Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Selected Tweets (Oct-Nov 2011)

21 Nov 11   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

It has been a while since the last Tweet Week. The main reason is that I don’t tweet often enough now to post my tweets every week, and I don’t want to post old news here either.

So what happened? The answer is that I can’t get used to the Twitter web interface – it is so inconvenient. I had to use it when I had some strange problems with my Twitter client (twhirl). Thank God, I’ve finally made my twhirl work, so I hope I will be able to tweet more often.

Anyway, here are some of the latest tweets.
Continue »»

Why Does Google Consider Some Images Malicious?

18 Nov 11   Filed in Tips and Tricks with 2 Comments

The other day I received an email from a webmaster whose site was blacklisted by Google. In Webmaster Tools, he found the following example of a malicious code detected on his site (domain changed):

<img src="http://example .net/images/logos/rssicon.png" />

So why did Google think this image tag was malicious? Can images be malicious? After all, they are not scripts, iframes or embedded executable objects that hackers use to attack web surfers.
Continue »»

Hackers target unpatched WooFramework

24 Aug 11   Filed in Short Attack Reviews with 9 Comments

When Michael VanDeMar mentioned the malicious “googlesafebrowsing .com” domain, I decided to check how exactly it was used in malware attacks. It’s quite a popular trick to mimic Google’s own domains to make malicious code look legitimate. I have a “collection” of several dozen misspelled Google Analytics domains alone that were used for malware distribution. In this case, the domain name was made up rather than misspelled. It refers to Google’s Safe Browsing project and their diagnostic pages, which actually use the google.com domain (as do most other Google services).
Continue »»

Google Image Poisoning. What’s New in June?

29 Jun 11   Filed in Website exploits with 3 Comments

This is the second (more techie) part in the series of posts about a new wave of the Google Image poisoning attack. This part will heavily refer to the detailed description of the attack that I made back in May. Most of the aspects are still true so I will only talk about changes here. If you want to have a complete picture, I suggest that you read the original description first.

Changed doorway behavior

After May 18th, I noticed that doorway pages no longer redirected me anywhere when I clicked on poisoned search results. Neither to bad sites nor to home pages of compromised sites. Instead they displayed the spammy content generated for search engine crawlers only.

That was strange. That could never happen if the old algorithm was still in use.

Then I checked the cache directories (./.log/compromiseddomain.com/) and found new maintenance files there: don.txt and xml.txt. The don.txt file contained the HTML template of the spammy pages and was a replacement for the shab100500.txt file used by the original algorithm. The xml.txt file contained the following string: bG92ZS1ibG9nY29tLm5ldA==, which decodes (base64) to “love-blogcom.net”. It was clear that it was a more secure replacement for xmlrpc.txt, which stored the domain name of a remote malicious server in plain text.

A few days later, the xml.txt file was replaced by xml.cgi, which was a clever step since .cgi files produce server errors when you try to open them in directories that aren’t configured to execute CGI scripts.

So I knew that the doorway script was updated, but I couldn’t understand why the doorways exhibited no malicious behavior when I clicked on hijacked image search results. That didn’t make much sense. What was the purpose of showing those spammy, unintelligible pages without trying to monetize the traffic? The only plausible idea was that they were playing the “long game” and needed some time to have the new pages rank well without the risk of being identified as cloaked or malicious content, and when many pages reached prominent positions in search results they’d start redirecting web searchers to bad sites. Well, that was a working hypothesis until I got the source code of the new doorway script. The reality is that crooks don’t want to play “long games” if they can monetize right away – the new doorway pages did redirect to bad sites, but my virtual environment wasn’t properly configured to trigger the redirects.
Continue – Dissecting the updated Google Image poisoning attack »»

Google Image Poisoning. Mitigation and the New Wave.

23 Jun 11   Filed in General, Short Attack Reviews with 1 Comment

In May, I wrote a big article about my investigation of a massive Google Image poisoning attack. A quick recap: cybercriminals created millions of doorway pages on dozens of thousands of compromised websites. Those pages exploited a flaw in the Google Image search algorithm that made it possible for pages with hot-linked images to hijack the search results of the websites the images actually belonged to. The attack scheme was very efficient, and hundreds of thousands (if not millions) of people clicked on poisoned image search results every day.

Not only did I publish the results of my investigation on my blog, but I also shared a great deal of the gathered information (lists of compromised sites, algorithms, etc.) with Google and antivirus vendors. I hope this made some difference, as I started observing changes literally the next day after the article was published.

In this 2-part series of posts, I will talk about what’s changed since then: specifically, how Google addressed this problem (part I) and how cybercriminals changed the attack scheme (part II).
Continue »»

Two Tweet Weeks: May 30 – June 12, 2011

13 Jun 11   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

SEO poisoning, Mac FakeAV vs PC FakeAV, the state of badware report, Readable SafeBrowsing addon …

Imgaaa .net And Other Blacklisted Domains Used in Google Image Search Poisoning

08 May 11   Filed in Short Attack Reviews with 8 Comments

This is a short follow up on my post about hacked sites that poisoned Google Image search results.

As I mentioned in that post, most compromised sites where hackers created malicious doorway pages contained one of the following images or iframes in their legitimate index pages.
Continue »»

Readable SafeBrowsing Add-on for Firefox 4+

28 Apr 11   Filed in General, Tips and Tricks with 1 Comment

I actively work with Google’s Safe Browsing diagnostic pages. They are a great source of information if you know how to interpret them. I usually read several dozen such diagnostic pages a day. Unfortunately, the readability of the diagnostic pages is quite poor.

To make my life easier, I created a simple script that highlighted important information so that I could see everything I needed at a glance. I had been using that script for more than a year before the recent Firefox 4 upgrade broke it (the technology I used is deprecated now). This was a serious loss for me. Every time I opened Safe Browsing diagnostic pages (several dozen times a day) I missed my script. Even though I knew the page layout very well, it took significantly more effort to extract the same amount of information. The difference was almost the same as what you might feel when you have to use a touchpad instead of a normal mouse.
Continue »»

Tweet Week: April 4-10, 2011

11 Apr 11   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Gumblar was not SQL-injection, WP 3.1.1, download alerts in Chrome, timing warning removal …

Tweet Week: October 25-31, 2010

01 Nov 10   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

New security holes and updates plus things that can help mitigate security issues … »»