Web of Koobface
This research is provoked by the following blogpost of Joshua Long where he lists domain names used by Koobface. Generally, I focus on website hacks and don’t research malware distributed via email spam and social networks (Koobface is an anagram of Facebook). However that list showed me how legitimate hacked sites were integrated into Koobface scheme and I decided to try to investigate how the whole thing worked.
Joshua’s list was a good starting point. I saw multiple rogue blogspot blogs that followed the same pattern and multiple compromised sites where those blogs redirected to. For some reason, most of the functionality of the malicious pages on the hacked sites is implemented as a client-side JavaScript, so I could easily retrieve and analyze those scripts. They provided me with very interesting details about the internals of the attack: sites it expected as referrers and usage of infected PCs. As a result I came up to the following scheme:
Koobface attack flow and other details »»
Tweet Week: Nov 9-15, 2009
Selected short messages and links you might have missed if you don’t follow me on Twitter.
Revenge of Gumblar Zombies
Do you remember Gumblar? The massive hacker attack that managed to infect more than a hundred thousand legitimate web sites in a very short time this May? The infection was relatively easy to detect but very hard to completely get rid of. It infected various types of files and created backdoor scripts in inconspicuous places of websites so that hackers could easily restore the malicious content.
The gumblar .cn site (and its immediate successor martuz .cn) had been promptly shut down. As a result,the malicious script injected into hacked websites became harmless for site visitors. However, many webmasters failed to properly clean up their sites after the Gumblar infection, leaving the backdoor scripts intact. It was predicted that hackers would find the way to utilize this army of potentially controllable websites. Now, five months later, we see a new surge of a massive attack that resembles Gumblar in many aspects.
Continue »»
10 FTP Clients Malware Steals Credentials From
This year, most successful malware attacks against legitimate websites used stolen FTP credentials. I always suggest that you don’t store passwords in your FTP programs where they are easily accessible by any program running on your computer (including malware). For example, in FileZilla, FTP passwords are stored as plain text in configuration files. And FileZilla is not the only FTP client malware authors target in their hunt for website credentials.
In the recent post about Quicksilver malware network, you can read that the trojan behind the infamous iframe injection attack “looks for all kinds of configuration files of ftp programs in their default install paths“. I contacted the researcher and asked if he had a full list of the FTP clients this malware looks for.
And here’s the list »»
Beware: FileZilla Doesn’t Protect Your Passwords
2009 is the year of malware attacks that use stolen FTP credentials to infect legitimate web sites. Hundreds of thousands websites have been hacked this way and suffered from hidden iframe injections, Gumblar, redirections to bogus anti-virus sites, etc.
The success of those attacks is based on the fact that a significant percentage of web surfer are webmasters and site owners themselves. Once a computer of a site owner is infected, malware can steal his/her FTP credentials and use them to make the site distribute malware to unsuspecting visitors, who, in turn, may also be site owners. As a result, we see rapid growth in number of compromised websites.
There are quite a few hypotheses about how cibercriminals steal the credentials: traffic sniffing, using keyloggers, etc. But the most viable is that trojans simply extract everything they need from configuration files of popular FTP programs. Let me show how easy it can be done.
Continue »»
About this blog
Occasional posts from the developer of
Unmask Parasites about things that hackers already know and site owners should know (if they don't want to be victims).
Exploit reviews, security tips, and all that jazz.
