msgbartop
Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
msgbarbottom
Loading site search ...

Lorem Ipsum and Twitter Trends in Malware. Update.

18 Feb 12   Filed in Website exploits with 4 Comments

A few weeks ago I published an article about an attack that hosted malware on a fast flux network of infected PCs and used a clever algorithm based on Twitter trends to generate four new hard-to-predict domain names every day.

Shortly after that I was contacted by foks, who shared some interesting information. He conducted his own investigation and found out how hackers injected those scripts into legitimate web pages. He also found a new (buggy) version of the malicious script.
Continue »»

Lorem Ipsum and Twitter Trends in Malware

26 Jan 12   Filed in Website exploits with 5 Comments

A couple of years ago I wrote about malware attacks that used Twitter API to generate domain names for their malicious sites using trending topics as keys in the domain generating algorithm.

  • Each domain was in use for a few hours only
  • The next domain names would become available just a few hours before the malicious scripts on hacked sites begin to use them.

Since 2009, I’ve seen many revisions of that attack. It has never been the most prevalent issue but as far as I can tell it constantly evolves and mutates. The recent update of the malicious script injected by this attack looked quite interesting and I decided to find out what has changed since late 2009.
Continue »»

Tweet Week: September 20-26, 2010

27 Sep 10   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Twitter XSS, Google New, ASP.Net vulnerability, FTP via KeePass automation … »»

Intermediaries to Torpig Attack Sites

15 Dec 09   Filed in Website exploits with 1 Comment

In the previous post, I reviewed a website hack that injected malicious scripts that used Twitter API to generated domain names for attack sites. Domain names of the attack sites changed two times a day.

However since the malicious script works on the client side, the algorithm of the domain name generator can be easily extracted and used to predict upcoming malicious domains. To demonstrate this, I created my online “Torpig Domain Generator” that displays the currently used attack site and two domains of upcoming attack sites. It’s been working for mre than a week now and so far it is very accurate (For unknown reason hackers didn’t activate malicious domains this past Saturday, but infected sites still redirected to the same domains predicted by my generator.)

The fact that the algorithm is open and domain names of the upcoming malicious sites are known even before hackers register them means that any one who wants to stop the attack can pre-register those domains (so far it looks like no one have spare $20/day for this). The same algorithm can be used to proactively blacklist malicious domain names.

I’m sure hackers are aware of these downsides of open algorithms. Now they are trying to take advantage of the frequently changing pseudorandom domain names hiding the algorithm of the domain name generator behind intermediary servers-redirectors.
Here’s the story »»

Twitter API Still Attracts Hackers

09 Dec 09   Filed in Website exploits with 8 Comments

A few weeks ago I blogged about hacked sites where malicious scripts used Twitter API to generate domains of new attack sites and trigger “drive-by” downloads.

As you might remember, I mentioned that the script was buggy (failed to work on certain days) and the approach didn’t look viable in the long term since it required that hackers manually register one new domain name every day. As a result, in November, this vector looked abandoned (I couldn’t find active and even registered malicious domains).

However, hackers seem to be die-hard fans of Twitter and don’t want to give up on the idea.

A few days ago I found a blacklisted site, where search.twitter.com was mentioned as an intermediary in malware distribution. Safe Browsing diagnostic pages also mentioned fresh (beginning of December) malicious domains that were definitely generated by the above-mentioned script. No wonder, on the infected site I found the familiar script. Actually, it was not the same script. It was an improved version of that script.
So what’s new? »»

Tweet Week: Nov 30 – Dec 6, 2009

06 Dec 09   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

IE and Typo3 vulnerabilities, WordPress attack, Twitter API in malicious scripts »»

Tweet Week: Nov 9-15, 2009

15 Nov 09   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

WordPress, Twitter, passwords, gumblar … »»

Hackers Use Twitter API To Trigger Malicious Scripts

11 Nov 09   Filed in Website exploits with 5 Comments

To improve my Unmask Parasites online service I regularly visit compromised sites and analyze malicious content cybercriminals inject into legitimate web pages. I have to admit that hackers are very creative and I learn new tricks every week.

Today, I’ve found an interesting obfuscated script that used Twitter API to trigger malicious process.
Here’s the story »»