Unmask Parasites

My new post on the +Sucuri Inc. blog. It's about malware added to most of the premium plugins that various shady sites redistribute for "free".

In the article, you'll find several examples of backdoors and unwanted ad scripts that can be found there.

Please, think about what you install on your server. Software from unreliable sources may cause lots of trouble.

http://blog.sucuri.net/2014/03/unmasking-free-premium-wordpress-plugins.html

Unmask Parasites

Do you know Chinese fortune cookies? This malware reminded me of them.

Its algorithm uses some sort of a game of chance to determine whether to redirect you or not, and the final decision is delivered in an HTTP cookie. Moreover, it specifically checks for Chinese language and visits from Hong Kong sites (although just to turn them down).

Unmask Parasites

A popular Joomla extension, JomSocial (which powers 160,000+ communities), has recently released a security update:
http://www.jomsocial.com/blog/hot-fix-3-1-0-4

The reason was serious -- their own site was hacked using a security hole in their product.

At the moment, JomSocial is "unlisted" in the official Joomla extension directory as a "vulnerable extension":
http://extensions.joomla.org/extensions/clients-a-communities/communities/7608

Meanwhile, we see attack attempts that try to exploit this JomSocial vulnerability.

If you use this extension, make sure to upgrade it ASAP. And consider using a website firewall to be protected even during the window between the time when hackers begin to exploit some vulnerability and the time when you patch your system.
 
This is what I feared and predicted a few years ago.

Hackers have been stealing FTP credentials from FileZilla for many years
http://blog.unmaskparasites.com/2009/09/23/10-ftp-clients-malware-steals-credentials-from/
http://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/

But to do it they needed to infect a webmaster's computer. Moreover, if webmasters didn't save passwords in Filezilla, malware couldn't steal full credentials.

So, given that FileZilla is open source software, anyone can build their own copy of FileZilla. And nothing can prevent adding some extra code to such custom builds. For example, such code can send current FTP session credentials (which are guaranteed to be full and valid) to a third-party server. With such a custom build, however, the criminals would still somehow need to make people install their version, not the official one.

This Avast blog post shows that such "custom" FileZilla builds can actually already be found in the wild. Some people just don't pay any attention to where they download their software from: official and reputable sites, or just a random site with a download link.

If you use FileZilla, please read this article and check whether your copy is genuine.

http://blog.avast.com/2014/01/27/malformed-filezilla-ftp-client-with-login-stealer/

Unmask Parasites

Starting this week, you may see the Suspicious Styles section in Unmask Parasites reports.

In this section, you will see excerpts of the style definitions that Unmask Parasites considers suspicious. If you see it in your site reports, then you should check the HTML code of your pages and figure out whether that style is a normal part of your pages or whether it was added there to hide something illicit.

Unmask Parasites

A BadwareBusters thread about 30+ infected and blacklisted sites and an answer from +Caitlin Condon, StopBadware:
-----------------
StopBadware can provide a bulk review of sites blacklisted by Google, yes. If you have more than 20 sites that are currently blacklisted by Google and you have cleaned them up, you can email bulkreviews <at> stopbadware.org.
We are only able to do this for sites on Google's blacklist; we are unable to process bulk reviews for sites blacklisted by ThreatTrack Security or NSFocus.
--------------------

Unmask Parasites

In response to the +Data Driven Security blog post that did an independent analysis of the bitly data that I published in my article on the +Sucuri Inc. blog about how Darkleech abused the Bitly URL shortening service and how I used the Bitly API to collect data and estimate the scale of the Darkleech infection.

This time just a story about how I collected the data and worked with it. All data interpretations are in my previous article here:
http://blog.sucuri.net/2014/02/darkleech-bitly-com-insightful-statistics.html

http://datadrivensecurity.info/blog/posts/2014/Feb/reproducible-research-sucuri-darkleech-data/

http://blog.unmaskparasites.com/2014/02/10/working-with-the-darkleech-bitly-data/

Unmask Parasites

My new post on the Sucuri blog. It's about how hackers abuse popular web services, and how this helps security researchers obtain interesting statistics about malware attacks and even [temporarily] disrupt them.

Some highlights (extrapolated data):
* 303 infected servers
* 3.5 million iframe loads since the middle of December of 2013
* half a million malicious bitly.com links created during that time
* web surfers from 196 countries were attacked during that time

http://blog.sucuri.net/2014/02/darkleech-bitly-com-insightful-statistics.html

Unmask Parasites

It's quite an old exploit, but it still helps hack so many Joomla sites because their webmasters don't bother upgrading them. Moreover, it looks like the number of malicious bots that crawl the Internet searching for sites with vulnerable versions of the JCE component has increased.

Just some quick stats from one site (based on log analysis):

* 7,409 requests with the User-Agent "BOT/0.1 (BOT for JCE)" that came from 785 different IPs during the period of Dec 24th - Jan 24th (one month)
* 239 requests from 51 unique IP addresses during the last 24 hours
* 4 independent successful infections (which uploaded different types of backdoors) during one day.

Please, keep your sites up-to-date and protected.

http://blog.unmaskparasites.com/2014/01/27/invasion-of-jce-bots/
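The kind of log tally behind the JCE-bot stats in the post above, as an added example (not code from Unmask Parasites or Sucuri): it parses Apache combined-format access log lines, keeps only requests carrying the scanner's User-Agent quoted in the post, and counts requests and distinct source IPs within a date window. The log lines are constructed samples, not real traffic, and the combined log format and window boundaries are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Apache "combined" log format; the scanner User-Agent is the one quoted in the post.
JCE_BOT_UA = "BOT/0.1 (BOT for JCE)"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def jce_bot_stats(lines, since, until):
    """Count JCE-bot requests and distinct source IPs with since <= timestamp <= until.
    For a "last 24 hours" figure, pass since = until - timedelta(days=1)."""
    by_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ua"] != JCE_BOT_UA:
            continue
        if not (since <= rec["ts"] <= until):
            continue
        by_ip[rec["ip"]] += 1
    return {"requests": sum(by_ip.values()), "unique_ips": len(by_ip), "by_ip": by_ip}

# Constructed sample lines (not real traffic): three bot hits from two IPs inside the
# window, one ordinary visitor, and one bot hit after the window ends.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2014:03:14:22 +0000] "GET / HTTP/1.1" 200 5120 "-" "BOT/0.1 (BOT for JCE)"
203.0.113.7 - - [10/Jan/2014:03:14:23 +0000] "GET / HTTP/1.1" 200 5120 "-" "BOT/0.1 (BOT for JCE)"
198.51.100.42 - - [15/Jan/2014:11:02:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "BOT/0.1 (BOT for JCE)"
192.0.2.9 - - [15/Jan/2014:11:05:40 +0000] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Feb/2014:00:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "BOT/0.1 (BOT for JCE)"
""".splitlines()

def sample_stats():
    """Run the tally over the constructed sample for the Dec 24 - Jan 24 window."""
    tz = timezone.utc
    since = datetime(2013, 12, 24, tzinfo=tz)
    until = datetime(2014, 1, 24, 23, 59, 59, tzinfo=tz)
    return jce_bot_stats(SAMPLE_LOG, since, until)
```

Run it against a real access log by replacing SAMPLE_LOG with the lines of the file; a sudden rise in unique IPs for this User-Agent is the signal the post describes.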
Contact Information
Address: http://www.UnmaskParasites.com/contact/
Story
Tagline
Website security and Unmask Parasites updates
Introduction
Unmask Parasites is an online tool that helps webmasters check their web pages for obscure security problems such as:
  • unauthorized redirects,
  • invisible links and iframes,
  • suspicious scripts,
  • cloaking.

This Google+ page will help you better understand how to detect website hacks and what should be done to protect your website.

To get started, read the Introduction to Website Parasites article.