A few weeks ago I published an article about an attack that hosted malware on a fast flux network of infected PCs and used a clever algorithm based on Twitter trends to generate four new hard-to-predict domain names every day.
Shortly after that I was contacted by foks, who shared some interesting information. He conducted his own investigation and found out how hackers injected those scripts into legitimate web pages. He also found a new (buggy) version of the malicious script.
A couple of years ago I wrote about malware attacks that used Twitter API to generate domain names for their malicious sites using trending topics as keys in the domain generating algorithm.
- Each domain was in use for a few hours only
- The next domain names would become available only a few hours before the malicious scripts on hacked sites began to use them.
Since 2009, I’ve seen many revisions of that attack. It has never been the most prevalent issue, but as far as I can tell it constantly evolves and mutates. The recent update of the malicious script injected by this attack looked quite interesting, and I decided to find out what has changed since late 2009.
27 Sep 10 · Filed in Tweet Week · Tweet Week: September 20-26, 2010 · Comments Off
Selected short messages and links you might have missed if you don’t follow me on Twitter.
Twitter XSS, Google New, ASP.Net vulnerability, FTP via KeePass automation … »»
15 Dec 09 · Filed in Website exploits · 1 Comment
In the previous post, I reviewed a website hack that injected malicious scripts that used the Twitter API to generate domain names for attack sites. The domain names of the attack sites changed twice a day.
However, since the malicious script works on the client side, the algorithm of the domain name generator can be easily extracted and used to predict upcoming malicious domains. To demonstrate this, I created my online “Torpig Domain Generator”, which displays the currently used attack site and two domains of upcoming attack sites. It’s been working for more than a week now, and so far it is very accurate. (For an unknown reason, the hackers didn’t activate malicious domains this past Saturday, but infected sites still redirected to the same domains predicted by my generator.)
The fact that the algorithm is open and the domain names of the upcoming malicious sites are known even before the hackers register them means that anyone who wants to stop the attack can pre-register those domains (so far it looks like no one has a spare $20/day for this). The same algorithm can be used to proactively blacklist malicious domain names.
I’m sure the hackers are aware of these downsides of open algorithms. Now they are trying to take advantage of the frequently changing pseudorandom domain names while hiding the algorithm of the domain name generator behind intermediary redirector servers.
A few weeks ago I blogged about hacked sites where malicious scripts used the Twitter API to generate domains of new attack sites and trigger “drive-by” downloads.
As you might remember, I mentioned that the script was buggy (it failed to work on certain days) and the approach didn’t look viable in the long term, since it required the hackers to manually register one new domain name every day. As a result, in November this vector looked abandoned (I couldn’t find active, or even registered, malicious domains).
However, the hackers seem to be die-hard fans of Twitter and don’t want to give up on the idea.
A few days ago I found a blacklisted site where search.twitter.com was mentioned as an intermediary in malware distribution. Safe Browsing diagnostic pages also mentioned fresh (beginning of December) malicious domains that were definitely generated by the above-mentioned script. No wonder: on the infected site I found the familiar script. Actually, it was not the same script. It was an improved version of that script.
06 Dec 09 · Filed in Tweet Week · Tweet Week: Nov 30 – Dec 6, 2009 · Comments Off
Selected short messages and links you might have missed if you don’t follow me on Twitter.
IE and Typo3 vulnerabilities, WordPress attack, Twitter API in malicious scripts »»
15 Nov 09 · Filed in Tweet Week · Tweet Week: Nov 9-15, 2009 · Comments Off
Selected short messages and links you might have missed if you don’t follow me on Twitter.
WordPress, Twitter, passwords, gumblar … »»
To improve my Unmask Parasites online service, I regularly visit compromised sites and analyze the malicious content cybercriminals inject into legitimate web pages. I have to admit that hackers are very creative, and I learn new tricks every week.
Today, I found an interesting obfuscated script that used the Twitter API to trigger a malicious process.