicious URLs.
I decided to take a look at the new scripts and found quite a few very interesting changes. This post will be about those changes.
Continue »»
I first came across this attack in late May of 2012. It had quite a recognizable and frequently updated type of malicious JavaScript code injected in the <head> section of WordPress blogs and iframe URLs generated by this script always ended with top2.html (now rem2.html)
It was a massive infection and many webmasters asked me to help them clean up their sites. I told them how to search for various pattern of malicious files and asked them to provide me with access logs and samples of the malicious code they found on their servers.
At first the hack looked quite mysterious:
- Webmasters sent me many backdoor files but none of them contained the malicious code I saw in infected web pages.
- In theme files, the <head> section didn’t contain any malicious code at all.
- While access logs showed some successful TimThumb attacks, I didn’t see requests to backdoors that updated the malicious code injected into the <head> section (and that code somehow changed every day).
- And the script injection was quite hard to track since it would usually disappear after the first check. You couldn’t tell whether webmasters really cleaned their sites up or the malware was simply hiding from you.
The mystery was solved when I got access to one of the infected sites.
Continue »»
According to the Betteridge’s Law of Headlines “Any headline which ends in a question mark can be answered by the word ‘no’“. Nonetheless, I use this type of a headline for this post because this was the question I asked myself when I came across the following attack.
Continue »»
During the last few days I’ve noticed an increased number of websites that redirect search traffic to ciscotred .cz .cc. The typical Unmask Parasites report looks like this:
Continue »»
A few days ago I tweeted that “this year the most popular TLD for malicious sites is .CC“. I conducted some research on the most prevalent attacks that use the .CC TLD and now want to elaborate on what is going on.
Continue »»
Today, I can see many blacklisted sites where Google report one of the following three domains as a source of the problem:
- aubreyserr .com
- medien-verlag .de
- yennicq .be
E.g.
Malicious software is hosted on 1 domain(s), including medien-verlag.de/.
The attack is quite interesting so I decided to share results of my initial investigation here.
Continue »»
Two of the major trends in malware attacks described on this blog this summer were the use of hijacked DNS records of legitimate domains and continuous attacks against sites on MediaTemple and RackSpace. In the end of this September, I noticed a new attack that combined these two trends.
At higher level, this attack is no different from many preceding variations that hit MediaTemple. It prepends malicious code to the first line of some existing .js files or injects it inside the <ads>…</ads> tags at the bottom of HTML code of legitimate web pages.
However, soon you notice new techniques.
Continue »»
This is a short post about one of the ongoing attacks. It injects the following script [usually] at the very bottom of the HTML
Continue »»
A few days ago I noticed a new mass infection of sites on RackSpace. It mostly affects WordPress blogs and sites hosted under the same account with WordPress blogs.
Hackers create malicious .js files in some subdirectory of the compromised sites and inject links to those .js files into website pages.
Continue »»
