Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Tweet Week: March 22-28, 2010

28 Mar 10   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Open X hack, Firefox 0-day + NoScript + update, Scareware + Zeus … »»

Internals of Rogue Blogs

17 Mar 10   Filed in Website exploits with 4 Comments

Back in November, I wrote about rogue blogs created in subdirectories of legitimate websites. The blogs poisoned Google search results for millions of relatively unpopular keywords (the long tail), redirecting visitors to scareware websites. This hack mainly affected sites hosted on the Servage network.

Recently I was contacted by one of Servage's clients, who found his sites hacked:

I noticed the anomalous traffic to domains that are essentially either completely parked or just used for email addresses (SMTP forwarding rather than anything ‘clever’ with webmail). That led me to the file structures, and a quick Google search led me to your site.

He sent me the offending files he found under his account (thanks, Matthew). Now I can share my analysis of the files with you.

Tweet Week: March 1-7, 2010

07 Mar 10   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Google notifications, security patches, malicious PHP code … »»

Web of Koobface

27 Feb 10   Filed in Website exploits with 5 Comments

This research was prompted by the following blog post by Joshua Long, in which he lists domain names used by Koobface. Generally, I focus on website hacks and don’t research malware distributed via email spam and social networks (Koobface is an anagram of Facebook). However, that list showed me how legitimately owned hacked sites were integrated into the Koobface scheme, and I decided to investigate how the whole thing worked.

Joshua’s list was a good starting point. I saw multiple rogue blogspot blogs that followed the same pattern and multiple compromised sites to which those blogs redirected. For some reason, most of the functionality of the malicious pages on the hacked sites is implemented as client-side JavaScript, so I could easily retrieve and analyze those scripts. They provided me with very interesting details about the internals of the attack: the sites it expected as referrers and the way infected PCs were used. As a result, I came up with the following scheme:
Koobface attack flow and other details »»

Tweet Week: Dec 21-27, 2009

28 Dec 09   Filed in Tweet Week with 1 Comment

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Dec 23, 2009

Christmas theme: who-is-santa-2010 (dot) com – domain name of one scareware site

Dec 24, 2009

Response to my blog post from LeaseWeb

Dec 25, 2009

Sophos on the “GNU GPL” malicious script (Troj/JSRedir-AK)

If you want more real-time experience, you can follow @UnmaskParasites on Twitter.


Tweet Week: Dec 14-20, 2009

20 Dec 09   Filed in Tweet Week with 1 Comment

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Updates: WP 2.9 and FF 3.5.6, Adobe vulnerability, scareware and $150m, plus an insightful discussion »»

Rogue blogs redirect search traffic to bogus AV sites. Part 1.

26 Nov 09   Filed in Website exploits with 8 Comments

As I tweeted a few days ago, I gathered a lot of interesting information about this case. So, to make the post readable, I’ve broken it down into two parts. The first part is about how rogue blogs work, and the second part is about the different generations of this black hat campaign and about the connection with the Servage hosting provider.

A few days ago, I stumbled upon a great post in which the guys from the Cyveillance blog wrote about a massive poisoning of Google search results. Well worth reading.
Here is a brief summary of their post followed by my own findings »»