Unmask Parasites

Shared publicly
Just wanted to document some of the latest changes in Darkleech behavior that may help you detect it:

* IE=EmulateIE9 to turn on the IE 9 compatibility mode in new IE browsers
* "_SESSION_ID" cookie for 1 week so it doesn't solely rely on IP blacklisting

http://blog.unmaskparasites.com/2014/11/27/darkleech-update-november-2014/
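As an added example (not code from the post or from the Unmask Parasites tool), a small Python checker that looks for the two indicators named above in one raw HTTP response: a `_SESSION_ID` Set-Cookie whose Max-Age or Expires gives a lifetime of about one week, and an `X-UA-Compatible` meta tag with `IE=EmulateIE9`. The sample response, the one-hour tolerance and the reference time are constructed assumptions.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser

WEEK_SECONDS = 7 * 24 * 3600  # the post says the cookie is set for 1 week

class _MetaScanner(HTMLParser):
    """Flag a <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE9"> tag."""
    def __init__(self):
        super().__init__()
        self.emulate_ie9 = False

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "x-ua-compatible" and "emulateie9" in a.get("content", "").lower():
            self.emulate_ie9 = True

def cookie_lifetime_seconds(set_cookie, now):
    """Lifetime of a Set-Cookie value in seconds: Max-Age wins, else Expires, else None."""
    m = re.search(r";\s*max-age=(\d+)", set_cookie, re.I)
    if m:
        return int(m.group(1))
    m = re.search(r";\s*expires=([^;]+)", set_cookie, re.I)
    if m:
        return int((parsedate_to_datetime(m.group(1).strip()) - now).total_seconds())
    return None

def darkleech_indicators(raw_response, now, tolerance=3600):
    """Check one raw HTTP response (headers + body) for the two indicators from the post.
    tolerance (seconds of slack around one week) is an assumption, not from the post."""
    head, _, body = raw_response.partition("\r\n\r\n")
    week_cookie = False
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie" and value.strip().startswith("_SESSION_ID="):
            life = cookie_lifetime_seconds(value, now)
            if life is not None and abs(life - WEEK_SECONDS) <= tolerance:
                week_cookie = True
    scanner = _MetaScanner()
    scanner.feed(body)
    return {"emulate_ie9_meta": scanner.emulate_ie9, "session_id_cookie_week": week_cookie}

# Constructed sample response (not a real capture); NOW is chosen to match its Expires date.
NOW = datetime(2014, 11, 27, 12, 0, tzinfo=timezone.utc)
SAMPLE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "Set-Cookie: _SESSION_ID=c0ffee; expires=Thu, 04 Dec 2014 12:00:00 GMT; path=/\r\n\r\n"
          '<html><head><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE9"></head></html>')
```

Either indicator on its own is common on legitimate pages; the point is that both appearing together on a page that did not have them before is worth a closer look.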

Unmask Parasites

Shared publicly
My new blogpost with speculations about doorway schemes that redirect back to search results.

Dumping unneeded traffic or second level of search engine optimization and traffic re-targeting?
http://blog.unmaskparasites.com/2014/06/11/google-doorway-google-spam/
Great read. Thanks Denis

Unmask Parasites

Shared publicly
My new post on the +Sucuri Inc. blog. It's about malware added to most of the premium plugins that various shady sites redistribute for "free".

In the article, you'll find several examples of backdoors and unwanted ad scripts that can be found there.

Please, think about what you install on your server. Software from unreliable sources may cause lots of trouble.

http://blog.sucuri.net/2014/03/unmasking-free-premium-wordpress-plugins.html

Unmask Parasites

Shared publicly
Do you know Chinese fortune cookies? This malware reminded me of them.

Its algorithm uses some sort of a game of chance to determine whether to redirect you or not, and the final decision is delivered in an HTTP cookie. Moreover, it specifically checks for Chinese language and visits from Hong Kong sites (although just to turn them down).
About a week ago we got an interesting Zencart case. Being that we don't often write about Zencart we figured it'd be good time to share the case and details on

Unmask Parasites

Shared publicly
A popular Joomla extension JomSocial (that powers 160,000+ communities) has recently released a security update
http://www.jomsocial.com/blog/hot-fix-3-1-0-4

The reason was serious -- their own site was hacked using a security hole in their product.

At this moment JomSocial is "unlisted" in the official Joomla extension directory as a "vulnerable extension"
http://extensions.joomla.org/extensions/clients-a-communities/communities/7608

Meanwhile, we see attack attempts that try to exploit this JomSocial vulnerability.

If you use this extension, make sure to upgrade it ASAP. And consider using a website firewall to be protected even during the window between the time when hackers begin to exploit some vulnerability and the time when you patch your system.

Unmask Parasites

Shared publicly
This is what I feared and predicted a few years ago.

Hackers have been stealing FTP credentials from FileZilla for many years
http://blog.unmaskparasites.com/2009/09/23/10-ftp-clients-malware-steals-credentials-from/
http://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/

But to do it they needed to infect a webmaster's computer. Moreover, if webmasters didn't save passwords in Filezilla, malware couldn't steal full credentials.

So, given that FileZilla is open source software, anyone can build their own copy of FileZilla. And nothing can prevent adding some extra code into such custom builds. For example, such code can send current FTP session credentials (which are guaranteed to be full and valid) to a third-party server. With such a custom build, however, the criminals would still somehow need to make people install their version, not the official one.

This Avast blog post shows that such "custom" FileZilla builds can actually already be found in the wild. Some people just don't pay any attention to where they download their software from: official and reputable sites, or just a random site with a download link.

If you use FileZilla, please read this article and check whether your copy is genuine.

http://blog.avast.com/2014/01/27/malformed-filezilla-ftp-client-with-login-stealer/

Unmask Parasites

Shared publicly
When we see malicious code on web pages, our usual suspects are:

* Vulnerabilities in website software
* Trojanized software from untrusted sources (e.g. pirated themes and plugins)
* Stolen or brute-forced credentials (anything from FTP and SSH to CPanel and CMS)
* Cross-site contamination, or poor isolation from hacked sites on the same server.
* Server-level infections like Darkleech or Ebury.

But sometimes the website infection vector is as exotic as a rogue browser extension on a site owner's computer...
-----------
My article on +Sucuri Inc. blog

Unmask Parasites

Shared publicly
A new post from +Sucuri Inc. in the series about contaminated plugins from shady sources:

http://blog.sucuri.net/2014/06/wordpress-plugin-alert-loginwall-imposter-exposed.html

This one, besides the legitimate stuff, created spammy sections on websites that installed it.

Previous post:
http://blog.sucuri.net/2014/03/unmasking-free-premium-wordpress-plugins.html

Unmask Parasites

Shared publicly
A BadwareBusters thread about 30+ infected and blacklisted sites and an answer from +Caitlin Condon, StopBadware:
-----------------
StopBadware can provide a bulk review of sites blacklisted by Google, yes. If you have more than 20 sites that are currently blacklisted by Google and you have cleaned them up, you can email bulkreviews <at> stopbadware.org
We are only able to do this for sites on Google's blacklist; we are unable to process bulk reviews for sites blacklisted by ThreatTrack Security or NSFocus.
--------------------
A huge list of our system(datingfactory.com) sites were blacklisted in 2 days for no reason. I can see in webmaster tools that malware code wasn't located on site pages, also google shows malware status randomly – every time I refresh page google changes status from malware to normal and ...

Unmask Parasites

Shared publicly
In response to the +Data Driven Security blog post that did an independent analysis of the bitly data that I published in my article on the +Sucuri Inc. blog about how Darkleech abused the Bitly URL shortening service and how I used the Bitly API to collect data and estimate the scale of the Darkleech infection.

This time just a story about how I collected the data and worked with it. All data interpretations are in my previous article here:
http://blog.sucuri.net/2014/02/darkleech-bitly-com-insightful-statistics.html

http://datadrivensecurity.info/blog/posts/2014/Feb/reproducible-research-sucuri-darkleech-data/

http://blog.unmaskparasites.com/2014/02/10/working-with-the-darkleech-bitly-data/

Unmask Parasites

Shared publicly
My new post on Sucuri blog. It's about how hackers abuse popular web services, and how this helps security researchers obtain interesting statistics about malware attacks and even [temporarily] disrupt them.

Some highlights (extrapolated data):
* 303 infected servers
* 3.5 million iframe loads since the middle of December of 2013
* half a million malicious bitly.com links created during that time
* web surfers from 196 countries were attacked during that time

http://blog.sucuri.net/2014/02/darkleech-bitly-com-insightful-statistics.html

Unmask Parasites

Shared publicly
It's quite an old exploit, but it still helps hack so many Joomla sites because their webmasters don't bother upgrading them.  Moreover, it looks like the number of malicious bots that crawl the Internet searching for sites with vulnerable versions of JCE component has increased. 

Just quick stats of one site (based on log analysis):

* 7,409 requests with the User-Agent "BOT/0.1 (BOT for JCE)" that came from 785 different IPs during the period of Dec 24th – Jan 24th (one month)
* 239 requests from 51 unique IP addresses during the last 24 hours
* 4 independent (uploaded different types of backdoors) successful infections during one day.

Please, keep your sites up-to-date and protected.

http://blog.unmaskparasites.com/2014/01/27/invasion-of-jce-bots/
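As an added example (not from the post or the Unmask Parasites tool), a small Python log analysis that produces the kind of stats quoted above from constructed Apache combined-format log lines: requests carrying the "BOT/0.1 (BOT for JCE)" User-Agent, distinct source IPs, and the same counts restricted to the last 24 hours. The sample lines, the reference time and the window sizes are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

JCE_BOT_UA = "BOT/0.1 (BOT for JCE)"  # the User-Agent string quoted in the post

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry

def jce_bot_stats(lines, now, window):
    """Requests and distinct source IPs with the JCE bot User-Agent in [now - window, now]."""
    since = now - window
    hits = [e for e in map(parse_line, lines)
            if e and e["ua"] == JCE_BOT_UA and since <= e["ts"] <= now]
    return {
        "requests": len(hits),
        "unique_ips": len({e["ip"] for e in hits}),
        "top_ips": Counter(e["ip"] for e in hits).most_common(3),  # candidates for blocking
    }

# Constructed sample log lines (documentation IP ranges, not real traffic); NOW matches them.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jan/2014:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "BOT/0.1 (BOT for JCE)"
203.0.113.5 - - [24/Jan/2014:10:15:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "BOT/0.1 (BOT for JCE)"
198.51.100.7 - - [24/Jan/2014:03:40:10 +0000] "GET /index.php HTTP/1.1" 404 220 "-" "BOT/0.1 (BOT for JCE)"
192.0.2.9 - - [02/Jan/2014:12:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "BOT/0.1 (BOT for JCE)"
192.0.2.10 - - [24/Jan/2014:09:00:00 +0000] "GET /about HTTP/1.1" 200 800 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
""".splitlines()
NOW = datetime(2014, 1, 24, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("last month:", jce_bot_stats(SAMPLE_LOG, NOW, timedelta(days=31)))
    print("last 24h:  ", jce_bot_stats(SAMPLE_LOG, NOW, timedelta(days=1)))
```

On a real server, feed it the access log with `jce_bot_stats(open(path), datetime.now(timezone.utc), timedelta(days=1))`; a non-zero count on a site that does not run JCE at all still tells you the site is being scanned.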
Contact: http://www.UnmaskParasites.com/contact/
Tagline: Website security and Unmask Parasites updates

Introduction: Unmask Parasites is an online tool that helps webmasters check their web pages for obscure security problems such as
  • unauthorized redirects,
  • invisible links and iframes,
  • suspicious scripts,
  • cloaking.

This Google+ page will help you better understand how to detect website hacks and what should be done to protect your website.

To get started, read the Introduction to Website Parasites article.