msgbartop
Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
msgbarbottom
Loading site search ...

Pqshow .org Scripts – New Plague On MediaTemple Sites

14 Aug 10   Filed in Website exploits with 19 Comments

New week — new attack on MediaTemple-hosted sites.

Almost everything remains the same as in the last week’s attack I described here. The only difference is the new script and the new remote malicious site – bl .pqshow .org.
Continue »»

Malicious “ads” and “bars” on RackSpace & MediaTemple

08 Aug 10   Filed in Website exploits with 21 Comments

Right before this week-end I noticed an increased number of sites hosted on MediaTemple and RackSpace coming to Unmask Parasites with the same problem — their sites are blocked by Google and their diagnostic pages mention the following five domains: “myads .name“, “adsnet .biz“, “toolbarcom .org“, “mybar .us“, “freead .name“.
Continue »»

NewGeoCheck.js and Malicious AddThiss .net Iframe

19 May 10   Filed in Website exploits with 4 Comments

Yesterday, I checked one site that had the following text on its Google Safe Browsing diagnostic page:

Malicious software is hosted on 1 domain(s), including addthiss .net/.

Unmask Parasites didn’t detect anything suspicious but a quick manual check revealed the following script tag right after the <body> tag in every web page:

<sc ript type="text/javascript" src="newgeocheck.js"></script>

(Unmask Parasites doesn’t check .js file, so no wonder it couldn’t detect the source of the problem)

This script loaded an invisible iframe form addthiss .net.

<i frame width="1" height="1" frameborder="0" scrolling="no" marginwidth="0" marginheight="0" style="" src="hxxp://addthiss .net/ in.cgi?8"></iframe>
Here goes the real investigation »»

Network Solutions and WordPress Security Flaw

11 Apr 10   Filed in Website exploits with 48 Comments

I first noticed this hidden iframe from hxxp://networkads .net/ grep/ on April 7. It instantly drew my attention with these weird “iframe_style” scripts in Unmask Parasites reports (I even thought it was a bug in Unmask Parasites, but when I checked the infected site, I found those scripts there).

weird scripts

However it was a single incident and I didn’t see any obvious pattern back then. Two days later, when I noticed David’s (Sucuri Security) article about this very issue and the follow-up by Brian Krebs, I decided to take a closer look at it. What I found is quite interesting and raises a few serious questions about security of websites on shared servers.
Continue »»

From Hidden Iframes to Obfuscated Scripts

23 Dec 09   Filed in Website exploits with 52 Comments

In December, I noticed that ubiquitous hidden iframes that have been the prevailing site hack this year seemed to have gone. Unmask Parasites finds them on very few sites now. And even on infected sites, I see only old domains, while this attack is known for introducing at least one new domain every day and for frequently updating the iframe code on infected sites.

At the same time I noticed a new type of obfuscated scripts injected into hacked websites. And I believe it’s a new incarnation of the same attack that previously injected hidden iframes.
Here’s the story »»

Intermediaries to Torpig Attack Sites

15 Dec 09   Filed in Website exploits with 1 Comment

In the previous post, I reviewed a website hack that injected malicious scripts that used Twitter API to generated domain names for attack sites. Domain names of the attack sites changed two times a day.

However since the malicious script works on the client side, the algorithm of the domain name generator can be easily extracted and used to predict upcoming malicious domains. To demonstrate this, I created my online “Torpig Domain Generator” that displays the currently used attack site and two domains of upcoming attack sites. It’s been working for mre than a week now and so far it is very accurate (For unknown reason hackers didn’t activate malicious domains this past Saturday, but infected sites still redirected to the same domains predicted by my generator.)

The fact that the algorithm is open and domain names of the upcoming malicious sites are known even before hackers register them means that any one who wants to stop the attack can pre-register those domains (so far it looks like no one have spare $20/day for this). The same algorithm can be used to proactively blacklist malicious domain names.

I’m sure hackers are aware of these downsides of open algorithms. Now they are trying to take advantage of the frequently changing pseudorandom domain names hiding the algorithm of the domain name generator behind intermediary servers-redirectors.
Here’s the story »»

Twitter API Still Attracts Hackers

09 Dec 09   Filed in Website exploits with 8 Comments

A few weeks ago I blogged about hacked sites where malicious scripts used Twitter API to generate domains of new attack sites and trigger “drive-by” downloads.

As you might remember, I mentioned that the script was buggy (failed to work on certain days) and the approach didn’t look viable in the long term since it required that hackers manually register one new domain name every day. As a result, in November, this vector looked abandoned (I couldn’t find active and even registered malicious domains).

However, hackers seem to be die-hard fans of Twitter and don’t want to give up on the idea.

A few days ago I found a blacklisted site, where search.twitter.com was mentioned as an intermediary in malware distribution. Safe Browsing diagnostic pages also mentioned fresh (beginning of December) malicious domains that were definitely generated by the above-mentioned script. No wonder, on the infected site I found the familiar script. Actually, it was not the same script. It was an improved version of that script.
So what’s new? »»

Hackers Use Twitter API To Trigger Malicious Scripts

11 Nov 09   Filed in Website exploits with 5 Comments

To improve my Unmask Parasites online service I regularly visit compromised sites and analyze malicious content cybercriminals inject into legitimate web pages. I have to admit that hackers are very creative and I learn new tricks every week.

Today, I’ve found an interesting obfuscated script that used Twitter API to trigger malicious process.
Here’s the story »»

Ncccnnnc .cn – Warning: Not Opera Only

15 Oct 09   Filed in Website exploits with 11 Comments

This is just a quick post to let you know about a new type of server-wide script-injection attack I’ve just discovered.

I found this post on a phpBB forum and decided to check the infected site with Unmask Parasites. The tool reported a suspicious script:
Continue »»

Martuz .cn – New Incarnation of the Gumblar Exploit. So What’s New?

18 May 09   Filed in General, Website exploits with 40 Comments

Gumblar is dead

Many people have noticed that “gumblar .cn” no longer resolve. The site cannot be accessed. Thus the gumblar script is no longer able to load the malicious payload and infect new computers and websites. Great!

Meet the Martuz

The loss of the gumblar .cn domain name can’t stop hackers. They have slightly modified the script and now inject a new version that loads malicious content from a new domain – martuz .cn (95 .129 .145 .58)
Continue »»