How fraudulent blackhat SEO monetizers apply Quality Assurance (QA) to their DIY doorway generators


By Dancho Danchev

How are cybercriminals most commonly abusing legitimate Web traffic?

On the majority of occasions, some will either directly embed malicious iFrames on as many legitimate Web sites as possible, target server farms and the thousands of customers that they offer services to, or generate and upload invisible doorways on legitimate, high pagerank-ed Web properties, in an attempt to monetize the hijacked search traffic.

In this post I’ll profile a DIY blackhat SEO doorway generator, that surprisingly, has a built-in module allowing the cybercriminal using it to detect and remove 21 known Web backdoors (shells) from the legitimate Web site about to be abused, just in case a fellow cybercriminal has already managed to compromise the same site.

Are turf wars back in (the cybercrime) business? Let’s find out.

More details: Continue reading

Webroot’s Threat Blog Most Popular Posts for 2012


By Dancho Danchev

It’s that time of the year! The moment when we look back, and reflect on Webroot’s Threat Blog most popular content for 2012.

Which are this year’s most popular posts? What distinguished them from the rest of the analyses published on a daily basis, throughout the entire year?

Let’s find out.

Continue reading

A Primer for Secure Coding in PHP and MySQL


PHP is an incredibly popular language for creating dynamic web applications — websites such as Facebook are built on it. This can be attributed to many reasons; it is easy to learn, easy to install and does not require the user to compile code. An unfortunate side effect of the ease of development with PHP is a tendency to ignore security during the development process.

In this post I will discuss some of the ways to make your PHP apps more secure. I will go through creating a PHP web app that connects to a MySQL back end database. The application will be a simple address book. The approach I will take is one of layered security.  There is no sure fire quick method of blocking all attacks, but using the layered security approach we severely limit our exposure.

Continue reading

DDoS for hire services offering to ‘take down your competitor’s web sites’ going mainstream


By Dancho Danchev

Thanks to the increasing availability of custom coded DDoS modules within popular malware and crimeware releases, opportunistic cybercriminals are easily developing managed DDoS for hire, also known as “rent a botnet” services, next to orchestrating largely under-reported DDoS extortion campaigns against financial institutions and online gambling web sites.

In this post, I’ll profile a managed DDoS for hire service, offering to “take down your competitor’s web sites offline in a cost-effective manner”.

More details:

Continue reading

Mass SQL injection attack affects over 200,000 URLs


by Dancho Danchev

Security researchers from the Internet Storm Center, have intercepted a currently ongoing SQL injection attack, that has already affected over 200,000 URLs.

The attack was originally detected in early December, 2011. It currently affects ASP sites and Coldfusion, as well as all versions of MSSQL.

Continue reading

Trojans Employ Misdirection Instead of Obfuscation


By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

An unusual family of Trojans, apparently of Chinese origin, engages in rootkit-like behavior which seems designed not to hide the presence of the malware on an infected system, but to misdirect or confuse a technical person who might be using system analysis tools on an infected computer.

The Trojans all originated from a server operated by a free Web host in China, and each sample we tested sent profiling data about the infected system to a command-and-control server located on yet another free Web host, also located in China. It appears to have capabilities to receive instructions to download other components, and it scans the system for antivirus products commonly available in China, including products made by Qihoo 360, China’s largest homegrown antivirus company.

But the most interesting aspect of the Trojans was how it managed to fool most of the free tools someone might use to monitor running programs. The Trojan shows up in the list of active programs, but when that list includes a full path to the running executable, that path points at a nonexistent file supposedly in another location. Continue reading

Phishers Cast Their Nets in the Social Media Pool


By Ian Moyse, EMEA Channel Director

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

It can seem at times that the only people who like change are Internet attackers. And they don’t just like it—they need it. Technology’s rapid changes give cybercriminals new attack vectors to exploit, and new ways to turn a profit out of someone else’s misfortune.

Take phishing, for example. The concept is simple: Send an email disguised as a message from a bank, PayPal, or UPS. Wait for the user to click a link in the message, and enter their private details into a phishing site, and presto! The attacker attains financial or personal login details that can be used to commit fraud or theft.

Of course, it was only a matter of time before most people caught on to email scams. Users read again and again not to click on such links. Mail solutions became better at spotting phishing emails and filtering them into a junk email folder. Even free Web mail providers now catch the majority of these attacks.

Once cybercriminals noticed their traditional phishing approaches were returning lower response rates, they rapidly adjusted to new mediums. As a result, a new trend emerged: smishing (social media phishing) became the new trend in cyber attacks.

Continue reading

Why Put Security Into the Cloud?


Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

This week, Webroot’s Thre@t Reply managed to steal some time with Ian Moyse, who knows a thing or two about the benefits of putting your computer and network security into the cloud, out where the threats are, rather than keeping your security inside your network or on individual computers.

As always, feel free to submit your security question to @webroot, or by email to blog (at) webroot (dot) com, or in the comments below and we’ll get one of our threat researchers to answer it on an upcoming Thre@t Reply video. To see any of our other video replies to reader questions, visit the Webroot channels on YouTube or Vimeo.

Malicious PHP Scripts on the Rise


By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

Last week, I gave a talk at the RSA Security Conference about malicious PHP scripts. For those who can’t attend the conference, I wanted to give you a glimpse into this world to which, until last year, I hadn’t paid much attention.

My normal week begins with a quick scan of malware lists — URLs that point to new samples — that come from a variety of public sources. I started noticing an increasing number of non-executable PHP and Perl scripts appearing on those lists and decided to dig a little deeper.

In a lot of ways, PHP is an ideal platform for malicious Web pages. For programmers and techies, PHP is easy to learn. Virtually all Web servers run the PHP engine, so there are vast numbers of potential “victims” (though the numbers aren’t anything close to the number of Windows-using potential malware victims). And just like many forms of executable malware that runs on Windows — the type I’m more familiar with — the most successful malicious PHP scripts permit their users (the criminals) to control and manipulate Web servers for their own benefit and, most commonly, profit.

Continue reading

Google Results Tarnished Again to Push Rogues


By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

It’s been a few months since Google implemented new ways that it displays search results, and in that time, it’s been difficult to find the kinds of hijacked search results we saw in huge numbers a year ago. But if you thought the search engine manipulators were laying down on the job, you’d be wrong.

A new campaign seems to have hijacked Google search terms of not just products or words, but of people’s names, towns, and phrases in both English and Spanish to lure victims into a trap. One of our Threat Research analysts stumbled upon the new scheme while searching for information about a friend. We were surprised to find that the top four results of that search led directly to that dreaded Sarlaac Pit of malware, the rogue antivirus fakealert.

At first, visiting the four top links in our searches led to the same fakealert. After an hour passed, however, the pages started to shake things up, leading to fakealerts that mix up their appearance. One screen displays something that looks like an alert from the Windows Security Center in Windows Vista; Another generates a dialog that looks like the Security Center alert from Windows 7. Still others take on the now-classic faux-Windows Defender appearance.
Continue reading