Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Hacked websites are being put at even greater risk by malicious web redirect scripts

Representational image of internet connections against a cityscape.

Parrot traffic direction system (TDS), a malicious script that redirects website visitors to dangerous destinations, was observed evolving and becoming harder to detect.

Cybersecurity researchers Unit 42, from Palo Alto Networks, recently analyzed 10,000 Parrot landing page scripts, gathered between August 2019 and October 2023. 

They concluded the majority of the scripts (75%) were new, representing the fourth iteration of the code. Another 18% were of the previous version, while the remaining 7% were running older scripts.

Different payloads for different victims

Compared to the older versions, the fourth iteration comes with a number of enhancements, including improved obfuscation with complex code structure and encoding mechanisms. Furthermore, the fourth version has different array indexing and handling that disrupts pattern recognition and signature-based detection, and comes with a variation in the handling of strings and numbers. 

As for its efficiency and productivity, Parrot TDS remains as useful as ever. It profiles the victim’s environment and, depending on the conditions found, drops different payloads. Unit 42 found a total of nine different payloads who, among themselves, don’t differ that greatly. There are “minor obfuscation changes” and target OS checks. 

In most cases (70%), Parrot will drop the second version of the payload with doesn’t come with any obfuscation.

To remain secure, website owners should search their servers for suspicious php files. They should also scan the ndsj, ndsw, and ndsx keywords, and use firewalls to block webshell traffic. Finally, they should deploy URL filtering tools to block traffic coming from known malicious URLs and IP addresses. 

Parrot TDS was first discovered in April 2022, by cybersecurity researchers from Avast. It was then said that the script was probably active since 2019, managing to infect more than 16,500 websites.

Via BleepingComputer

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.